Traffic Permissions

This policy provides access control rules to define the traffic that is allowed within the Mesh.

Traffic permissions requires Mutual TLS enabled on the Mesh. Mutual TLS is required for Kuma to validate the service identity with data plane proxy certificates. If Mutual TLS is disabled, Kuma allows all service traffic.

The default TrafficPermission policy that Kuma creates when you install allows all communication between all services in the new Mesh. Make sure to configure your policies to allow appropriate access to each of the services in your mesh.

As of version 1.2.0, traffic permissions support the ExternalService resource. This lets you configure access control for traffic to services outside the mesh.

Usage

To specify which source services can consume which destination services, provide the appropriate values for kuma.io/service. This value is required for sources and destinations.

Match all: You can match any value of a tag by using * — for example, like version: '*'.

  1. apiVersion: kuma.io/v1alpha1
  2. kind: TrafficPermission
  3. mesh: default
  4. metadata:
  5. name: allow-all-traffic
  6. spec:
  7. sources:
  8. - match:
  9. kuma.io/service: '*'
  10. destinations:
  11. - match:
  12. kuma.io/service: '*'

Apply the configuration with kubectl apply -f [..].

  1. type: TrafficPermission
  2. name: allow-all-traffic
  3. mesh: default
  4. sources:
  5. - match:
  6. kuma.io/service: '*'
  7. destinations:
  8. - match:
  9. kuma.io/service: '*'

Apply the configuration with kumactl apply -f [..] or with the HTTP API.

You can use any Tag with the sources and destinations selectors. This approach supports fine-grained access control that lets you define the right levels of security for your services.

Access to External Services

The TrafficPermission policy can also be used to restrict traffic to services outside the mesh.

Prerequisites

These settings lock down traffic to and from the mesh, which means that requests to any unknown destination are not allowed. The mesh can’t rely on mTLS, because there is no data plane proxy on the destination side.

Usage

First, define the ExternalService for a service that is not in the mesh.

  1. apiVersion: kuma.io/v1alpha1
  2. kind: ExternalService
  3. mesh: default
  4. metadata:
  5. name: httpbin
  6. spec:
  7. tags:
  8. kuma.io/service: httpbin
  9. kuma.io/protocol: http
  10. networking:
  11. address: httpbin.org:443
  12. tls:
  13. enabled: true
  1. type: ExternalService
  2. mesh: default
  3. name: httpbin
  4. tags:
  5. kuma.io/service: httpbin
  6. kuma.io/protocol: http
  7. networking:
  8. address: httpbin.org:443
  9. tls:
  10. enabled: true

Then apply the TrafficPermission policy. In the destination section, specify all the tags defined in ExternalService.

For example, to enable the traffic from the data plane proxies of service web or backend to the new ExternalService, apply:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: TrafficPermission
  3. mesh: default
  4. metadata:
  5. name: backend-to-httpbin
  6. spec:
  7. sources:
  8. - match:
  9. kuma.io/service: web
  10. - match:
  11. kuma.io/service: backend
  12. destinations:
  13. - match:
  14. kuma.io/service: httpbin
  1. type: TrafficPermission
  2. name: backend-to-httpbin
  3. mesh: default
  4. sources:
  5. - match:
  6. kuma.io/service: web
  7. - match:
  8. kuma.io/service: backend
  9. destinations:
  10. - match:
  11. kuma.io/service: httpbin

Remember, the ExternalService follows the same rules for matching policies as any other service in the mesh — Kuma selects the most specific TrafficPermission for every ExternalService.