Non-mesh traffic

Incoming

When mTLS is enabled, clients from outside the mesh can’t reach the applications inside the mesh. If you want to allow external clients to consume mesh services see the Permissive mTLS mode.

Without Transparent Proxying TLS check on Envoy can be bypassed. You should take action to secure the application ports.

Outgoing

In its default setup, Kuma allows any non-mesh traffic to pass Envoy without applying any policy. For instance if a service needs to send a request to http://example.com, all requests won’t be logged even if a traffic logging is enabled in the mesh where the service is deployed. The passthrough mode is enabled by default on all the dataplane proxies in transparent mode in a Mesh. This behavior can be changed by setting the networking.outbound.passthrough in the Mesh resource. Example:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. networking:
  7. outbound:
  8. passthrough: false
  1. type: Mesh
  2. name: default
  3. networking:
  4. outbound:
  5. passthrough: false

When networking.outbound.passthrough is false, no traffic to any non-mesh resource can leave the Mesh.

Since version 2.8.x, you can take advantage of a new policy, MeshPassthrough, which allows you to enable passthrough traffic for a specific group of sidecars and only for specific destinations.

Before setting networking.outbound.passthrough to false, double-check Envoy stats that no traffic is flowing through pass_through cluster. Otherwise, you will block the traffic which may cause the instability of the system.

Policies don’t apply to non-mesh traffic

If you need to change configuration for non-mesh traffic you can use a MeshProxyPatch.

Circuit Breaker

Default values:

  1. maxConnections: 1024
  2. maxPendingRequests: 1024
  3. maxRequests: 1024
  4. maxRetries: 3

MeshProxyPatch to change the defaults:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshProxyPatch
  3. metadata:
  4. name: custom-mpp-1
  5. namespace: kuma-system
  6. labels:
  7. kuma.io/mesh: default
  8. spec:
  9. targetRef:
  10. kind: Mesh
  11. default:
  12. appendModifications:
  13. - cluster:
  14. operation: Patch
  15. match:
  16. name: outbound:passthrough:ipv4
  17. value: |
  18. circuit_breakers: {
  19. thresholds: [
  20. {
  21. max_connections: 2048,
  22. max_pending_requests: 2048,
  23. max_requests: 2048,
  24. max_retries: 4
  25. }
  26. ]
  27. }
  1. type: MeshProxyPatch
  2. mesh: default
  3. name: custom-mpp-1
  4. spec:
  5. targetRef:
  6. kind: Mesh
  7. default:
  8. appendModifications:
  9. - cluster:
  10. operation: Patch
  11. match:
  12. name: outbound:passthrough:ipv4
  13. value: |
  14. circuit_breakers: {
  15. thresholds: [
  16. {
  17. max_connections: 2048,
  18. max_pending_requests: 2048,
  19. max_requests: 2048,
  20. max_retries: 4
  21. }
  22. ]
  23. }

Timeouts

Default values:

  1. connectTimeout: 10s
  2. tcp:
  3. idleTimeout: 1h

MeshProxyPatch to change the defaults:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: MeshProxyPatch
  3. metadata:
  4. name: custom-mpp-1
  5. namespace: kuma-system
  6. labels:
  7. kuma.io/mesh: default
  8. spec:
  9. targetRef:
  10. kind: Mesh
  11. default:
  12. appendModifications:
  13. - cluster:
  14. operation: Patch
  15. match:
  16. name: outbound:passthrough:ipv4
  17. jsonPatches:
  18. - op: replace
  19. path: "/connectTimeout"
  20. value: 99s
  21. - networkFilter:
  22. operation: Patch
  23. match:
  24. name: envoy.filters.network.tcp_proxy
  25. listenerName: outbound:passthrough:ipv4
  26. value: |
  27. name: envoy.filters.network.tcp_proxy
  28. typedConfig:
  29. '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
  30. idleTimeout: "3h"
  1. type: MeshProxyPatch
  2. mesh: default
  3. name: custom-mpp-1
  4. spec:
  5. targetRef:
  6. kind: Mesh
  7. default:
  8. appendModifications:
  9. - cluster:
  10. operation: Patch
  11. match:
  12. name: outbound:passthrough:ipv4
  13. jsonPatches:
  14. - op: replace
  15. path: "/connectTimeout"
  16. value: 99s
  17. - networkFilter:
  18. operation: Patch
  19. match:
  20. name: envoy.filters.network.tcp_proxy
  21. listenerName: outbound:passthrough:ipv4
  22. value: |
  23. name: envoy.filters.network.tcp_proxy
  24. typedConfig:
  25. '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
  26. idleTimeout: "3h"