Kuma Star

MeshTrafficPermission

This policy uses new policy matching algorithm. Do not combine with TrafficPermission.

TargetRef support matrix

targetRef Allowed kinds
targetRef.kind Mesh, MeshSubset, MeshService, MeshServiceSubset
from[].targetRef.kind Mesh, MeshSubset, MeshService, MeshServiceSubset

If you don’t understand this table you should read matching docs.

Configuration

Action

Kuma allows configuring one of 3 actions for a group of service’s clients:

  • Allow - allows incoming requests matching the from targetRef.
  • Deny - denies incoming requests matching the from targetRef
  • AllowWithShadowDeny - same as Allow but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.

Examples

Service ‘payments’ allows requests from ‘orders’

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-system
  name: allow-orders
spec:
  targetRef: # 1
    kind: MeshService
    name: payments
  from:
    - targetRef: # 2
        kind: MeshService
        name: orders
      default: # 3
        action: Allow

Explanation

  1. Top level targetRef selects data plane proxies that implement payments service. MeshTrafficPermission allow-orders will be configured on these proxies.

     targetRef: # 1
   kind: MeshService
   name: payments

  2. TargetRef inside the from array selects proxies that implement order service. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
     kind: MeshService
     name: orders

  3. The action is Allow. All requests from service orders will be allowed on service payments.

     default: # 3
   action: Allow

Deny all

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-system
  name: deny-all
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: Mesh
      default: # 3
        action: Deny

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
   kind: Mesh

  2. TargetRef inside the from array selects all clients.

     - targetRef: # 2
     kind: Mesh

  3. The action is Deny. All requests from all services will be denied on all proxies in the default mesh.

     default: # 3
   action: Deny

Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-system
  name: example-with-tags
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: MeshSubset
        tags:
          kuma.io/zone: us-east
      default: # 3
        action: Allow
    - targetRef: # 4
        kind: MeshSubset
        tags:
          env: dev
      default: # 5
        action: Deny

Apply the configuration with kubectl apply -f [..].

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
   kind: Mesh

  2. TargetRef inside the from array selects proxies that have label kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
     kind: MeshSubset
     tags:
       kuma.io/zone: us-east

  3. The action is Allow. All requests from the zone us-east will be allowed on all proxies.

     default: # 3
   action: Allow

  4. TargetRef inside the from array selects proxies that have tags kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 4
     kind: MeshSubset
     tags:
       env: dev

  5. The action is Deny. All requests from the env dev will be denied on all proxies.

     default: # 5
   action: Deny

Order of rules inside the from array matters. Request from the proxy that has both kuma.io/zone: east and env: dev will be denied. This is because the rule with Deny is later in the from array than any Allow rules.

All policy options