MeshProxyPatch

The MeshProxyPatch provides configuration options for low-level Envoy resources that Kong Mesh policies do not directly expose.

If you need features that aren’t available as a Kong Mesh policy, open a new issue on GitHub so they can be added to the Kong Mesh roadmap.

A MeshProxyPatch policy can modify:

This policy uses a new policy matching algorithm. Do not combine with Proxy Template.

`targetRef` support matrix

Sidecar

Builtin Gateway

Delegated Gateway

`targetRef`	Allowed kinds
`targetRef.kind`	`Mesh`, `Dataplane`, `MeshSubset(deprecated)`

`targetRef`	Allowed kinds
`targetRef.kind`	`Mesh`, `MeshGateway`

`targetRef`	Allowed kinds
`targetRef.kind`	`Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset`

To learn more about the information in this table, see the matching docs.

Configuration

Modifications

MeshProxyPatch lets you specify modifications in appendModification block that can add a new resource, patch an existing resource or remove an existing resource.

Each xDS resource modification consists of 3 fields:

operation - operation applied to the generated config (for example: Add, Remove, Patch).
match - some operations can be applied on matched resources (for example: remove only resource of given name, patch all outbound resources).

and one of

jsonPatches - list of modifications in JSON Patch notation.
value - raw Envoy xDS configuration. Can be partial if operation is patch.

Origin

All resources generated by Kong Mesh are marked with the origin value, so you can match specific resources.

Examples: add new filters but only on inbound listeners, set timeouts on outbound clusters.

Well known origins:

inbound - resources generated for incoming traffic.
outbound - resources generated for outgoing traffic.
transparent - resources generated for transparent proxy functionality.
prometheus - resources generated for Prometheus to scrape when metrics on the Mesh is enabled.
direct-access - resources generated for Direct Access functionality.
gateway - resources generated for MeshGateway.

The list is not complete, as policy plugins can introduce new resources. For example MeshTrace plugin can create Cluster with mesh-trace origin.

Cluster

Modifications that are applied on Clusters resources.

Available operations:

Add - add a new Cluster or replace existing if the name is the same.
Remove - remove a Cluster.
Patch - patch a part of Cluster definition.

Available matchers:

name - name of the Cluster.
origin - origin of the Cluster.

Kubernetes

Universal

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-template-1
  namespace: kong-mesh-system
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - cluster:
          operation: Add
          value: |
            name: test-cluster
            connectTimeout: 5s
            type: STATIC
      - cluster:
          operation: Patch
          match: # optional: if absent, all clusters will be patched
            name: test-cluster # optional: if absent, all clusters regardless of name will be patched
            origin: inbound # optional: if absent, all clusters regardless of its origin will be patched
          value: | # you can specify only part of cluster definition that will be merged into existing cluster
            connectTimeout: 5s
      - cluster:
          operation: Patch
          match: # optional: if absent, all clusters will be patched
            name: test-cluster # optional: if absent, all clusters regardless of name will be patched
            origin: inbound # optional: if absent, all clusters regardless of its origin will be patched
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: add
              path: /transportSocket/typedConfig/commonTlsContext/tlsParams # remember to always use camelCase
              value:
                tlsMinimumProtocolVersion: TLSv1_2
            - op: add
              path: /transportSocket/typedConfig/commonTlsContext/tlsParams/tlsMaximumProtocolVersion
              value: TLSv1_2
            - op: replace
              path: /connectTimeout
              value: 77s
      - cluster:
          operation: Remove
          match: # optional: if absent, all clusters will be removed
            name: test-cluster # optional: if absent, all clusters regardless of name will be removed
            origin: inbound # optional: if absent, all clusters regardless of its origin will be removed

