MeshTLS

This policy enables Kuma to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.

TargetRef support matrix

To learn more about the information in this table, see the matching docs.

Configuration

The following describes the default configuration settings of the MeshTLS policy:

• tlsVersion: Defines TLS versions to be used by both client and server. Allowed values: TLSAuto, TLS10, TLS11, TLS12, TLS13.
• tlsCiphers: Defines TLS ciphers to be used by both client and server. Allowed values: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305.
• mode: Defines the mTLS mode - Permissive mode encrypts outbound connections the same way as Strict mode, but inbound connections on the server-side accept both TLS and plaintext. Allowed values: Strict, Permissive.

Examples

Set specific TLS version and ciphers

apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: set-version-and-ciphers
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  rules:
  - default:
      tlsVersion:
        min: TLS13
        max: TLS13
      tlsCiphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384

type: MeshTLS
name: set-version-and-ciphers
mesh: default
spec:
  targetRef:
    kind: Mesh
  rules:
  - default:
      tlsVersion:
        min: TLS13
        max: TLS13
      tlsCiphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384

Enable strict mode on specific subset

apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: strict-mode
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: redis
  rules:
  - default:
      mode: Strict

type: MeshTLS
name: strict-mode
mesh: default
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: redis
  rules:
  - default:
      mode: Strict

All policy options