MeshTLS
This policy enables Kong Mesh to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.
TargetRef support matrix

targetRef | Allowed kinds
---|---
targetRef.kind | Mesh, MeshSubset
from[].targetRef.kind | Mesh

To learn more about the information in this table, see the matching docs.
Configuration
The following describes the default configuration settings of the MeshTLS policy:
- tlsVersion: Defines the TLS versions to be used by both client and server. Allowed values: TLSAuto, TLS10, TLS11, TLS12, TLS13.
- tlsCiphers: Defines the TLS ciphers to be used by both client and server. Allowed values: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305.
- mode: Defines the mTLS mode. Permissive mode encrypts outbound connections the same way as Strict mode, but inbound connections on the server side accept both TLS and plaintext. Allowed values: Strict, Permissive.
Setting the TLS version and ciphers on both the client and server makes it harder to misconfigure. If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh, deploying two applications within it, and testing whether communication is working. If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it. In that case, please open an issue.
Examples
Set specific TLS version and ciphers
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: set-version-and-ciphers
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
    - targetRef:
        kind: Mesh
      default:
        tlsVersion:
          min: TLS13
          max: TLS13
        tlsCiphers:
          - ECDHE-ECDSA-AES256-GCM-SHA384
```
Enable strict mode on a specific subset
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: strict-mode
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: redis
  from:
    - targetRef:
        kind: Mesh
      default:
        mode: Strict
```
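As an added example (not part of the Kong Mesh documentation or code base), a small linter that checks a MeshTLS policy against the allowed values from the Configuration section and the targetRef support matrix above. The policies are constructed inline as Python dicts, and treating TLSAuto as "no explicit bound" when comparing min and max is an assumption.

```python
# Added example, not Kong Mesh code: a linter that applies this page's allowed
# values and targetRef support matrix to MeshTLS policies built inline as dicts.
ALLOWED_VERSIONS = ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]  # ordered oldest to newest
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}
TOP_KINDS = {"Mesh", "MeshSubset"}  # spec.targetRef.kind, from the support matrix
FROM_KINDS = {"Mesh"}               # spec.from[].targetRef.kind


def lint_meshtls(policy):
    """Return a list of problems in a MeshTLS policy dict; an empty list means clean."""
    problems = []
    spec = policy.get("spec", {})
    top = spec.get("targetRef", {})
    if top.get("kind") not in TOP_KINDS:
        problems.append(f"spec.targetRef.kind must be one of {sorted(TOP_KINDS)}")
    if "tags" in top and top.get("kind") != "MeshSubset":
        problems.append("spec.targetRef.tags is only valid with kind MeshSubset")
    for i, entry in enumerate(spec.get("from", [])):
        where = f"spec.from[{i}]"
        if entry.get("targetRef", {}).get("kind") not in FROM_KINDS:
            problems.append(f"{where}.targetRef.kind must be Mesh")
        conf = entry.get("default", {})
        for cipher in conf.get("tlsCiphers", []):
            if cipher not in ALLOWED_CIPHERS:
                problems.append(f"{where}.default.tlsCiphers: {cipher!r} is not allowed")
        ver = conf.get("tlsVersion", {})
        lo, hi = ver.get("min", "TLSAuto"), ver.get("max", "TLSAuto")  # schema defaults
        for v in (lo, hi):
            if v not in ALLOWED_VERSIONS:
                problems.append(f"{where}.default.tlsVersion: {v!r} is not allowed")
        # Assumption: TLSAuto sets no explicit bound, so only explicit versions are compared.
        if {lo, hi} <= set(ALLOWED_VERSIONS[1:]) and ALLOWED_VERSIONS.index(lo) > ALLOWED_VERSIONS.index(hi):
            problems.append(f"{where}.default.tlsVersion: min {lo} is above max {hi}")
    return problems


# Constructed sample input: GOOD_POLICY mirrors "Set specific TLS version and ciphers"
# above; BAD_POLICY breaks the support matrix, the cipher list and the version range.
GOOD_POLICY = {"spec": {"targetRef": {"kind": "Mesh"}, "from": [{"targetRef": {"kind": "Mesh"},
    "default": {"tlsVersion": {"min": "TLS13", "max": "TLS13"},
                "tlsCiphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"]}}]}}
BAD_POLICY = {"spec": {"targetRef": {"kind": "Mesh", "tags": {"app": "redis"}},
    "from": [{"targetRef": {"kind": "MeshSubset"}, "default": {"mode": "Permissive",
             "tlsVersion": {"min": "TLS13", "max": "TLS12"}, "tlsCiphers": ["AES128-SHA"]}}]}}
```

Run `lint_meshtls` over a policy before applying it; a non-empty result lists each field that the schema or the support matrix rejects.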
All policy options
Spec is the specification of the Kuma MeshTLS resource.
Type: object
Properties
- from
  - From list makes a match between clients and corresponding configurations.
  - Type: array
  - Items
    - Type: object
    - Properties
      - default
        - Default is a configuration specific to the group of clients referenced in `targetRef`.
        - Type: object
        - Properties
          - mode
            - Mode defines the behavior of inbound listeners with regard to traffic encryption.
            - Type: string
            - The value is restricted to the following: "Permissive", "Strict"
          - tlsCiphers
            - TlsCiphers section for providing the ciphers specification.
            - Type: array
            - Items
              - Type: string
              - The value is restricted to the following: "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"
          - tlsVersion
            - Version section for providing the version specification.
            - Type: object
            - Properties
              - max
                - Max defines the maximum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
                - Type: string
                - The value is restricted to the following: "TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"
                - Default: "TLSAuto"
              - min
                - Min defines the minimum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
                - Type: string
                - The value is restricted to the following: "TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"
                - Default: "TLSAuto"
      - targetRef (required)
        - TargetRef is a reference to the resource that represents a group of clients.
        - Type: object
        - Properties
          - kind
            - Kind of the referenced resource
            - Type: string
            - The value is restricted to the following: "Mesh", "MeshSubset", "MeshGateway", "MeshService", "MeshExternalService", "MeshMultiZoneService", "MeshServiceSubset", "MeshHTTPRoute", "Dataplane"
          - labels
            - Labels are used to select a group of MeshServices that match the labels. Either Labels or Name and Namespace can be used.
            - Type: object
            - This schema accepts additional properties.
          - mesh
            - Mesh is reserved for future use to identify cross-mesh resources.
            - Type: string
          - name
            - Name of the referenced resource. Can only be used with kinds: MeshService, MeshServiceSubset and MeshGatewayRoute
            - Type: string
          - namespace
            - Namespace specifies the namespace of the target resource. If empty, only resources in the policy namespace will be targeted.
            - Type: string
          - proxyTypes
            - ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all data plane types are targeted by the policy.
            - Type: array
            - Item Count: ≥ 1
            - Items
              - Type: string
              - The value is restricted to the following: "Sidecar", "Gateway"
          - sectionName
            - SectionName is used to target a specific section of a resource. For example, you can target a port from MeshService.ports[] by its name. Only traffic to this port will be affected.
            - Type: string
          - tags
            - Tags used to select a subset of proxies by tags. Can only be used with kinds MeshSubset and MeshServiceSubset
            - Type: object
            - This schema accepts additional properties.
- rules
  - Rules defines inbound TLS configurations. Currently limited to selecting all inbound traffic, as L7 matching is not yet implemented.
  - Type: array
  - Items
    - Type: object
    - Properties
      - default
        - Default contains the configuration of the inbound TLS.
        - Type: object
        - Properties
          - mode
            - Mode defines the behavior of inbound listeners with regard to traffic encryption.
            - Type: string
            - The value is restricted to the following: "Permissive", "Strict"
          - tlsCiphers
            - TlsCiphers section for providing the ciphers specification.
            - Type: array
            - Items
              - Type: string
              - The value is restricted to the following: "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"
          - tlsVersion
            - Version section for providing the version specification.
            - Type: object
            - Properties
              - max
                - Max defines the maximum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
                - Type: string
                - The value is restricted to the following: "TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"
                - Default: "TLSAuto"
              - min
                - Min defines the minimum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
                - Type: string
                - The value is restricted to the following: "TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"
                - Default: "TLSAuto"
- targetRef
  - TargetRef is a reference to the resource the policy takes effect on. The resource could be either a real store object or a virtual resource defined in-place.
  - Type: object
  - Properties
    - kind
      - Kind of the referenced resource
      - Type: string
      - The value is restricted to the following: "Mesh", "MeshSubset", "MeshGateway", "MeshService", "MeshExternalService", "MeshMultiZoneService", "MeshServiceSubset", "MeshHTTPRoute", "Dataplane"
    - labels
      - Labels are used to select a group of MeshServices that match the labels. Either Labels or Name and Namespace can be used.
      - Type: object
      - This schema accepts additional properties.
    - mesh
      - Mesh is reserved for future use to identify cross-mesh resources.
      - Type: string
    - name
      - Name of the referenced resource. Can only be used with kinds: MeshService, MeshServiceSubset and MeshGatewayRoute
      - Type: string
    - namespace
      - Namespace specifies the namespace of the target resource. If empty, only resources in the policy namespace will be targeted.
      - Type: string
    - proxyTypes
      - ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all data plane types are targeted by the policy.
      - Type: array
      - Item Count: ≥ 1
      - Items
        - Type: string
        - The value is restricted to the following: "Sidecar", "Gateway"
    - sectionName
      - SectionName is used to target a specific section of a resource. For example, you can target a port from MeshService.ports[] by its name. Only traffic to this port will be affected.
      - Type: string
    - tags
      - Tags used to select a subset of proxies by tags. Can only be used with kinds MeshSubset and MeshServiceSubset
      - Type: object
      - This schema accepts additional properties.

Generated with json-schema-md-doc