Configure data plane proxy membership
Data plane proxy membership constraints let us define a set of rules that are executed when a data plane proxy is joining a mesh.
Constraints contains two lists:
- Requirements - a data plane proxy has to fulfill at least one requirement to join a mesh.
- Restrictions - a data plane proxy cannot fulfill any restriction to join a mesh.
Keep in mind that membership rules are enforced only on new data plane proxies.
If we put rules that existing data plane proxies violate, we need to remove them manually from the mesh.
Example use cases
Restrict which Pods in Kubernetes namespaces can join a Mesh
By default, any Pod can join any mesh by changing its
We can restrict that by relying on autogenerated
In this example, only data plane proxies from
ns-2 can join a
If there is another mesh without any requirements, Pods from
ns-2 namespaces can also join that mesh.
By using these constraints, we can enforce consistency of tags in Kong Mesh deployment.
With the example above, every data plane proxy must have non-empty
cloud tags and cannot have
Multizone mesh segmentation
This way, only data plane proxies from the
east zone can join
default mesh and only data plane proxies from the
west zone can join