type: MeshProxyPatch
mesh: default
name: custom-template-1
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - cluster:
          operation: Add
          value: |
            name: test-cluster
            connectTimeout: 5s
            type: STATIC
      - cluster:
          operation: Patch
          match: # optional: if absent, all clusters will be patched
            name: test-cluster # optional: if absent, all clusters regardless of name will be patched
            origin: inbound # optional: if absent, all clusters regardless of its origin will be patched
          value: | # you can specify only part of cluster definition that will be merged into existing cluster
            connectTimeout: 5s
      - cluster:
          operation: Patch
          match: # optional: if absent, all clusters will be patched
            name: test-cluster # optional: if absent, all clusters regardless of name will be patched
            origin: inbound # optional: if absent, all clusters regardless of its origin will be patched
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: add
              path: /transportSocket/typedConfig/commonTlsContext/tlsParams
              value:
                tlsMinimumProtocolVersion: TLSv1_2
            - op: add
              path: /transportSocket/typedConfig/commonTlsContext/tlsParams/tlsMaximumProtocolVersion
              value: TLSv1_2
            - op: replace
              path: /connectTimeout
              value: 77s
      - cluster:
          operation: Remove
          match: # optional: if absent, all clusters will be removed
            name: test-cluster # optional: if absent, all clusters regardless of name will be removed
            origin: inbound # optional: if absent, all clusters regardless of its origin will be removed

Listener

Modifications that are applied on Listeners resources.

Available operations:

Add - add a new Listener or replace existing if the name is the same.
Remove - remove a Listener.
Patch - patch a part of Listener definition.

Available matchers:

name - name of the Listener.
origin - origin of the Listener.
tags - tags of inbound or outbound Listeners. They match Listener.metadata.filterMetadata[io.kuma.tags] in XDS configuration.

Kubernetes

Universal

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-template-1
  namespace: kong-mesh-system
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - listener:
          operation: Add
          value: |
            name: test-listener
            address:
              socketAddress:
                address: 192.168.0.1
                portValue: 8080
      - listener:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: test-listener # optional: if absent, all listeners regardless of name will be patched
            origin: inbound # optional: if absent, all listeners regardless of its origin will be patched
            tags: # optional: if absent, all listeners are matched
              kuma.io/service: backend
          value: | # you can specify only part of listener definition that will be merged into existing listener
            continueOnListenerFiltersTimeout: true
      - listener:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: test-listener # optional: if absent, all listeners regardless of name will be patched
            origin: inbound # optional: if absent, all listeners regardless of its origin will be patched
            tags: # optional: if absent, all listeners are matched
              kuma.io/service: backend
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: add
              path: /continueOnListenerFiltersTimeout
              value: true
      - listener:
          operation: Remove
          match: # optional: if absent, all listeners will be removed
            name: test-listener # optional: if absent, all listeners regardless of name will be removed
            origin: inbound # optional: if absent, all listeners regardless of its origin will be removed

type: MeshProxyPatch
mesh: default
name: custom-template-1
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - listener:
          operation: Add
          value: |
            name: test-listener
            address:
              socketAddress:
                address: 192.168.0.1
                portValue: 8080
      - listener:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: test-listener # optional: if absent, all listeners regardless of name will be patched
            origin: inbound # optional: if absent, all listeners regardless of its origin will be patched
            tags: # optional: if absent, all listeners are matched
              kuma.io/service: backend
          value: | # you can specify only part of listener definition that will be merged into existing listener
            continueOnListenerFiltersTimeout: true
      - listener:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: test-listener # optional: if absent, all listeners regardless of name will be patched
            origin: inbound # optional: if absent, all listeners regardless of its origin will be patched
            tags: # optional: if absent, all listeners are matched
              kuma.io/service: backend
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: add
              path: /continueOnListenerFiltersTimeout
              value: true
      - listener:
          operation: Remove
          match: # optional: if absent, all listeners will be removed
            name: test-listener # optional: if absent, all listeners regardless of name will be removed
            origin: inbound # optional: if absent, all listeners regardless of its origin will be removed

Network Filter

Modifications that are applied on Network Filters that are part of Listeners resource. Modifications are applied on all Filter Chains in the Listener.

Available operations:

AddFirst - add a new filter as a first filter in Filter Chain.
AddLast - add a new filter as a last filter in Filter Chain.
AddAfter - add a new filter after other filter in Filter Chain that is matched using match section.
AddBefore - add a new filter before other filter in Filter Chain that is matched using match section.
Patch - patch a matched filter in Filter Chain.
Remove - remove a filter in Filter Chain.

Available matchers:

name - name of the Network Filter.
listenerName - name of the Listener.
listenerTags - tags of inbound or outbound Listeners. They match Listener.metadata.filterMetadata[io.kuma.tags] in XDS configuration.
origin - origin of the Listener.

Kubernetes

Universal

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-template-1
  namespace: kong-mesh-system
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - networkFilter:
          operation: AddFirst
          match: # optional: if absent, filter will be added to all listeners
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: AddLast
          match: # optional: if absent, filter will be added to all listeners
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: AddBefore
          match:
            name: envoy.filters.network.tcp_proxy # a new filter (Local RateLimit) will be added before existing (TcpProxy). If there is no TcpProxy filter, Local RateLimit won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: AddAfter
          match:
            name: envoy.filters.network.tcp_proxy # a new filter (Local RateLimit) will be added after existing (TcpProxy). If there is no TcpProxy filter, Local RateLimit won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: Patch
          match:
            name: envoy.filters.network.tcp_proxy 
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          value: | # you can specify only part of filter definition that will be merged into existing filter
            name: envoy.filters.network.tcp_proxy
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
              idleTimeout: 10s
      - networkFilter:
          operation: Patch
          match:
            name: envoy.filters.network.tcp_proxy 
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: replace
              path: /idleTimeout
              value: 10s
      - networkFilter:
          operation: Remove
          match: # optional: if absent, all filters from all listeners will be removed
            name: envoy.filters.network.tcp_proxy # optional: if absent, all filters regardless of name will be removed
            listenerName: inbound:127.0.0.0:80 # optional: if absent, all filters regardless of the listener name will be removed
            listenerTags: # optional: if absent, all filters regardless of the listener tags will be removed
              kuma.io/service: backend
            origin: inbound # optional: if absent, all filters regardless of its origin will be removed

type: MeshProxyPatch
mesh: default
name: custom-template-1
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - networkFilter:
          operation: AddFirst
          match: # optional: if absent, filter will be added to all listeners
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: AddLast
          match: # optional: if absent, filter will be added to all listeners
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: AddBefore
          match:
            name: envoy.filters.network.tcp_proxy # a new filter (Local RateLimit) will be added before existing (TcpProxy). If there is no TcpProxy filter, Local RateLimit won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: AddAfter
          match:
            name: envoy.filters.network.tcp_proxy # a new filter (Local RateLimit) will be added after existing (TcpProxy). If there is no TcpProxy filter, Local RateLimit won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.network.local_ratelimit
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
              statPrefix: rateLimit
              tokenBucket:
                fillInterval: 1s
      - networkFilter:
          operation: Patch
          match:
            name: envoy.filters.network.tcp_proxy
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          value: | # you can specify only part of filter definition that will be merged into existing filter
            name: envoy.filters.network.tcp_proxy
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
              idleTimeout: 10s
      - networkFilter:
          operation: Patch
          match:
            name: envoy.filters.network.tcp_proxy
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: replace
              path: /idleTimeout
              value: 10s
      - networkFilter:
          operation: Remove
          match: # optional: if absent, all filters from all listeners will be removed
            name: envoy.filters.network.tcp_proxy # optional: if absent, all filters regardless of name will be removed
            listenerName: inbound:127.0.0.0:80 # optional: if absent, all filters regardless of the listener name will be removed
            listenerTags: # optional: if absent, all filters regardless of the listener tags will be removed
              kuma.io/service: backend
            origin: inbound # optional: if absent, all filters regardless of its origin will be removed

HTTP Filter

Modifications that are applied on HTTP Filters that are part of Listeners resource. Modifications that Kong Mesh applies on all HTTP Connection Managers in the Listener.

HTTP Filter modifications can only be applied on services configured as HTTP.

Available operations:

AddFirst - add a new filter as a first filter in HTTP Connection Manager.
AddLast - add a new filter as a last filter in HTTP Connection Manager.
AddAfter - add a new filter after other filter in HTTP Connection Manager that is matched using match section.
AddBefore - add a new filter before other filter in HTTP Connection Manager that is matched using match section.
Patch - patch a matched filter in HTTP Connection Manager.
Remove - remove a filter in HTTP Connection Manager.

Available matchers:

name - name of the HTTP Filter.
listenerName - name of the Listener.
listenerTags - tags of inbound or outbound Listeners. They match Listener.metadata.filterMetadata[io.kuma.tags] in XDS configuration.
origin - origin of the Listener.

