-
Kong Mesh
Learn how Kong Mesh works and how to configure it.
-
About service meshes
Overview of service mesh concepts and how Kong Mesh simplifies secure and reliable service-to-service communication using sidecar proxies and a Control Plane.
-
Mesh policies
Bundled features for your service traffic and network configuration.
-
Mesh release notes
Release notes for supported Kong Mesh versions.
-
Enterprise features
Explore the features included with Kong Mesh Enterprise, including mTLS backends, RBAC, FIPS support, and signed container images.
All Mesh Documentation
Overview
Install & Configure
-
Kong Mesh quickstart
Run an instance of Kong Mesh in Universal mode with one command.
-
Requirements
Learn about the requirements for running Kong Mesh, including supported platforms, sizing guidelines, and Kubernetes setup.
-
Deploy Kong Mesh on Universal
Guide to deploying Kong Mesh in Universal mode using Docker containers. Walks through installing the Control Plane, adding demo services, enabling mTLS, and configuring gateways.
-
Deploy Kong Mesh on Kubernetes
Step-by-step guide to deploy Kong Mesh on Kubernetes using Helm and Minikube. Includes demo app setup, GUI exploration, and enabling mTLS for zero-trust security.
-
Kong Mesh on Amazon ECS
Learn how to deploy Kong Mesh on Amazon ECS with IAM-based authentication and Universal mode support for Fargate and EC2.
-
Get started with Red Hat OpenShift and Kong Mesh
This guide explains how to get started on Kong Mesh with Red Hat OpenShift, including installation, sidecar setup, and running a demo app.
-
Red Hat Universal Base Images
Use Red Hat Universal Base Images (UBI) for running Kong Mesh components, available alongside standard Alpine-based images.
-
Deploy Kong Mesh using Terraform and Konnect
Learn how to provision a Global Control Plane, Mesh, and Kubernetes zone for Kong Mesh using Terraform and Konnect.
-
Konnect Kong Mesh deployment to Terraform
This guide explains how to import an existing Konnect Kong Mesh deployment into Terraform.
-
Mesh Manager
Manage service meshes and Control Planes in Konnect.
How Mesh Works
-
Concepts
Understand the core concepts of Kong Mesh, including the Control Plane, Data Plane proxies, inbounds and outbounds, and resources like policies.
-
Architecture
Understand the architecture of a Kong Mesh mesh, including control and Data Plane components, Kubernetes and Universal modes, and how services integrate into the mesh.
-
How ingress works
Overview of how ingress (north/south) traffic flows through delegated and built-in gateways in Kong Mesh, with visuals and key differences.
-
Service discovery
Explains how Kong Mesh handles service discovery and communication between Data Plane and Control Plane in single-zone and multi-zone deployments.
-
Configuring your Mesh and multi-tenancy
Learn how to create and configure isolated service meshes using the Mesh resource in Kong Mesh, supporting multi-tenancy and gradual adoption.
-
Single-zone deployment
Run Kong Mesh in a single zone with a standalone Control Plane and interconnected Data Plane proxies.
-
Multi-zone deployment
Group equivalent MeshServices across zones and expose a unified, zone-agnostic service with global failover capabilities.
-
Kong Mesh user interface (GUI)
Visual overview of your meshes, Data Planes, and policies using the Kong Mesh web-based GUI.
-
Kubernetes annotations and labels
Reference for all Kubernetes annotations and labels available in Kong Mesh, including sidecar injection, mesh association, transparent proxy settings, and metrics configuration.
-
Data plane proxy
Explanation of the components, behavior, and configuration of Data Plane proxies in Kong Mesh.
-
Data plane on Kubernetes
How to configure and operate Data Plane proxies on Kubernetes using Kong Mesh.
-
Data plane on Universal
How to run and configure Data Plane proxies on Universal mode with Kong Mesh.
Production Deployments
-
Kong Mesh license
Understand how licensing works in Kong Mesh, including limits, behaviors, and how to apply a license in both Kubernetes and Universal modes.
-
Deploy Kong Mesh in production with Helm
Deploy a production-grade Kong Mesh installation on Kubernetes using Helm charts for single zone, multi-zone, or federated environments.
Upgrade
-
Upgrade Kong Mesh
Reference guide for upgrading Kong Mesh across versions. Covers compatibility rules, upgrade order, and considerations for single-zone and multizone deployments.
-
Version specific upgrade notes
Version specific upgrade notes
-
Migration to the new policies
Migrate from old to new policies in Kong Mesh to improve flexibility and transparency.
Policies
-
Policies
Learn how policies in Kong Mesh configure Data Plane proxies by defining rules for traffic behavior, proxy targeting, and merging strategies. This reference covers `targetRef`, directional policies, producer/consumer scopes, and shadow mode simulation.
-
Producer and Consumer policies
Understand how producer and consumer policies work in Kong Mesh to control traffic at the namespace level. This guide walks through setup, roles, and overrides using real examples with MeshService and MeshTimeout.
-
External Service
The ExternalService policy allows services running inside the mesh to consume services that are not part of the mesh.
-
Mesh Health Check
This policy will look for errors in the live traffic being exchanged between our data plane proxies. It will mark a data
-
Mesh Timeout
Connection timeout specifies the amount of time DP will wait for a TCP connection to be established.
-
MeshAccessLog
With the MeshAccessLog policy you can easily set up access logs on every data plane proxy in a mesh.
-
MeshCircuitBreaker
This policy will look for errors in the live traffic being exchanged between our data plane proxies. It will mark a data
-
MeshFaultInjection
With the MeshFaultInjection policy you can easily test your microservices against resiliency.
-
MeshGlobalRateLimit Policy
This policy adds global rate limit support for Kong Mesh.
-
MeshHTTPRoute
The `MeshHTTPRoute` policy allows altering and redirecting HTTP requests depending on where the request is coming from and where it's going to.
-
MeshLoadBalancingStrategy
This policy enables Kong Mesh to configure the load balancing strategy for traffic between services in the mesh.
-
MeshMetric
Kong Mesh facilitates consistent traffic metrics across all data plane proxies in your mesh.
-
MeshOPA
Kong Mesh integrates the Open Policy Agent (OPA) to provide access control for your Services.
-
MeshPassthrough
This policy enables Kong Mesh to configure traffic to external destinations that is allowed to pass outside the mesh.
-
MeshProxyPatch
The `MeshProxyPatch` provides configuration options for low-level Envoy resources that Kong Mesh policies do not directly expose.
-
MeshRateLimit
This policy enables per-instance service request limiting. Policy supports rate limiting of HTTP/HTTP2 requests and TCP connections.
-
MeshRetry
This policy enables Kong Mesh to know how to behave if there are failed requests which could be retried.
-
MeshTCPRoute
The MeshTCPRoute policy allows you to alter and redirect TCP requests depending on where the request is coming from and where it’s going to.
-
MeshTLS
This policy enables Kong Mesh to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.
-
MeshTrace
This policy enables publishing traces to a third party tracing solution.
-
MeshTrafficPermission
The `MeshTrafficPermission` policy provides access control within Mesh.
-
ACM Private CA Policy
Configure Kong Mesh to use Amazon Certificate Manager as a Certificate Authority for mTLS, including setup steps and authentication options.
-
Kubernetes cert-manager CA policy
Use Kubernetes cert-manager as an mTLS backend for issuing Data Plane certificates in Kong Mesh.
-
MeshExternalService
Declare external resources that services in the mesh can consume, enabling TLS, routing, and hostname customization.
-
MeshMultiZoneService
Group MeshServices across zones into a single multizone service with zone-agnostic hostnames and load balancing.
-
MeshService
Define and manage services within the mesh, replacing kuma.io/service tags for clearer service targeting and routing.
-
HostnameGenerator
Customize hostnames for MeshService resources using templated HostnameGenerator policies.
-
HashiCorp Vault CA
Configure Kong Mesh to use HashiCorp Vault as a Certificate Authority for mTLS, including setup steps and authentication options.
Built-in Gateways
-
Add a builtin gateway
Deploy a built-in gateway in Kong Mesh to expose internal mesh services to external traffic. This guide walks through setting up MeshGatewayInstance and MeshGateway resources, defining routes with MeshHTTPRoute, configuring permissions, and securing the gateway with TLS.
-
Configure a built-in gateway
Overview and deployment guide for configuring a built-in gateway with Kong Mesh using MeshGateway, MeshGatewayInstance, and Dataplane resources in both Kubernetes and Universal environments.
-
Configuring built-in listeners
Reference for configuring built-in listeners using MeshGateway, including listener setup, TLS termination, hostnames, and cross-mesh support.
-
Configuring built-in routes
Reference for configuring HTTP and TCP routing through builtin gateways using MeshHTTPRoute and MeshTCPRoute, including hostname matching and weighted backends.
-
Kubernetes Gateway API
Expose your services to external traffic using the Kubernetes Gateway API with Kong Mesh. This guide walks through setting up a built-in gateway, defining routes, securing traffic with TLS, and configuring permissions.
-
Running built-in gateway pods on Kubernetes
Guide to running builtin gateway pods with MeshGatewayInstance in Kubernetes and customizing deployments and services.
-
Kubernetes Gateway API
How to use Kubernetes Gateway API with Kong Mesh, including support for built-in gateways, HTTP/TCP routing, TLS, GAMMA, and multi-zone limitations.
