旧バージョンのドキュメントを参照しています。最新のドキュメントはこちらをご参照ください。

MeshTLS

This policy enables Kong Mesh to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.

TargetRef support matrix

targetRef For mode

targetRef For tls ciphers/version

`targetRef`	Allowed kinds
`targetRef.kind`	`Mesh`, `MeshSubset`
`from[].targetRef.kind`	`Mesh`

`targetRef`	Allowed kinds
`targetRef.kind`	`Mesh`
`from[].targetRef.kind`	`Mesh`

To learn more about the information in this table, see the matching docs.

Configuration

The following describes the default configuration settings of the MeshTLS policy:

tlsVersion: Defines TLS versions to be used by both client and server. Allowed values: TLSAuto, TLS10, TLS11, TLS12, TLS13.
tlsCiphers: Defines TLS ciphers to be used by both client and server. Allowed values: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305.
mode: Defines the mTLS mode - Permissive mode encrypts outbound connections the same way as Strict mode, but inbound connections on the server-side accept both TLS and plaintext. Allowed values: Strict, Permissive.

Setting the TLS version and ciphers on both the client and server makes it harder to misconfigure. If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh, deploying two applications within it, and testing whether communication is working. If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it. In that case, please open an issue.

Examples

Set specific TLS version and ciphers

        
          Kubernetes
        
      

        
          Universal
        
      

    
      apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: set-version-and-ciphers
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      tlsVersion:
        min: TLS13
        max: TLS13
      tlsCiphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384

    
      type: MeshTLS
name: set-version-and-ciphers
mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      tlsVersion:
        min: TLS13
        max: TLS13
      tlsCiphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384

    
  

Enable strict mode on specific subset

        
          Kubernetes
        
      

        
          Universal
        
      

    
      apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: strict-mode
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: redis
  from:
  - targetRef:
      kind: Mesh
    default:
      mode: Strict

    
      type: MeshTLS
name: strict-mode
mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: redis
  from:
  - targetRef:
      kind: Mesh
    default:
      mode: Strict

    
  

All policy options

Spec is the specification of the Kuma MeshTLS resource.

Type: object

Properties

from
- From list makes a match between clients and corresponding configurations
- Type: array
  - Items
  - Type: object
  - Properties
    - default
      - Default is a configuration specific to the group of clients referenced in'targetRef'
      - Type: object
      - Properties
        
        mode
        
        Mode defines the behavior of inbound listeners with regard to traffic encryption.
        
        Type: string
        
        The value is restricted to the following:
        
        "Permissive"
        
        "Strict"
        
        tlsCiphers
        
        TlsCiphers section for providing ciphers specification.
        
        Type: array
        
        Items
        
        Type: string
        
        The value is restricted to the following:
        
        "ECDHE-ECDSA-AES128-GCM-SHA256"
        
        "ECDHE-ECDSA-AES256-GCM-SHA384"
        
        "ECDHE-ECDSA-CHACHA20-POLY1305"
        
        "ECDHE-RSA-AES128-GCM-SHA256"
        
        "ECDHE-RSA-AES256-GCM-SHA384"
        
        "ECDHE-RSA-CHACHA20-POLY1305"
        
        tlsVersion
        
        Version section for providing version specification.
        
        Type: object
        
        Properties
        
        max
        
        Max defines maximum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
        
        Type: string
        
        The value is restricted to the following:
        
        "TLSAuto"
        
        "TLS10"
        
        "TLS11"
        
        "TLS12"
        
        "TLS13"
        
        Default: "TLSAuto"
        
        min
        
        Min defines minimum supported version. One of TLSAuto, TLS10, TLS11, TLS12, TLS13.
        
        Type: string
        
        The value is restricted to the following:
        
        "TLSAuto"
        
        "TLS10"
        
        "TLS11"
        
        "TLS12"
        
        "TLS13"
        
        Default: "TLSAuto"
    - targetRef required
      - TargetRef is a reference to the resource that represents a group ofclients.
      - Type: object
      - Properties
        
        kind
        
        Kind of the referenced resource
        
        Type: string
        
        The value is restricted to the following:
        
        "Mesh"
        
        "MeshSubset"
        
        "MeshGateway"
        
        "MeshService"
        
        "MeshExternalService"
        
        "MeshMultiZoneService"
        
        "MeshServiceSubset"
        
        "MeshHTTPRoute"
        
        labels
        
        Labels are used to select group of MeshServices that match labels. Either Labels orName and Namespace can be used.
        
        Type: object
        
        This schema accepts additional properties.
        
        Properties
        
        mesh
        
        Mesh is reserved for future use to identify cross mesh resources.
        
        Type: string
        
        name
        
        Name of the referenced resource. Can only be used with kinds: MeshService,MeshServiceSubset and MeshGatewayRoute
        
        Type: string
        
        namespace
        
        Namespace specifies the namespace of target resource. If empty only resources in policy namespacewill be targeted.
        
        Type: string
        
        proxyTypes
        
        ProxyTypes specifies the data plane types that are subject to the policy. When not specified,all data plane types are targeted by the policy.
        
        Type: array
        
        Item Count: ≥ 1
        
        Items
        
        Type: string
        
        The value is restricted to the following:
        
        "Sidecar"
        
        "Gateway"
        
        sectionName
        
        SectionName is used to target specific section of resource.For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
        
        Type: string
        
        tags
        
        Tags used to select a subset of proxies by tags. Can only be used with kindsMeshSubset and MeshServiceSubset
        
        Type: object
        
        This schema accepts additional properties.
        
        Properties
targetRef
- TargetRef is a reference to the resource the policy takes an effect on.The resource could be either a real store object or virtual resourcedefined in-place.
- Type: object
- Properties
  - kind
    - Kind of the referenced resource
    - Type: string
    - The value is restricted to the following:
      1. "Mesh"
      2. "MeshSubset"
      3. "MeshGateway"
      4. "MeshService"
      5. "MeshExternalService"
      6. "MeshMultiZoneService"
      7. "MeshServiceSubset"
      8. "MeshHTTPRoute"
  - labels
    - Labels are used to select group of MeshServices that match labels. Either Labels orName and Namespace can be used.
    - Type: object
    - This schema accepts additional properties.
    - Properties
  - mesh
    - Mesh is reserved for future use to identify cross mesh resources.
    - Type: string
  - name
    - Name of the referenced resource. Can only be used with kinds: MeshService,MeshServiceSubset and MeshGatewayRoute
    - Type: string
  - namespace
    - Namespace specifies the namespace of target resource. If empty only resources in policy namespacewill be targeted.
    - Type: string
  - proxyTypes
    - ProxyTypes specifies the data plane types that are subject to the policy. When not specified,all data plane types are targeted by the policy.
    - Type: array
    - Item Count: ≥ 1
      - Items
      - Type: string
      - The value is restricted to the following:
        
        "Sidecar"
        
        "Gateway"
  - sectionName
    - SectionName is used to target specific section of resource.For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
    - Type: string
  - tags
    - Tags used to select a subset of proxies by tags. Can only be used with kindsMeshSubset and MeshServiceSubset
    - Type: object
    - This schema accepts additional properties.
    - Properties

Generated with json-schema-md-doc Sat May 10 2025 17:08:53 GMT+0000 (Coordinated Universal Time)