Open in app

Sign in

Write

Sign in

KrakenD API Gateway
KrakenD
Published in
3 min readFeb 28, 2023

--

The new KrakenD Enterprise version 2.2 is now available, and it’s supercharged: Introduces dynamic routing based on headers and query strings, adds a security policies engine, upgrades to OpenAPI 3, improves SOAP integration, default gzip compression and a lot more… see below.

Security Policies: Enforce any check, anywhere

From RBAC and ABAC, to lifecycle management, restriction of content by country, validation custom cryptography or other strategies, … The new policies engine allows you to do any custom evaluations you need, during runtime and with access to query strings, URLs, parameters, cookies, tokens, time functions, geolocation, cryptography, and a long etcetera.

Here’s a couple of elementary examples:

// Is the user from the right department?
has(JWT.department) && JWT.department in ["marketing", "sales"]

Or

{
  "req": {
    "policies": [
      "timestamp(now)< timestamp('2023-01-01T10:00:20.000-05:00') || timestamp(now)> timestamp('2023-01-01T12:00:20.000-05:00')"
    ],
    "error": {
      "body": "The system is down for maintenance from 10am to 12pm. Come back later",
      "status": 500
    }
  }
}

Policies are potent and allow you to perform many checks and return custom errors before or after hitting your services, see some examples.

Security Audit: Automated advice on your pipeline

The security audit command (krakend audit) parses and analyzes your configurations and outputs security recommendations. We have designed it to run as a standalone command or integrated it into your existing CI/CD pipeline to avoid dangerous configurations, such as unwillingly disabling the TLS, setting excessive timeouts, unprotected endpoints, or similar scenarios.

KrakenD Audit screenshot

Dynamic routing based on headers and query strings

The dynamic routing extends the routing capabilities to add header and query string processing to assemble the final upstream URL you want to reach.

{
  "endpoint": "/foo",
  "backend":[
    {
      "url_pattern": "/{input_headers.X-Tenant}/foo"
    }
  ]
}

JWT validation

Improvements on the JWT validator:

  • Extraction of JSON from paths in JWT claims has been improved
  • JWT is now more restrictive and fallbacks to returning 401 error codes with incorrect configurations.
  • The JWK URL requests to your identity server now include a KrakenD-specific user agent.

New manipulation options

In this category, we have enabled the following features:

Connectivity

OpenAPI 3

Added OpenAPI 3 through flag --oas3 supporting import, export, mocking, and JSON schema. The previous Swagger 2.0 has received improvements as well.

Configuration

  • Flexible Configuration component upgrades Sprig from v2 to v3. This has changes in the way ^ is handled. Some new functions available are fromJson, addf, maxf, mulf, osBase, osDir, osExt, osClean, or osIsAbs.
  • Flexible Configuration with YAML or TOML is now possible.

Full changelog

Relevant fixes:

  • [bugfix] When you were loading multiple plugins, and one of them failed, the gateway did not load the rest. Now the sequence will continue excluding the failing one.
  • [bugfix] Older Docker images raised false positives when performing security scans due to an unused but included library (Thrift server). This library is no longer in the code.

Upgrading to the latest version is always advised.

Tags: enterpriserelease notes

--

--

KrakenD API Gateway
KrakenD

Written by KrakenD API Gateway

64 Followers
Editor for

The ultra-performant API Gateway: http://www.krakend.io

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams