我的书签
添加书签
移除书签How Kuma chooses the right policy to apply
At any single moment, there might be multiple policies (of the same type) that match a connection between sources and destinations Dataplanes.
E.g., there might be a catch-all policy that sets the baseline for your organization
type: TrafficLogmesh: defaultname: catch-all-policysources:- match:service: '*'destinations:- match:service: '*'conf:backend: logstash
Additionally, there might be a more focused use case-specific policy, e.g.
type: TrafficLogmesh: defaultname: web-to-backend-policysources:- match:service: webcloud: awsregion: usdestinations:- match:service: backendconf:backend: splunk
What does Kuma do when it encounters multiple matching policies ?
The answer depends on policy type:
- since
TrafficPermissionrepresents a grant of access given to a particular clientservice,Kumaconceptually “aggregates” all such grants by applying ALLTrafficPermissionpolicies that match a connection betweensourcesanddestinationsDataplanes - for other policy types -
TrafficRoute,TrafficLog,HealthCheck- conceptual “aggregation” would be too complex for users to always keep in mind; that is whyKumachooses and applies only “the most specific” matching policy in that case
Going back to 2 TrafficLog policies described above:
- for connections between
webandbackendDataplanesKumawill choose and applyweb-to-backend-policypolicy as “the most specific” in that case - for connections between all other dataplanes
Kumawill choose and applycatch-all-policypolicy as “the most specific” in that case
“The most specific” policy is defined according to the following rules:
a policy that matches a connection between 2
Dataplanes by a greater number of tags is “more specific”E.g.,
web-to-backend-policypolicy matches a connection between 2Dataplanes by 4 tags (3 tags onsourcesand 1 tag ondestinations), whilecatch-all-policymatches only by 2 tags (1 tag onsourcesand 1 tag ondestinations)a policy that matches by the exact tag value is more specific than policy that matches by a
'*'(wildcard) tag valueE.g.,
web-to-backend-policypolicy matchessourcesbyservice: web, whilecatch-all-policymatches byservice: *if 2 policies match a connection between 2
Dataplanes by the same number of tags, then the one with a greater total number of matches by the exact tag value is “more specific” than the otherif 2 policies match a connection between 2
Dataplanes by the same number of tags, and the total number of matches by the exact tag value is the same for both policies, and the total number of matches by a'*'(wildcard) tag value is the same for both policies, then a “more specific” policy is the one whoose name comes first when ordered alphabetically
E.g.,
match by a greater number of tags
sources:- match:service: '*'cloud: awsregion: usdestinations:- match:service: '*'
is “more specific” than
sources:- match:service: '*'destinations:- match:service: '*'
match by the exact tag value
sources:- match:service: webdestinations:- match:service: backend
is “more specific” than a match by a
'*'(wildcard)sources:- match:service: '*'destinations:- match:service: '*'
match with a greater total number of matches by the exact tag value
sources:- match:service: webversion: v1destinations:- match:service: backend
is “more specific” than
sources:- match:service: webversion: '*'destinations:- match:service: backend
when 2 matches are otherwise “equally specific”
name: policy-1sources:- match:service: webversion: v1destinations:- match:service: backend
policy-1is considered “more specific” only due to the alphabetical order of names"policy-1"and"policy-2"name: policy-2sources:- match:service: webdestinations:- match:service: backendcloud: aws
