About Mesh Manager
Mesh Manager in Kong Konnect allows you to create, manage, and view your Kong Mesh service meshes using the Konnect platform.
A global control plane is a managed central component that stores and distributes all of the configuration and policies for your meshes and services to local zones.
Global control planes are responsible for validating and accepting connections from local zone control planes, and distributing the appropriate configuration down to each local zone as required.
They also serve as targets for all
kumactl CLI operations when manipulating resources and configuration within the mesh deployment.
Figure 1: Kong Mesh can support multiple zones (like a Kubernetes cluster, VPC, data center, etc.) together in the same distributed deployment. Then, you can create multiple isolated virtual meshes with the same control plane to support every team and application in the organization.
Mesh Manager is ideal for organizations who want to have one or more global control planes that allow you to run your mesh deployments across multiple zones. You can run a mix of Kubernetes and Universal zones. Your mesh deployment environments can include multiple isolated meshes for multi-tenancy, with workloads running in different regions, on different clouds, or in different data-centers.
Here are a few benefits of creating a mesh deployment in Konnect instead of using a self-managed setup:
Kong-managed global control plane: By creating your mesh in Konnect, your global control plane is managed by Kong.
All entities in one place: You can view all your information, such as entities from Kong Ingress Controller (KIC) for Kubernetes, Konnect-managed entities, and now service mesh data, all from one central platform.
Managed UI wizard setup: Konnect simplifies the process of creating a mesh by providing a setup wizard in the UI that guides you through the configuration steps.
Create a mesh
Creating a fully-functioning Kong Mesh deployment in Konnect involves the following steps:
- Create the global control plane in Konnect by going to Mesh Manager.
- Add and configure a zone for your control plane from the mesh global control plane dashboard.
kumactl to connect to your global control plane following the wizard in the UI.
- Add services to your mesh.
- If you’re using Kubernetes, you must add the kuma.io/sidecar-injection label to the namespace or deployments you want to bring into the mesh. This will automatically enable and register the service pods in the mesh.
- If you are using universal, you must create a dataplane definition, pass it to the
kuma-dp run command on a virtual machine, and point it to the local zone control plane.
Mesh zones are priced based on consumption. For more information about the pricing and consumption of zones, see Kong’s Pricing page.
Supported installation options
Konnect supports the following installation options for Kong Mesh zones:
- Amazon Linux
- Red Hat
View service mesh entities
After your mesh is deployed in Kong Mesh, Mesh Manager displays the following information for each control plane:
Figure 1: Example control plane dashboard with several zones and services, a service mesh, and data plane proxies.
Mesh Manager RBAC
Mesh Manager has its own role-based access control (RBAC) settings that are separate from the Konnect RBAC settings. The Mesh Manager RBAC settings are specific to the meshes and mesh policies in Mesh Manager.
To completely configure RBAC for Mesh Manager, you must configure both roles and role bindings.
Role: Determines what resources a user or group has access to
Role binding: Determines which users or groups are assigned to a particular role
The Admin role and role binding is automatically created for you. The admin role can be used for the service mesh operators who are part of infrastructure team responsible for Kong Mesh deployment.
Access roles specify access levels and resources to which access is granted. Access is only defined for write operations. Read access is available to all users who have the Konnect Mesh global control plane
Viewer role. Access roles define roles that are assigned separately to users and groups/teams using access role bindings. They are scoped globally, which means they aren’t bound to a mesh.
For more information about how to configure the key mappings and RBAC settings, see Role-Based Access Control in the Kong Mesh documentation.
|Kong Mesh key
|The resource type. For role binding, this should be
|Name for the role that you want to display in the Konnect UI.
|The type of subject you want to bind the role to. This must be either
User, this should be the Konnect email address associated with them. When
Group, this should be the name of the Konnect team you want to bind the role to.
|List of roles that you want to assign to the users or groups/teams.