Non-mesh traffic
Incoming
When mTLS is enabled, clients from outside the mesh can’t reach the applications inside the mesh. If you want to allow external clients to consume mesh services see the Permissive mTLS mode.
Without Transparent Proxying
TLS check on Envoy can be bypassed. You should take action to secure the application ports.
Outgoing
In its default setup, Kuma allows any non-mesh traffic to pass Envoy without applying any policy. For instance if a service needs to send a request to http://example.com
, all requests won’t be logged even if a traffic logging is enabled in the mesh where the service is deployed. The passthrough mode is enabled by default on all the dataplane proxies in transparent mode in a Mesh. This behavior can be changed by setting the networking.outbound.passthrough
in the Mesh resource. Example:
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
name: default
spec:
networking:
outbound:
passthrough: false
type: Mesh
name: default
networking:
outbound:
passthrough: false
When networking.outbound.passthrough
is false
, no traffic to any non-mesh resource can leave the Mesh.
Since version 2.8.x, you can take advantage of a new policy, MeshPassthrough, which allows you to enable passthrough traffic for a specific group of sidecars and only for specific destinations.
Before setting networking.outbound.passthrough
to false
, double-check Envoy stats that no traffic is flowing through pass_through
cluster. Otherwise, you will block the traffic which may cause the instability of the system.
Policies don’t apply to non-mesh traffic
If you need to change configuration for non-mesh traffic you can use a MeshProxyPatch.
Circuit Breaker
Default values:
maxConnections: 1024
maxPendingRequests: 1024
maxRequests: 1024
maxRetries: 3
MeshProxyPatch to change the defaults:
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-mpp-1
namespace: kuma-system
labels:
kuma.io/mesh: default
spec:
targetRef:
kind: Mesh
default:
appendModifications:
- cluster:
operation: Patch
match:
name: outbound:passthrough:ipv4
value: |
circuit_breakers: {
thresholds: [
{
max_connections: 2048,
max_pending_requests: 2048,
max_requests: 2048,
max_retries: 4
}
]
}
type: MeshProxyPatch
mesh: default
name: custom-mpp-1
spec:
targetRef:
kind: Mesh
default:
appendModifications:
- cluster:
operation: Patch
match:
name: outbound:passthrough:ipv4
value: |
circuit_breakers: {
thresholds: [
{
max_connections: 2048,
max_pending_requests: 2048,
max_requests: 2048,
max_retries: 4
}
]
}
Timeouts
Default values:
connectTimeout: 10s
tcp:
idleTimeout: 1h
MeshProxyPatch to change the defaults:
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-mpp-1
namespace: kuma-system
labels:
kuma.io/mesh: default
spec:
targetRef:
kind: Mesh
default:
appendModifications:
- cluster:
operation: Patch
match:
name: outbound:passthrough:ipv4
jsonPatches:
- op: replace
path: "/connectTimeout"
value: 99s
- networkFilter:
operation: Patch
match:
name: envoy.filters.network.tcp_proxy
listenerName: outbound:passthrough:ipv4
value: |
name: envoy.filters.network.tcp_proxy
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
idleTimeout: "3h"
type: MeshProxyPatch
mesh: default
name: custom-mpp-1
spec:
targetRef:
kind: Mesh
default:
appendModifications:
- cluster:
operation: Patch
match:
name: outbound:passthrough:ipv4
jsonPatches:
- op: replace
path: "/connectTimeout"
value: 99s
- networkFilter:
operation: Patch
match:
name: envoy.filters.network.tcp_proxy
listenerName: outbound:passthrough:ipv4
value: |
name: envoy.filters.network.tcp_proxy
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
idleTimeout: "3h"