Kubernetes

Universal

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-template-1
  namespace: kong-mesh-system
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - httpFilter:
          operation: AddFirst
          match: # optional: if absent, filter will be added to all HTTP Connection Managers
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: AddLast
          match: # optional: if absent, filter will be added to all HTTP Connection Managers
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: AddBefore
          match:
            name: envoy.filters.http.router # a new filter (Gzip) will be added before existing (Router). If there is no Router filter, Gzip won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: AddAfter
          match:
            name: envoy.filters.http.router # a new filter (Gzip) will be added after existing (Router). If there is no Router filter, Gzip won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: Patch
          match:
            name: envoy.filters.http.router 
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          value: | # you can specify only part of filter definition that will be merged into existing filter
            name: envoy.filters.http.router 
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
              dynamicStats: false
      - httpFilter:
          operation: Patch
          match:
            name: envoy.filters.http.router 
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: replace
              path: /dynamicStats
              value: false
      - httpFilter:
          operation: Remove
          match: # optional: if absent, all filters from all listeners will be removed
            name: envoy.filters.http.gzip # optional: if absent, all filters regardless of name will be removed
            listenerName: inbound:127.0.0.0:80 # optional: if absent, all filters regardless of the listener name will be removed
            listenerTags: # optional: if absent, all filters regardless of the listener tags will be removed
              kuma.io/service: backend
            origin: inbound # optional: if absent, all filters regardless of its origin will be removed

type: MeshProxyPatch
mesh: default
name: custom-template-1
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - httpFilter:
          operation: AddFirst
          match: # optional: if absent, filter will be added to all HTTP Connection Managers
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: AddLast
          match: # optional: if absent, filter will be added to all HTTP Connection Managers
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: AddBefore
          match:
            name: envoy.filters.http.router # a new filter (Gzip) will be added before existing (Router). If there is no Router filter, Gzip won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: AddAfter
          match:
            name: envoy.filters.http.router # a new filter (Gzip) will be added after existing (Router). If there is no Router filter, Gzip won't be added.
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
            listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
          value: |
            name: envoy.filters.http.gzip
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
              memoryLevel: 9
      - httpFilter:
          operation: Patch
          match:
            name: envoy.filters.http.router
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          value: | # you can specify only part of filter definition that will be merged into existing filter
            name: envoy.filters.http.router 
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
              dynamicStats: false
      - httpFilter:
          operation: Patch
          match:
            name: envoy.filters.http.router
            listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
            listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
              kuma.io/service: backend
            origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: replace
              path: /dynamicStats
              value: false
      - httpFilter:
          operation: Remove
          match: # optional: if absent, all filters from all listeners will be removed
            name: envoy.filters.http.gzip # optional: if absent, all filters regardless of name will be removed
            listenerName: inbound:127.0.0.0:80 # optional: if absent, all filters regardless of the listener name will be removed
            listenerTags: # optional: if absent, all filters regardless of the listener tags will be removed
              kuma.io/service: backend
            origin: inbound # optional: if absent, all filters regardless of its origin will be removed

VirtualHost

Modifications that are applied on VirtualHost resources.

VirtualHost modifications can only be applied on services configured as HTTP.

Available operations:

Add - add a new VirtualHost.
Remove - remove a VirtualHost.
Patch - patch a part of VirtualHost definition.

Available matchers:

name - name of the VirtualHost.
origin - origin of the VirtualHost.
routeConfigurationName - name of the RouteConfiguration.

Kubernetes

Universal

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-template-1
  namespace: kong-mesh-system
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - virtualHost:
          operation: Add
          value: |
            name: backend
            domains:
            - "*"
            routes:
            - match:
                prefix: /
              route:
                cluster: backend
      - virtualHost:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: backend # optional: if absent, all virtual hosts regardless of name will be patched
            origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be patched
            routeConfigurationName: outbound:backend # optional: if absent, all virtual hosts in all route configurations will be patched
          value: | # you can specify only part of virtual host definition that will be merged into existing virtual host
            retryPolicy:
              retryOn: 5xx
              numRetries: 3
      - virtualHost:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: backend # optional: if absent, all virtual hosts regardless of name will be patched
            origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be patched
            routeConfigurationName: outbound:backend # optional: if absent, all virtual hosts in all route configurations will be patched
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: add
              path: /retryPolicy
              value:
                retryOn: 5xx
                numRetries: 3
      - virtualHost:
          operation: Remove
          match: # optional: if absent, all virtual hosts will be removed
            name: test-listener # optional: if absent, all virtual hsots regardless of name will be removed
            origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be removed

