# Mutual TLS
This policy enables automatic encrypted mTLS traffic for all the services in a `Mesh`.
Kuma ships with a `builtin` CA (Certificate Authority) which is initialized with an auto-generated root certificate. The root certificate is unique for every `Mesh` and is used to sign identity certificates for every data-plane. Kuma also supports third-party CAs.

The mTLS feature is used for AuthN/Z as well: each data-plane is assigned a workload identity certificate, which is SPIFFE compatible. This certificate has a SAN set to `spiffe://<mesh name>/<service name>`. When Kuma enforces policies that require an identity, like `TrafficPermission`, it will extract the SAN from the client certificate and use it for every identity matching operation.
By default, mTLS is not enabled. You can enable Mutual TLS by updating the `Mesh` policy with the `mtls` setting.
On Universal with `builtin` CA:

```yaml
type: Mesh
name: default
mtls:
  enabled: true
  ca:
    builtin: {}
```
You can apply this configuration with `kumactl apply -f [file-path]`.
On Kubernetes with `builtin` CA:

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabled: true
    ca:
      builtin: {}
```
You can apply this configuration with `kubectl apply -f [file-path]`.
Along with the self-signed certificates (`builtin`), Kuma also supports third-party certificates (`provided`). To use a third-party CA, change the mesh resource to use the `provided` CA, and then use `kumactl manage ca` to add or delete your certificates.
On Universal with `provided` CA:

```yaml
type: Mesh
name: default
mtls:
  enabled: true
  ca:
    provided: {}
```
On Kubernetes with `provided` CA:

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabled: true
    ca:
      provided: {}
```
With mTLS enabled, traffic is restricted by default. Remember to apply a `TrafficPermission` policy to permit connections between Dataplanes.
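The two identity steps this page describes, extracting the `spiffe://<mesh name>/<service name>` SAN from a client certificate that chains to the mesh CA, and then denying the connection unless a permission rule matches that identity, as an added example in Go. This is example code, not Kuma's own implementation: it builds a throwaway mesh root CA, issues a data-plane certificate carrying the SPIFFE URI SAN, refuses to trust the SAN of any certificate that does not verify against the mesh CA or that is malformed, and evaluates the verified identity against a simplified rule list. The `Permission` type and its source/destination/wildcard shape, the `Allowed` function, and the CA and certificate helpers are assumptions made for the example, not Kuma's TrafficPermission schema or its CA code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SpiffeID is the workload identity carried in a data-plane certificate's URI SAN.
type SpiffeID struct{ Mesh, Service string }

// IdentityFromCert verifies the client certificate against the mesh root CA(s) and returns the
// identity from its single spiffe://<mesh name>/<service name> URI SAN. Certificates from any
// other CA, with zero or several URI SANs, or with a malformed SPIFFE URI are rejected.
func IdentityFromCert(cert *x509.Certificate, roots *x509.CertPool) (SpiffeID, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return SpiffeID{}, err // not signed by the mesh CA: the SAN is not trusted at all
	}
	if len(cert.URIs) != 1 {
		return SpiffeID{}, fmt.Errorf("want exactly one URI SAN, found %d", len(cert.URIs))
	}
	u, service := cert.URIs[0], strings.Trim(cert.URIs[0].Path, "/")
	if u.Scheme != "spiffe" || u.Host == "" || service == "" || strings.Contains(service, "/") {
		return SpiffeID{}, fmt.Errorf("expected spiffe://<mesh>/<service>, got %s", u)
	}
	return SpiffeID{Mesh: u.Host, Service: service}, nil
}

// Permission is an assumed, simplified stand-in for one TrafficPermission rule (not Kuma's schema): source -> destination service in a mesh, "*" matching any service.
type Permission struct{ Mesh, Source, Destination string }

// Allowed denies by default and permits a connection only when some rule matches the verified caller identity.
func Allowed(rules []Permission, src SpiffeID, dstService string) bool {
	for _, r := range rules {
		if r.Mesh == src.Mesh && (r.Source == "*" || r.Source == src.Service) && (r.Destination == "*" || r.Destination == dstService) {
			return true
		}
	}
	return false
}

// issue generates a P-256 key and a certificate for it from tmpl; a nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newMeshCA builds a throwaway self-signed root, standing in for the per-Mesh builtin CA (constructed for this example).
func newMeshCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example mesh CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueWorkloadCert has the mesh CA sign a data-plane identity certificate whose URI SAN is spiffe://<mesh>/<service>.
func issueWorkloadCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, mesh, service string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{{Scheme: "spiffe", Host: mesh, Path: "/" + service}},
	}, ca, caKey)
	return cert, err
}

func main() {
	ca, caKey, err := newMeshCA()
	if err != nil {
		panic(err)
	}
	leaf, err := issueWorkloadCert(ca, caKey, "default", "backend")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	id, err := IdentityFromCert(leaf, roots)
	rules := []Permission{{Mesh: "default", Source: "backend", Destination: "db"}}
	fmt.Println(id, err, Allowed(rules, id, "db"), Allowed(rules, id, "web"))
}
```

The ordering matters: the SAN is read only after the chain verifies, so a certificate that merely claims `spiffe://default/backend` but was issued by some other CA never reaches the permission check. The trust anchor is a `CertPool` rather than a single certificate so that several roots can be trusted at once, which is the situation a `provided` CA with more than one certificate creates.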