MeshTrafficPermission

This policy uses new policy matching algorithm. Do not combine with TrafficPermission.

TargetRef support matrix

targetRef Allowed kinds
targetRef.kind Mesh, MeshSubset, MeshService, MeshServiceSubset
from[].targetRef.kind Mesh, MeshSubset, MeshServiceSubset

If you don’t understand this table you should read matching docs.

Configuration

Action

Kuma allows configuring one of 3 actions for a group of service’s clients:

  • Allow - allows incoming requests matching the from targetRef.
  • Deny - denies incoming requests matching the from targetRef
  • AllowWithShadowDeny - same as Allow but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.

Examples

Service ‘payments’ allows requests from ‘orders’

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-orders
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshService
    name: payments
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/service: orders
    default:
      action: Allow

Explanation

  1. Top level targetRef selects data plane proxies that implement payments service. MeshTrafficPermission allow-orders will be configured on these proxies.

     targetRef: # 1
       kind: MeshService
       name: payments
    
  2. TargetRef inside the from array selects proxies that implement order service. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
         kind: MeshSubset
         tags: 
           kuma.io/service: orders
    
  3. The action is Allow. All requests from service orders will be allowed on service payments.

     default: # 3
       action: Allow
    

Deny all

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-all
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Deny

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
       kind: Mesh
    
  2. TargetRef inside the from array selects all clients.

     - targetRef: # 2
         kind: Mesh
    
  3. The action is Deny. All requests from all services will be denied on all proxies in the default mesh.

     default: # 3
       action: Deny
    

Allow all

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-all
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Allow

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
       kind: Mesh
    
  2. targetRef inside the element of the from array selects all clients within the mesh.

     - targetRef: # 2
         kind: Mesh
    
  3. The action is Allow. All requests from all services will be allow on all proxies in the default mesh.

     default: # 3
       action: Allow
    

Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: example-with-tags
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: MeshSubset
      tags:
        kuma.io/zone: us-east
    default:
      action: Allow
  - targetRef:
      kind: MeshSubset
      tags:
        env: dev
    default:
      action: Deny

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
       kind: Mesh
    
  2. TargetRef inside the from array selects proxies that have label kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
         kind: MeshSubset
         tags:
           kuma.io/zone: us-east
    
  3. The action is Allow. All requests from the zone us-east will be allowed on all proxies.

     default: # 3
       action: Allow
    
  4. TargetRef inside the from array selects proxies that have tags kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 4
         kind: MeshSubset
         tags:
           env: dev
    
  5. The action is Deny. All requests from the env dev will be denied on all proxies.

     default: # 5
       action: Deny
    

Order of rules inside the from array matters. Request from the proxy that has both kuma.io/zone: east and env: dev will be denied. This is because the rule with Deny is later in the from array than any Allow rules.

All policy options