Kuma Star

MeshTrafficPermission

MeshIdentity has to be enabled to make MeshTrafficPermission work.

Overview

MeshTrafficPermission policy defines which clients are allowed or denied access to services inside a mesh based on their identities. By default, if no policy is present, all requests are denied.

It enables:

  • denying all requests by default, or blocking specific clients (by SPIFFE ID) so that no service owner can override them
  • allowing groups of clients, such as everything in the observability namespace, to access all services by default, while still letting individual services opt out
  • giving service owners control to allow specific clients, and the ability to block abusive ones even if they were previously allowed

Here is a common example:

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: my-app-permissions
  namespace: kuma-system
  labels:
    kuma.io/mesh: my-mesh
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: my-app
  rules:
  - default:
      deny:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/legacy-ns
      - spiffeID:
          type: Exact
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/test/sa/client
      allow:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local

With this policy in place, workloads labeled app: my-app will reject connections from identities under the legacy-ns namespace as well as the specific test/client identity, while continuing to accept connections from all other identities within the my-mesh.us-east-2.mesh.local trust domain.

Configuration

MeshTrafficPermission policy provides a way to specify 3 lists:

  • deny list – list of matches for clients that must always be denied.
  • allow list – list of matchers for clients that are explicitly allowed.
  • allowWithShadowDeny list – list of matchers that are allowed, but also logged as if they were denied. Useful for testing a policy to ensure no legitimate clients are denied.

Evaluation rules are:

  1. If a request matches at least one deny matcher – DENY.
  2. Else, if it matches at least one allow or allowWithShadowDeny matcher – ALLOW.
  3. If no matchers apply – DENY (default).

Examples

Denying requests from a group of clients mesh-wide

During the incident, if one of the namespaces is compromised, Mesh Operator can apply the following policy:

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-malicious-ns
  namespace: kuma-system
  labels:
    kuma.io/mesh: my-mesh
spec:
  rules:
  - default:
      deny:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/malicious

Such policy when applied globally prevents any service in the mesh my-mesh to receive requests from any client in malicious namespace. There is no way for Service Owner to opt-out from this rule.

Allowing requests from a group of clients mesh-wide

By default, when there are no MeshTrafficPermission policies, all requests are denied. Mesh Operator can apply the following policy mesh-wide:

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-observability-ns
  namespace: kuma-system
  labels:
    kuma.io/mesh: my-mesh
spec:
  rules:
  - default:
      allow:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/observability

This policy allows any client in observability namespace to consume any service in my-mesh. Service Owner can opt-out and deny requests from observability if they need to:

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-observability-ns
  namespace: backend-ns
  labels:
    kuma.io/mesh: my-mesh
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: backend
    sectionName: backend-admin-api
  rules:
  - default:
      deny:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/observability

The following policy overrides the rules specified in allow-observability-ns and denies requests from clients in observability namespace on backend-admin-api port of backend app.

See also

  • MeshIdentity - Configure workload identities (required)
  • MeshTrust - Configure trust between different domains
  • MeshTLS - Configure TLS modes and ciphers

All policy options

targetRef object
TargetRef is a reference to the resource the policy takes an effect on. The resource could be either...
kind enum required
Kind of the referenced resource
Values: Mesh | MeshSubset | MeshGateway | MeshService | MeshExternalService | MeshMultiZoneService | MeshServiceSubset | MeshHTTPRoute | Dataplane
name string
Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and...
namespace string
Namespace specifies the namespace of target resource. If empty only resources in policy namespace wi...
labels object
Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespa...
sectionName string
SectionName is used to target specific section of resource. For example, you can target port from Me...
mesh string
Mesh is reserved for future use to identify cross mesh resources.
proxyTypes array
ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all da...
tags object
Tags used to select a subset of proxies by tags. Can only be used with kinds `MeshSubset` and `MeshS...
rules array
Rules defines inbound permissions configuration
Allow definees a list of matches for which access will be allowed
SpiffeID defines a matcher configuration for SpiffeID matching
type enum required
Type defines how to match incoming traffic by SpiffeID. `Exact` or `Prefix` are allowed.
Values: Exact | Prefix
value string required
Value is SpiffeId of a client that needs to match for the configuration to be applied
AllowWithShadowDeny defines a list of matches for which access will be allowed but emits logs as if ...
SpiffeID defines a matcher configuration for SpiffeID matching
type enum required
Type defines how to match incoming traffic by SpiffeID. `Exact` or `Prefix` are allowed.
Values: Exact | Prefix
value string required
Value is SpiffeId of a client that needs to match for the configuration to be applied
Deny defines a list of matches for which access will be denied
SpiffeID defines a matcher configuration for SpiffeID matching
type enum required
Type defines how to match incoming traffic by SpiffeID. `Exact` or `Prefix` are allowed.
Values: Exact | Prefix
value string required
Value is SpiffeId of a client that needs to match for the configuration to be applied
from array
From list makes a match between clients and corresponding configurations
TargetRef is a reference to the resource that represents a group of clients.
kind enum required
Kind of the referenced resource
Values: Mesh | MeshSubset | MeshGateway | MeshService | MeshExternalService | MeshMultiZoneService | MeshServiceSubset | MeshHTTPRoute | Dataplane
name string
Name of the referenced resource. Can only be used with kinds: `MeshService`, `MeshServiceSubset` and...
namespace string
Namespace specifies the namespace of target resource. If empty only resources in policy namespace wi...
labels object
Labels are used to select group of MeshServices that match labels. Either Labels or Name and Namespa...
sectionName string
SectionName is used to target specific section of resource. For example, you can target port from Me...
mesh string
Mesh is reserved for future use to identify cross mesh resources.
proxyTypes array
ProxyTypes specifies the data plane types that are subject to the policy. When not specified, all da...
tags object
Tags used to select a subset of proxies by tags. Can only be used with kinds `MeshSubset` and `MeshS...
Default is a configuration specific to the group of clients referenced in 'targetRef'
action enum
Action defines a behavior for the specified group of clients:
Values: Allow | Deny | AllowWithShadowDeny