You are browsing documentation for an outdated version. See the
latest documentation here.
Non-mesh traffic
Incoming
When mTLS is enabled, clients from outside the mesh can’t reach the applications inside the mesh.
If you want to allow external clients to consume mesh services see
the Permissive mTLS mode.
Without
Transparent Proxying
TLS check on Envoy can be bypassed. You should take action to secure the application ports.
Outgoing
In its default setup, Kong Mesh allows any non-mesh traffic to pass Envoy without applying any policy.
For instance if a service needs to send a request to http://example.com,
all requests won’t be logged even if a traffic logging is enabled in the mesh where the service is deployed.
The passthrough mode is enabled by default on all the dataplane proxies in transparent mode in a Mesh.
This behavior can be changed by setting the networking.outbound.passthrough in the Mesh resource. Example:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
name: default
spec:
networking:
outbound:
passthrough: false
type: Mesh
name: default
networking:
outbound:
passthrough: false
When networking.outbound.passthrough is false, no traffic to any non-mesh resource can leave the Mesh.
Before setting networking.outbound.passthrough to false, double-check Envoy stats that no traffic is flowing through pass_through cluster.
Otherwise, you will block the traffic which may cause the instability of the system.
Policies don’t apply to non-mesh traffic
If you need to change configuration for non-mesh traffic
you can use a ProxyTemplate.
Circuit Breaker
Default values:
maxConnections: 1024
maxPendingRequests: 1024
maxRequests: 1024
maxRetries: 3
Proxy Template to change the defaults:
apiVersion: kuma.io/v1alpha1
kind: ProxyTemplate
mesh: default
metadata:
name: custom-template-1
spec:
selectors:
- match:
kuma.io/service: "*"
conf:
imports:
- default-proxy
modifications:
- cluster:
operation: patch
match:
name: "outbound:passthrough:ipv4"
value: |
circuit_breakers: {
thresholds: [
{
max_connections: 2048,
max_pending_requests: 2048,
max_requests: 2048,
max_retries: 4
}
]
}
type: ProxyTemplate
mesh: default
name: custom-template-1
selectors:
- match:
kuma.io/service: "*"
conf:
imports:
- default-proxy
modifications:
- cluster:
operation: patch
match:
name: "outbound:passthrough:ipv4"
value: |
circuit_breakers: {
thresholds: [
{
max_connections: 2048,
max_pending_requests: 2048,
max_requests: 2048,
max_retries: 4
}
]
}
Timeouts
Default values:
connectTimeout: 10s
tcp:
idleTimeout: 1h
Proxy Template to change the defaults:
apiVersion: kuma.io/v1alpha1
kind: ProxyTemplate
mesh: default
metadata:
name: custom-template-1
spec:
selectors:
- match:
kuma.io/service: "*"
conf:
imports:
- default-proxy
modifications:
- cluster:
operation: patch
match:
name: "outbound:passthrough:ipv4"
value: |
connect_timeout: "99s"
- networkFilter:
operation: patch
match:
name: "envoy.filters.network.tcp_proxy"
listenerName: "outbound:passthrough:ipv4"
value: |
name: envoy.filters.network.tcp_proxy
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
idleTimeout: "3h"
type: ProxyTemplate
mesh: default
name: custom-template-1
selectors:
- match:
kuma.io/service: "*"
conf:
imports:
- default-proxy
modifications:
- cluster:
operation: patch
match:
name: "outbound:passthrough:ipv4"
value: |
connect_timeout: "99s"
- networkFilter:
operation: patch
match:
name: "envoy.filters.network.tcp_proxy"
listenerName: "outbound:passthrough:ipv4"
value: |
name: envoy.filters.network.tcp_proxy
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
idleTimeout: "3h"
