Create multiple service meshes in a cluster
This resource describes a very important concept in Kong Mesh, and that is the ability of creating multiple isolated service meshes within the same Kong Mesh cluster which in turn make Kong Mesh a very simple and easy project to operate in environments where more than one mesh is required based on security, segmentation or governance requirements.
Typically we would want to create a
Mesh per line of business, per team, per application or per environment or for any other reason. Typically multiple meshes are being created so that a service mesh can be adopted by an organization with a gradual roll-out that doesn’t require all the teams and their applications to coordinate with each other, or as an extra layer of security and segmentation for our services so that - for example - policies applied to one
Mesh do not affect another
Mesh is the parent resource of every other resource in Kong Mesh, including:
In order to use Kong Mesh at least one
Mesh must exist, and there is no limit to the number of Meshes that can be created. When a data plane proxy connects to the control plane (
kuma-cp) it specifies to what
Mesh resource it belongs: a data plane proxy can only belong to one
Mesh at a time.
When starting a new Kong Mesh cluster from scratch a
defaultMesh is being created automatically.
Besides the ability of being able to create virtual service mesh, a
Mesh resource will also be used for:
- Mutual TLS, to secure and encrypt our service traffic and assign an identity to the data plane proxies within the Mesh.
- Traffic Metrics, to setup metrics backend that will be used to collect and visualize metrics of our service mesh and service traffic within the Mesh.
- Traffic Trace, to setup tracing backends that will be used to collect traces of our service traffic within the Mesh.
- Zone Egress
, to setup if
ZoneEgressshould be used for cross zone and external service communication.
- Non-mesh traffic, to setup if
passthroughmode should be used for the non-mesh traffic.
When Mutual TLS is enabled in
builtin mode, each
Mesh will provision its own CA root certificate and key unless we explicitly decide to use the same CA by sharing the same certificate and key across multiple meshes. When the CAs of our Meshes are different, data plane proxies from one
Mesh will not be able to consume data plane proxies belonging to another
Mesh and an intermediate API Gateway must be used in order to enable cross-mesh communication. Kong Mesh supports a gateway mode to make this happen.
The easiest way to create a
Mesh is to specify its
name. The name of a Mesh must be unique.
Creating resources in a Mesh
It is possible to determine to what
Mesh other resources belong to in the following ways.
Data plane proxies
Every time we start a data plane proxy, we need to specify to what
Mesh it belongs, this can be done in the following way:
You can control which data plane proxies are allowed to join the mesh using mesh constraints.
When creating new Policies we also must specify to what
Mesh they belong. This can be done in the following way: