Using Kuma

Kuma provides comprehensive features for securing, managing, and observing your service mesh. This section covers practical guides for implementing common patterns and configuring essential policies.

Zero trust and application security

Secure service-to-service communication and control access:

• Mutual TLS - Enable automatic encryption and authentication between services
• MeshTrust - Configure certificate authorities and trust domains
• MeshIdentity - Manage workload identities and certificate issuance
• External services - Integrate and secure connections to external dependencies

Start with mutual TLS to establish zero-trust security across your mesh.

Resiliency and reliability

Build reliable applications that handle failures gracefully:

• Data plane health - Configure health checks and circuit breakers
• Service health probes - Define health checks for Kubernetes and Universal deployments
• MeshCircuitBreaker - Prevent cascading failures
• MeshHealthCheck - Actively monitor service health
• MeshRetry - Configure automatic request retries
• MeshTimeout - Set request timeout limits

Combine these policies to create resilient services that automatically recover from failures.

Managing incoming traffic

Configure ingress and expose services outside the mesh:

• Gateway overview - Understand ingress patterns in Kuma
• Built-in gateways - Use Kuma’s native gateway solution
• Delegated gateways - Integrate third-party ingress controllers
• Kubernetes Gateway API - Use standard Kubernetes Gateway API resources
• Built-in gateway on Kubernetes - Deploy gateway pods on Kubernetes
• Configuring listeners - Define gateway listeners for different protocols
• Configuring routes - Route traffic from gateways to services

Choose built-in gateways for a consistent experience or delegated gateways to use existing infrastructure.

Monitoring and observability

Gain visibility into mesh behavior and service interactions:

• observability guide - Set up metrics, logs, and traces
• MeshMetric - Collect metrics with Prometheus or OpenTelemetry
• MeshAccessLog - Configure access logging
• MeshTrace - Enable distributed tracing

Integrate with monitoring tools like Prometheus, Grafana, Jaeger, or Datadog for comprehensive observability.

Traffic routing and shaping

Control how requests flow between services:

• MeshHTTPRoute - Route and manipulate HTTP traffic with advanced matching
• MeshTCPRoute - Route TCP traffic to backend services
• MeshLoadBalancingStrategy - Configure load balancing algorithms
• Protocol support - Understand HTTP/2, grpc, and websocket support
• MeshRateLimit - Protect services from traffic spikes

Use routing policies for traffic splitting, canary deployments, and A/B testing.

Service discovery and networking

Configure how services discover and communicate with each other:

• Networking overview - Service discovery and DNS configuration
• Service discovery - How Kuma discovers services
• MeshService - Define services for precise control
• MeshMultiZoneService - Configure cross-zone services
• DNS - Built-in DNS for service name resolution
• Transparent proxying - Automatic traffic interception
• Non-mesh traffic - Handle traffic outside the mesh

Start with service discovery to understand how Kuma tracks services.

Common use cases

Secure microservices

1. Enable mutual TLS for encryption
2. Configure MeshTrafficPermission for access control
3. Set up MeshAccessLog for audit trails

Build resilient applications

1. Configure MeshTimeout to prevent hanging requests
2. Enable MeshRetry for automatic retries
3. Add MeshCircuitBreaker to prevent cascading failures
4. Configure MeshHealthCheck to remove unhealthy instances

Expose services with ingress

1. Choose between built-in or delegated gateways
2. Deploy and configure gateway instances
3. Create MeshHTTPRoute or MeshTCPRoute policies
4. Apply security policies to gateway traffic

Monitor and debug

1. Deploy Prometheus and Grafana for metrics
2. Configure MeshMetric to collect data plane metrics
3. Enable MeshTrace for distributed tracing
4. Use Inspect API to debug policy application

Next steps

• Secure your mesh: Start with mutual TLS for zero-trust security
• Add resilience: Configure timeout, retry, and circuit breaker policies
• Enable observability: Set up metrics and tracing
• Configure ingress: Choose a gateway solution to expose services