Careful!

You are browsing documentation for a version of Kuma that is not the latest release.

Looking for even older versions? Learn more.

Use Kuma

After Kuma is installed, you can access the control plane via the following methods:

Access method Mode Permissions
Kuma GUI Kubernetes and Universal Read-only
HTTP API Kubernetes and Universal Read-only
kumactl Kubernetes Read-only
kumactl Universal Read and write
kubectl Kubernetes Read and write

By accessing the control plane using one of these methods, you can see the current Kuma configuration or with some methods, you can edit the configuration.

Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on the API port and defaults to :5681/gui.

To access Kuma we need to first port forward to the API with:

kubectl port-forward svc/kuma-control-plane -n kuma-system 5681:5681

And then navigate to 127.0.0.1:5681/gui to see the GUI.

You will notice that Kuma automatically creates a Mesh entity with name default.

Kuma, being an application that improves the underlying connectivity between your services by making the underlying network more reliable, also comes with some networking requirements itself.

Control plane ports

First and foremost, the kuma-cp application is a server that offers a number of services - some meant for internal consumption by kuma-dp data plane proxies and some meant for external consumption by kumactl, the HTTP API, the GUI or other systems.

The number and type of exposed ports depends on the mode in which the control plane is running as:

Standalone control plane

This is the default, single zone mode, in which all of the following ports are enabled in kuma-cp

  • TCP
    • 5443: the port for the admission webhook, only enabled in Kubernetes. The default Kubernetes kuma-control-plane service exposes this port on 443.
    • 5676: the Monitoring Assignment server that responds to discovery requests from monitoring tools, such as Prometheus, that are looking for a list of targets to scrape metrics from.
    • 5678: the server for the control plane to data plane proxy communication (bootstrap configuration, xDS to retrieve data plane proxy configuration, SDS to retrieve mTLS certificates).
    • 5680: the HTTP server that returns the health status and metrics of the control plane.
    • 5681: the HTTP API server that is being used by kumactl. You can also use it to retrieve Kuma’s policies and, when running in universal, you can manage Dataplane resources. It also exposes the Kuma GUI at /gui
    • 5682: HTTPS version of the services available under 5681
    • 5683: gRPC Intercommunication CP server used internally by Kuma to communicate between CP instances.

Global control plane

When Kuma is run as a distributed service mesh, the global control plane exposes the following ports:

  • TCP
    • 5443: the port for the admission webhook, only enabled in Kubernetes. The default Kubernetes kuma-control-plane service exposes this port on 443.
    • 5680: the HTTP server that returns the health status of the control plane.
    • 5681: the HTTP API server that is being used by kumactl, and that you can also use to retrieve Kuma’s policies and - when running in universal - that you can use to apply new policies. Manipulating Dataplane resources is not possible. It also exposes the Kuma GUI at /gui
    • 5682: HTTPS version of the services available under 5681
    • 5683: gRPC Intercommunication CP server used internally by Kuma to communicate between CP instances.
    • 5685: the Kuma Discovery Service port, leveraged in multi-zone deployments

Zone control plane

When Kuma is run as a distributed service mesh, the zone control plane exposes the following ports:

  • TCP
    • 5443: the port for the admission webhook, only enabled in Kubernetes. The default Kubernetes kuma-control-plane service exposes this port on 443.
    • 5676: the Monitoring Assignment server that responds to discovery requests from monitoring tools, such as Prometheus, that are looking for a list of targets to scrape metrics from.
    • 5678: the server for the control plane to data plane proxy communication (bootstrap configuration, xDS to retrieve data plane proxy configuration, SDS to retrieve mTLS certificates).
    • 5680: the HTTP server that returns the health status and metrics of the control plane.
    • 5681: the HTTP API server that is being used by kumactl. You can also use it to retrieve Kuma’s policies and, when running in universal, you can manage Dataplane resources.
    • 5682: HTTPS version of the services available under 5681
    • 5683: gRPC Intercommunication CP server used internally by Kuma to communicate between CP instances.