apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/namespace: ns-1
      - tags:
          kuma.io/namespace: ns-2

type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/namespace: ns-1
    - tags:
        kuma.io/namespace: ns-2

By default, any Pod can join any mesh by changing its kuma.io/mesh annotation.
We can restrict that by relying on the autogenerated k8s.kuma.io/namespace tag.
In this example, only data plane proxies from ns-1 and ns-2 can join the default mesh.
If there is another mesh without any requirements, Pods from the ns-1 and ns-2 namespaces can also join that mesh.

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          team: '*'
          cloud: '*'
      restrictions:
      - tags:
          legacy: '*'

type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        team: '*'
        cloud: '*'
    restrictions:
    - tags:
        legacy: '*'

By using these constraints, we can enforce consistency of tags in a Kong Mesh deployment.
With the example above, every data plane proxy must have non-empty team and cloud tags and cannot have a legacy tag.

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/zone: east
---
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: demo
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/zone: west

type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/zone: east
---
type: Mesh
name: demo
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/zone: west

This way, only data plane proxies from the east zone can join the default mesh and only data plane proxies from the west zone can join the demo mesh.
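
The three examples above can be checked offline with a small evaluator. This is an added example, not Kong Mesh's own code: it assumes a proxy is admitted when it matches no restriction and at least one requirement entry (all tags inside an entry must match, '*' meaning present and non-empty), as the descriptions on this page imply. The flat tag dictionary, the helper names and the unconstrained mesh "other" are hypothetical.

```python
# Added example: models the membership-constraint semantics described on this
# page. It is not Kong Mesh's implementation; a proxy is reduced to one flat
# dict of tags (assumption).

def tag_matches(tags, key, want):
    """'*' requires the tag to be present and non-empty; else exact match."""
    have = tags.get(key, "")
    return have != "" if want == "*" else have == want

def entry_matches(tags, entry):
    """Every tag listed in one requirements/restrictions entry must match."""
    return all(tag_matches(tags, k, v) for k, v in entry["tags"].items())

def can_join(mesh, tags):
    """Return (allowed, reason) for a proxy carrying `tags`."""
    c = mesh.get("constraints", {}).get("dataplaneProxy", {})
    for entry in c.get("restrictions", []):
        if entry_matches(tags, entry):
            return False, f"matches restriction {entry['tags']}"
    reqs = c.get("requirements", [])
    if reqs and not any(entry_matches(tags, e) for e in reqs):
        return False, "satisfies none of the requirements"
    return True, ("ok" if reqs else "mesh has no requirements")

def joinable_meshes(meshes, tags):
    """Names of every mesh the proxy would be admitted to."""
    return [m["name"] for m in meshes if can_join(m, tags)[0]]

def make_mesh(name, requirements=(), restrictions=()):
    """Build a Universal-format Mesh dict from tag entries."""
    dpp = {"requirements": [{"tags": t} for t in requirements],
           "restrictions": [{"tags": t} for t in restrictions]}
    return {"type": "Mesh", "name": name, "constraints": {"dataplaneProxy": dpp}}

# Constructed data mirroring the page's examples; "other" is hypothetical.
TAGGED = make_mesh("default", [{"team": "*", "cloud": "*"}], [{"legacy": "*"}])
ZONED = [make_mesh("default", [{"kuma.io/zone": "east"}]),
         make_mesh("demo", [{"kuma.io/zone": "west"}])]
OPEN = {"type": "Mesh", "name": "other"}  # no constraints at all

if __name__ == "__main__":
    for tags in ({"team": "payments", "cloud": "aws"},
                 {"team": "payments"},
                 {"team": "payments", "cloud": "aws", "legacy": "true"}):
        print(tags, "->", can_join(TAGGED, tags))
    print(joinable_meshes(ZONED + [OPEN], {"kuma.io/zone": "east"}))
```

The last call lists "other" alongside "default", which is the gap noted earlier: constraints on one mesh do nothing for a mesh that defines none.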