You are browsing documentation for an older version. See the latest documentation here.

MeshTrafficPermission

This policy uses new policy matching algorithm. Do not combine with TrafficPermission.

Mutual TLS has to be enabled to make MeshTrafficPermission work.

The MeshTrafficPermission policy provides access control within the Mesh. It allows you to define granular rules about which services can communicate with each other.

TargetRef support matrix

Sidecar

Builtin Gateway

Delegated Gateway

`targetRef`	Allowed kinds
`targetRef.kind`	`Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset`
`from[].targetRef.kind`	`Mesh`, `MeshSubset`, `MeshServiceSubset`

If you don’t understand this table you should read matching docs.

Configuration

Action

Kong Mesh allows configuring one of 3 actions for a group of service’s clients:

Allow - allows incoming requests matching the from targetRef.
Deny - denies incoming requests matching the from targetRef
AllowWithShadowDeny - same as Allow but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.

Examples

Service ‘payments’ allows requests from ‘orders’

        
          Kubernetes
        
      

        
          Universal
        
      

    
      apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-orders
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: payments
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/service: orders
    default:
      action: Allow

    
      type: MeshTrafficPermission
name: allow-orders
mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: payments
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/service: orders
    default:
      action: Allow

    
  

Explanation

Top level targetRef selects data plane proxies that implement payments service. MeshTrafficPermission allow-orders will be configured on these proxies.
```
 targetRef: # 1
   kind: MeshService
   name: payments
```
TargetRef inside the from array selects proxies that implement order service. These proxies will be subjected to the action from default.action.
```
 - targetRef: # 2
     kind: MeshSubset
     tags: 
       kuma.io/service: orders
```
The action is Allow. All requests from service orders will be allowed on service payments.
```
 default: # 3
   action: Allow
```

Deny all

        
          Kubernetes
        
      

        
          Universal
        
      

    
      apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-all
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Deny

    
      type: MeshTrafficPermission
name: deny-all
mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Deny

    
  

Explanation

Top level targetRef selects all proxies in the mesh.
```
 targetRef: # 1
   kind: Mesh
```
TargetRef inside the from array selects all clients.
```
 - targetRef: # 2
     kind: Mesh
```
The action is Deny. All requests from all services will be denied on all proxies in the default mesh.
```
 default: # 3
   action: Deny
```

Allow all

        
          Kubernetes
        
      

        
          Universal
        
      

    
      apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-all
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Allow

    
      type: MeshTrafficPermission
name: allow-all
mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Allow

    
  

Explanation

Top level targetRef selects all proxies in the mesh.
```
 targetRef: # 1
   kind: Mesh
```
targetRef inside the element of the from array selects all clients within the mesh.
```
 - targetRef: # 2
     kind: Mesh
```
The action is Allow. All requests from all services will be allow on all proxies in the default mesh.
```
 default: # 3
   action: Allow
```

Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

        
          Kubernetes
        
      

        
          Universal
        
      

    
      apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: example-with-tags
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/zone: us-east
    default:
      action: Allow
  - targetRef:
      kind: MeshSubset
      tags:
        env: dev
    default:
      action: Deny

    
      type: MeshTrafficPermission
name: example-with-tags
mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/zone: us-east
    default:
      action: Allow
  - targetRef:
      kind: MeshSubset
      tags:
        env: dev
    default:
      action: Deny

    
  

Explanation

Top level targetRef selects all proxies in the mesh.
```
 targetRef: # 1
   kind: Mesh
```
TargetRef inside the from array selects proxies that have label kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.
```
 - targetRef: # 2
     kind: MeshSubset
     tags:
       kuma.io/zone: us-east
```
The action is Allow. All requests from the zone us-east will be allowed on all proxies.
```
 default: # 3
   action: Allow
```
TargetRef inside the from array selects proxies that have tags kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.
```
 - targetRef: # 4
     kind: MeshSubset
     tags:
       env: dev
```
The action is Deny. All requests from the env dev will be denied on all proxies.
```
 default: # 5
   action: Deny
```

Order of rules inside the from array matters. Request from the proxy that has both kuma.io/zone: east and env: dev will be denied. This is because the rule with Deny is later in the from array than any Allow rules.

