Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Mesh
2.4.x (latest)
  • Home icon
  • Kong Mesh
  • Explore
  • Inspect API
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.4.x (latest)
  • 2.3.x
  • 2.2.x
  • 2.1.x
  • 2.0.x
  • 1.9.x
  • 1.8.x
  • 1.7.x
  • 1.6.x
  • 1.5.x
  • 1.4.x
  • 1.3.x
  • 1.2.x
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Matched policies
  • Affected data plane proxies
  • Envoy proxy configuration

Inspect API

Starting with version 1.5.0, Kong Mesh offers the Inspect API to improve the policy debugging experience. It’s made up of several HTTP endpoints and is fully supported by kumactl, but can be used directly, using the HTTP API.

Matched policies

Read how Kong Mesh chooses the right policy to apply to understand how Kong Mesh matches policies to data plane proxies. With so many policies, it’s hard to understand which policies are selected for a specific data plane proxy. That’s where the Inspect API can help:

kumactl inspect dataplane backend-1 --mesh=default
DATAPLANE:
  ProxyTemplate
    pt-1
  TrafficTrace
    backends-eu

INBOUND 127.0.0.1:10010:10011(backend):
  TrafficPermission
    allow-all-default

OUTBOUND 127.0.0.1:10006(gateway):
  Timeout
    timeout-all-default
  TrafficRoute
    route-all-default

SERVICE gateway:
  CircuitBreaker
    circuit-breaker-all-default
  HealthCheck
    gateway-to-backend
  Retry
    retry-all-default

Each data plane proxy has 4 policy attachment points:

  • Inbound – applied to envoy inbound listener
  • Outbound – applied to envoy outbound listener
  • Service – applied to envoy outbound cluster (upstream cluster)
  • Dataplane – non-specific policy attachment, could affect inbound/outbound listeners and clusters

The command in the example above shows what policies were matched for each type of attachment.

Affected data plane proxies

Sometimes it’s useful to see if it’s safe to delete or modify some policy. Before making any critical changes, it is worth checking which data plane proxies will be affected. This can be done using the Inspect API as well:

kumactl inspect traffic-permission tp1 --mesh=default
Affected data plane proxies:

  backend-1:
    inbound 127.0.0.1:10010:10011(backend)
    inbound 127.0.0.1:20010:20011(backend-admin)
    inbound 127.0.0.1:30010:30011(backend-api)

  web-1:
    inbound 127.0.0.1:10020:10021(web)

This command works for all types of policies.

Envoy proxy configuration

Kong Mesh has 3 components that build on top of envoy – kuma-dp, zone-ingress and zone-egress. To help with debugging these components, the Inspect API gives access to envoy config dumps:

Get config dump for data plane proxy:

kumactl inspect dataplane backend-1 --type=config-dump

Get config dump for zone ingress:

kumactl inspect zoneingress zi-1 --type=config-dump

Get config dump for zone egress:

kumactl inspect zoneegress ze-1 --type=config-dump

In order to retrieve a config dump in a Multizone deployment, kumactl should be pointed to a zone CP Global CPs don’t have access to envoy config dumps. This is a limitation that will be resolved in an upcoming release.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023