Traffic Permissions

Traffic Permissions let you define security rules for services that consume other services, selected by their Tags. It is a very useful policy for increasing security in the Mesh and compliance in the organization.

You can determine what source services are allowed to consume specific destination services. The service field is mandatory in both sources and destinations.

In Kuma 0.1.0 the sources field only accepts the service tag, and only service will be enforced on the source side. This limitation will disappear in the next version of Kuma.

In the example below, the destinations selector includes not only the service tag but also an additional version tag. You can attach arbitrary tags to any Dataplane and match on them in the same way.

On Universal:

```yaml
type: TrafficPermission
name: permission-1
mesh: default
rules:
  - sources:
      - match:
          service: backend
    destinations:
      - match:
          service: redis
          version: "5.0"
```

On Kubernetes:

```yaml
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  namespace: default
  name: permission-1
spec:
  rules:
    - sources:
        - match:
            service: backend
      destinations:
        - match:
            service: redis
            version: "5.0"
```

Match-All: You can match any value of a tag by using `*`, like `version: "*"`. Quote the asterisk in YAML: a bare `*` is parsed as a YAML alias rather than a string.
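To make the selector semantics above concrete, here is an added example (written for this page, not Kuma's own code or API) that models how the permission-1 policy decides whether a source Dataplane may talk to a destination Dataplane. It assumes that a selector matches a Dataplane when every tag in the selector is present with the same value (with `*` accepting any value), that a connection is allowed only when some rule matches both sides, and that nothing matching means denied; the policy dicts mirror the YAML above, the second policy (`PERMISSION_ANY_REDIS`) and all Dataplane tag sets are constructed for illustration, and the `sources_service_only` flag models the Kuma 0.1.0 limitation that only `service` is enforced on sources.

```python
# Added example, not Kuma code: a minimal offline model of TrafficPermission
# matching. Semantics (all selector tags must be present and equal, "*"
# accepts any value, no matching rule means deny) are assumptions made to
# illustrate the page; verify them against the Kuma release you run.
from typing import Dict, List

MATCH_ALL = "*"

Selector = Dict[str, str]
Tags = Dict[str, str]


def selector_matches(selector: Selector, tags: Tags) -> bool:
    """True if every tag in the selector exists on the Dataplane with the
    same value. "*" matches any value, but the tag must still be present."""
    for key, wanted in selector.items():
        actual = tags.get(key)
        if actual is None:
            return False
        if wanted != MATCH_ALL and actual != wanted:
            return False
    return True


def validate_permission(policy: dict) -> List[str]:
    """Enforce the page's rule that 'service' is mandatory in every sources
    and destinations selector. Returns a list of problems (empty if valid)."""
    problems: List[str] = []
    for i, rule in enumerate(policy.get("rules", [])):
        for side in ("sources", "destinations"):
            selectors = rule.get(side) or []
            if not selectors:
                problems.append(f"rule[{i}]: '{side}' is empty")
            for j, sel in enumerate(selectors):
                if "service" not in sel.get("match", {}):
                    problems.append(f"rule[{i}].{side}[{j}]: 'service' tag is mandatory")
    return problems


def is_allowed(policies: List[dict], source: Tags, destination: Tags,
               sources_service_only: bool = False) -> bool:
    """Allowed if any rule in any policy has a sources selector matching the
    source Dataplane and a destinations selector matching the destination.
    sources_service_only=True models Kuma 0.1.0, where only 'service' is
    enforced on the source side (other source tags are ignored)."""
    for policy in policies:
        for rule in policy["rules"]:
            src_selectors = [s["match"] for s in rule["sources"]]
            if sources_service_only:
                src_selectors = [{"service": m["service"]} for m in src_selectors]
            dst_selectors = [d["match"] for d in rule["destinations"]]
            if any(selector_matches(s, source) for s in src_selectors) and \
               any(selector_matches(d, destination) for d in dst_selectors):
                return True
    return False  # assumption: no matching rule means the connection is denied


# The policy from the page, with the same content as the YAML above.
PERMISSION_1 = {
    "type": "TrafficPermission", "name": "permission-1", "mesh": "default",
    "rules": [{
        "sources": [{"match": {"service": "backend"}}],
        "destinations": [{"match": {"service": "redis", "version": "5.0"}}],
    }],
}

# Hypothetical variant (not from the page) showing match-all on a tag.
PERMISSION_ANY_REDIS = {
    "type": "TrafficPermission", "name": "permission-any-redis", "mesh": "default",
    "rules": [{
        "sources": [{"match": {"service": "backend"}}],
        "destinations": [{"match": {"service": "redis", "version": MATCH_ALL}}],
    }],
}

# Constructed Dataplane tag sets used as sample input.
BACKEND_V1 = {"service": "backend", "version": "1.0"}
FRONTEND = {"service": "frontend"}
REDIS_50 = {"service": "redis", "version": "5.0"}
REDIS_40 = {"service": "redis", "version": "4.0"}

if __name__ == "__main__":
    print("permission-1 problems:", validate_permission(PERMISSION_1))
    for src, dst in [(BACKEND_V1, REDIS_50), (BACKEND_V1, REDIS_40), (FRONTEND, REDIS_50)]:
        print(src["service"], "->", dst["service"], dst["version"],
              "allowed" if is_allowed([PERMISSION_1], src, dst) else "denied")
```

Running it shows backend reaching redis 5.0 only: redis 4.0 fails the version tag and frontend fails the service tag. Swapping in `PERMISSION_ANY_REDIS` opens every redis version to backend, and `sources_service_only=True` shows why, in 0.1.0, adding a `version` tag to a sources selector does not narrow the rule as the YAML might suggest.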