MeshTLS
This policy enables Kuma to configure TLS mode, ciphers and version.
Backends and default mode values are taken from the Mesh object .
TargetRef support matrix
targetRefAllowed kinds
targetRef.kindMesh, Dataplane, MeshSubset(deprecated)
targetRefAllowed kinds
targetRef.kindMesh
from[].targetRef.kindMesh
To learn more about the information in this table, see the matching docs .
Configuration
The following describes the default configuration settings of the MeshTLS policy:
tlsVersionboth client and server . Allowed values: TLSAuto, TLS10, TLS11, TLS12, TLS13.tlsCiphersboth client and server . Allowed values: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305.modePermissive mode encrypts outbound connections the same way as Strict mode, but inbound connections on the server-side accept both TLS and plaintext. Allowed values: Strict, Permissive.
Setting the TLS version and ciphers on both the client and server makes it harder to misconfigure.
If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh , deploying two applications within it, and testing whether communication is working.
If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it.
In that case, please open an issue .
Examples
Set specific TLS version and ciphers
apiVersion : kuma.io/v1alpha1
kind : MeshTLS
metadata :
name : set-version-and-ciphers
namespace : kuma-system
labels :
kuma.io/mesh : default
spec :
targetRef :
kind : Mesh
rules :
- default :
tlsVersion :
min : TLS13
max : TLS13
tlsCiphers :
- ECDHE-ECDSA-AES256-GCM-SHA384
type : MeshTLS
name : set-version-and-ciphers
mesh : default
spec :
targetRef :
kind : Mesh
rules :
- default :
tlsVersion :
min : TLS13
max : TLS13
tlsCiphers :
- ECDHE-ECDSA-AES256-GCM-SHA384
Enable strict mode on specific subset
apiVersion : kuma.io/v1alpha1
kind : MeshTLS
metadata :
name : strict-mode
namespace : kuma-system
labels :
kuma.io/mesh : default
spec :
targetRef :
kind : Dataplane
labels :
app : redis
rules :
- default :
mode : Strict
type : MeshTLS
name : strict-mode
mesh : default
spec :
targetRef :
kind : Dataplane
labels :
app : redis
rules :
- default :
mode : Strict
See also
All policy options
TargetRef is a reference to the resource the policy takes an effect on. The resource could be either...
show more
Kind of the referenced resource
Values: Mesh | MeshSubset | MeshGateway | MeshService | MeshExternalService | MeshMultiZoneService | MeshServiceSubset | MeshHTTPRoute | Dataplane
Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and...
show more
Namespace specifies the namespace of target resource. If empty only resources in policy namespace wi...
show more
Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespa...
show more
SectionName is used to target specific section of resource. For example, you can target port from Me...
show more
Mesh is reserved for future use to identify cross mesh resources.
ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all da...
show more
Tags used to select a subset of proxies by tags. Can only be used with kinds `MeshSubset` and `MeshS...
show more
Rules defines inbound tls configurations. Currently limited to selecting all inbound traffic, as L7 ...
show more
Default contains configuration of the inbound tls
Mode defines the behavior of inbound listeners with regard to traffic encryption.
Values: Permissive | Strict
TlsCiphers section for providing ciphers specification.
Version section for providing version specification.
Max defines maximum supported version. One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
Values: TLSAuto | TLS10 | TLS11 | TLS12 | TLS13
Default: "TLSAuto"
Min defines minimum supported version. One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
Values: TLSAuto | TLS10 | TLS11 | TLS12 | TLS13
Default: "TLSAuto"
From list makes a match between clients and corresponding configurations
TargetRef is a reference to the resource that represents a group of clients.
Kind of the referenced resource
Values: Mesh | MeshSubset | MeshGateway | MeshService | MeshExternalService | MeshMultiZoneService | MeshServiceSubset | MeshHTTPRoute | Dataplane
Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and...
show more
Namespace specifies the namespace of target resource. If empty only resources in policy namespace wi...
show more
Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespa...
show more
SectionName is used to target specific section of resource. For example, you can target port from Me...
show more
Mesh is reserved for future use to identify cross mesh resources.
ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all da...
show more
Tags used to select a subset of proxies by tags. Can only be used with kinds `MeshSubset` and `MeshS...
show more
Default is a configuration specific to the group of clients referenced in 'targetRef'
Mode defines the behavior of inbound listeners with regard to traffic encryption.
Values: Permissive | Strict
TlsCiphers section for providing ciphers specification.
Version section for providing version specification.
Max defines maximum supported version. One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
Values: TLSAuto | TLS10 | TLS11 | TLS12 | TLS13
Default: "TLSAuto"
Min defines minimum supported version. One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
Values: TLSAuto | TLS10 | TLS11 | TLS12 | TLS13
Default: "TLSAuto"
