Traffic Permissions
New to Kong Mesh? Don’t use this, check the
MeshTrafficPermission
policy instead.
Traffic Permissions is an inbound policy. Dataplanes whose configuration is modified are in the
destinations
matcher.
This policy provides access control rules to define the traffic that is allowed within the Mesh.
Traffic permissions requires Mutual TLS enabled on the Mesh. Mutual TLS is required for Kong Mesh to validate the service identity with data plane proxy certificates. If Mutual TLS is disabled, Kong Mesh allows all service traffic.
The default TrafficPermission
policy that Kong Mesh creates when you install allows all communication between all services in the new Mesh
. Make sure to configure your policies to allow appropriate access to each of the services in your mesh.
As of version 1.2.0, traffic permissions support the ExternalService
resource. This lets you configure access control for traffic to services outside the mesh.
Usage
To specify which source services can consume which destination services, provide the appropriate values for kuma.io/service
. This value is required for sources and destinations.
Match all: You can match any value of a tag by using
*
– for example, likeversion: '*'
.
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
name: allow-all-traffic
spec:
sources:
- match:
kuma.io/service: '*'
destinations:
- match:
kuma.io/service: '*'
Apply the configuration with kubectl apply -f [..]
.
You can use any Tag with the sources
and destinations
selectors. This approach supports fine-grained access control that lets you define the right levels of security for your services.
Access to External Services
The TrafficPermission
policy can also be used to restrict traffic to services outside the mesh.
Prerequisites
- Kong Mesh deployed with transparent proxying
-
Mesh
configured to disable passthrough mode
These settings lock down traffic to and from the mesh, which means that requests to any unknown destination are not allowed. The mesh can’t rely on mTLS, because there is no data plane proxy on the destination side.
Usage
First, define the ExternalService
for a service that is not in the mesh.
apiVersion: kuma.io/v1alpha1
kind: ExternalService
mesh: default
metadata:
name: httpbin
spec:
tags:
kuma.io/service: httpbin
kuma.io/protocol: http
networking:
address: httpbin.org:443
tls:
enabled: true
Then apply the TrafficPermission
policy. In the destination section, specify all the tags defined in ExternalService
.
For example, to enable the traffic from the data plane proxies of service web
or backend
to the new ExternalService
, apply:
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
name: backend-to-httpbin
spec:
sources:
- match:
kuma.io/service: web_default_svc_80
- match:
kuma.io/service: backend_default_svc_80
destinations:
- match:
kuma.io/service: httpbin
Remember, the ExternalService
follows the same rules for matching policies as any other service in the mesh – Kong Mesh selects the most specific TrafficPermission
for every ExternalService
.
All options
$schema: http://json-schema.org/draft-04/schema#
$ref: #/definitions/TrafficPermission
definitions
TrafficPermission
- ## Traffic Permission
- TrafficPermission defines permission for traffic between dataplanes.
- Type:
object
- This schema accepts additional properties.
- Properties
- sources
- List of selectors to match dataplanes that are sources of traffic.
- Type:
array
- Items
- $ref: #/definitions/kuma.mesh.v1alpha1.Selector
- destinations
- List of selectors to match services that are destinations of traffic.
- Type:
array
- Items
- $ref: #/definitions/kuma.mesh.v1alpha1.Selector
- sources
kuma.mesh.v1alpha1.Selector
- ## Selector
- Selector defines structure for selecting tags for given dataplane
- Type:
object
- This schema accepts additional properties.
- Properties
- match
- Tags to match, can be used for both source and destinations
- Type:
object
- This schema accepts additional properties.
- Properties
- match
Generated with json-schema-md-doc