MeshTrafficPermission

This policy uses new policy matching algorithm. Do not combine with TrafficPermission.

Mutual TLS has to be enabled to make MeshTrafficPermission work.

The MeshTrafficPermission policy provides access control within the Mesh. It allows you to define granular rules about which services can communicate with each other.

TargetRef support matrix

If you don’t understand this table you should read matching docs.

Configuration

Action

Kong Mesh allows configuring one of 3 actions for a group of service’s clients:

• Allow - allows incoming requests matching the from targetRef.
• Deny - denies incoming requests matching the from targetRef
• AllowWithShadowDeny - same as Allow but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.

Examples

Service ‘payments’ allows requests from ‘orders’

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-orders
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: payments
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/service: orders
    default:
      action: Allow

type: MeshTrafficPermission
name: allow-orders
mesh: default
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: payments
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/service: orders
    default:
      action: Allow

resource "konnect_mesh_traffic_permission" "allow_orders" {
  provider = konnect-beta
  type = "MeshTrafficPermission"
  name = "allow-orders"
  spec = {
    target_ref = {
      kind = "Dataplane"
      labels = {
        app = "payments"
      }
    }
    from = [
      {
        target_ref = {
          kind = "MeshSubset"
          tags = {
            kuma.io/service = "orders"
          }
        }
        default = {
          action = "Allow"
        }
      }
    ]
  }
  labels   = {
    "kuma.io/mesh" = konnect_mesh.my_mesh.name
  }
  cp_id    = konnect_mesh_control_plane.my_meshcontrolplane.id
  mesh     = konnect_mesh.my_mesh.name
}

Explanation

1. Top level targetRef selects data plane proxies that have app: payments label. MeshTrafficPermission allow-orders will be configured on these proxies.

    targetRef: # 1
      kind: Dataplane
      labels:
        app: payments
   

2. TargetRef inside the from array selects proxies that implement order service. These proxies will be subjected to the action from default.action.

    - targetRef: # 2
        kind: MeshSubset
        tags: 
          kuma.io/service: orders
   

3. The action is Allow. All requests from service orders will be allowed on service payments.

    default: # 3
      action: Allow
   

Deny all

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-all
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Deny

type: MeshTrafficPermission
name: deny-all
mesh: default
spec:
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Deny

resource "konnect_mesh_traffic_permission" "deny_all" {
  provider = konnect-beta
  type = "MeshTrafficPermission"
  name = "deny-all"
  spec = {
    from = [
      {
        target_ref = {
          kind = "Mesh"
        }
        default = {
          action = "Deny"
        }
      }
    ]
  }
  labels   = {
    "kuma.io/mesh" = konnect_mesh.my_mesh.name
  }
  cp_id    = konnect_mesh_control_plane.my_meshcontrolplane.id
  mesh     = konnect_mesh.my_mesh.name
}

Explanation

1. Since top level targetRef is empty it selects all proxies in the mesh.

2. TargetRef inside the from array selects all clients.

    - targetRef: # 2
        kind: Mesh
   

3. The action is Deny. All requests from all services will be denied on all proxies in the default mesh.

    default: # 3
      action: Deny
   

Allow all

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-all
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Allow

type: MeshTrafficPermission
name: allow-all
mesh: default
spec:
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Allow

resource "konnect_mesh_traffic_permission" "allow_all" {
  provider = konnect-beta
  type = "MeshTrafficPermission"
  name = "allow-all"
  spec = {
    from = [
      {
        target_ref = {
          kind = "Mesh"
        }
        default = {
          action = "Allow"
        }
      }
    ]
  }
  labels   = {
    "kuma.io/mesh" = konnect_mesh.my_mesh.name
  }
  cp_id    = konnect_mesh_control_plane.my_meshcontrolplane.id
  mesh     = konnect_mesh.my_mesh.name
}

Explanation

1. Since top level targetRef is empty it selects all proxies in the mesh.

2. targetRef inside the element of the from array selects all clients within the mesh.

    - targetRef: # 2
        kind: Mesh
   

3. The action is Allow. All requests from all services will be allow on all proxies in the default mesh.

    default: # 3
      action: Allow
   

Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: example-with-tags
  namespace: kuma-demo
  labels:
    kuma.io/mesh: default
spec:
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/zone: us-east
    default:
      action: Allow
  - targetRef:
      kind: MeshSubset
      tags:
        env: dev
    default:
      action: Deny

type: MeshTrafficPermission
name: example-with-tags
mesh: default
spec:
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/zone: us-east
    default:
      action: Allow
  - targetRef:
      kind: MeshSubset
      tags:
        env: dev
    default:
      action: Deny

resource "konnect_mesh_traffic_permission" "example_with_tags" {
  provider = konnect-beta
  type = "MeshTrafficPermission"
  name = "example-with-tags"
  spec = {
    from = [
      {
        target_ref = {
          kind = "MeshSubset"
          tags = {
            kuma.io/zone = "us-east"
          }
        }
        default = {
          action = "Allow"
        }
      },
      {
        target_ref = {
          kind = "MeshSubset"
          tags = {
            env = "dev"
          }
        }
        default = {
          action = "Deny"
        }
      }
    ]
  }
  labels   = {
    "kuma.io/mesh" = konnect_mesh.my_mesh.name
  }
  cp_id    = konnect_mesh_control_plane.my_meshcontrolplane.id
  mesh     = konnect_mesh.my_mesh.name
}

Explanation

1. Since top level targetRef is empty it selects all proxies in the mesh.

2. TargetRef inside the from array selects proxies that have label kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

    - targetRef: # 2
        kind: MeshSubset
        tags:
          kuma.io/zone: us-east
   

3. The action is Allow. All requests from the zone us-east will be allowed on all proxies.

    default: # 3
      action: Allow
   

4. TargetRef inside the from array selects proxies that have tags kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

    - targetRef: # 4
        kind: MeshSubset
        tags:
          env: dev
   

5. The action is Deny. All requests from the env dev will be denied on all proxies.

    default: # 5
      action: Deny
   

Order of rules inside the from array matters. Request from the proxy that has both kuma.io/zone: east and env: dev will be denied. This is because the rule with Deny is later in the from array than any Allow rules.

All policy options