What is a plugin?

Kong Gateway is a Lua application designed to load and execute modules. These modules, called plugins, allow you to add more features to your implementation.

Kong provides a set of standard Lua plugins that get bundled with Kong Gateway and Konnect.

You can also develop custom plugins, adding your own custom functionality to Kong Gateway.

Custom plugins

Kong provides an entire development environment for developing plugins, including Plugin Development Kits (or PDKs), database abstractions, migrations, and more.

Plugins consist of modules interacting with the request/response objects or streams via a PDK to implement arbitrary logic. Kong provides PDKs in the following languages:

  • Lua
  • Go
  • Python
  • JavaScript

These PDKs are sets of functions that a plugin can use to facilitate interactions between plugins and the core (or other components) of Kong.

To start creating your own plugins, review the Getting Started documentation, or see the following references:

How do plugins work?

A Kong Gateway plugin allows you to inject custom logic at several entrypoints in the lifecycle of a request, response, or TCP stream connection as it is proxied by Kong Gateway.

Plugin contexts

The following functions are used to implement plugin logic at various entry-points of Kong Gateway’s execution life-cycle:

All of those functions, except init_worker and configure, take one parameter which is given by Kong Gateway upon its invocation: the configuration of your plugin. This parameter is a Lua table, and contains values defined by your users, according to your plugin’s schema (described in the schema.lua module). The configure is called with an array of all the enabled plugin configurations for the particular plugin (or in case there is no active configurations to plugin, a nil is passed). init_worker and configure happens outside requests or frames, while the rest of the phases are bound to incoming request/frame.

Note that UDP streams don’t have real connections. Kong Gateway will consider all packets with the same origin and destination host and port as a single connection. After a configurable time without any packet, the connection is considered closed and the log function is executed.

Scoping plugins

You can run plugins in various contexts, depending on your environment needs. Each plugin can run globally, or be scoped to some combination of the following:

Using scopes, you can customize how Kong Gateway handles functions in your environment, either before a request is sent to your upstream services or after it receives a response. For example, if you apply a plugin to a single Route, that plugin will only trigger when a request matches the Route’s specific path.

Global scope

A global plugin is not associated to any Service, Route, Consumer, or Consumer Group is considered global, and will be run on every request, regardless of any other configuration.

  • In self-managed Kong Gateway Enterprise, the plugin applies to every entity in a given Workspace.
  • In self-managed open-source Kong Gateway, the plugin applies to your entire environment.
  • In Konnect, the plugin applies to every entity in a given Control Plane.

Every plugin supports a subset of these scopes.

Plugin precedence

A plugin can have multiple instances in the same configuration. Different instances can be used to apply the plugin to various entities, combinations of entities, or even globally. You can give each plugin instance a unique name to help identify it. The instance name itself doesn’t affect processing - it acts like an internal label instead.

A single plugin instance always runs once per request. The configuration with which it runs depends on the entities it has been configured for.

This is useful, for example, when you want to configure a plugin a certain way for most requests but make authenticated requests behave slightly differently.

Therefore, there is an order of precedence for running a plugin when it has been applied to different entities with different configurations. The number of entities configured to a specific plugin directly correlates to its priority. The more entities a plugin is configured for, the higher its order of precedence.

The complete order of precedence for plugins configured to multiple entities is:

  1. Consumer + Route + Service: Highest precedence, affecting authenticated requests that match a specific Consumer on a particular Route and Service.
  2. Consumer group + Service + Route: Affects groups of authenticated users across specific Services and Routes.
  3. Consumer + Route: Targets authenticated requests from a specific Consumer on a particular Route.
  4. Consumer + Service: Applies to authenticated requests from a specific Consumer accessing any Route within a given Service.
  5. Consumer group + Route: Affects groups of authenticated users on specific Routes.
  6. Consumer group + Service: Applies to all Routes within a specific Service for groups of authenticated users.
  7. Route + Service: Targets all Consumers on a specific Route and Service.
  8. Consumer: Applies to all requests from a specific, authenticated Consumer across all Routes and Services.
  9. Consumer Group: Affects all Routes and Services for a designated group of authenticated users.
  10. Route: Specific to given Route.
  11. Service: Specific to given Service.
  12. Globally configured plugins: Lowest precedence, applies to all requests across all Services and Routes regardless of Consumer status.

Note on precedence for Consumer Groups

When a Consumer is a member of two Consumer Groups, each with a scoped instance of the same plugin, Kong Gateway ensures deterministic behavior by executing only one of these plugin instances. Currently, this is determined by the Consumer Group name, in alphabetical order. For example, if you have two Consumer Groups, A and B, each with an instance of the Rate Limiting Advanced plugin, the plugin in Consumer Group A will be applied.

The specific rules that govern this behavior are not defined and are subject to change in future releases.

Supported scopes by plugin

See the following table for plugins and their compatible scopes:

Plugin priority

All of the plugins bundled with Kong Gateway have a static priority. This can be adjusted dynamically using the plugin’s ordering configuration parameter.

Dynamic plugin ordering

You can override the priority for any Kong Gateway plugin using each plugin’s ordering configuration parameter. This determines plugin ordering during the access phase, and lets you create dynamic dependencies between plugins.

You can choose to run a particular plugin before or after a specified plugin or list of plugins.

