2023 Interview Questions for Kong API developer Role

 1. Versions are tied to a specific runtime group. Is it correct statement?

Yes, that statement is true. In Kong Konnect, each version of a Konnect Service is tied to a specific runtime group, which defines the environment where the service is deployed and executed. A runtime group is a logical grouping of Kong Gateways that share the same configuration, including plugins, authentication methods, and rate limiting settings. Each Konnect Service can be associated with one or more runtime groups, and the service can be deployed to any Kong Gateway that belongs to those runtime groups. This allows for flexible deployment options, such as deploying a service to multiple geographically dispersed data centers or deploying a service to a specific subset of Kong Gateways based on traffic routing and performance requirements.

2. API Spec cannot be published to Dev portal directly from the Service Hub. Is it correct statement?

Yes, that statement is true. In Kong Konnect, the API specifications for a Konnect Service are defined using an OpenAPI specification, and the specifications can be managed and versioned in the Service Hub. However, the API specifications cannot be published directly to the Developer Portal from the Service Hub. Instead, the API specifications must be published to the Developer Portal from a connected Kong Gateway that has the Developer Portal plugin installed and configured.

3. A runtime instance stores its configuration in the cache and does not need a database. Is it correct statement?

No, that statement is not entirely true. While it is true that a runtime instance in Kong Konnect stores some of its configuration in the cache, it still needs to access a database to retrieve other information, such as consumer credentials and plugin configurations.

4. Data plane cannot continue to run if the control plane goes down. Is it correct statement?

No, that statement is not entirely true. In Kong, the control plane and data plane are designed to operate independently, which means that the data plane can continue to run even if the control plane goes down.

5. What are the steps to automate in Kong's APIOPS?

Kong's APIOps provides a framework for automating the entire API lifecycle. Some of the steps that can be automated using Kong's APIOps are:

API Design: Using API definition languages like OpenAPI or Kong's native DSL to define the API specifications.

Code Generation: Generating server-side stubs and client-side SDKs based on the API specifications.

Testing: Automated testing of APIs to ensure they meet the requirements and behave as expected.

Security: Configuring and enforcing security policies like OAuth2, JWT, and rate limiting.

Deployment: Automated deployment of API gateways and proxies to multiple environments like development, staging, and production.

Scaling: Automatically scaling the API infrastructure to meet demand by deploying additional nodes or containers.

Monitoring: Collecting and analyzing API metrics and logs to identify performance bottlenecks, errors, and security issues.

Alerting: Setting up alerts and notifications based on pre-defined thresholds and conditions to notify stakeholders of issues or potential issues.

Top 5 Kong Interview Questions

 1. What are the two main categories of metric provided by Vitals?

Vitals is a plugin for Kong that provides monitoring and analytics capabilities. The two main categories of metric provided by Vitals are:

System metrics: These are metrics related to the underlying system on which Kong is running, such as CPU usage, memory usage, and network activity. These metrics are used to monitor the health and performance of the system and to detect any potential issues or bottlenecks.

Kong-specific metrics: These are metrics related to the Kong API Gateway itself, such as the number of requests processed, the latency of requests, and the status of plugins. These metrics provide insight into the performance and usage of Kong and can be used to optimize the gateway for specific workloads or to troubleshoot issues that may arise.

2. Which is the method for load balancing in Kong?

Kong provides several load balancing methods, including:

Round-robin: In this method, requests are distributed evenly among the available upstream servers in a sequential manner.

Least connections: In this method, requests are sent to the upstream server with the least number of active connections.

IP Hash: In this method, requests are sent to the same upstream server based on the client's IP address. This can be useful for maintaining session affinity.

Consistent Hash: In this method, requests are distributed based on a consistent hash algorithm, which allows for better cache utilization and improved resilience to upstream server failures.

Random: In this method, requests are distributed randomly among the available upstream servers.

3. What are the components of Kong Konnect?

Kong Konnect is a cloud-native service connectivity platform that provides several components, including:

Kong Gateway: This is a highly performant, cloud-native API gateway that provides traffic management, security, and observability features.

