MeshTrafficPermission

This policy uses the new policy matching algorithm. Do not combine it with TrafficPermission.

Mutual TLS has to be enabled to make MeshTrafficPermission work.

The MeshTrafficPermission policy provides access control within the Mesh. It allows you to define granular rules about which services can communicate with each other.
TargetRef support matrix
If you don’t understand this table you should read matching docs.
Configuration

Action

Kong Mesh allows configuring one of 3 actions for a group of a service's clients:

- Allow - allows incoming requests matching the from targetRef.
- Deny - denies incoming requests matching the from targetRef.
- AllowWithShadowDeny - same as Allow, but will log as if the request is denied. This is useful for rolling out new restrictive policies without breaking things.
Examples

Service ‘payments’ allows requests from ‘orders’

    targetRef: # 1
      kind: MeshService
      name: payments
    from:
      - targetRef: # 2
          kind: MeshSubset
          tags:
            kuma.io/service: orders
        default: # 3
          action: Allow

Explanation

- Top level targetRef (# 1) selects data plane proxies that implement the payments service. The MeshTrafficPermission allow-orders will be configured on these proxies.
- The targetRef inside the from array (# 2) selects proxies that implement the orders service. These proxies will be subjected to the action from default.action.
- The action (# 3) is Allow. All requests from service orders will be allowed on service payments.
Deny all

    targetRef: # 1
      kind: Mesh
    from:
      - targetRef: # 2
          kind: Mesh
        default: # 3
          action: Deny

Explanation

- Top level targetRef (# 1) selects all proxies in the mesh.
- The targetRef inside the from array (# 2) selects all clients.
- The action (# 3) is Deny. All requests from all services will be denied on all proxies in the default mesh.
Allow all

    targetRef: # 1
      kind: Mesh
    from:
      - targetRef: # 2
          kind: Mesh
        default: # 3
          action: Allow

Explanation

- Top level targetRef (# 1) selects all proxies in the mesh.
- The targetRef inside the element of the from array (# 2) selects all clients within the mesh.
- The action (# 3) is Allow. All requests from all services will be allowed on all proxies in the default mesh.
Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

    targetRef: # 1
      kind: Mesh
    from:
      - targetRef: # 2
          kind: MeshSubset
          tags:
            kuma.io/zone: us-east
        default: # 3
          action: Allow
      - targetRef: # 4
          kind: MeshSubset
          tags:
            env: dev
        default: # 5
          action: Deny

Explanation

- Top level targetRef (# 1) selects all proxies in the mesh.
- The targetRef inside the from array (# 2) selects proxies that have the tag kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.
- The action (# 3) is Allow. All requests from the zone us-east will be allowed on all proxies.
- The targetRef inside the from array (# 4) selects proxies that have the tag env: dev. These proxies will be subjected to the action from default.action.
- The action (# 5) is Deny. All requests from the env dev will be denied on all proxies.

The order of rules inside the from array matters. A request from a proxy that has both kuma.io/zone: us-east and env: dev will be denied, because the rule with Deny comes later in the from array than any Allow rule.
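As an added illustration (not Kong Mesh code), the following Python evaluates the from rules of the examples above against a client proxy's tags, reproducing the last-matching-rule ordering and the AllowWithShadowDeny logging behaviour. The matching semantics assumed for Mesh, MeshSubset and MeshService, and the fail-closed handling of a client matched by no rule, are assumptions; the top-level targetRef is taken as already matched by the destination proxy.

```python
from typing import Dict, Optional

# A client proxy is described by its tags; a policy is the spec fragment shown
# on this page, written as a plain dict so no YAML library is needed.
Tags = Dict[str, str]

# Constructed policy mirroring the "allow us-east, deny dev" example above.
ZONE_POLICY = {
    "targetRef": {"kind": "Mesh"},
    "from": [
        {"targetRef": {"kind": "MeshSubset", "tags": {"kuma.io/zone": "us-east"}},
         "default": {"action": "Allow"}},
        {"targetRef": {"kind": "MeshSubset", "tags": {"env": "dev"}},
         "default": {"action": "Deny"}},
    ],
}


def ref_matches(ref: Dict, client: Tags) -> bool:
    """Assumed semantics: Mesh matches every client, MeshService matches on the
    kuma.io/service tag, MeshSubset requires every listed tag to be present."""
    kind = ref["kind"]
    if kind == "Mesh":
        return True
    if kind == "MeshService":
        return client.get("kuma.io/service") == ref["name"]
    if kind == "MeshSubset":
        return all(client.get(k) == v for k, v in ref.get("tags", {}).items())
    raise ValueError(f"unsupported targetRef kind: {kind}")


def effective_action(policy: Dict, client: Tags) -> Optional[str]:
    """Action of the LAST matching `from` entry (later entries win), else None."""
    action = None
    for rule in policy["from"]:
        if ref_matches(rule["targetRef"], client):
            action = rule["default"]["action"]
    return action


def decide(policy: Dict, client: Tags) -> Dict[str, bool]:
    """Translate the action into proxy behaviour: is the request admitted, and
    does the access log record it as denied. AllowWithShadowDeny admits the
    request but logs a denial, which is what makes it safe for rollout checks.
    A client matched by no rule is treated as denied (fail-closed assumption)."""
    action = effective_action(policy, client)
    admitted = action in ("Allow", "AllowWithShadowDeny")
    logged_as_denied = action in ("Deny", "AllowWithShadowDeny") or action is None
    return {"admitted": admitted, "logged_as_denied": logged_as_denied}
```

Running decide over a client carrying both kuma.io/zone: us-east and env: dev returns a denial, because the env: dev rule is evaluated last.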