Featured image for a blog article titled Kuma 2.8 release with MeshExternalService, MeshPassthrough and more....

We’re excited to announce the release of Kuma 2.8, featuring new and exciting capabilities such as MeshExternalService, MeshPassthrough policy, along with numerous improvements and groundwork for future developments.

Notable features

In Kuma 2.8.x external services were fully redesigned with 2 distinct policies:

  • MeshExternalService which is easier and more flexible than the previous ExternalService.
  • MeshPassthrough which provides a way to dynamically escape the mesh. This is especially useful, for allowing wildcard domains or when using SaaS providers which already provide their own security.

We believe this level of flexibility will make integrations between what lives inside and outside the mesh very straightforward.

Feel free to check our release notes for the full list of changes.

MeshExternalService

Since 2.7.x we’ve started a strong redesign of how services are defined in Kuma. We started by introducing MeshService which brings and easier way to define and track a service. In 2.8.x MeshExternalService provides a way to define a service which doesn’t run with sidecars. It’s very clearly defined and HostnameGenerator enables you to define how to reach the service.

The following example shows how to expose httpbin as a service inside the mesh accessible through the address mes-http.svc.meshext.local:80.

apiVersion: kuma.io/v1alpha1
kind: HostnameGenerator
metadata:
  name: example
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  selector:
    meshExternalService:
      matchLabels:
        kuma.io/origin: zone
  template: "{{ .DisplayName }}.svc.meshext.local"
---
apiVersion: kuma.io/v1alpha1
kind: MeshExternalService
metadata:
  name: mes-http
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  match:
    type: HostnameGenerator
    port: 80
    protocol: http
  endpoints:
    - address: httpbin.org
      port: 80

In the coming releases of Kuma we’ll be providing a default HostnameGenerator and potential extensions for integrating with complex infrastructure like AWS lambda.

MeshPassthrough

MeshPassthrough enables users to allow traffic to exit the mesh directly at the sidecar. This feature has existed in Kuma for a long time. However, as we were discussing with users it was becoming clear that it wasn’t granular enough. With the advent of advanced policy matching we realised that it was easy to build a policy that would enable users to specify powerful passthrough rules. In 2.8 we’re excited to finally ship a new policy: MeshPassthrough.

Use cases for using passthrough mode are:

  • Use SaaS platforms that already provide security and observability (Aiven, Confluent cloud are example of these).
  • Traffic internal to the organization that isn’t secured by the mesh yet.
  • Progressive migration to the Mesh.

Policies can be composed together :

apiVersion: kuma.io/v1alpha1
kind: MeshPassthrough
metadata:
  name: passthrough-mongo
  labels:
    kuma.io/mesh: default 
spec:
  targetRef:
    kind: MeshSubset
    tags:
      mongo-allowed: "true" 
  default:
    passthroughMode: Matched
    appendMatch:
    - type: Domain
      value: "*.h80seek.mongodb.net"
      port: 27017
      protocol: tls
apiVersion: kuma.io/v1alpha1
kind: MeshPassthrough
metadata:
  name: passthrough-confluent
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      kafka-allowed: "true"
  default:
    passthroughMode: Matched
    appendMatch:
      - type: Domain
        value: "*.europe-west1.gcp.confluent.cloud"
        port: 9092
        protocol: tls

Here depending on the labels on your data plane proxy you may be able to access directly mongo, confluent cloud or both.

With these two new features we’re hoping that migrating existing services to the mesh will become easier. This is a workflow we’re focusing on and we’d love to hear from your experience.

Upgrading

We strongly suggest upgrading to Kuma 2.8.0. Upgrading is easy through kumactl or Helm.

Be sure to carefully read the upgrade Guide and the version specific upgrade notes before upgrading Kuma.

Join the community

Join us on our community channels, including official Slack chat, to learn more about Kuma. The community channels are useful for getting up and running with Kuma, as well as for learning how to contribute to and discuss the project roadmap. Kuma is a CNCF Sandbox project: neutral, open and inclusive.

The community call is hosted on the second Wednesday of every Month at 8:30 AM PDT. And don’t forget to follow Kuma on Twitter and star it on GitHub!

Get Community Updates

Sign up for our Kuma community newsletter to get the most recent updates and product announcements.