Data plane proxy membership

Data plane proxy membership constraints let us define a set of rules that are evaluated when a data plane proxy joins a mesh.

Constraints contain two lists:

  • Requirements - a data plane proxy has to fulfill at least one requirement to join a mesh. A requirement is a set of tags, and every tag in that set must match; listing several requirements means a proxy only needs to match one of them.
  • Restrictions - a data plane proxy cannot fulfill any restriction to join a mesh. A proxy fulfills a restriction when all of its tags match.

Keep in mind that membership rules are enforced only when a data plane proxy joins; proxies already in the mesh are not re-evaluated. If we add rules that existing data plane proxies violate, we need to find those proxies and remove them from the mesh manually.

Usage

Kubernetes

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags: # set of required tags. You can specify '*' in value to require non-empty value of tag
          kuma.io/zone: east
      restrictions:
      - tags: # set of restricted tags. You can specify '*' in value to restrict tag with any value
          kuma.io/service: backend
```

Universal

```yaml
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags: # set of required tags. You can specify '*' in value to require non-empty value of tag
        kuma.io/zone: east
    restrictions:
    - tags: # set of restricted tags. You can specify '*' in value to restrict tag with any value
        kuma.io/service: backend
```
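The following script is an added example, not code from Kuma itself. It implements the matching rules described above as this page states them (a proxy must satisfy at least one requirement, where all tags within a requirement must match; it must not fully match any restriction; a value of '*' means the tag is present with a non-empty value) and uses them to audit a set of proxies. Since Kuma only checks constraints at join time, running a check like this over the tag sets of proxies that have already joined tells you which ones you would have to remove by hand after tightening the rules. The proxy names and tag sets below are constructed for the example, standing in for what you would pull from `kumactl get dataplanes`; the constraint dictionary mirrors the `dataplaneProxy` block of the Usage example.

```python
"""Evaluate Kuma dataplaneProxy membership constraints against proxy tag sets.

Added example, not Kuma's own code. The semantics follow the page's
description: requirements are ORed across entries and ANDed within an entry,
any fully matched restriction rejects, and '*' means "present and non-empty".
"""

WILDCARD = "*"


def tags_match(selector, proxy_tags):
    """True when every tag in the selector is satisfied by the proxy's tags.

    '*' requires the tag to be present with a non-empty value; any other
    value must match exactly. Tags are ANDed within one selector.
    """
    for key, wanted in selector.items():
        actual = proxy_tags.get(key, "")
        if wanted == WILDCARD:
            if actual == "":
                return False
        elif actual != wanted:
            return False
    return True


def evaluate(constraints, proxy_tags):
    """Return (allowed, reason) for one proxy against a dataplaneProxy block.

    constraints mirrors spec.constraints.dataplaneProxy:
      {"requirements": [{"tags": {...}}, ...],
       "restrictions": [{"tags": {...}}, ...]}
    An empty or missing requirements list imposes no requirement.
    """
    requirements = constraints.get("requirements") or []
    restrictions = constraints.get("restrictions") or []

    if requirements and not any(tags_match(r["tags"], proxy_tags) for r in requirements):
        return False, "no requirement satisfied"
    for r in restrictions:
        if tags_match(r["tags"], proxy_tags):
            return False, f"matches restriction {r['tags']}"
    return True, "ok"


def audit(constraints, proxies):
    """Names of proxies (in input order) that the constraints would reject."""
    return [name for name, tags in proxies.items() if not evaluate(constraints, tags)[0]]


# Constraints taken from the Usage example on this page.
USAGE_CONSTRAINTS = {
    "requirements": [{"tags": {"kuma.io/zone": "east"}}],
    "restrictions": [{"tags": {"kuma.io/service": "backend"}}],
}

# Constructed sample data (hypothetical proxy names and tags) standing in
# for the tag sets of proxies already present in the mesh.
SAMPLE_PROXIES = {
    "web-east": {"kuma.io/service": "web", "kuma.io/zone": "east"},
    "backend-east": {"kuma.io/service": "backend", "kuma.io/zone": "east"},
    "web-west": {"kuma.io/service": "web", "kuma.io/zone": "west"},
    "web-nozone": {"kuma.io/service": "web"},
}

if __name__ == "__main__":
    for name, tags in SAMPLE_PROXIES.items():
        allowed, reason = evaluate(USAGE_CONSTRAINTS, tags)
        print(f"{name:14} {'ALLOW' if allowed else 'REJECT':6} {reason}")
    print("would be rejected:", audit(USAGE_CONSTRAINTS, SAMPLE_PROXIES))
```

To use it against a live mesh, replace `SAMPLE_PROXIES` with the inbound tags of each Dataplane resource and paste the `requirements` and `restrictions` lists from your Mesh. Note that on Universal the tags are whatever the Dataplane definition declares, so a requirement on a user-chosen tag such as `team` enforces hygiene rather than acting as a security boundary.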

Example use cases

Restrict which Pods in Kubernetes namespaces can join a Mesh

Kubernetes

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          k8s.kuma.io/namespace: ns-1
      - tags:
          k8s.kuma.io/namespace: ns-2
```

Universal

```yaml
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        k8s.kuma.io/namespace: ns-1
    - tags:
        k8s.kuma.io/namespace: ns-2
```

By default, any Pod can join any mesh by changing its kuma.io/mesh annotation. We can restrict that by relying on the autogenerated k8s.kuma.io/namespace tag, which the control plane derives from the Pod's actual namespace rather than from anything the workload sets itself. Because the two requirements are alternatives, in this example only data plane proxies from the ns-1 or ns-2 namespace can join the default mesh. If there is another mesh without any requirements, Pods from the ns-1 and ns-2 namespaces can also join that mesh.

Enforce consistency of tags

Kubernetes

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          team: '*'
          cloud: '*'
      restrictions:
      - tags:
          legacy: '*'
```

Universal

```yaml
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        team: '*'
        cloud: '*'
    restrictions:
    - tags:
        legacy: '*'
```

By using these constraints, we can enforce consistency of tags across a Kuma deployment. With the example above, every data plane proxy must have non-empty team and cloud tags (both, since they sit in the same requirement) and must not have a legacy tag with any value.

Multizone mesh segmentation

Kubernetes

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/zone: east
---
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: demo
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/zone: west
```

Universal

```yaml
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/zone: east
---
type: Mesh
name: demo
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/zone: west
```

This way, only data plane proxies from the east zone can join the default mesh and only data plane proxies from the west zone can join the demo mesh.