Control Plane Groups

Uses: Kong Gateway Admin API Konnect API

What is a Control Plane Group?

A Control Plane Group is a read-only Control Plane that combines configuration from its members, which are standard Control Planes. All of the standard Control Planes within a Control Plane Group share the same cluster of Data Plane nodes.

The following diagram illustrates using a Control Plane Group for a federated platform administrator model:

 
flowchart LR
  A(Team Blue)
  B(Team Green)
  C(Control Plane Blue)
  D(Control Plane Purple
    global config)
  E(Control Plane Green)
  F(Data Plane nodes)
  G(Data Plane nodes)

  A -- deck gateway sync --> C
  B -- deck gateway sync --> E

  subgraph id1 ["`**KONNECT ORG**`"]
    subgraph id2 [
Control Plane Group Steel]
    C
    D
    E
    end
  end

  id2 -- Get config from 
  Control Plane Group
  Steel--> F & G

  subgraph id3 [Data centers]
  F
  G
  end

In this diagram:

Team Blue configures Control Plane Blue, which is then combined with the configuration from Team Green.
The Control Plane Group also contains Control Plane Purple, which is managed by a central platform team.
The central platform team manages global plugin configuration in Control Plane Purple, which is added to any configuration that teams Blue and Green provide.

How do I create a Control Plane Group?

In Konnect, Control Plane Groups can be created using the Control Planes API.

curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes" \
     -H "Authorization: Bearer $KONNECT_TOKEN"\
     -H "Content-Type: application/json" \
     --json '{
       "name": "CPG",
       "cluster_type": "CLUSTER_TYPE_CONTROL_PLANE_GROUP"
     }'

How do I attach Control Planes to a Control Plane Group?

Once you have a Control Plane Group, you can add Control Planes to the Group using the Konnect UI or API.

curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_GROUP_ID/group-memberships/add" \
     -H "Authorization: Bearer $KONNECT_TOKEN"\
     -H "Content-Type: application/json" \
     --json '{
       "members": [
         {
           "id": "062e2f2c-0f42-4938-91b4-f73f399260f5"
         }
       ]
     }'

Configuring Gateway entities

There are some special cases and behaviors to note for Gateway entities in a Control Plane Group.

All entities in a Control Plane Group must have unique names and IDs. For example, if two members of a Control Plane Group both have a Service named example_service, it will cause a conflict which must be resolved to restore function.

A number of Kong Gateway entities can be associated with each other. Based on the type of association, the behavior of these associated entities in a Control Plane Group follows one of these patterns:

If the entity relationship is referenced by ID, associations remain constrained to the behavior of the individual Control Plane.
If the entity relationship is referenced by a string, then associations across one or more member Control Planes are possible.

Entity	Associated Entity	Type of Association
Service	Route	By ID
Upstream	Target	By ID
Certificate	SNI	By ID
Consumer	Credential	By ID
Consumer	Consumer Group	By ID
Consumer	ACL group	By string
Consumer Groups	Plugin	By string
Plugin (Non-Global)	Service, Route, Consumer	By ID
Global plugin	Control Plane	By Control Plane
Key	Key set	By ID
Vault	Control plane	By Control Plane
deGraphQL Route	Service	By ID
GraphQL Rate Limiting cost decoration	Service	By ID

The Kong Gateway resource associated with an entity must be part of the same standard Control Plane as the entity.

Entity-specific behavior exceptions

The following are exceptions to the entity behavior:

Entity	Behavior in Control Plane Groups
Consumers	A Consumer from a standard Control Plane becomes a Consumer of the Control Plane Group once the Control Plane joins the group. The Consumer’s authentication credentials also become valid for the Control Plane Group. However, a Consumer ID from one member cannot be used for authorization in another member.
Consumer Groups	Only Consumers from the same Control Plane can be added to a Consumer Group. In the Rate Limiting Advanced plugin, Consumer Group names can reference groups from other Control Plane Group members.
Vaults	Vault prefixes must be unique. When a Vault from a standard Control Plane joins a Control Plane Group, it becomes available to the whole group. Entity fields can reference secrets in Vaults from other members of the Control Plane Group.
Global plugins	A globally scoped plugin in a standard Control Plane remains globally scoped within the Control Plane Group. It affects the entire group. For example, you cannot install two instances of the Rate Limiting plugin in the same Control Plane Group. Note: If you want to limit which users can apply global plugins, add all global plugins into a single Control Plane, and then grant access to only your limited set of users. If any other member Control Planes add a global plugin to their configuration, a conflict will result and prevent the changed configuration from being applied.

