You are browsing documentation for a version of Kuma that is not the latest release.
Looking for even older versions? Learn more.
This policy allows services running inside the mesh to consume services that are not part of the mesh. The
ExternalService resource allows you to declare specific external resources by name within the mesh, instead of implementing the default passthrough mode. Passthrough mode allows access to any non-mesh host by specifying its domain name or IP address, without the ability to apply any traffic policies. The
ExternalService resource enables the same observability, security, and traffic manipulation for external traffic as for services entirely inside the mesh
When you enable this policy, you should also disable passthrough mode for the mesh and enable the data plane proxy builtin DNS name resolution.
A simple HTTPS external service can be defined:
apiVersion: kuma.io/v1alpha1 kind: ExternalService mesh: default metadata: namespace: default name: httpbin spec: tags: kuma.io/service: httpbin kuma.io/protocol: http networking: address: httpbin.org:443 tls: enabled: true
Then apply the configuration with
kubectl apply -f [..].
Accessing the External Service
Consuming the defined service from within the mesh for both Kubernetes and Universal deployments (assuming transparent proxy) can be done:
- With the
.meshnaming of the service
curl httpbin.mesh. With this approach, specify port 80.
- With the real name and port, in this case
curl httpbin.org:443. This approach works only with the data plane proxy builtin DNS name resolution.
Although the external service is HTTPS, it’s consumed as plain HTTP. This is possible because of
To access the service over TLS, set the service protocol to
kuma.io/protocol: tcp and
networking.tls.enbaled=false, or else omit it entirely.
Available policy fields
tagsthe external service can include an arbitrary number of tags, where
kuma.io/serviceis mandatory. The special
kuma.io/protocoltag is also taken into account and supports the standard Kuma protocol values. It designates the specific protocol for the service.
- ` networking` describes the networking configuration of the external service
addressis the address where the external service can be reached.
tlsis the section to configure the TLS originator when consuming the external service
enabledturns on and off the TLS origination. Defaults to
caCertthe CA certificate for the external service TLS verification
clientCertthe client certificate for mTLS
clientKeythe client key for mTLS
As with other services, avoid duplicating service names under
kuma.io/service with already existing ones. A good practice is to derive the tag value from the domain name or IP of the actual external service.