Skip to content
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Kong Konnect
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.1.x (latest)
  • 2.0.x
  • 1.9.x
  • 1.8.x
  • 1.7.x
  • 1.6.x
  • 1.5.x
  • 1.4.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
    • Introduction to Kong Mesh
    • What is Service Mesh?
    • How Kong Mesh works
    • Deployments
    • Version support policy
    • Stability
    • Release notes
    • Installation Options
    • Kubernetes
    • Helm
    • OpenShift
    • Docker
    • Amazon ECS
    • Amazon Linux
    • Red Hat
    • CentOS
    • Debian
    • Ubuntu
    • macOS
    • Windows
    • Explore Kong Mesh with the Kubernetes demo app
    • Explore Kong Mesh with the Universal demo app
    • Standalone deployment
    • Deploy a standalone control plane
    • Multi-zone deployment
    • Deploy a multi-zone global control plane
    • License
    • Overview
    • Data plane proxy
    • Data plane on Kubernetes
    • Data plane on Universal
    • Gateway
    • Zone Ingress
    • Zone Egress
    • CLI
    • GUI
    • Observability
    • Inspect API
    • Kubernetes Gateway API
    • Networking
    • Service Discovery
    • DNS
    • Kong Mesh CNI
    • Transparent Proxying
    • IPv6 support
    • Non-mesh traffic
    • Secure access across Kong Mesh components
    • Secrets
    • Kong Mesh API Access Control
    • API server authentication
    • Data plane proxy authentication
    • Zone proxy authentication
    • Data plane proxy membership
    • Dataplane Health
    • Fine-tuning
    • Control Plane Configuration
    • Upgrades
    • Requirements
    • Introduction
    • General notes about Kong Mesh policies
    • Applying Policies
    • How Kong Mesh chooses the right policy to apply
    • Understanding TargetRef policies
    • Protocol support in Kong Mesh
    • Mesh
    • Mutual TLS
    • Traffic Permissions
    • Traffic Route
    • Traffic Metrics
    • Traffic Trace
    • Traffic Log
    • Locality-aware Load Balancing
    • Fault Injection
    • Health Check
    • Circuit Breaker
    • Proxy Template
    • External Service
    • Retry
    • Timeout
    • Rate Limit
    • Virtual Outbound
    • MeshGateway
    • MeshGatewayRoute
    • Service Health Probes
    • MeshAccessLog (Beta)
    • MeshCircuitBreaker (Beta)
    • MeshFaultInjection (Beta)
    • MeshHealthCheck (Beta)
    • MeshHTTPRoute (Beta)
    • MeshProxyPatch (Beta)
    • MeshRateLimit (Beta)
    • MeshRetry (Beta)
    • MeshTimeout (Beta)
    • MeshTrace (Beta)
    • MeshTrafficPermission (Beta)
    • Overview
    • HashiCorp Vault CA
    • Amazon ACM Private CA
    • cert-manager Private CA
    • OPA policy support
    • MeshOPA (beta)
    • Multi-zone authentication
    • FIPS support
    • Certificate Authority rotation
    • Role-Based Access Control
    • UBI Images
    • Windows Support
    • Auditing
    • HTTP API
    • Annotations and labels in Kubernetes mode
    • Kong Mesh data collection
      • Mesh
      • CircuitBreaker
      • ExternalService
      • FaultInjection
      • HealthCheck
      • MeshGateway
      • MeshGatewayRoute
      • ProxyTemplate
      • RateLimit
      • Retry
      • Timeout
      • TrafficLog
      • TrafficPermission
      • TrafficRoute
      • TrafficTrace
      • VirtualOutbound
      • Dataplane
      • ZoneEgress
      • ZoneIngress
      • kuma-cp
      • kuma-dp
      • kumactl
    • Kuma-cp configuration reference
    • Open source License
    • Contribute to Mesh

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • TargetRef support matrix
  • Configuration
    • Action
  • Examples
    • Service ‘payments’ allows requests from ‘orders’
    • Deny all
    • Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment
Kong Mesh
2.1.x (latest)
  • Home
  • Kong Mesh
  • Policies
  • MeshTrafficPermission (beta)

MeshTrafficPermission (beta)

This policy uses new policy matching algorithm and is in beta state, it should not be mixed with TrafficPermission.

