Careful!

You are browsing documentation for a version of Kuma that is not the latest release.

Looking for even older versions? Learn more.

Use Kuma

After Kuma is installed, you can access the control plane via the following methods:

Access method Mode Permissions
Kuma user interface Kubernetes and Universal Read-only
HTTP API Kubernetes and Universal Read-only
kumactl Kubernetes Read-only
kumactl Universal Read and write
kubectl Kubernetes Read and write

By accessing the control plane using one of these methods, you can see the current Kuma configuration or with some methods, you can edit the configuration.

Kuma ships with a read-only GUI that you can use to retrieve Kuma resources. By default the GUI listens on the API port and defaults to :5681/gui.

To access Kuma we need to first port-forward the API service with:

kubectl port-forward svc/kuma-control-plane -n kuma-system 5681:5681

And then navigate to 127.0.0.1:5681/gui to see the GUI.

You will notice that Kuma automatically creates a Mesh entity with name default.

Kuma - being an application that wants to improve the underlying connectivity between your services by making the underlying network more reliable - also comes with some networking requirements itself.

Control Plane ports

First and foremost, the kuma-cp application is a server that offers a number of services - some meant for internal consumption by kuma-dp data-planes, some meant for external consumption by kumactl, the HTTP API, the GUI or other systems.

The number and type of exposed ports depends on the mode in which the control plane is running as:

Global Control Plane

When Kuma is run as a distributed service mesh, the Global control plane exposes the following ports:

  • TCP
    • 5443: The port for the admission webhook, only enabled in Kubernetes. The default Kubernetes kuma-control-plane service exposes this port on 443.
    • 5680: the HTTP server that returns the health status of the control-plane.
    • 5681: the HTTP API server that is being used by kumactl, and that you can also use to retrieve Kuma’s policies and - when running in universal - that you can use to apply new policies. Manipulating the dataplane resources is not possible. It also exposes the Kuma GUI at /gui
    • 5682: HTTPS version of the services available under 5681
    • 5683: gRPC Intercommunication CP server used internally by Kuma to communicate between CP instances.
    • 5685: the Kuma Discovery Service port, leveraged in multi-zone deployment

Zone Control Plane

When Kuma is run as a distributed service mesh, the Zone control plane exposes the following ports:

  • TCP
    • 5443: The port for the admission webhook, only enabled in Kubernetes. The default Kubernetes kuma-control-plane service exposes this port on 443.
    • 5676: the Monitoring Assignment server that responds to discovery requests from monitoring tools, such as Prometheus, that are looking for a list of targets to scrape metrics from, e.g. a list of all dataplanes in the mesh.
    • 5678: the server for the control-plane to data-planes communication (bootstrap configuration, xDS to retrieve their configuration, SDS to retrieve mTLS certificates).
    • 5680: the HTTP server that returns the health status and metrics of the control-plane.
    • 5681: the HTTP API server that is being used by kumactl, and that you can also use to retrieve Kuma’s policies and - when running in universal - you can only manage the dataplane resources. When not connected to global, It also exposes the Kuma GUI at /gui

    • 5682: HTTPS version of the services available under 5681
    • 5683: gRPC Intercommunication CP server used internally by Kuma to communicate between CP instances.