You are viewing an older version of the documentation. Refer to the latest documentation here.
MeshTrafficPermission (beta)
This policy uses the new policy matching algorithm and is in beta. It should not be mixed with TrafficPermission.
TargetRef support matrix
TargetRef type | top level | to | from |
---|---|---|---|
Mesh | ✅ | ❌ | ✅ |
MeshSubset | ✅ | ❌ | ✅ |
MeshService | ✅ | ❌ | ✅ |
MeshServiceSubset | ✅ | ❌ | ✅ |
If this table is unfamiliar, read the policy matching docs first.
Configuration
Action
Kong Mesh allows configuring one of 3 actions for a group of a service's clients:

- `ALLOW` - allows incoming requests matching the `from` `targetRef`.
- `DENY` - denies incoming requests matching the `from` `targetRef`.
- `ALLOW_WITH_SHADOW_DENY` - same as `ALLOW`, but logs the request as if it had been denied. This is useful for rolling out new restrictive policies without breaking traffic: the log shows which clients the final `DENY` would block.
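The rollout pattern the third action is meant for, written out as a complete resource. This is an added example, not from the original page or the Kong Mesh project: the resource shape (`apiVersion`, `metadata`, the `kong-mesh-system` namespace, the `kuma.io/mesh` label and the `default` mesh) is assumed for a Kubernetes deployment, and the service names `payments` and `orders` are taken from the page.

```yaml
# Added example (not from the page): staged rollout of a restrictive
# policy for the `payments` service. apiVersion, metadata, namespace
# and mesh label are assumptions for a Kubernetes deployment.
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: payments-shadow-deny
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:              # configured on proxies implementing `payments`
    kind: MeshService
    name: payments
  from:
    # Step 1: every client in the mesh is still allowed, but each
    # request is logged as if it had been denied. Anything that shows
    # up in these logs is traffic the final DENY would break.
    - targetRef:
        kind: Mesh
      default:
        action: ALLOW_WITH_SHADOW_DENY
    # Step 2: the callers known to be legitimate. This rule is later in
    # the `from` array, so for `orders` it overrides the shadow rule:
    # its requests are allowed and do not appear in the shadow log.
    - targetRef:
        kind: MeshService
        name: orders
      default:
        action: ALLOW
    # Step 3 (once the shadow log is clean): change
    # ALLOW_WITH_SHADOW_DENY above to DENY. Only `orders` keeps access.
```

Apply the resource, watch for shadow-denied requests from clients you had not expected, add an `ALLOW` rule for each one you decide is legitimate, and only then flip the first rule to `DENY`. Keeping the broad rule first and the specific allows after it matters, because later rules win for proxies matched by both.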
Examples
Service `payments` allows requests from `orders`

Explanation

- The top-level `targetRef` selects data plane proxies that implement the `payments` service. The MeshTrafficPermission `allow-orders` will be configured on these proxies.

  ```yaml
  targetRef: # 1
    kind: MeshService
    name: payments
  ```

- The `targetRef` inside the `from` array selects proxies that implement the `orders` service. Requests from these proxies are subjected to the action from `default.action`.

  ```yaml
  - targetRef: # 2
      kind: MeshService
      name: orders
  ```

- The action is `ALLOW`. All requests from service `orders` will be allowed on service `payments`.

  ```yaml
    default: # 3
      action: ALLOW
  ```
Deny all

Explanation

- The top-level `targetRef` selects all proxies in the mesh.

  ```yaml
  targetRef: # 1
    kind: Mesh
  ```

- The `targetRef` inside the `from` array selects all clients.

  ```yaml
  - targetRef: # 2
      kind: Mesh
  ```

- The action is `DENY`. All requests from all services will be denied on all proxies in the `default` mesh.

  ```yaml
    default: # 3
      action: DENY
  ```
Allow requests from zone `us-east`, deny requests from the `dev` environment

Explanation

- The top-level `targetRef` selects all proxies in the mesh.

  ```yaml
  targetRef: # 1
    kind: Mesh
  ```

- The first `targetRef` inside the `from` array selects proxies that have the tag `kuma.io/zone: us-east`. Requests from these proxies are subjected to the action from `default.action`.

  ```yaml
  - targetRef: # 2
      kind: MeshSubset
      tags:
        kuma.io/zone: us-east
  ```

- The action is `ALLOW`. All requests from the zone `us-east` will be allowed on all proxies.

  ```yaml
    default: # 3
      action: ALLOW
  ```

- The second `targetRef` inside the `from` array selects proxies that have the tag `env: dev`. Requests from these proxies are subjected to the action from `default.action`.

  ```yaml
  - targetRef: # 4
      kind: MeshSubset
      tags:
        env: dev
  ```

- The action is `DENY`. All requests from the `dev` environment will be denied on all proxies.

  ```yaml
    default: # 5
      action: DENY
  ```
The order of rules inside the `from` array matters. When a client proxy is matched by more than one rule, the rule that appears later in the array wins. A request from a proxy that has both `kuma.io/zone: us-east` and `env: dev` is therefore denied, because the `DENY` rule comes later in the `from` array than the `ALLOW` rule.
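The zone/environment policy above assembled into one complete resource, with the effective action for each kind of client spelled out. This is an added example, not from the original page or the Kong Mesh project: `apiVersion`, `metadata`, the `kong-mesh-system` namespace, the `kuma.io/mesh` label and the `default` mesh are assumed; the tag values `us-west` and `prod` are constructed for the comparison and do not appear on the page.

```yaml
# Added example (not from the page): the zone/env policy as a full
# resource. apiVersion, metadata, namespace and mesh label are
# assumptions for a Kubernetes deployment.
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-us-east-deny-dev
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:              # applies to every proxy in the mesh
    kind: Mesh
  from:
    - targetRef:          # rule A: clients in zone us-east
        kind: MeshSubset
        tags:
          kuma.io/zone: us-east
      default:
        action: ALLOW
    - targetRef:          # rule B: clients tagged env=dev
        kind: MeshSubset
        tags:
          env: dev
      default:
        action: DENY
# Effective action per client proxy (later matching rule wins).
# Tag values us-west and prod are constructed for illustration:
#   kuma.io/zone=us-east, env=prod -> ALLOW (only rule A matches)
#   kuma.io/zone=us-west, env=dev  -> DENY  (only rule B matches)
#   kuma.io/zone=us-east, env=dev  -> DENY  (both match; B is later)
#   kuma.io/zone=us-west, env=prod -> neither rule matches, so this
#                                     policy sets no action for it
```

Swapping rules A and B would flip the third row to `ALLOW`, because the `us-east` rule would then be the later one, so `dev` proxies running in `us-east` would be allowed. Check the ordering before applying a policy that mixes `ALLOW` and `DENY` rules whose subsets can overlap.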