Control Plane conflicts

When combining configurations from individual Control Planes into a Control Plane Group you may receive conflict errors in Konnect, for example:

Conflicts have been detected between these Control Planes: 
CONTROL-PLANE-EXAMPLE
CONTROL-PLANE-ANOTHER-EXAMPLE

The Control Plane won’t update a Data Plane configuration until the conflict is resolved. Review the following table of common issues and potential fixes:

Conflict	Description	Action
Duplicate names across Control Plane Group members	Same entity name exists in multiple member Control Planes.	Remove or rename one of the conflicting entities.
Shared credentials across Control Plane Group members	Credentials from one member can authenticate across the group.	Remove shared credentials if cross-access is not desired.
ACL group names across Control Plane Group members	ACL group names are shared across members.	Remove or rename duplicate ACL groups if isolation is needed.
Consumer groups across Control Plane Group members	Consumer group names are shared across members.	Remove or rename duplicates if isolation is needed.
decK dump with duplicate names found	`deck gateway dump` fails on duplicate names.	Remove or rename duplicate entities.
Reference by name vs reference by ID	ID-based references don’t work across Control Planes, string-based ones do.	Use string references, or remove conflicting entities.
Multiple instances of the same global plugin	Only one global plugin instance is allowed in the group.	Remove duplicates or assign unique instance names.

FAQs

How is a Control Plane Group different from a standard Control Plane?

In a standard Control Plane, each team manages its own Data Plane nodes. In a Control Plane Group, multiple Control Planes are combined, and their configurations are merged and applied to shared Data Plane nodes.

Can teams still manage their own configurations in a Control Plane Group?

Yes. Each team continues to administer its own Control Plane, but configurations are merged and pushed to shared Data Plane nodes through the Control Plane Group.

How many Control Planes can be in a Control Plane Group?

A Control Plane Group can have up to 256 Control Planes, with a limit of 50 added or removed at a time.

Can a standard Control Plane be part of more than one Control Plane Group?

Yes, a standard Control Plane can belong to up to 5 Control Plane Groups.

Can members of a Control Plane Group have their own Data Plane nodes?

No. Only the Control Plane Group itself manages Data Plane nodes. Member Control Planes must not have any connected Data Plane nodes when added.

What happens if multiple Control Planes have entities with the same name or ID?

This creates a conflict that must be resolved. All entities in a Control Plane Group must have unique names and IDs.

Are there any special behaviors for specific entities in a Control Plane Group?

Yes. For example, a Consumer’s credentials become valid across the group, and Vaults from one Control Plane can be accessed by others in the group. Global plugins affect the entire group.

How do entity associations work in a Control Plane Group?

Associations by ID are constrained to their originating Control Plane. Associations by string can span multiple member Control Planes.

Can a Control Plane Group be configured directly?

No. Control Plane Groups are read-only. Configuration changes must be made through a member Control Plane. The only exceptions are generating or uploading Data Plane node certificates and connecting Data Plane nodes.

How do I migrate a Control Plane configuration into a Control Plane Group?

Using decK, you can export the configuration of the Control Plane and sync it with the group:

Export the configuration of the old Control Plane using deck gateway dump:

deck gateway dump \
   -o old-group.yaml \
   --konnect-token $KONNECT_TOKEN \
   --konnect-control-plane-name old-group

Sync the configuration to the Control Plane Group:

deck gateway sync old-group.yaml \
   --konnect-token $KONNECT_TOKEN \
   --konnect-control-plane-name CP1

Can a Control Plane Group contain another Control Plane Group?

No. A Control Plane Group cannot be a member of another Control Plane Group.

Can Kong Ingress Controller Control Planes join a Control Plane Group?

No. Kong Ingress Controller Control Planes cannot be part of a Control Plane Group.

What happens if Control Plane configurations conflict in a group?

Even if configurations conflict and can’t be merged, the Control Plane Group is still created. Conflict detection only occurs after a Data Plane node is connected.