type: MeshProxyPatch
mesh: default
name: custom-template-1
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: backend
  default:
    appendModifications:
      - virtualHost:
          operation: Add
          value: |
            name: backend
            domains:
            - "*"
            routes:
            - match:
                prefix: /
              route:
                cluster: backend
      - virtualHost:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: backend # optional: if absent, all virtual hosts regardless of name will be patched
            origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be patched
            routeConfigurationName: outbound:backend # optional: if absent, all virtual hosts in all route configurations will be patched
          value: | # you can specify only part of virtual host definition that will be merged into existing virtual host
            retryPolicy:
              retryOn: 5xx
              numRetries: 3
      - virtualHost:
          operation: Patch
          match: # optional: if absent, all listeners will be patched
            name: backend # optional: if absent, all virtual hosts regardless of name will be patched
            origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be patched
            routeConfigurationName: outbound:backend # optional: if absent, all virtual hosts in all route configurations will be patched
          jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
            - op: add
              path: /retryPolicy
              value:
                retryOn: 5xx
                numRetries: 3
      - virtualHost:
          operation: Remove
          match: # optional: if absent, all virtual hosts will be removed
            name: test-listener # optional: if absent, all virtual hsots regardless of name will be removed
            origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be removed

Merging

All modifications from appendModification list are always merged. For example, if there is a policy with targetRef.kind: Mesh and second policy with targetRef.kind: MeshService that matches a data plane proxy, all modifications from both policies will be applied.

JSONPatch

If you use JSONPatch, remember to always use camelCase instead of snake_case in path parameter even though you see snake_case in Envoy Config Dump.

Examples

Timeout adjustment for MeshGateway

Example how to change streamIdleTimeout for MeshGateway:

Kubernetes

Universal

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-template-1
  namespace: kong-mesh-system
spec:
  targetRef:
    kind: MeshGateway
    name: gateway
  default:
    appendModifications:
      - networkFilter:
          operation: Patch
          match:
            name: envoy.filters.network.http_connection_manager
            origin: gateway # you can also specify the name of the listener
          jsonPatches:
            - op: replace
              path: /streamIdleTimeout
              value: 15s

type: MeshProxyPatch
mesh: default
name: custom-template-1
spec:
  targetRef:
    kind: MeshGateway
    name: gateway
  default:
    appendModifications:
      - networkFilter:
          operation: Patch
          match:
            name: envoy.filters.network.http_connection_manager
            origin: gateway # you can also specify the name of the listener
          jsonPatches:
            - op: replace
              path: /streamIdleTimeout
              value: 15s

lua filter

Here is and example of lua filter that adds the new x-header: test header to all outgoing HTTP requests to service offers.

Kubernetes

Universal

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-template-1
  namespace: kong-mesh-system
spec:
  targetRef:
    kind: MeshService
    name: mesh-gateway_gateways_svc
  default:
    appendModifications:
      - httpFilter:
          operation: AddBefore
          match:
            name: envoy.filters.http.router
            origin: outbound
            listenerTags:
              kuma.io/service: offers
          value: |
            name: envoy.filters.http.lua
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              inline_code: |
                function envoy_on_request(request_handle)
                  request_handle:headers():add("x-header", "test")
                end

type: MeshProxyPatch
mesh: default
name: backend-lua-filter
spec:
  targetRef:
    kind: MeshService
    name: mesh-gateway_gateways_svc
  default:
    appendModifications:
      - httpFilter:
          operation: AddBefore
          match:
            name: envoy.filters.http.router
            origin: outbound
            listenerTags:
              kuma.io/service: offers
          value: |
            name: envoy.filters.http.lua
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              inline_code: |
                function envoy_on_request(request_handle)
                  request_handle:headers():add("x-header", "test")
                end

MeshProxyPatch

targetRef support matrix

Configuration

Modifications

Origin

Cluster

Listener

Network Filter

HTTP Filter

VirtualHost

Merging

JSONPatch

Examples

Timeout adjustment for MeshGateway

lua filter

All policy options

`targetRef` support matrix