Kong Studio: This is a collaborative, web-based IDE for designing, testing, and publishing APIs. It includes a visual editor for OpenAPI and GraphQL schemas, a built-in mock server for testing, and integration with Kong Gateway for publishing.

Kong Immunity: This is a cloud-native, AI-driven security solution that provides protection against OWASP Top 10 threats, including SQL injection, cross-site scripting (XSS), and more.

Kong Vitals: This is a real-time API analytics and observability solution that provides insights into API traffic, performance, and errors.

Kong Dev Portal: This is a customizable developer portal that provides API documentation, code samples, and other resources for API consumers.

Kong Manager: This is a centralized management console for administering Kong Konnect components, including Kong Gateway, Kong Studio, Kong Immunity, Kong Vitals, and Kong Dev Portal.

4. Every application service to be managed through Konnect Runtime needs to be represented by a Konnect Service in Service Hub. Is it correct statement?

The statement "Every application service to be managed through Konnect Runtime needs to be represented by a Konnect Service in Service Hub" is true. 

5. Konnect services can have multiple versions active simultaneously. Is it correct statement?

Yes, that statement is true. Konnect Services in Service Hub can have multiple versions active simultaneously, which enables teams to deploy and manage new versions of an application service without affecting the existing versions that are currently serving production traffic. This also allows for A/B testing, blue-green deployment, and gradual rollout strategies. Each version of a Konnect Service is represented by a unique version identifier, and traffic can be routed to specific versions of a Konnect Service based on routing rules and traffic splitting configurations.

Top 10 Interview Questions for KONG

 1. Workspaces enable traffic segmentation and allow teams of Admins to share the same Kong cluster but only interact with entities from their groups. Delegated Administration of the Gateway can be achieved by adding administrators to 'Teams', then assigning these Teams to 'workspaces’?

Yes, that is correct! Workspaces in Kong enable traffic segmentation and provide a way for different teams of administrators to share the same Kong cluster while interacting only with entities from their respective groups. This is achieved by adding administrators to teams and then assigning these teams to specific workspaces.

With workspaces, each team can have its own isolated environment to manage their services, routes, plugins, and other entities without interfering with other teams' workspaces. This helps to maintain the security, stability, and performance of the Kong cluster, while also streamlining the workflow of different teams.

In addition, workspaces also provide delegated administration capabilities, where the owner of a workspace can delegate certain privileges and permissions to other administrators in their team, without giving them full access to the entire Kong cluster. This allows for finer-grained access control and enhances the security of the Kong environment.

2. What is the default entity used for aggregating limits in the rate limiting advanced plugin?

The default entity used for aggregating limits in the rate limiting advanced plugin of Kong is the consumer.

By default, Kong applies rate limits based on the consumer entity, which represents the client making the request to the API. The consumer can be identified by a unique key such as an API key, an OAuth2 client ID, or a JWT token.

When a request is made to an API that has rate limiting enabled, Kong checks the current rate limit status of the consumer. If the consumer has exceeded their rate limit, Kong will return an HTTP 429 Too Many Requests response.

However, it is worth noting that the rate limiting advanced plugin in Kong provides a lot of flexibility and can be configured to use different entities for rate limiting, such as IP address, URL, or headers, depending on your specific use case. This can be achieved by configuring the plugin with the appropriate limit_by parameter.

3. What types of authorization does Kong provide?

Kong provides several types of authorization mechanisms that can be used to secure your APIs (Application Programming Interfaces). Some of the most used authorization plugins in Kong include:

Key Authentication: This plugin provides a simple authentication mechanism using a secret key that must be included in the request headers.

JWT Authentication: This plugin allows authentication using JSON Web Tokens (JWTs) that contain user information and are signed with a secret key.

OAuth2 Authentication: This plugin allows clients to authenticate and obtain access tokens using the OAuth2 protocol, which is widely used for delegated authorization.

ACL Authorization: This plugin allows you to define access control lists (ACLs) that determine which consumers can access specific APIs or routes.

RBAC Authorization: This plugin provides role-based access control (RBAC) capabilities, where different users or groups can be assigned specific roles that determine their access privileges to APIs or routes.

