MeshTrafficPermission
This policy uses new policy matching algorithm. Do not combine with TrafficPermission.
TargetRef support matrix
targetRef |
Allowed kinds |
|---|---|
targetRef.kind |
Mesh, MeshSubset, MeshService, MeshServiceSubset |
from[].targetRef.kind |
Mesh, MeshSubset, MeshServiceSubset |
If you don’t understand this table you should read matching docs.
Configuration
Action
Kuma allows configuring one of 3 actions for a group of service’s clients:
Allow- allows incoming requests matching the fromtargetRef.Deny- denies incoming requests matching the fromtargetRefAllowWithShadowDeny- same asAllowbut will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.
Examples
Service ‘payments’ allows requests from ‘orders’
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
namespace: kuma-system
name: allow-orders
spec:
targetRef: # 1
kind: MeshService
name: payments
from:
- targetRef: # 2
kind: MeshSubset
tags:
kuma.io/service: orders
default: # 3
action: Allow
Explanation
-
Top level
targetRefselects data plane proxies that implementpaymentsservice. MeshTrafficPermissionallow-orderswill be configured on these proxies.targetRef: # 1 kind: MeshService name: payments -
TargetRefinside thefromarray selects proxies that implementorderservice. These proxies will be subjected to the action fromdefault.action.- targetRef: # 2 kind: MeshSubset tags: kuma.io/service: orders -
The action is
Allow. All requests from serviceorderswill be allowed on servicepayments.default: # 3 action: Allow
Deny all
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
namespace: kuma-system
name: deny-all
spec:
targetRef: # 1
kind: Mesh
from:
- targetRef: # 2
kind: Mesh
default: # 3
action: Deny
Explanation
-
Top level
targetRefselects all proxies in the mesh.targetRef: # 1 kind: Mesh -
TargetRefinside thefromarray selects all clients.- targetRef: # 2 kind: Mesh -
The action is
Deny. All requests from all services will be denied on all proxies in thedefaultmesh.default: # 3 action: Deny
Allow all
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
name: allow-all
namespace: kuma-system
labels:
kuma.io/mesh: default
spec:
targetRef:
kind: Mesh
from:
- targetRef:
kind: Mesh
default:
action: Allow
Explanation
-
Top level
targetRefselects all proxies in the mesh.targetRef: # 1 kind: Mesh -
targetRefinside the element of thefromarray selects all clients within the mesh.- targetRef: # 2 kind: Mesh -
The action is
Allow. All requests from all services will be allow on all proxies in thedefaultmesh.default: # 3 action: Allow
Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
namespace: kuma-system
name: example-with-tags
spec:
targetRef: # 1
kind: Mesh
from:
- targetRef: # 2
kind: MeshSubset
tags:
kuma.io/zone: us-east
default: # 3
action: Allow
- targetRef: # 4
kind: MeshSubset
tags:
env: dev
default: # 5
action: Deny
Apply the configuration with kubectl apply -f [..].
Explanation
-
Top level
targetRefselects all proxies in the mesh.targetRef: # 1 kind: Mesh -
TargetRefinside thefromarray selects proxies that have labelkuma.io/zone: us-east. These proxies will be subjected to the action fromdefault.action.- targetRef: # 2 kind: MeshSubset tags: kuma.io/zone: us-east -
The action is
Allow. All requests from the zoneus-eastwill be allowed on all proxies.default: # 3 action: Allow -
TargetRefinside thefromarray selects proxies that have tagskuma.io/zone: us-east. These proxies will be subjected to the action fromdefault.action.- targetRef: # 4 kind: MeshSubset tags: env: dev -
The action is
Deny. All requests from the envdevwill be denied on all proxies.default: # 5 action: Deny
Order of rules inside the from array matters.
Request from the proxy that has both kuma.io/zone: east and env: dev will be denied.
This is because the rule with Deny is later in the from array than any Allow rules.