MeshTLS
This policy lets Kong Mesh configure the mTLS mode and the TLS protocol versions and cipher suites that sidecars negotiate with each other. The mTLS backends (the CA) and the default mode are taken from the Mesh object; MeshTLS overrides them for the proxies it targets.
TargetRef support matrix
targetRef | Allowed kinds
---|---
targetRef.kind | Mesh, MeshSubset
from[].targetRef.kind | Mesh
To learn more about the information in this table, see the matching docs.
Configuration
The following describes the default configuration settings of the MeshTLS policy:

- `tlsVersion`: Defines the TLS versions to be used by both client and server, as a `min`/`max` pair. Allowed values: `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. `TLS10` and `TLS11` are deprecated (RFC 8996); allow them only for a legacy peer you cannot upgrade.
- `tlsCiphers`: Defines the TLS ciphers to be used by both client and server. Allowed values: `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-RSA-CHACHA20-POLY1305`. Pick suites that match the key type of the certificates the mesh issues: the `ECDHE-ECDSA-*` suites need ECDSA certificates and the `ECDHE-RSA-*` suites need RSA certificates, so restricting the list to one family with the wrong key type breaks every handshake. These are TLS 1.2 suites; the data plane (Envoy) applies a configured cipher list only when negotiating TLS 1.2 or lower, so with `min: TLS13` the list does not restrict the TLS 1.3 suites.
- `mode`: Defines the mTLS mode. `Permissive` mode encrypts outbound connections the same way as `Strict` mode, but inbound connections on the server side accept both TLS and plaintext, so a client without a mesh certificate can still reach the workload. Use it while migrating workloads into the mesh and switch to `Strict` once every client is in. Allowed values: `Strict`, `Permissive`.
Setting the TLS version and ciphers on both the client and server makes it harder to misconfigure. If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh, deploying two applications within it, and testing whether communication is working. If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it. In that case, please open an issue.
Examples
Set specific TLS version and ciphers

```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: set-version-and-ciphers
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
    - targetRef:
        kind: Mesh
      default:
        tlsVersion:
          min: TLS13
          max: TLS13
        tlsCiphers:
          - ECDHE-ECDSA-AES256-GCM-SHA384
```
Enable strict mode on specific subset

```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: strict-mode
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: redis
  from:
    - targetRef:
        kind: Mesh
      default:
        mode: Strict
```
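As an added example (not code from the Kong Mesh docs or project), the following Python lint applies the constraints stated in the Configuration section and the targetRef support matrix to policies that have already been loaded into a dict (for instance with `yaml.safe_load`): the supported `targetRef` kinds, the `tlsVersion`, `tlsCiphers` and `mode` enums, and a warning whenever `Permissive` is used, since Permissive inbounds accept plaintext. The two policies above are embedded as dicts, together with two constructed ones (a Permissive policy and a deliberately invalid one). The rule that `tlsVersion.min` must not be above `tlsVersion.max` is this example's own sanity check; the page does not say how the control plane validates that combination.

```python
"""Pre-apply lint for Kong Mesh / Kuma MeshTLS policies (added example, not project code)."""
from __future__ import annotations

TLS_VERSIONS = ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]  # ordered oldest to newest
TLS_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}
MODES = {"Strict", "Permissive"}
TOP_LEVEL_KINDS = {"Mesh", "MeshSubset"}  # spec.targetRef.kind, per the support matrix
FROM_KINDS = {"Mesh"}                     # spec.from[].targetRef.kind, per the support matrix


def lint_policy(policy: dict) -> list[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings for one MeshTLS policy dict."""
    findings: list[str] = []
    if policy.get("apiVersion") != "kuma.io/v1alpha1" or policy.get("kind") != "MeshTLS":
        findings.append("ERROR: not a kuma.io/v1alpha1 MeshTLS resource")
    spec = policy.get("spec") or {}
    top_kind = (spec.get("targetRef") or {}).get("kind")
    if top_kind not in TOP_LEVEL_KINDS:
        findings.append(f"ERROR: spec.targetRef.kind {top_kind!r} not supported; use Mesh or MeshSubset")
    for i, item in enumerate(spec.get("from") or []):
        where = f"spec.from[{i}]"
        from_kind = (item.get("targetRef") or {}).get("kind")
        if from_kind not in FROM_KINDS:
            findings.append(f"ERROR: {where}.targetRef.kind {from_kind!r} not supported; only Mesh")
        conf = item.get("default") or {}
        mode = conf.get("mode")
        if mode is not None and mode not in MODES:
            findings.append(f"ERROR: {where}.default.mode {mode!r} invalid; use Strict or Permissive")
        elif mode == "Permissive":
            # Permissive still encrypts outbound, but inbound listeners also accept plaintext.
            findings.append(f"WARN: {where}.default.mode is Permissive; inbound accepts plaintext")
        for cipher in conf.get("tlsCiphers") or []:
            if cipher not in TLS_CIPHERS:
                findings.append(f"ERROR: {where}.default.tlsCiphers has unsupported suite {cipher!r}")
        version = conf.get("tlsVersion") or {}
        for bound in ("min", "max"):
            value = version.get(bound)
            if value is not None and value not in TLS_VERSIONS:
                findings.append(f"ERROR: {where}.default.tlsVersion.{bound} {value!r} invalid")
        # Own sanity check (assumption, not from the docs): an explicit min above an explicit max
        # can never be satisfied. TLSAuto means "no explicit bound" and is skipped.
        lo, hi = version.get("min", "TLSAuto"), version.get("max", "TLSAuto")
        if lo in TLS_VERSIONS and hi in TLS_VERSIONS and "TLSAuto" not in (lo, hi) \
                and TLS_VERSIONS.index(lo) > TLS_VERSIONS.index(hi):
            findings.append(f"ERROR: {where}.default.tlsVersion.min {lo} is above max {hi}")
    return findings


def is_valid(policy: dict) -> bool:
    """True when the lint reports no ERROR (warnings alone do not block apply)."""
    return not any(f.startswith("ERROR") for f in lint_policy(policy))


def _policy(name: str, target_ref: dict, default: dict) -> dict:
    """Build a MeshTLS dict in the shape the YAML above loads into."""
    return {"apiVersion": "kuma.io/v1alpha1", "kind": "MeshTLS",
            "metadata": {"name": name, "namespace": "kong-mesh-system",
                         "labels": {"kuma.io/mesh": "default"}},
            "spec": {"targetRef": target_ref,
                     "from": [{"targetRef": {"kind": "Mesh"}, "default": default}]}}


# The two example policies from this page, as dicts.
SET_VERSION_AND_CIPHERS = _policy("set-version-and-ciphers", {"kind": "Mesh"},
    {"tlsVersion": {"min": "TLS13", "max": "TLS13"},
     "tlsCiphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"]})
STRICT_MODE_REDIS = _policy("strict-mode", {"kind": "MeshSubset", "tags": {"app": "redis"}},
    {"mode": "Strict"})
# Constructed: valid, but worth a warning.
PERMISSIVE_MIGRATION = _policy("permissive-during-migration", {"kind": "Mesh"},
    {"mode": "Permissive"})
# Constructed: every field wrong in a different way (five errors).
BAD_POLICY = _policy("bad", {"kind": "MeshService", "name": "redis"},
    {"mode": "permissive", "tlsCiphers": ["AES128-SHA"],
     "tlsVersion": {"min": "TLS13", "max": "TLS12"}})
BAD_POLICY["spec"]["from"][0]["targetRef"] = {"kind": "MeshSubset", "tags": {"app": "web"}}

if __name__ == "__main__":
    for p in (SET_VERSION_AND_CIPHERS, STRICT_MODE_REDIS, PERMISSIVE_MIGRATION, BAD_POLICY):
        print(p["metadata"]["name"], "->", lint_policy(p) or ["ok"])
```

Run it as a pre-commit or CI step on the rendered policy before `kubectl apply`; the control plane still performs its own validation, but this catches the support-matrix and enum mistakes locally and makes every Permissive policy visible in review.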
All policy options
Spec is the specification of the Kuma MeshTLS resource.
Type: object
Properties
- from
  - From list makes a match between clients and corresponding configurations.
  - Type: array
  - Items
    - Type: object
    - Properties
      - default
        - Default is a configuration specific to the group of clients referenced in 'targetRef'.
        - Type: object
        - Properties
          - mode
            - Mode defines the behavior of inbound listeners with regard to traffic encryption.
            - Type: string
            - The value is restricted to the following:
              - "Permissive"
              - "Strict"
          - tlsCiphers
            - TlsCiphers section for providing ciphers specification.
            - Type: array
            - Items
              - Type: string
              - The value is restricted to the following:
                - "ECDHE-ECDSA-AES128-GCM-SHA256"
                - "ECDHE-ECDSA-AES256-GCM-SHA384"
                - "ECDHE-ECDSA-CHACHA20-POLY1305"
                - "ECDHE-RSA-AES128-GCM-SHA256"
                - "ECDHE-RSA-AES256-GCM-SHA384"
                - "ECDHE-RSA-CHACHA20-POLY1305"
          - tlsVersion
            - Version section for providing version specification.
            - Type: object
            - Properties
              - max
                - Max defines maximum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
                - Type: string
                - The value is restricted to the following:
                  - "TLSAuto"
                  - "TLS10"
                  - "TLS11"
                  - "TLS12"
                  - "TLS13"
                - Default: "TLSAuto"
              - min
                - Min defines minimum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
                - Type: string
                - The value is restricted to the following:
                  - "TLSAuto"
                  - "TLS10"
                  - "TLS11"
                  - "TLS12"
                  - "TLS13"
                - Default: "TLSAuto"
      - targetRef (required)
        - TargetRef is a reference to the resource that represents a group of clients.
        - Type: object
        - Properties
          - kind
            - Kind of the referenced resource. The schema lists every kind the shared targetRef type accepts; for MeshTLS only `Mesh` is valid here, as the support matrix above states.
            - Type: string
            - The value is restricted to the following:
              - "Mesh"
              - "MeshSubset"
              - "MeshGateway"
              - "MeshService"
              - "MeshExternalService"
              - "MeshMultiZoneService"
              - "MeshServiceSubset"
              - "MeshHTTPRoute"
          - labels
            - Labels are used to select a group of MeshServices that match the labels. Either Labels or Name and Namespace can be used.
            - Type: object
            - This schema accepts additional properties.
          - mesh
            - Mesh is reserved for future use to identify cross-mesh resources.
            - Type: string
          - name
            - Name of the referenced resource. Can only be used with kinds: MeshService, MeshServiceSubset and MeshGatewayRoute.
            - Type: string
          - namespace
            - Namespace specifies the namespace of the target resource. If empty, only resources in the policy namespace will be targeted.
            - Type: string
          - proxyTypes
            - ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all data plane types are targeted by the policy.
            - Type: array
            - Item Count: ≥ 1
            - Items
              - Type: string
              - The value is restricted to the following:
                - "Sidecar"
                - "Gateway"
          - sectionName
            - SectionName is used to target a specific section of the resource. For example, you can target a port from MeshService.ports[] by its name. Only traffic to this port will be affected.
            - Type: string
          - tags
            - Tags used to select a subset of proxies by tags. Can only be used with kinds MeshSubset and MeshServiceSubset.
            - Type: object
            - This schema accepts additional properties.
- targetRef
  - TargetRef is a reference to the resource the policy takes effect on. The resource could be either a real store object or a virtual resource defined in-place.
  - Type: object
  - Properties
    - kind
      - Kind of the referenced resource. The schema lists every kind the shared targetRef type accepts; for MeshTLS only `Mesh` and `MeshSubset` are valid here, as the support matrix above states.
      - Type: string
      - The value is restricted to the following:
        - "Mesh"
        - "MeshSubset"
        - "MeshGateway"
        - "MeshService"
        - "MeshExternalService"
        - "MeshMultiZoneService"
        - "MeshServiceSubset"
        - "MeshHTTPRoute"
    - labels
      - Labels are used to select a group of MeshServices that match the labels. Either Labels or Name and Namespace can be used.
      - Type: object
      - This schema accepts additional properties.
    - mesh
      - Mesh is reserved for future use to identify cross-mesh resources.
      - Type: string
    - name
      - Name of the referenced resource. Can only be used with kinds: MeshService, MeshServiceSubset and MeshGatewayRoute.
      - Type: string
    - namespace
      - Namespace specifies the namespace of the target resource. If empty, only resources in the policy namespace will be targeted.
      - Type: string
    - proxyTypes
      - ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all data plane types are targeted by the policy.
      - Type: array
      - Item Count: ≥ 1
      - Items
        - Type: string
        - The value is restricted to the following:
          - "Sidecar"
          - "Gateway"
    - sectionName
      - SectionName is used to target a specific section of the resource. For example, you can target a port from MeshService.ports[] by its name. Only traffic to this port will be affected.
      - Type: string
    - tags
      - Tags used to select a subset of proxies by tags. Can only be used with kinds MeshSubset and MeshServiceSubset.
      - Type: object
      - This schema accepts additional properties.
Generated with json-schema-md-doc