# Mutual TLS

This policy enables automatic encrypted mTLS traffic for all the services in a Mesh.

Kuma ships with a builtin CA (Certificate Authority) which is initialized with an auto-generated root certificate. The root certificate is unique for every Mesh and it used to sign identity certificates for every data-plane. Kuma also supports third-party CA.

The mTLS feature is used for AuthN/Z as well: each data-plane is being assigned with a workload identity certificate, which is SPIFFE compatible. This certificate has a SAN set to spiffe://<mesh name>/<service name>. When Kuma enforces policies that require an identity, like TrafficPermission, it will extract the SAN from the client certificate and use it for every identity matching operation.

By default, mTLS is not enabled. You can enable Mutual TLS by updating the Mesh policy with the mtls setting.

On Universal with builtin CA:

type: Mesh
name: default
mtls:
  enabled: true
  ca:
    builtin: {}
1
2
3
4
5
6

You can apply this configuration with kumactl apply -f [file-path].

On Kubernetes with builtin CA:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabled: true
    ca:
      builtin: {}
1
2
3
4
5
6
7
8
9

You can apply this configuration with kubectl apply -f [file-path].

Along with the self-signed certificates (builtin), Kuma also supports third-party certificates (provided). To use a third-party CA, change the mesh resource to use the provided CA. And then you can utilize kumactl manage ca to add or delete your certificates

On Universal with provided CA:

type: Mesh
name: default
mtls:
  enabled: true
  ca:
    provided: {}
1
2
3
4
5
6

On Kubernetes with provided CA:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabled: true
    ca:
      provided: {}
1
2
3
4
5
6
7
8
9

With mTLS enabled, traffic is restricted by default. Remember to apply a TrafficPermission policy to permit connections between Dataplanes.

Last Updated: 2/27/2020, 7:22:31 PM