MeshPassthrough

This policy uses new policy matching algorithm.

This policy enables Kuma to configure traffic to external destinations that is allowed to pass outside the mesh. When using this policy, the passthrough mode flag is ignored.

TargetRef support matrix

targetRefAllowed kinds
targetRef.kindMesh, MeshSubset

To learn more about the information in this table, see the matching docs.

Configuration

This policy doesn’t work with sidecars without transparent-proxy.

The following describes the default configuration settings of the MeshPassthrough policy:

  • passthroughMode: (Optional) Defines behaviour for handling traffic. Allowed values: All, None and Matched. Default: None. All enables all traffic to pass through, Matched allows only the traffic defined in appendMatch and None disallows all traffic.
  • appendMatch: List of destinations that are allowed to pass through. When enabled is true this list is not used. It only takes effect when enabled is false.
    • type: Defines what type of destination is allowed. Either Domain, IP or CIDR.
    • value: Destination address based on the defined type.
    • port: Port at which external destination is available. When not defined it caches all traffic to the address.
    • protocol: Defines protocol of the external destination.
      • tcp: Can’t be used when type is Domain (at TCP level we are not able to disinguish domain, in this case it is going to hijack whole traffic on this port).
      • tls: Should be used when TLS traffic is originated by the client application.
      • http
      • http2
      • grpc

Wildcard DNS matching

MeshPassthrough policy allows you to create a match for a wildcard subdomain.

Currently, support for partial subdomain matching is not implemented. For example, a match for *w.example.com will be rejected.

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshPassthrough
  3. metadata:
  4. name: wildcard-passthrough
  5. namespace: kuma-system
  6. labels:
  7. kuma.io/mesh: default
  8. spec:
  9. targetRef:
  10. kind: Mesh
  11. proxyTypes:
  12. - Sidecar
  13. default:
  14. passthroughMode: Matched
  15. appendMatch:
  16. - type: Domain
  17. value: "*.cluster-1.kafka.aws.us-east-2.com"
  18. protocol: tls
  19. port: 443
  1. type: MeshPassthrough
  2. name: wildcard-passthrough
  3. mesh: default
  4. spec:
  5. targetRef:
  6. kind: Mesh
  7. proxyTypes:
  8. - Sidecar
  9. default:
  10. passthroughMode: Matched
  11. appendMatch:
  12. - type: Domain
  13. value: "*.cluster-1.kafka.aws.us-east-2.com"
  14. protocol: tls
  15. port: 443

Security

It is advised that the Mesh Operator is responsible for managing the MeshPassthrough policy. This policy can introduce traffic outside of the mesh or even the cluster, and the Mesh Operator should be aware of this. If you want to restrict access to MeshPassthrough to specific services, you must choose them manually. If you rely on tags in the top-level targetRef you might consider securing them by using one of the following techniques:

  • Make sure that service owners can’t freely modify them (using something like kyverno, OPA or similar)
  • Accept the risk of being able to “impersonate” a passthrough label and rely on auditing to figure out any violations.

Limitations

  • Due to the nature of some traffic, it is not possible to combine certain protocols on the same port. You can create a MeshPassthrough policy that handles tcp, tls, and one of http, http2, or grpc traffic on the same port. Layer 7 protocols cannot be distinguished, which could introduce unexpected behavior.
  • It is currently not possible to route passthrough traffic through the zone egress. However, this feature will be implemented in the future.
  • Gateways are currently not supported.

Examples

Disable passthrough for all sidecars

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshPassthrough
  3. metadata:
  4. name: disable-passthrough
  5. namespace: kuma-system
  6. labels:
  7. kuma.io/mesh: default
  8. spec:
  9. targetRef:
  10. kind: Mesh
  11. proxyTypes:
  12. - Sidecar
  13. default:
  14. passthroughMode: None
  1. type: MeshPassthrough
  2. name: disable-passthrough
  3. mesh: default
  4. spec:
  5. targetRef:
  6. kind: Mesh
  7. proxyTypes:
  8. - Sidecar
  9. default:
  10. passthroughMode: None

Enable passthrough for a subset of sidecars

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshPassthrough
  3. metadata:
  4. name: enable-passthrough
  5. namespace: kuma-system
  6. labels:
  7. kuma.io/mesh: default
  8. spec:
  9. targetRef:
  10. kind: MeshSubset
  11. proxyTypes:
  12. - Sidecar
  13. tags:
  14. kuma.io/service: demo-app_kuma-demo_svc_5000
  15. default:
  16. passthroughMode: All
  1. type: MeshPassthrough
  2. name: enable-passthrough
  3. mesh: default
  4. spec:
  5. targetRef:
  6. kind: MeshSubset
  7. proxyTypes:
  8. - Sidecar
  9. tags:
  10. kuma.io/service: demo-app_kuma-demo_svc_5000
  11. default:
  12. passthroughMode: All

Allow a subset of services to communicate with specifc external endpoints

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshPassthrough
  3. metadata:
  4. name: allow-some-passthrough
  5. namespace: kuma-system
  6. labels:
  7. kuma.io/mesh: default
  8. spec:
  9. targetRef:
  10. kind: MeshSubset
  11. proxyTypes:
  12. - Sidecar
  13. tags:
  14. kuma.io/service: demo-app_kuma-demo_svc_5000
  15. default:
  16. passthroughMode: Matched
  17. appendMatch:
  18. - type: Domain
  19. value: httpbin.org
  20. protocol: tls
  21. port: 443
  22. - type: IP
  23. value: 10.240.15.39
  24. protocol: tcp
  25. port: 8888
  26. - type: CIDR
  27. value: 10.250.0.0/16
  28. protocol: tcp
  29. port: 10000
  30. - type: Domain
  31. value: "*.wikipedia.org"
  32. protocol: tls
  33. port: 443
  34. - type: Domain
  35. value: httpbin.dev
  36. protocol: http
  37. port: 80
  1. type: MeshPassthrough
  2. name: allow-some-passthrough
  3. mesh: default
  4. spec:
  5. targetRef:
  6. kind: MeshSubset
  7. proxyTypes:
  8. - Sidecar
  9. tags:
  10. kuma.io/service: demo-app_kuma-demo_svc_5000
  11. default:
  12. passthroughMode: Matched
  13. appendMatch:
  14. - type: Domain
  15. value: httpbin.org
  16. protocol: tls
  17. port: 443
  18. - type: IP
  19. value: 10.240.15.39
  20. protocol: tcp
  21. port: 8888
  22. - type: CIDR
  23. value: 10.250.0.0/16
  24. protocol: tcp
  25. port: 10000
  26. - type: Domain
  27. value: "*.wikipedia.org"
  28. protocol: tls
  29. port: 443
  30. - type: Domain
  31. value: httpbin.dev
  32. protocol: http
  33. port: 80

All policy options