Delegated Gateways
-
Delegated gateways
Guide to configuring delegated gateways in Kong Mesh, allowing external API gateways to handle ingress while Kong Mesh manages egress to the mesh.
-
Use Kong as a delegated Gateway
Set up Kong Gateway as a delegated gateway for Kong Mesh to expose internal services to external traffic. This guide covers installing the Kong Ingress Controller, enabling sidecar injection, creating routes, configuring permissions with MeshTrafficPermission, and verifying traffic access.
Authentication and Authorization
-
Multi-zone authentication
Use Control Plane scoped tokens to authenticate zone Control Planes in a multi-zone Kong Mesh deployment.
-
Secure access across services
Learn how Kong Mesh secures communication between Data Plane proxies, control planes, and users, including TLS configuration and certificate management across deployments.
-
Role-based access control
Use AccessRole and AccessRoleBinding resources in Kong Mesh to implement fine-grained, role-based access to policies and actions.
-
Authentication with the API server
Authenticate to the Kong Mesh API server using user tokens. Learn about admin tokens, signing keys, token revocation, and configuration.
-
Authentication with the Data Plane proxy
Reference guide to authentication methods for Data Plane proxies in Kong Mesh, including Kubernetes service accounts, dataplane tokens, revocation, and offline token issuance.
-
Configure zone proxy authentication
How to configure zone proxy authentication methods in multi-zone mode.
-
Manage Control Plane permissions on Kubernetes
This guide explains how to manage Control Plane permissions on Kubernetes.
-
Restrict permissions to selected namespaces on Kubernetes
This guide explains how to limit Kuma to specific namespaces, giving you greater control over security and resource management.
Security
-
Certificate Authority rotation
Rotate the mTLS backend in Kong Mesh to transition between Certificate Authorities securely and with zero downtime.
-
Manage secrets
Store and manage secrets securely in Kong Mesh, including mesh-scoped and global-scoped secrets for use in mTLS, policies, and external services.
-
Progressively rolling in strict mTLS
Progressively roll in mutual TLS with the MeshTLS policy in Kong Mesh without disrupting traffic.
-
Kong Mesh audit logs
Track all user and system actions in Kong Mesh using the AccessAudit resource and configurable backends.
-
Verify build provenance for Kong Mesh binaries
Verify the build provenance of signed Kong Mesh binary artifacts.
-
Verify build provenance for signed Kong Mesh images
Learn how to verify build provenance for signed Kong Mesh Docker container images using Cosign or slsa-verifier.
-
Verify signatures for signed Kong Mesh images
Learn how to verify signed Kong Mesh Docker images using Cosign and GitHub OIDC identity for increased trust.
Observability
-
Observability
Learn how to configure observability in Kong Mesh using Prometheus, Grafana, Jaeger, Loki, and Datadog.
-
Collect metrics with OpenTelemetry
Collect and export metrics from Kong Mesh with OpenTelemetry and visualize them using Prometheus and Grafana.
-
Dataplane Health
Overview of dataplane health features in Kong Mesh, including circuit breaking, active health checks, and integration with Kubernetes and Universal service probes.
References
-
Zone Egress
How to configure Zone Egress to isolate cross-zone and external service traffic.
-
Zone Ingress
How to deploy and configure Zone Ingress for cross-zone communication in multi-zone mode.
-
CLI
Reference for the CLI tools included in Kong Mesh, including usage examples and commands for kumactl, kuma-cp, and kuma-dp.
-
Software Bill of Materials
View and download software bill of materials (SBOMs) for Kong Mesh binaries and Docker images, including license, dependency, and security information.
-
kuma-cp configuration reference
Configuration Reference
-
Kong Mesh data collection
Enable or disable data collection in Kong Mesh. Understand what telemetry is collected and how to configure reporting.
-
Configure Data Plane proxy membership
Control which Data Plane proxies can join a mesh using requirements and restrictions. Useful for enforcing tag consistency, namespace control, and zone-based segmentation.
-
Control Plane configuration
Guide for configuring the Kong Mesh Control Plane using environment variables or YAML, with details on store types (memory, Kubernetes, PostgreSQL) and configuration inspection.
-
DNS
Learn how Kong Mesh DNS works with virtual IPs and service naming to enable transparent proxying.
-
IPv6 support
Instructions for enabling or disabling IPv6 support in Kong Mesh across Universal and Kubernetes environments.
-
Performance fine-tuning
Reference guide to performance tuning in Kong Mesh, including configuration trimming, Postgres tuning, XDS snapshot generation, profiling, and Envoy concurrency.
-
Kong Mesh vulnerability patching process
Understand how Kong addresses and patches vulnerabilities in Kong Mesh binaries, third-party dependencies, and Docker images.
-
Kong Mesh version support policy
Understand the lifecycle and version support guidelines for Kong Mesh, including supported release timelines.