The configuration looks like this:

pluginA:
  ordering:
    before|after:
      access:
        - pluginB
        - pluginC

Example with before token

For example, let’s say you want to limit the amount of requests against your Gateway Service and Route before Kong requests authentication. The following example uses the Rate Limiting Advanced plugin with the Key Auth plugin as the authentication method:

Example with after token

For example, you may want to first transform a request with the Request Transformer plugin, then request authentication. You can change the order of the authentication plugin (Basic Auth, in this example) so that it always runs after transformation:

Known limitations of dynamic plugin ordering

If using dynamic ordering, manually test all configurations, and handle this feature with care.

There are a number of considerations that can affect your environment:

  • Cascading deletes: Detecting if a plugin has a dependency to a deleted plugin isn’t supported, so handle your configuration with care.

  • Performance: Dynamic plugin ordering requires sorting plugins during a request, which adds latency to the request. In some cases, this might be compensated for when you run rate limiting before an expensive authentication plugin.

    Re-ordering any plugin in a Workspace or control plane has performance implications to all other plugins within the same environment. If possible, consider offloading plugin ordering to a separate environment.

  • Validation: Validating dynamic plugin ordering is a non-trivial task and would require insight into the user’s business logic. Kong Gateway tries to catch basic mistakes, but it can’t detect all potentially dangerous configurations.

Note: In Kong Gateway 3.13 and earlier, Consumer and Consumer Group scoping was not compatible with dynamic plugin ordering. If you had Consumer or Consumer Group-scoped plugins anywhere in your Workspace or control plane, dynamic plugin ordering would cause those plugins not to trigger. This limitation was resolved in Kong Gateway 3.14.

Conditional plugin execution v3.15+

Plugins have a condition field that determines whether the plugin executes for a given request. By writing conditions using CEL (Common Expression Language) expressions, you can access dynamic configuration from the execution context.

When a request comes in, Kong Gateway evaluates the condition. If the condition matches, the plugin runs normally; if it doesn’t match, the plugin is skipped entirely for that request. By conditionally executing plugins only when there’s a match, you can reduce performance costs.

For example, you can create a condition that causes the plugin to trigger only when the request includes the header x-block: true:

condition: 'http.headers.x_block == "true"'

For more information, see:

Cloning plugins v3.15+

You can run multiple instances of a plugin by cloning it. Cloning a plugin creates a custom instance of an existing plugin, letting you apply different configurations to your preferred scopes. A cloned plugin shares its code and logic with the source plugin, but is treated as a separate plugin instance.

The priority of the cloned plugin can also be changed.

Cloned plugins are useful in many situations. For example:

  • Running the same plugin on different attributes of a request. For example, you may want to validate two different JWTs in two separate headers.
  • Allowing different teams who want to use the same plugin logic to apply different business rules. For example, a platform team may want to add a global IP deny list to a Gateway to enforce a global security policy, while an engineering team may also want to block IPs from a particular problematic customer on a single Route.
  • Running multiple instances of the Datakit plugin where different teams want to independently manage their own distinct flows on the same Gateway.
  • In conjunction with conditional plugins, running different configurations of the plugin based on different environmental conditions.

Permissions required

To create cloned plugins, you must have the following permissions:

  • Konnect: One of the following control plane roles: ServiceAdmin, RouteAdmin, PluginAdmin, CPAdmin, or Deployer.
  • Self-managed Kong Gateway: super-admin or admin role.

Supported plugins

The following plugins support cloning:

Example of cloned plugin

To create a plugin clone, use the cloned_plugins key to define a new plugin, then configure the clone the same as any other plugin through plugins:

cloned_plugins:
# Create a clone of request transformer to use for global configuration
 - name: request-transformer-global
   ref: request-transformer
   priority: 999

# Define an entry for the new plugin under the global plugins key
plugins:
  - name: request-transformer-global
    config:
      add:
        headers:
          - "X-Global-Header:isSetGlobally"
  • cloned_plugins.name: The name of your new plugin. This must be a unique name that doesn’t conflict with an existing plugin. We recommend making this name distinct so that it doesn’t conflict with future plugins. For example, acme-request-transformer-global.
  • cloned_plugins.ref: The source plugin that this clone is based on.
  • cloned_plugins.priority: The order in which the plugin runs relative to other plugins (see plugins priorities). This is an optional setting. If not set, the plugin inherits the priority of the source plugin. For plugins with the same priority, the order depends on their names in reverse alphabetical order: plugins with alphabetically greater names run earlier (for example, my-plugin-b runs before my-plugin-a).

Note: Each plugin ref (for example, ref: request-transformer) can have a maximum of five clones.

For more information, see the guide on Cloning a Kong Gateway plugin.

Deleting or updating cloned plugins

To delete a cloned plugin, remove all configurations that reference it first, then delete its entry under cloned_plugins.

If you need to make any changes to the configuration of the cloned plugin (for example, with a new name or priority, or to point to a different ref), we recommend the following approach for safe migration:

  1. Start a migration/maintenance window.
  2. Create a new cloned plugin.
  3. Update the configuration for all the plugin instances of the old cloned plugin to comply with the new cloned plugin.
  4. Remove the cloned plugin.
  5. Stop the migration/maintenance window.

Protocols

Plugins support different protocols.

Supported protocols by plugin

Each plugin supports a specific set of protocols. By default, all protocols supported by a plugin are enabled. You can adjust the plugin’s configuration to disable support for specific protocols, if needed.

See the following table for plugins and their compatible (default) protocols:

Set up a Plugin

Kong has many bundled plugins available, all of which have their own specific configurations and examples. See all Kong plugins for their individual configurations.

Here’s an example of configuration for the ACL plugin:

Schema

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!