MeshTLS

This policy enables Kuma to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.

TargetRef support matrix

    targetRef                 Allowed kinds
    targetRef.kind            Mesh, MeshSubset
    from[].targetRef.kind     Mesh

    targetRef                 Allowed kinds
    targetRef.kind            Mesh
    from[].targetRef.kind     Mesh

To learn more about the information in this table, see the matching docs.

Configuration

The following describes the default configuration settings of the MeshTLS policy:

  • tlsVersion: Defines TLS versions to be used by both client and server. Allowed values: TLSAuto, TLS10, TLS11, TLS12, TLS13.
  • tlsCiphers: Defines TLS ciphers to be used by both client and server. Allowed values: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305.
  • mode: Defines the mTLS mode. In Permissive mode outbound connections are encrypted exactly as in Strict mode, but the server side accepts both TLS and plaintext inbound connections. Allowed values: Strict, Permissive.

Setting the TLS version and ciphers on both the client and server makes it harder to misconfigure. If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh, deploying two applications within it, and testing whether communication is working. If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it. In that case, please open an issue.

Examples

Set specific TLS version and ciphers

Kubernetes:

    apiVersion: kuma.io/v1alpha1
    kind: MeshTLS
    metadata:
      name: set-version-and-ciphers
      namespace: kuma-system
      labels:
        kuma.io/mesh: default
    spec:
      targetRef:
        kind: Mesh
      from:
        - targetRef:
            kind: Mesh
          default:
            tlsVersion:
              min: TLS13
              max: TLS13
            tlsCiphers:
              - ECDHE-ECDSA-AES256-GCM-SHA384

Universal:

    type: MeshTLS
    name: set-version-and-ciphers
    mesh: default
    spec:
      targetRef:
        kind: Mesh
      from:
        - targetRef:
            kind: Mesh
          default:
            tlsVersion:
              min: TLS13
              max: TLS13
            tlsCiphers:
              - ECDHE-ECDSA-AES256-GCM-SHA384

Enable strict mode on specific subset

Kubernetes:

    apiVersion: kuma.io/v1alpha1
    kind: MeshTLS
    metadata:
      name: strict-mode
      namespace: kuma-system
      labels:
        kuma.io/mesh: default
    spec:
      targetRef:
        kind: MeshSubset
        tags:
          app: redis
      from:
        - targetRef:
            kind: Mesh
          default:
            mode: Strict

Universal:

    type: MeshTLS
    name: strict-mode
    mesh: default
    spec:
      targetRef:
        kind: MeshSubset
        tags:
          app: redis
      from:
        - targetRef:
            kind: Mesh
          default:
            mode: Strict
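The Configuration section lists the values Kuma accepts for tlsVersion, tlsCiphers and mode, and the examples above show the Kubernetes and Universal shapes a policy can take. The following is an added example, not Kuma's own code, of a pre-apply lint that checks a MeshTLS policy against those allowed values and flags the settings a reviewer cares about: an inverted min/max version range, a deprecated protocol floor, and Permissive mode (which still accepts plaintext inbound). Policies are plain dicts in the shape of the two page examples; the bad-policy dict and the severity labels are constructed for the example and are not Kuma's validation output.

```python
"""Lint MeshTLS policies before applying them (added example, not Kuma code)."""
from __future__ import annotations

from dataclasses import dataclass

# Allowed values as listed on the MeshTLS page.
ALLOWED_VERSIONS = {"TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"}
VERSION_RANK = {"TLS10": 0, "TLS11": 1, "TLS12": 2, "TLS13": 3}  # TLSAuto sets no bound
DEPRECATED_VERSIONS = {"TLS10", "TLS11"}
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_MODES = {"Strict", "Permissive"}
TOP_LEVEL_KINDS = {"Mesh", "MeshSubset"}  # spec.targetRef.kind
FROM_KINDS = {"Mesh"}                      # spec.from[].targetRef.kind


@dataclass(frozen=True)
class Finding:
    level: str    # "error": value not allowed; "warning": allowed but weak
    message: str


def policy_name(policy: dict) -> str:
    """Universal policies carry a top-level name; Kubernetes ones use metadata.name."""
    return policy.get("name") or policy.get("metadata", {}).get("name") or "<unnamed>"


def lint_meshtls(policy: dict) -> list[Finding]:
    findings: list[Finding] = []
    kind = policy.get("kind") or policy.get("type")   # Kubernetes "kind" / Universal "type"
    if kind != "MeshTLS":
        findings.append(Finding("error", f"expected a MeshTLS policy, got {kind!r}"))
    spec = policy.get("spec", {})
    top_kind = spec.get("targetRef", {}).get("kind")
    if top_kind not in TOP_LEVEL_KINDS:
        findings.append(Finding("error", f"spec.targetRef.kind {top_kind!r} not in {sorted(TOP_LEVEL_KINDS)}"))
    for i, item in enumerate(spec.get("from", [])):
        where = f"spec.from[{i}]"
        from_kind = item.get("targetRef", {}).get("kind")
        if from_kind not in FROM_KINDS:
            findings.append(Finding("error", f"{where}.targetRef.kind {from_kind!r} not in {sorted(FROM_KINDS)}"))
        conf = item.get("default", {})
        version = conf.get("tlsVersion")
        if version is not None:
            low, high = version.get("min"), version.get("max")
            for bound, value in (("min", low), ("max", high)):
                if value is not None and value not in ALLOWED_VERSIONS:
                    findings.append(Finding("error", f"{where}.default.tlsVersion.{bound} {value!r} is not allowed"))
            # Only concrete versions can be ordered; TLSAuto is skipped here.
            if low in VERSION_RANK and high in VERSION_RANK and VERSION_RANK[low] > VERSION_RANK[high]:
                findings.append(Finding("error", f"{where}.default.tlsVersion min {low} is above max {high}"))
            if low in DEPRECATED_VERSIONS:
                findings.append(Finding("warning", f"{where}.default.tlsVersion.min {low} permits a deprecated version"))
        for cipher in conf.get("tlsCiphers", []):
            if cipher not in ALLOWED_CIPHERS:
                findings.append(Finding("error", f"{where}.default.tlsCiphers has unsupported cipher {cipher!r}"))
        mode = conf.get("mode")
        if mode is not None and mode not in ALLOWED_MODES:
            findings.append(Finding("error", f"{where}.default.mode {mode!r} not in {sorted(ALLOWED_MODES)}"))
        elif mode == "Permissive":
            findings.append(Finding("warning", f"{where}.default.mode Permissive still accepts plaintext inbound"))
    return findings


def count_by_level(findings: list[Finding]) -> dict[str, int]:
    counts = {"error": 0, "warning": 0}
    for f in findings:
        counts[f.level] += 1
    return counts


# The page's Kubernetes example, as a dict.
K8S_SET_VERSION = {
    "apiVersion": "kuma.io/v1alpha1", "kind": "MeshTLS",
    "metadata": {"name": "set-version-and-ciphers", "namespace": "kuma-system",
                 "labels": {"kuma.io/mesh": "default"}},
    "spec": {"targetRef": {"kind": "Mesh"},
             "from": [{"targetRef": {"kind": "Mesh"},
                       "default": {"tlsVersion": {"min": "TLS13", "max": "TLS13"},
                                   "tlsCiphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"]}}]},
}
# The page's Universal strict-mode example, as a dict.
UNIVERSAL_STRICT = {
    "type": "MeshTLS", "name": "strict-mode", "mesh": "default",
    "spec": {"targetRef": {"kind": "MeshSubset", "tags": {"app": "redis"}},
             "from": [{"targetRef": {"kind": "Mesh"}, "default": {"mode": "Strict"}}]},
}
# Constructed for this example: inverted range, deprecated floor, unknown cipher, mis-cased mode.
BAD_POLICY = {
    "type": "MeshTLS", "name": "bad-policy", "mesh": "default",
    "spec": {"targetRef": {"kind": "Mesh"},
             "from": [{"targetRef": {"kind": "Mesh"},
                       "default": {"tlsVersion": {"min": "TLS11", "max": "TLS10"},
                                   "tlsCiphers": ["AES128-SHA"], "mode": "permissive"}}]},
}

if __name__ == "__main__":
    for policy in (K8S_SET_VERSION, UNIVERSAL_STRICT, BAD_POLICY):
        for f in lint_meshtls(policy):
            print(f"{policy_name(policy)}: {f.level}: {f.message}")
```

Both page examples pass clean; the constructed bad policy produces three errors and one warning. A check like this fits before `kumactl apply` in CI, where a typo such as a lower-case mode or a cipher outside the supported list is cheaper to catch than after the control plane rejects or silently misapplies the policy.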

All policy options