Enterprise Features

Kong Mesh builds on top of Kuma with the following Enterprise features:

mTLS policy backends

Kong Mesh supports the following additional backends for the mTLS policy:

Open Policy Agent (OPA) support

You can use OPA with Kong Mesh to provide access control for your services.

The agent is included in the data plane proxy sidecar.

Multi-zone authentication

To add to the security of your deployments, Kong Mesh provides authentication of zone control planes to the global control plane.

Authentication is based on the Zone Token, which is also used to authenticate the zone proxy.

FIPS 140-2 support

Kong Mesh provides built-in support for the Federal Information Processing Standard (FIPS-2). See FIPS Support for more information.

Certificate Authority rotation

Kong Mesh lets you provide secure communication between applications with mTLS. You can change the mTLS backend with Certificate Authority rotation, to support a scenario such as migrating from the builtin CA to a Vault CA.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) in Kong Mesh lets you restrict access to resources and actions to specified users or groups based on user roles. Apply targeted security policies, implement granular traffic control, and much more.

Red Hat Universal Base Images

Kong Mesh provides images based on the Red Hat Universal Base Image (UBI).

Kong Mesh UBI images are distributed with all standard images, but with the ubi- prefix. See the UBI documentation for more information.

Docker container image signing

Starting with Kong Mesh 2.7.4, Docker container images are signed, and can be verified using cosign with signatures published to a Docker Hub repository. Read the Verify signatures for signed Kong Mesh images documentation to learn more.

Build provenance

Starting with Kong Mesh 2.8.0, Kong Mesh produces build provenance for Docker container images and binaries and can be verified using cosign / slsa-verifier.

See the following documentation to learn more: