# How Kuma chooses the right policy to apply
At any single moment, there might be multiple policies (of the same type) that match a connection between sources and destinations Dataplanes.
E.g., there might be a catch-all policy that sets the baseline for your organization
type: TrafficLog
mesh: default
name: catch-all-policy
sources:
- match:
service: '*'
destinations:
- match:
service: '*'
conf:
backend: logstash
2
3
4
5
6
7
8
9
10
11
Additionally, there might be a more focused use case-specific policy, e.g.
type: TrafficLog
mesh: default
name: web-to-backend-policy
sources:
- match:
service: web
cloud: aws
region: us
destinations:
- match:
service: backend
conf:
backend: splunk
2
3
4
5
6
7
8
9
10
11
12
13
What does Kuma do when it encounters multiple matching policies ?
The answer depends on policy type:
- since
TrafficPermissionrepresents a grant of access given to a particular clientservice,Kumaconceptually "aggregates" all such grants by applying ALLTrafficPermissionpolicies that match a connection betweensourcesanddestinationsDataplanes - for other policy types -
TrafficRoute,TrafficLog,HealthCheck- conceptual "aggregation" would be too complex for users to always keep in mind; that is whyKumachooses and applies only "the most specific" matching policy in that case
Going back to 2 TrafficLog policies described above:
- for connections between
webandbackendDataplanesKumawill choose and applyweb-to-backend-policypolicy as "the most specific" in that case - for connections between all other dataplanes
Kumawill choose and applycatch-all-policypolicy as "the most specific" in that case
"The most specific" policy is defined according to the following rules:
a policy that matches a connection between 2
Dataplanes by a greater number of tags is "more specific"E.g.,
web-to-backend-policypolicy matches a connection between 2Dataplanes by 4 tags (3 tags onsourcesand 1 tag ondestinations), whilecatch-all-policymatches only by 2 tags (1 tag onsourcesand 1 tag ondestinations)a policy that matches by the exact tag value is more specific than policy that matches by a
'*'(wildcard) tag valueE.g.,
web-to-backend-policypolicy matchessourcesbyservice: web, whilecatch-all-policymatches byservice: *if 2 policies match a connection between 2
Dataplanes by the same number of tags, then the one with a greater total number of matches by the exact tag value is "more specific" than the otherif 2 policies match a connection between 2
Dataplanes by the same number of tags, and the total number of matches by the exact tag value is the same for both policies, and the total number of matches by a'*'(wildcard) tag value is the same for both policies, then a "more specific" policy is the one whoose name comes first when ordered alphabetically
E.g.,
match by a greater number of tags
sources: - match: service: '*' cloud: aws region: us destinations: - match: service: '*'1
2
3
4
5
6
7
8is "more specific" than
sources: - match: service: '*' destinations: - match: service: '*'1
2
3
4
5
6match by the exact tag value
sources: - match: service: web destinations: - match: service: backend1
2
3
4
5
6is "more specific" than a match by a
'*'(wildcard)sources: - match: service: '*' destinations: - match: service: '*'1
2
3
4
5
6match with a greater total number of matches by the exact tag value
sources: - match: service: web version: v1 destinations: - match: service: backend1
2
3
4
5
6
7is "more specific" than
sources: - match: service: web version: '*' destinations: - match: service: backend1
2
3
4
5
6
7when 2 matches are otherwise "equally specific"
name: policy-1 sources: - match: service: web version: v1 destinations: - match: service: backend1
2
3
4
5
6
7
8policy-1is considered "more specific" only due to the alphabetical order of names"policy-1"and"policy-2"name: policy-2 sources: - match: service: web destinations: - match: service: backend cloud: aws1
2
3
4
5
6
7
8