Traffic Permissions

This policy provides access control rules that can be applied on our service traffic to determine what traffic is allowed across the Mesh via configurable sources and destinations.

The TrafficPermission policy only works when Mutual TLS is enabled on the Mesh.

When Mutual TLS is disabled, Kuma will not enforce any TrafficPermission and by default it will allow all service traffic to work. Even if Mutual TLS is disabled, we can still create and edit TrafficPermission resources that will go into effect once Mutual TLS is enabled on the Mesh.

The reason why this policy only works when Mutual TLS is enabled in the Mesh is because only in this scenario Kuma can validate the identity of the service traffic via the usage of data plane proxy certificates.

On the other end when Mutual TLS is disabled, Kuma cannot extract the service identity from the request and therefore cannot perform any validation.

Usage

You can determine what source services are allowed to consume specific destination services. The service field is mandatory in both sources and destinations.

Match-All: You can match any value of a tag by using *, like version: '*'.

  1. apiVersion: kuma.io/v1alpha1
  2. kind: TrafficPermission
  3. mesh: default
  4. metadata:
  5. namespace: default
  6. name: allow-all-traffic
  7. spec:
  8. sources:
  9. - match:
  10. service: '*'
  11. destinations:
  12. - match:
  13. service: '*'

We will apply the configuration with kubectl apply -f [..].

  1. type: TrafficPermission
  2. name: allow-all-traffic
  3. mesh: default
  4. sources:
  5. - match:
  6. service: '*'
  7. destinations:
  8. - match:
  9. service: '*'

We will apply the configuration with kumactl apply -f [..] or via the HTTP API.

You can use any Tag in the destinations selector, which makes TrafficPermissions quite powerful when it comes to creating a secure environment for our services.

For the time being the sources field only allows the service tag. This limitation will be removed in the future.