You are browsing documentation for a version of Kuma that is not the latest release.
This policy provides access control rules that can be applied to our service traffic to determine what traffic is allowed across the Mesh, via configurable sources and destinations.
TrafficPermission policy only works when Mutual TLS is enabled on the Mesh. When Mutual TLS is disabled, Kuma will not enforce any TrafficPermission and by default it will allow all service traffic to work. Even if Mutual TLS is disabled, we can still create and edit TrafficPermission resources; they will go into effect once Mutual TLS is enabled on the Mesh.

The reason this policy only works when Mutual TLS is enabled in the Mesh is that only in this scenario can Kuma validate the identity of the service traffic, via the data plane proxy certificates. On the other hand, when Mutual TLS is disabled, Kuma cannot extract the service identity from the request and therefore cannot perform any validation.
Kuma creates a default TrafficPermission policy that allows all the communication between all the services when a new Mesh is created.
You can determine what source services are allowed to consume specific destination services. The service field is mandatory in both sources and destinations.
Match-All: You can match any value of a tag by using `*`.

    apiVersion: kuma.io/v1alpha1
    kind: TrafficPermission
    mesh: default
    metadata:
      name: allow-all-traffic
    spec:
      sources:
        - match:
            kuma.io/service: '*'
      destinations:
        - match:
            kuma.io/service: '*'
We will apply the configuration with kubectl apply -f [..].
You can use any Tag in both the sources and destinations selectors, which makes TrafficPermissions quite powerful when it comes to creating a secure environment for our services.
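The following is an added example, not code from the Kuma project or this page: a small Python evaluator that mirrors the selector model described above (a list of `sources` and `destinations`, each a `match` map of tags, `*` matching any tag value, `kuma.io/service` mandatory on both sides) and applies it to constructed policies. It contrasts the default allow-all policy with a least-privilege replacement that uses a non-service tag (`env`, a constructed tag name) in both selectors. The "any policy matching both sides allows the traffic" rule and the `*` handling are stated assumptions for illustration, not a reproduction of Kuma's matching engine, and the `mtls_enabled` switch only encodes what the page says: with Mutual TLS off, nothing is enforced.

```python
"""Illustrative TrafficPermission evaluator (added example, not Kuma's code).

Assumptions (not taken from the page): traffic is allowed when at least one
policy's sources selector matches the caller AND one of its destinations
selector matches the callee; a tag in a selector must be present on the
workload, and '*' accepts any value for it.
"""
from typing import Dict, List

Tags = Dict[str, str]
SERVICE_TAG = "kuma.io/service"  # mandatory in every sources/destinations selector


def policy(name: str, sources: List[Tags], destinations: List[Tags]) -> dict:
    """Build a dict in the same shape as the page's TrafficPermission YAML."""
    return {
        "apiVersion": "kuma.io/v1alpha1",
        "kind": "TrafficPermission",
        "mesh": "default",
        "metadata": {"name": name},
        "spec": {
            "sources": [{"match": m} for m in sources],
            "destinations": [{"match": m} for m in destinations],
        },
    }


# The page's default: every service may talk to every service.
ALLOW_ALL = policy("allow-all-traffic", [{SERVICE_TAG: "*"}], [{SERVICE_TAG: "*"}])

# Constructed least-privilege set meant to replace the allow-all policy:
#  - any version of 'backend' may reach 'postgres';
#  - only a prod-tagged 'frontend' may reach a prod-tagged 'backend'.
# 'env' is a constructed tag; the page only says any tag may be used.
LEAST_PRIVILEGE = [
    policy("backend-to-postgres",
           [{SERVICE_TAG: "backend"}], [{SERVICE_TAG: "postgres"}]),
    policy("frontend-to-backend-prod",
           [{SERVICE_TAG: "frontend", "env": "prod"}],
           [{SERVICE_TAG: "backend", "env": "prod"}]),
]


def validation_errors(pol: dict) -> List[str]:
    """Report selectors that omit the mandatory kuma.io/service tag."""
    errors = []
    for side in ("sources", "destinations"):
        for selector in pol["spec"][side]:
            if SERVICE_TAG not in selector["match"]:
                errors.append(f"{pol['metadata']['name']}: {side} selector lacks {SERVICE_TAG}")
    return errors


def selector_matches(match: Tags, tags: Tags) -> bool:
    """Every selector tag must exist on the workload; '*' matches any value."""
    return all(key in tags and (value == "*" or tags[key] == value)
               for key, value in match.items())


def policy_allows(pol: dict, source: Tags, destination: Tags) -> bool:
    spec = pol["spec"]
    return (any(selector_matches(s["match"], source) for s in spec["sources"])
            and any(selector_matches(d["match"], destination) for d in spec["destinations"]))


def is_allowed(policies: List[dict], source: Tags, destination: Tags,
               mtls_enabled: bool = True) -> bool:
    """Permissive model: allowed if any valid policy matches both sides.

    With Mutual TLS disabled the page says Kuma enforces no TrafficPermission,
    so the identity check is skipped and everything is allowed.
    """
    if not mtls_enabled:
        return True
    for pol in policies:
        errs = validation_errors(pol)
        if errs:
            raise ValueError("; ".join(errs))
    return any(policy_allows(pol, source, destination) for pol in policies)


if __name__ == "__main__":
    frontend_dev = {SERVICE_TAG: "frontend", "env": "dev"}
    postgres = {SERVICE_TAG: "postgres"}
    print("allow-all, frontend(dev) -> postgres:", is_allowed([ALLOW_ALL], frontend_dev, postgres))
    print("least-privilege, frontend(dev) -> postgres:", is_allowed(LEAST_PRIVILEGE, frontend_dev, postgres))
```

Running it shows the practical point of the section: once the default allow-all policy is replaced, a caller is admitted only when one of its tag sets is explicitly listed, and a selector that forgets `kuma.io/service` is rejected rather than silently matching everything.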
TrafficPermission is an Inbound Connection Policy. You can use all the tags in both the sources and destinations selectors.