Traffic Permissions is an inbound policy. Dataplanes whose configuration is modified are in the
This policy provides access control rules to define the traffic that is allowed within the Mesh.
Traffic permissions require Mutual TLS to be enabled on the Mesh. Mutual TLS is required for Kuma to validate the service identity with data plane proxy certificates. If Mutual TLS is disabled, Kuma allows all service traffic.
The TrafficPermission policy that Kuma creates when you install allows all communication between all services in the new
Mesh. Make sure to configure your policies to allow appropriate access to each of the services in your mesh.
As of version 1.2.0, traffic permissions support the
ExternalService resource. This lets you configure access control for traffic to services outside the mesh.
To specify which source services can consume which destination services, provide the appropriate values for
kuma.io/service. This value is required for sources and destinations.
Match all: You can match any value of a tag by using
* – for example, like
```yaml
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-all-traffic
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: '*'
```
Apply the configuration with
kubectl apply -f [..].
You can use any
destinations selectors. This approach supports fine-grained access control that lets you define the right levels of security for your services.
Access to External Services
The TrafficPermission policy can also be used to restrict traffic to services outside the mesh.
- Kuma deployed with transparent proxying
- Mesh configured to disable passthrough mode
These settings lock down traffic to and from the mesh, which means that requests to any unknown destination are not allowed. The mesh can’t rely on mTLS, because there is no data plane proxy on the destination side.
First, define the
ExternalService for a service that is not in the mesh.
```yaml
apiVersion: kuma.io/v1alpha1
kind: ExternalService
mesh: default
metadata:
  name: httpbin
spec:
  tags:
    kuma.io/service: httpbin
    kuma.io/protocol: http
  networking:
    address: httpbin.org:443
    tls:
      enabled: true
```
Then apply the
TrafficPermission policy. In the destination section, specify all the tags defined in
For example, to enable the traffic from the data plane proxies of service
backend to the new
```yaml
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: backend-to-httpbin
spec:
  sources:
    - match:
        kuma.io/service: web_default_svc_80
    - match:
        kuma.io/service: backend_default_svc_80
  destinations:
    - match:
        kuma.io/service: httpbin
```
ExternalService follows the same rules for matching policies as any other service in the mesh – Kuma selects the most specific
TrafficPermission for every
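
An added example, not part of the Kuma documentation: a Python audit that flags TrafficPermission policies as broad as the allow-all policy described above, or that omit the required kuma.io/service tag. The sample policies are constructed, `any-to-httpbin` and `by-version-only` are hypothetical names, and the input is assumed to have the List shape printed by `kubectl get trafficpermissions -o json`.

```python
import json

SERVICE_TAG = "kuma.io/service"

def make_policy(name, sources, destinations):
    """Build a constructed TrafficPermission in the Kubernetes format used on this page."""
    return {"apiVersion": "kuma.io/v1alpha1", "kind": "TrafficPermission",
            "mesh": "default", "metadata": {"name": name},
            "spec": {"sources": [{"match": m} for m in sources],
                     "destinations": [{"match": m} for m in destinations]}}

# Constructed sample input. Assumption: it has the List shape that
# `kubectl get trafficpermissions -o json` prints.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    make_policy("allow-all-traffic", [{SERVICE_TAG: "*"}], [{SERVICE_TAG: "*"}]),
    make_policy("backend-to-httpbin",
                [{SERVICE_TAG: "web_default_svc_80"}, {SERVICE_TAG: "backend_default_svc_80"}],
                [{SERVICE_TAG: "httpbin"}]),
    make_policy("any-to-httpbin", [{SERVICE_TAG: "*"}], [{SERVICE_TAG: "httpbin"}]),  # hypothetical
    make_policy("by-version-only", [{"version": "v1"}], [{SERVICE_TAG: "httpbin"}]),  # hypothetical
]})

def service_values(selectors):
    """kuma.io/service value of each selector; None where the tag is absent."""
    return [(s.get("match") or {}).get(SERVICE_TAG) for s in selectors or []]

def audit(policies_json):
    """Return sorted (policy name, finding) pairs for policies that deserve review."""
    doc = json.loads(policies_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        if item.get("kind") != "TrafficPermission":
            continue
        name = item["metadata"]["name"]
        spec = item.get("spec") or {}
        src = service_values(spec.get("sources"))
        dst = service_values(spec.get("destinations"))
        if not src or not dst or None in src or None in dst:
            findings.append((name, "missing-service-tag"))  # tag is required on both sides
        elif "*" in src and "*" in dst:
            findings.append((name, "allow-all"))            # every service to every service
        elif "*" in src:
            findings.append((name, "any-source"))           # any service is a permitted source
        elif "*" in dst:
            findings.append((name, "any-destination"))      # named sources, any destination
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{finding:20} {name}")
```

The scoped `backend-to-httpbin` policy from this page produces no finding; the other three are reported for review.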