Careful!
You are browsing documentation for a version of Kuma that is not the latest release.
Looking for even older versions? Learn more.
MeshTrafficPermission
This policy uses new policy matching algorithm. Do not combine with TrafficPermission.
TargetRef support matrix
targetRef |
Allowed kinds |
---|---|
targetRef.kind |
Mesh , MeshSubset , MeshService , MeshServiceSubset |
from[].targetRef.kind |
Mesh , MeshSubset , MeshServiceSubset |
If you don’t understand this table you should read matching docs.
Configuration
Action
Kuma allows configuring one of 3 actions for a group of service’s clients:
Allow
- allows incoming requests matching the fromtargetRef
.Deny
- denies incoming requests matching the fromtargetRef
AllowWithShadowDeny
- same asAllow
but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.
Examples
Service ‘payments’ allows requests from ‘orders’
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
name: allow-orders
namespace: kuma-system
labels:
kuma.io/mesh: default
spec:
targetRef:
kind: MeshService
name: payments
from:
- targetRef:
kind: MeshSubset
tags:
kuma.io/service: orders
default:
action: Allow
Explanation
-
Top level
targetRef
selects data plane proxies that implementpayments
service. MeshTrafficPermissionallow-orders
will be configured on these proxies.targetRef: # 1 kind: MeshService name: payments
-
TargetRef
inside thefrom
array selects proxies that implementorder
service. These proxies will be subjected to the action fromdefault.action
.- targetRef: # 2 kind: MeshSubset tags: kuma.io/service: orders
-
The action is
Allow
. All requests from serviceorders
will be allowed on servicepayments
.default: # 3 action: Allow
Deny all
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
name: deny-all
namespace: kuma-system
labels:
kuma.io/mesh: default
spec:
targetRef:
kind: Mesh
from:
- targetRef:
kind: Mesh
default:
action: Deny
Explanation
-
Top level
targetRef
selects all proxies in the mesh.targetRef: # 1 kind: Mesh
-
TargetRef
inside thefrom
array selects all clients.- targetRef: # 2 kind: Mesh
-
The action is
Deny
. All requests from all services will be denied on all proxies in thedefault
mesh.default: # 3 action: Deny
Allow all
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
name: allow-all
namespace: kuma-system
labels:
kuma.io/mesh: default
spec:
targetRef:
kind: Mesh
from:
- targetRef:
kind: Mesh
default:
action: Allow
Explanation
-
Top level
targetRef
selects all proxies in the mesh.targetRef: # 1 kind: Mesh
-
targetRef
inside the element of thefrom
array selects all clients within the mesh.- targetRef: # 2 kind: Mesh
-
The action is
Allow
. All requests from all services will be allow on all proxies in thedefault
mesh.default: # 3 action: Allow
Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
name: example-with-tags
namespace: kuma-system
labels:
kuma.io/mesh: default
spec:
targetRef:
kind: Mesh
from:
- targetRef:
kind: MeshSubset
tags:
kuma.io/zone: us-east
default:
action: Allow
- targetRef:
kind: MeshSubset
tags:
env: dev
default:
action: Deny
Explanation
-
Top level
targetRef
selects all proxies in the mesh.targetRef: # 1 kind: Mesh
-
TargetRef
inside thefrom
array selects proxies that have labelkuma.io/zone: us-east
. These proxies will be subjected to the action fromdefault.action
.- targetRef: # 2 kind: MeshSubset tags: kuma.io/zone: us-east
-
The action is
Allow
. All requests from the zoneus-east
will be allowed on all proxies.default: # 3 action: Allow
-
TargetRef
inside thefrom
array selects proxies that have tagskuma.io/zone: us-east
. These proxies will be subjected to the action fromdefault.action
.- targetRef: # 4 kind: MeshSubset tags: env: dev
-
The action is
Deny
. All requests from the envdev
will be denied on all proxies.default: # 5 action: Deny
Order of rules inside the from
array matters.
Request from the proxy that has both kuma.io/zone: east
and env: dev
will be denied.
This is because the rule with Deny
is later in the from
array than any Allow
rules.