問題を報告するこのページは、まだ日本語ではご利用いただけません。翻訳中です。
旧バージョンのドキュメントを参照しています。 最新のドキュメントはこちらをご参照ください。
MeshPassthrough
This policy uses new policy matching algorithm.
This policy enables Kong Mesh to configure traffic to external destinations that is allowed to pass outside the mesh. When using this policy, the passthrough mode flag is ignored.
TargetRef support matrix
To learn more about the information in this table, see the matching docs.
Configuration
This policy doesn’t work with sidecars without transparent-proxy.
The following describes the default configuration settings of the MeshPassthrough policy:
-
passthroughMode: (Optional) Defines behaviour for handling traffic. Allowed values:All,NoneandMatched. Default:None-
Allenables all traffic to pass through. -
Matchedallows only the traffic defined inappendMatch. -
Nonedisallows all traffic.
-
-
appendMatch: List of destinations that are allowed to pass through. WhenpassthroughModeisAllorNonethis list is not used. It only takes effect whenpassthroughModeisMatched.-
type: Defines what type of destination is allowed. EitherDomain,IPorCIDR. -
value: Destination address based on the definedtype. -
port: Port at which external destination is available. When not defined it caches all traffic to the address. -
protocol: Defines protocol of the external destination.-
tcp: Can’t be used whentypeisDomain(at TCP level we are not able to distinguish domain, in this case it is going to hijack whole traffic on this port). -
tls: Should be used when TLS traffic is originated by the client application. httphttp2grpc
-
-
Wildcard DNS matching
MeshPassthrough policy allows you to create a match for a wildcard subdomain.
Currently, support for partial subdomain matching is not implemented. For example, a match for
*w.example.comwill be rejected.
Security
It is advised that the Mesh Operator is responsible for managing the MeshPassthrough policy.
This policy can introduce traffic outside of the mesh or even the cluster, and the Mesh Operator should be aware of this.
If you want to restrict access to MeshPassthrough to specific services, you must choose them manually.
If you rely on tags in the top-level targetRef you might consider securing them by using one of the following techniques:
- Make sure that service owners can’t freely modify them (using something like
kyverno,OPAor similar) - Accept the risk of being able to “impersonate” a passthrough label and rely on auditing to figure out any violations.
Limitations
- Due to the nature of some traffic, it is not possible to combine certain protocols on the same port. You can create a
MeshPassthroughpolicy that handlestcp,tls, and one ofhttp,http2, orgrpctraffic on the same port. Layer 7 protocols cannot be distinguished, which could introduce unexpected behavior. - It is currently not possible to route passthrough traffic through the zone egress. However, this feature will be implemented in the future.
- Gateways are currently not supported.
