Configure data plane proxy membership
Data plane proxy membership constraints let us define a set of rules that are evaluated when a data plane proxy joins a mesh.
Constraints contain two lists:
- Requirements - a data plane proxy has to fulfill at least one requirement to join a mesh.
- Restrictions - a data plane proxy must not fulfill any restriction to join a mesh.
Keep in mind that membership rules are enforced only on new data plane proxies. If we add rules that already-joined data plane proxies violate, the control plane does not evict them; we need to remove them from the mesh manually.
Usage
Kubernetes:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags: # set of required tags; use '*' as the value to require any non-empty value of the tag
            kuma.io/zone: east
      restrictions:
        - tags: # set of restricted tags; use '*' as the value to restrict the tag with any value
            kuma.io/service: backend
Universal:
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags: # set of required tags; use '*' as the value to require any non-empty value of the tag
          kuma.io/zone: east
    restrictions:
      - tags: # set of restricted tags; use '*' as the value to restrict the tag with any value
          kuma.io/service: backend
Example use cases
Restrict which Pods in Kubernetes namespaces can join a Mesh
Kubernetes:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            k8s.kuma.io/namespace: ns-1 # tag autogenerated by Kuma on Kubernetes
        - tags:
            k8s.kuma.io/namespace: ns-2
Universal:
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          k8s.kuma.io/namespace: ns-1
      - tags:
          k8s.kuma.io/namespace: ns-2
By default, any Pod can join any mesh by changing its kuma.io/mesh annotation. We can restrict that by relying on the autogenerated k8s.kuma.io/namespace tag. In this example, only data plane proxies from the ns-1 and ns-2 namespaces can join the default mesh. If there is another mesh without any requirements, Pods from ns-1 and ns-2 can also join that mesh.
Enforce consistency of tags
Kubernetes:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            team: '*'
            cloud: '*'
      restrictions:
        - tags:
            legacy: '*'
Universal:
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          team: '*'
          cloud: '*'
    restrictions:
      - tags:
          legacy: '*'
By using these constraints, we can enforce consistency of tags across a Kuma deployment. With the example above, every data plane proxy must have non-empty team and cloud tags and must not have a legacy tag.
Multizone mesh segmentation
Kubernetes:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            kuma.io/zone: east
---
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: demo
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            kuma.io/zone: west
Universal:
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags:
        kuma.io/zone: east
---
type: Mesh
name: demo
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          kuma.io/zone: west
This way, only data plane proxies from the east zone can join the default mesh, and only data plane proxies from the west zone can join the demo mesh.
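Because the control plane checks these rules only when a proxy joins, the membership semantics described at the top of this page (at least one requirement must match, no restriction may match, '*' means any non-empty value) are worth re-applying yourself to proxies that are already in the mesh. The following added example (not part of Kuma or of this page) does that against a constructed inventory of tag sets; it assumes each requirement or restriction entry is a whole selector, so all of its tags must match for the entry to apply.

```python
from typing import Dict, List

# Constraints mirroring the "Enforce consistency of tags" Mesh above, as a
# constructed dict (in practice you would load them from the Mesh resource).
CONSTRAINTS = {
    "requirements": [{"tags": {"team": "*", "cloud": "*"}}],
    "restrictions": [{"tags": {"legacy": "*"}}],
}

# Constructed inventory of proxies that already joined the mesh.
DATAPLANES = {
    "web-1": {"kuma.io/service": "web", "team": "payments", "cloud": "aws"},
    "db-1": {"kuma.io/service": "db", "team": "payments"},           # no cloud tag
    "old-1": {"kuma.io/service": "old", "team": "ops", "cloud": "gcp",
              "legacy": "true"},                                    # restricted tag
}

def tag_matches(dp_tags: Dict[str, str], key: str, want: str) -> bool:
    """'*' matches any non-empty value of the tag; anything else is an exact match."""
    value = dp_tags.get(key, "")
    return value != "" if want == "*" else value == want

def entry_matches(dp_tags: Dict[str, str], entry: Dict[str, str]) -> bool:
    """A requirement or restriction entry applies only when all of its tags match
    (assumed: entries are whole selectors, not independent per-tag rules)."""
    return all(tag_matches(dp_tags, k, v) for k, v in entry.items())

def rejection_reasons(dp_tags: Dict[str, str], constraints: dict) -> List[str]:
    """Return why a proxy would be refused membership; an empty list means it may join."""
    reasons = []
    requirements = [r["tags"] for r in constraints.get("requirements", [])]
    restrictions = [r["tags"] for r in constraints.get("restrictions", [])]
    # Requirements: with none defined every proxy is accepted, otherwise at least one must match.
    if requirements and not any(entry_matches(dp_tags, e) for e in requirements):
        reasons.append("no requirement satisfied")
    # Restrictions: matching any single restriction is enough to refuse the proxy.
    for entry in restrictions:
        if entry_matches(dp_tags, entry):
            reasons.append(f"matches restriction {entry}")
    return reasons

def audit(dataplanes: Dict[str, Dict[str, str]], constraints: dict) -> Dict[str, List[str]]:
    """Flag already-joined proxies that the control plane will not evict on its own."""
    return {name: rejection_reasons(tags, constraints) for name, tags in dataplanes.items()}

if __name__ == "__main__":
    for name, reasons in audit(DATAPLANES, CONSTRAINTS).items():
        print(name, "ok" if not reasons else "; ".join(reasons))
```

Running it flags db-1 (missing cloud tag) and old-1 (carries the restricted legacy tag) as proxies that would no longer be admitted and therefore need manual removal.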