TargetRef support matrix

TargetRef type top level to from
Mesh ✅ ❌ ✅
MeshSubset ✅ ❌ ✅
MeshService ✅ ❌ ✅
MeshServiceSubset ✅ ❌ ✅

If you don’t understand this table you should read matching docs.

Configuration

Action

Kong Mesh allows configuring one of 3 actions for a group of service’s clients:

  • Allow - allows incoming requests matching the from targetRef.
  • Deny - denies incoming requests matching the from targetRef
  • AllowWithShadowDeny - same as Allow but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.

Examples

Service ‘payments’ allows requests from ‘orders’

Kubernetes
Universal
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kong-mesh-system
  name: allow-orders
spec:
  targetRef: # 1
    kind: MeshService
    name: payments
  from:
    - targetRef: # 2
        kind: MeshService
        name: orders
      default: # 3
        action: Allow
type: MeshTrafficPermission
name: allow-orders
mesh: default
spec:
  targetRef: # 1
    kind: MeshService
    name: payments
  from:
    - targetRef: # 2
        kind: MeshService
        name: orders
      default: # 3
        action: Allow

Explanation

  1. Top level targetRef selects data plane proxies that implement payments service. MeshTrafficPermission allow-orders will be configured on these proxies.

     targetRef: # 1
       kind: MeshService
       name: payments
    
  2. TargetRef inside the from array selects proxies that implement order service. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
         kind: MeshService
         name: orders
    
  3. The action is Allow. All requests from service orders will be allowed on service payments.

     default: # 3
       action: Allow
    

Deny all

Kubernetes
Universal
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kong-mesh-system
  name: deny-all
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: Mesh
      default: # 3
        action: Deny
type: MeshTrafficPermission
name: deny-all
mesh: default
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: Mesh
      default: # 3
        action: Deny

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
       kind: Mesh
    
  2. TargetRef inside the from array selects all clients.

     - targetRef: # 2
         kind: Mesh
    
  3. The action is Deny. All requests from all services will be denied on all proxies in the default mesh.

     default: # 3
       action: Deny
    

Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

Kubernetes
Universal
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kong-mesh-system
  name: example-with-tags
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: MeshSubset
        tags:
          kuma.io/zone: us-east
      default: # 3
        action: Allow
    - targetRef: # 4
        kind: MeshSubset
        tags:
          env: dev
      default: # 5
        action: Deny

Apply the configuration with kubectl apply -f [..].

type: MeshTrafficPermission
name: example-with-tags
mesh: default
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: MeshSubset
        tags:
          kuma.io/zone: us-east
      default: # 3
        action: Allow
    - targetRef: # 4
        kind: MeshSubset
        tags:
          env: dev
      default: # 5
        action: Deny

Apply the configuration with kumactl apply -f [..] or with the HTTP API.

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
       kind: Mesh
    
  2. TargetRef inside the from array selects proxies that have label kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
         kind: MeshSubset
         tags:
           kuma.io/zone: us-east
    
  3. The action is Allow. All requests from the zone us-east will be allowed on all proxies.

     default: # 3
       action: Allow
    
  4. TargetRef inside the from array selects proxies that have tags kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 4
         kind: MeshSubset
         tags:
           env: dev
    
  5. The action is Deny. All requests from the env dev will be denied on all proxies.

     default: # 5
       action: Deny
    

Order of rules inside the from array matters. Request from the proxy that has both kuma.io/zone: east and env: dev will be denied. This is because the rule with Deny is later in the from array than any Allow rules.

Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023