Deploy a single-zone control plane

In order to deploy Kuma in a single-zone deployment, the kuma-cp control plane must be started in zone mode:

This is the standard installation method. After the installation, make sure to restart application pods that are running such that the data plane objects can be generated and the proxies can be connected.

kumactl install control-plane \
  --set "controlPlane.mode=zone" \
  | kubectl apply -f -

With zone egress:

It’s possible to run ZoneEgress for single-zone deployment. In order to deploy Kuma with ZoneEgress run the install command with an additional parameter.

kumactl install control-plane \
  --set "controlPlane.mode=zone" \
  --set "egress.enabled=true" \
  | kubectl apply -f -

Once Kuma is up and running, data plane proxies can now connect directly to it.

When the mode is not specified, Kuma will always start in zone mode by default.

Optional: control plane authentication

Running administrative tasks (like generating auth tokens) requires authentication by token or a connection via localhost when interacting with the control plane.

You can authenticate by port-forwarding API service and extracting admin user token.

kubectl port-forward svc/kuma-control-plane -n kuma-system 5681:5681

export ADMIN_TOKEN=$(kubectl get secrets -n kuma-system admin-user-token -ojson | jq -r .data.value | base64 -d)

kumactl config control-planes add \
--address http://localhost:5681 \
--headers "authorization=Bearer $ADMIN_TOKEN" \
--name "zone-cp" \
--overwrite

Moving to a multi-zone deployment

You can transform a single-zone deployment into a multi-zone deployment by doing federation.