MeshTrafficPermission

This policy uses new policy matching algorithm. Do not combine with TrafficPermission.

TargetRef support matrix

targetRefAllowed kinds
targetRef.kindMesh, MeshSubset, MeshService, MeshServiceSubset
from[].targetRef.kindMesh, MeshSubset, MeshServiceSubset

MeshTrafficPermission isn’t supported on builtin gateways. If applied via spec.targetRef.kind: MeshService, it has no effect.

MeshTrafficPermission isn’t supported on delegated gateways.

If you don’t understand this table you should read matching docs.

Configuration

Action

Kuma allows configuring one of 3 actions for a group of service’s clients:

  • Allow - allows incoming requests matching the from targetRef.
  • Deny - denies incoming requests matching the from targetRef
  • AllowWithShadowDeny - same as Allow but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.

Examples

Service ‘payments’ allows requests from ‘orders’

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshTrafficPermission
  3. metadata:
  4. namespace: kuma-system
  5. name: allow-orders
  6. spec:
  7. targetRef: # 1
  8. kind: MeshService
  9. name: payments
  10. from:
  11. - targetRef: # 2
  12. kind: MeshSubset
  13. tags:
  14. kuma.io/service: orders
  15. default: # 3
  16. action: Allow
  1. type: MeshTrafficPermission
  2. name: allow-orders
  3. mesh: default
  4. spec:
  5. targetRef: # 1
  6. kind: MeshService
  7. name: payments
  8. from:
  9. - targetRef: # 2
  10. kind: MeshSubset
  11. tags:
  12. kuma.io/service: orders
  13. default: # 3
  14. action: Allow

Explanation

  1. Top level targetRef selects data plane proxies that implement payments service. MeshTrafficPermission allow-orders will be configured on these proxies.

    1. targetRef: # 1
    2. kind: MeshService
    3. name: payments
  2. TargetRef inside the from array selects proxies that implement order service. These proxies will be subjected to the action from default.action.

    1. - targetRef: # 2
    2. kind: MeshSubset
    3. tags:
    4. kuma.io/service: orders
  3. The action is Allow. All requests from service orders will be allowed on service payments.

    1. default: # 3
    2. action: Allow

Deny all

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshTrafficPermission
  3. metadata:
  4. namespace: kuma-system
  5. name: deny-all
  6. spec:
  7. targetRef: # 1
  8. kind: Mesh
  9. from:
  10. - targetRef: # 2
  11. kind: Mesh
  12. default: # 3
  13. action: Deny
  1. type: MeshTrafficPermission
  2. name: deny-all
  3. mesh: default
  4. spec:
  5. targetRef: # 1
  6. kind: Mesh
  7. from:
  8. - targetRef: # 2
  9. kind: Mesh
  10. default: # 3
  11. action: Deny

Explanation

  1. Top level targetRef selects all proxies in the mesh.

    1. targetRef: # 1
    2. kind: Mesh
  2. TargetRef inside the from array selects all clients.

    1. - targetRef: # 2
    2. kind: Mesh
  3. The action is Deny. All requests from all services will be denied on all proxies in the default mesh.

    1. default: # 3
    2. action: Deny

Allow all

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshTrafficPermission
  3. metadata:
  4. name: allow-all
  5. namespace: kuma-system
  6. labels:
  7. kuma.io/mesh: default
  8. spec:
  9. targetRef:
  10. kind: Mesh
  11. from:
  12. - targetRef:
  13. kind: Mesh
  14. default:
  15. action: Allow
  1. type: MeshTrafficPermission
  2. name: allow-all
  3. mesh: default
  4. spec:
  5. targetRef:
  6. kind: Mesh
  7. from:
  8. - targetRef:
  9. kind: Mesh
  10. default:
  11. action: Allow

Explanation

  1. Top level targetRef selects all proxies in the mesh.

    1. targetRef: # 1
    2. kind: Mesh
  2. targetRef inside the element of the from array selects all clients within the mesh.

    1. - targetRef: # 2
    2. kind: Mesh
  3. The action is Allow. All requests from all services will be allow on all proxies in the default mesh.

    1. default: # 3
    2. action: Allow

Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshTrafficPermission
  3. metadata:
  4. namespace: kuma-system
  5. name: example-with-tags
  6. spec:
  7. targetRef: # 1
  8. kind: Mesh
  9. from:
  10. - targetRef: # 2
  11. kind: MeshSubset
  12. tags:
  13. kuma.io/zone: us-east
  14. default: # 3
  15. action: Allow
  16. - targetRef: # 4
  17. kind: MeshSubset
  18. tags:
  19. env: dev
  20. default: # 5
  21. action: Deny

Apply the configuration with kubectl apply -f [..].

  1. type: MeshTrafficPermission
  2. name: example-with-tags
  3. mesh: default
  4. spec:
  5. targetRef: # 1
  6. kind: Mesh
  7. from:
  8. - targetRef: # 2
  9. kind: MeshSubset
  10. tags:
  11. kuma.io/zone: us-east
  12. default: # 3
  13. action: Allow
  14. - targetRef: # 4
  15. kind: MeshSubset
  16. tags:
  17. env: dev
  18. default: # 5
  19. action: Deny

Apply the configuration with kumactl apply -f [..] or with the HTTP API.

Explanation

  1. Top level targetRef selects all proxies in the mesh.

    1. targetRef: # 1
    2. kind: Mesh
  2. TargetRef inside the from array selects proxies that have label kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

    1. - targetRef: # 2
    2. kind: MeshSubset
    3. tags:
    4. kuma.io/zone: us-east
  3. The action is Allow. All requests from the zone us-east will be allowed on all proxies.

    1. default: # 3
    2. action: Allow
  4. TargetRef inside the from array selects proxies that have tags kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

    1. - targetRef: # 4
    2. kind: MeshSubset
    3. tags:
    4. env: dev
  5. The action is Deny. All requests from the env dev will be denied on all proxies.

    1. default: # 5
    2. action: Deny

Order of rules inside the from array matters. Request from the proxy that has both kuma.io/zone: east and env: dev will be denied. This is because the rule with Deny is later in the from array than any Allow rules.

All policy options