Careful!
You are browsing documentation for the next version of Kuma. Use this version at your own risk.
Using Kuma
Kuma provides comprehensive features for securing, managing, and observing your service mesh. This section covers practical guides for implementing common patterns and configuring essential policies.
Zero trust and application security
Secure service-to-service communication and control access:
- Mutual TLS - Enable automatic encryption and authentication between services
- MeshTrust - Configure certificate authorities and trust domains
- MeshIdentity - Manage workload identities and certificate issuance
- External services - Integrate and secure connections to external dependencies
Start with mutual TLS to establish zero-trust security across your mesh.
Resiliency and reliability
Build reliable applications that handle failures gracefully:
- Data plane health - Configure health checks and circuit breakers
- Service health probes - Define health checks for Kubernetes and Universal deployments
- MeshCircuitBreaker - Prevent cascading failures
- MeshHealthCheck - Actively monitor service health
- MeshRetry - Configure automatic request retries
- MeshTimeout - Set request timeout limits
Combine these policies to create resilient services that automatically recover from failures.
Managing incoming traffic
Configure ingress and expose services outside the mesh:
- Gateway overview - Understand ingress patterns in Kuma
- Built-in gateways - Use Kuma’s native gateway solution
- Delegated gateways - Integrate third-party ingress controllers
- Kubernetes Gateway API - Use standard Kubernetes Gateway API resources
- Built-in gateway on Kubernetes - Deploy gateway pods on Kubernetes
- Configuring listeners - Define gateway listeners for different protocols
- Configuring routes - Route traffic from gateways to services
Choose built-in gateways for a consistent experience or delegated gateways to use existing infrastructure.
Monitoring and observability
Gain visibility into mesh behavior and service interactions:
- observability guide - Set up metrics, logs, and traces
- MeshMetric - Collect metrics with Prometheus or OpenTelemetry
- MeshAccessLog - Configure access logging
- MeshTrace - Enable distributed tracing
Integrate with monitoring tools like Prometheus, Grafana, Jaeger, or Datadog for comprehensive observability.
Traffic routing and shaping
Control how requests flow between services:
- MeshHTTPRoute - Route and manipulate HTTP traffic with advanced matching
- MeshTCPRoute - Route TCP traffic to backend services
- MeshLoadBalancingStrategy - Configure load balancing algorithms
- Protocol support - Understand HTTP/2, grpc, and websocket support
- MeshRateLimit - Protect services from traffic spikes
Use routing policies for traffic splitting, canary deployments, and A/B testing.
Service discovery and networking
Configure how services discover and communicate with each other:
- Networking overview - Service discovery and DNS configuration
- Service discovery - How Kuma discovers services
- MeshService - Define services for precise control
- MeshMultiZoneService - Configure cross-zone services
- DNS - Built-in DNS for service name resolution
- Transparent proxying - Automatic traffic interception
- Non-mesh traffic - Handle traffic outside the mesh
Start with service discovery to understand how Kuma tracks services.
Common use cases
Secure microservices
- Enable mutual TLS for encryption
- Configure MeshTrafficPermission for access control
- Set up MeshAccessLog for audit trails
Build resilient applications
- Configure MeshTimeout to prevent hanging requests
- Enable MeshRetry for automatic retries
- Add MeshCircuitBreaker to prevent cascading failures
- Configure MeshHealthCheck to remove unhealthy instances
Expose services with ingress
- Choose between built-in or delegated gateways
- Deploy and configure gateway instances
- Create MeshHTTPRoute or MeshTCPRoute policies
- Apply security policies to gateway traffic
Monitor and debug
- Deploy Prometheus and Grafana for metrics
- Configure MeshMetric to collect data plane metrics
- Enable MeshTrace for distributed tracing
- Use Inspect API to debug policy application
Next steps
- Secure your mesh: Start with mutual TLS for zero-trust security
- Add resilience: Configure timeout, retry, and circuit breaker policies
- Enable observability: Set up metrics and tracing
- Configure ingress: Choose a gateway solution to expose services