All policy options

Spec is the specification of the Kuma MeshTrafficPermission resource.

Type: object

Properties

from
- From list makes a match between clients and corresponding configurations
- Type: array
  - Items
  - Type: object
  - Properties
    - default
      - Default is a configuration specific to the group of clients referenced in'targetRef'
      - Type: object
      - Properties
        
        action
        
        Action defines a behavior for the specified group of clients:
        
        Type: string
        
        The value is restricted to the following:
        
        "Allow"
        
        "Deny"
        
        "AllowWithShadowDeny"
    - targetRef required
      - TargetRef is a reference to the resource that represents a group ofclients.
      - Type: object
      - Properties
        
        kind
        
        Kind of the referenced resource
        
        Type: string
        
        The value is restricted to the following:
        
        "Mesh"
        
        "MeshSubset"
        
        "MeshGateway"
        
        "MeshService"
        
        "MeshExternalService"
        
        "MeshServiceSubset"
        
        "MeshHTTPRoute"
        
        labels
        
        Labels are used to select group of MeshServices that match labels. Either Labels orName and Namespace can be used.
        
        Type: object
        
        This schema accepts additional properties.
        
        Properties
        
        mesh
        
        Mesh is reserved for future use to identify cross mesh resources.
        
        Type: string
        
        name
        
        Name of the referenced resource. Can only be used with kinds: MeshService,MeshServiceSubset and MeshGatewayRoute
        
        Type: string
        
        namespace
        
        Namespace specifies the namespace of target resource. If empty only resources in policy namespacewill be targeted.
        
        Type: string
        
        proxyTypes
        
        ProxyTypes specifies the data plane types that are subject to the policy. When not specified,all data plane types are targeted by the policy.
        
        Type: array
        
        Item Count: ≥ 1
        
        Items
        
        Type: string
        
        The value is restricted to the following:
        
        "Sidecar"
        
        "Gateway"
        
        sectionName
        
        SectionName is used to target specific section of resource.For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
        
        Type: string
        
        tags
        
        Tags used to select a subset of proxies by tags. Can only be used with kindsMeshSubset and MeshServiceSubset
        
        Type: object
        
        This schema accepts additional properties.
        
        Properties
targetRef required
- TargetRef is a reference to the resource the policy takes an effect on.The resource could be either a real store object or virtual resourcedefined inplace.
- Type: object
- Properties
  - kind
    - Kind of the referenced resource
    - Type: string
    - The value is restricted to the following:
      1. "Mesh"
      2. "MeshSubset"
      3. "MeshGateway"
      4. "MeshService"
      5. "MeshExternalService"
      6. "MeshServiceSubset"
      7. "MeshHTTPRoute"
  - labels
    - Labels are used to select group of MeshServices that match labels. Either Labels orName and Namespace can be used.
    - Type: object
    - This schema accepts additional properties.
    - Properties
  - mesh
    - Mesh is reserved for future use to identify cross mesh resources.
    - Type: string
  - name
    - Name of the referenced resource. Can only be used with kinds: MeshService,MeshServiceSubset and MeshGatewayRoute
    - Type: string
  - namespace
    - Namespace specifies the namespace of target resource. If empty only resources in policy namespacewill be targeted.
    - Type: string
  - proxyTypes
    - ProxyTypes specifies the data plane types that are subject to the policy. When not specified,all data plane types are targeted by the policy.
    - Type: array
    - Item Count: ≥ 1
      - Items
      - Type: string
      - The value is restricted to the following:
        
        "Sidecar"
        
        "Gateway"
  - sectionName
    - SectionName is used to target specific section of resource.For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
    - Type: string
  - tags
    - Tags used to select a subset of proxies by tags. Can only be used with kindsMeshSubset and MeshServiceSubset
    - Type: object
    - This schema accepts additional properties.
    - Properties

Generated with json-schema-md-doc Tue May 13 2025 08:54:09 GMT+0000 (Coordinated Universal Time)