MeshTrafficPermission (beta)
This policy uses new policy matching algorithm and is in beta state, it should not be mixed with TrafficPermission.
TargetRef support matrix
TargetRef type | top level | to | from |
---|---|---|---|
Mesh | ✅ | ❌ | ✅ |
MeshSubset | ✅ | ❌ | ✅ |
MeshService | ✅ | ❌ | ✅ |
MeshServiceSubset | ✅ | ❌ | ✅ |
If you don’t understand this table you should read matching docs.
Configuration
Action
Kong Mesh allows configuring one of 3 actions for a group of service’s clients:
-
Allow
- allows incoming requests matching the fromtargetRef
. -
Deny
- denies incoming requests matching the fromtargetRef
-
AllowWithShadowDeny
- same asAllow
but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.
Examples
Service ‘payments’ allows requests from ‘orders’
Explanation
-
Top level
targetRef
selects data plane proxies that implementpayments
service. MeshTrafficPermissionallow-orders
will be configured on these proxies.targetRef: # 1 kind: MeshService name: payments
-
TargetRef
inside thefrom
array selects proxies that implementorder
service. These proxies will be subjected to the action fromdefault.action
.- targetRef: # 2 kind: MeshService name: orders
-
The action is
Allow
. All requests from serviceorders
will be allowed on servicepayments
.default: # 3 action: Allow
Deny all
Explanation
-
Top level
targetRef
selects all proxies in the mesh.targetRef: # 1 kind: Mesh
-
TargetRef
inside thefrom
array selects all clients.- targetRef: # 2 kind: Mesh
-
The action is
Deny
. All requests from all services will be denied on all proxies in thedefault
mesh.default: # 3 action: Deny
Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment
Explanation
-
Top level
targetRef
selects all proxies in the mesh.targetRef: # 1 kind: Mesh
-
TargetRef
inside thefrom
array selects proxies that have labelkuma.io/zone: us-east
. These proxies will be subjected to the action fromdefault.action
.- targetRef: # 2 kind: MeshSubset tags: kuma.io/zone: us-east
-
The action is
Allow
. All requests from the zoneus-east
will be allowed on all proxies.default: # 3 action: Allow
-
TargetRef
inside thefrom
array selects proxies that have tagskuma.io/zone: us-east
. These proxies will be subjected to the action fromdefault.action
.- targetRef: # 4 kind: MeshSubset tags: env: dev
-
The action is
Deny
. All requests from the envdev
will be denied on all proxies.default: # 5 action: Deny
Order of rules inside the
from
array matters. Request from the proxy that has bothkuma.io/zone: east
andenv: dev
will be denied. This is because the rule withDeny
is later in thefrom
array than anyAllow
rules.