Case Study Jobteaser Case Study: Scalable Public APIs with KrakenD

Product UpdatesSecurity

4 min read

KrakenD Enterprise 2.2 released

by Albert Lombarte

The new KrakenD Enterprise version 2.2 is now available, and it’s supercharged: Introduces dynamic routing based on headers and query strings, adds a security policies engine, upgrades to OpenAPI 3, improves SOAP integration, default gzip compression and a lot more…

Below there is a summary of changes and an introduction to some of these new features.

Security Policies: Enforce any check, anywhere

From RBAC and ABAC, to lifecycle management, restriction of content by country, validation custom cryptography or other strategies, … The new policies engine allows you to do any custom evaluations you need, during runtime and with access to query strings, URLs, parameters, cookies, tokens, time functions, geolocation, cryptography, and a long etcetera.

Here’s a couple of elementary examples:

// Is the user from the right department?
has(JWT.department) && JWT.department in ["marketing", "sales"]

Or

{
  "req": {
    "policies": [
      "timestamp(now)< timestamp('2023-01-01T10:00:20.000-05:00') || timestamp(now)> timestamp('2023-01-01T12:00:20.000-05:00')"
    ],
    "error": {
      "body": "The system is down for maintenance from 10am to 12pm. Come back later",
      "status": 500
    }
  }
}

Policies are potent and allow you to perform many checks and return custom errors before or after hitting your services, see some examples.

Security Audit: Automated advice on your pipeline

The security audit command (krakend audit) parses and analyzes your configurations and outputs security recommendations. We have designed it to run as a standalone command or integrated it into your existing CI/CD pipeline to avoid dangerous configurations, such as unwillingly disabling the TLS, setting excessive timeouts, unprotected endpoints, or similar scenarios.

KrakenD Audit screenshot

Dynamic routing based on headers and query strings

The dynamic routing extends the routing capabilities to add header and query string processing to assemble the final upstream URL you want to reach.

{
  "endpoint": "/foo",
  "backend":[
    {
      "url_pattern": "/{input_headers.X-Tenant}/foo"
    }
  ]
}

JWT validation

Improvements on the JWT validator:

  • Extraction of JSON from paths in JWT claims has been improved
  • JWT is now more restrictive and fallbacks to returning 401 error codes with incorrect configurations.
  • The JWK URL requests to your identity server now include a KrakenD-specific user agent.

New manipulation options

In this category, we have enabled the following features:

Connectivity

OpenAPI 3

Added OpenAPI 3 through flag --oas3 supporting import, export, mocking, and JSON schema. The previous Swagger 2.0 has received improvements as well.

Configuration

  • Flexible Configuration component upgrades Sprig from v2 to v3. This has changes in the way ^ is handled. Some new functions available are fromJson, addf, maxf, mulf, osBase, osDir, osExt, osClean, or osIsAbs.
  • Flexible Configuration with YAML or TOML is now possible.

🚀 Summary of changes for EEv2.2

The v2.2. introduces a new security policies engine, routing based on headers, OpenAPI 3, SOAP integration with custom body generation, everything on Community 2.2.1, and more.

Upgrading to the latest version is always advised.

Scarf

Stay up to date with KrakenD releases and important updates