Enforce the Ingress Policy

After you add the Kong Gateway System, you can see under Policy > Ingress that the following policy is installed automatically.

The client-load application is installed along with the sample-app. Every 30 seconds it executes the following HTTP calls, pretending to be different users, to generate sample data for visualization.

curl -is --user alice:password ingress-kong/finance/salary/alice
curl -is --user bob:password ingress-kong/finance/salary/alice
curl -is --user bob:password ingress-kong/finance/salary/charlie
curl -is --user david:password ingress-kong/finance/salary/bob
curl -is --user david:password ingress-kong/hr/dashboard
curl -is --user eve:password ingress-kong/admin

By default, all policies allow traffic to the service that runs the Kong Gateway data plane as a sidecar container. Click the Decisions tab for your Kong Gateway System to view all the Allowed decisions.

The Quick Start provides a link to replace the sample Ingress policy. Once the replacement Ingress policy is published, the sample-app can receive ingress traffic only on the whitelisted /finance/salary endpoint. Switch to the Decisions tab and verify that traffic to the /hr/dashboard and /admin paths is Denied.
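
To know what the Decisions tab should show before you check it, the following added example (not the Styra or Kong policy itself) models the path allowlist in Python and applies it to the six client-load requests above. The function names, the segment-boundary matching and the path normalization step are assumptions made for illustration; the published policy's actual matching rules are defined by the policy linked from the Quick Start.

```python
import posixpath
from urllib.parse import unquote

# Endpoint the page says remains reachable after the policy is published.
ALLOWED_PREFIXES = ("/finance/salary",)

# The six client-load requests from the page, as (user, path).
CLIENT_LOAD = [
    ("alice", "/finance/salary/alice"),
    ("bob", "/finance/salary/alice"),
    ("bob", "/finance/salary/charlie"),
    ("david", "/finance/salary/bob"),
    ("david", "/hr/dashboard"),
    ("eve", "/admin"),
]


def normalize(path):
    """Drop the query string, percent-decode once, and collapse
    dot segments and duplicate slashes (assumed pre-match step)."""
    decoded = unquote(path.split("?", 1)[0])
    return posixpath.normpath("/" + decoded.lstrip("/"))


def decide(path):
    """Return 'Allowed' only when the normalized path is the allowlisted
    endpoint or sits below it on a segment boundary; deny by default."""
    p = normalize(path)
    for prefix in ALLOWED_PREFIXES:
        if p == prefix or p.startswith(prefix + "/"):
            return "Allowed"
    return "Denied"


def expected_decisions(requests=CLIENT_LOAD):
    """Decision expected for each client-load request."""
    return [(user, path, decide(path)) for user, path in requests]


if __name__ == "__main__":
    for user, path, decision in expected_decisions():
        print(f"{user:6} {path:26} {decision}")
```

Matching on a segment boundary after normalization keeps a sibling path such as /finance/salary-export, or a dot-segment path that resolves outside the endpoint, from being treated as part of the allowlisted prefix.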