Mutual TLS Authentication: This plugin enables mutual authentication using Transport Layer Security (TLS) certificates, which helps to secure communication between clients and servers.

OpenID Connect: This plugin enables authentication using the OpenID Connect (OIDC) protocol, which is built on top of OAuth2 and provides additional identity verification features.

By using these authorization plugins, Kong provides a flexible and customizable way to secure your APIs and manage access control in a scalable and centralized manner.

4. You must specify a service for a plugin?

Yes, in Kong, you must specify a service for a plugin to associate the plugin with a specific service.

A plugin is a module that can be added to Kong to add functionality to the API Gateway. Plugins can be added to services, routes, or globally. When a plugin is added to a service or route, it only affects that specific service or route. When a plugin is added globally, it affects all services and routes.

When adding a plugin to a service or route, you need to specify the service or route ID to associate the plugin with the desired service or route. This can be done using the Kong Admin API, the Kong Dashboard, or by specifying the service or route ID in the configuration file for the plugin.

For example, if you want to add the rate-limiting plugin to a specific service in Kong, you will need to specify the service ID in the plugin configuration. Here is an example of how this can be done using the Kong Admin API.

5. Plugins can be applied globally or scoped to specific services or routes?

Yes, that is correct! In Kong, plugins can be applied globally or scoped to specific services or routes.

When a plugin is added globally, it is applied to all incoming requests that pass through the Kong API Gateway. This means the plugin will affect all services and routes configured in Kong. Global plugins are typically used for cross-cutting concerns that apply to all APIs or routes, such as security, logging, or traffic management.

When a plugin is scoped to a specific service or route, it only affects requests that are directed to that service or route. This allows you to add specific functionality or behavior to individual APIs or routes, without affecting other APIs or routes in the system. Scoped plugins are typically used for API-specific concerns, such as authentication, rate limiting, or transformation.

To add a plugin globally, you can add it to the http section in the Kong configuration file or use the Kong Admin API to add the plugin with no service or route ID specified. 

6. You must specify a route for a plugin?

Yes, that is correct. In Kong, when you add a plugin, you must specify a route for the plugin to associate it with a specific API route.

A route is a collection of rules used to match incoming requests to a specific upstream service. Each route is associated with a specific service and defines which requests should be forwarded to that service based on criteria such as the request path or headers.

When you add a plugin to a route, it only affects the requests that match that route. This allows you to add specific functionality or behavior to individual API routes, without affecting other routes in the system.

To add a plugin to a route, you can use the Kong Admin API or the Kong Dashboard. 

7. are plugins applied globally?

Yes, plugins can be applied globally in Kong. When a plugin is added globally, it is applied to all incoming requests that pass through the Kong API Gateway. This means the plugin will affect all services and routes configured in Kong. Global plugins are typically used for cross-cutting concerns that apply to all APIs or routes, such as security, logging, or traffic management.

Adding a plugin globally allows you to apply the same functionality or behavior to all APIs or routes in your Kong installation without having to add the plugin to each individual service or route. However, it is important to note that global plugins may not always be appropriate, especially if you have APIs with conflicting requirements or if you need to apply different configurations to different APIs. In these cases, you can use service-level or route-level plugins instead.

8. Which is a mandatory section of an OpenAPI specification?

The openapi section is a mandatory section of an OpenAPI specification. It is used to specify the version of the OpenAPI Specification that is being used and to provide basic information about the API, such as its title, version, and description.

9. Route, path, services, plugin, which of the following is a mandatory section of an OpenAPI specification?

The mandatory sections of an OpenAPI specification are:

openapi: This section specifies the version of the OpenAPI Specification being used, and it should always be the first section in the specification.

info: This section provides basic information about the API, such as its title, version, and description.

paths: This section defines the individual endpoints of the API and their operations.

10. What is the command to validate an OpenAPI specification?

inso lint is a command that is used to check an Insomnia Core workspace for potential issues and best practices violations. Insomnia Core is a popular REST API client that allows developers to test and debug APIs. With inso lint, developers can use Insomnia Core workspaces to improve the quality and consistency of their API testing.