コンテンツにスキップ
|
Kong Mesh
2.9.x (最新)
report-issue問題を報告する

このページは、まだ日本語ではご利用いただけません。翻訳中です。

MeshTrafficPermission

This policy uses new policy matching algorithm. Do not combine with TrafficPermission.

TargetRef support matrix

targetRef Allowed kinds
targetRef.kind Mesh, MeshSubset, MeshService, MeshServiceSubset
from[].targetRef.kind Mesh, MeshSubset, MeshServiceSubset

MeshTrafficPermission isn’t supported on builtin gateways. If applied via spec.targetRef.kind: MeshService, it has no effect.

MeshTrafficPermission isn’t supported on delegated gateways.

If you don’t understand this table you should read matching docs.

Configuration

Action

Kong Mesh allows configuring one of 3 actions for a group of service’s clients:

  • Allow - allows incoming requests matching the from targetRef.
  • Deny - denies incoming requests matching the from targetRef
  • AllowWithShadowDeny - same as Allow but will log as if request is denied, this is useful for rolling new restrictive policies without breaking things.

Examples

Service ‘payments’ allows requests from ‘orders’

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kong-mesh-system
  name: allow-orders
spec:
  targetRef: # 1
    kind: MeshService
    name: payments
  from:
    - targetRef: # 2
        kind: MeshSubset
        tags:
           kuma.io/service: orders
      default: # 3
        action: Allow

type: MeshTrafficPermission
name: allow-orders
mesh: default
spec:
  targetRef: # 1
    kind: MeshService
    name: payments
  from:
    - targetRef: # 2
        kind: MeshSubset
        tags: 
          kuma.io/service: orders
      default: # 3
        action: Allow

Explanation

  1. Top level targetRef selects data plane proxies that implement payments service. MeshTrafficPermission allow-orders will be configured on these proxies.

     targetRef: # 1
   kind: MeshService
   name: payments

  2. TargetRef inside the from array selects proxies that implement order service. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
     kind: MeshSubset
     tags: 
       kuma.io/service: orders

  3. The action is Allow. All requests from service orders will be allowed on service payments.

     default: # 3
   action: Allow

Deny all

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kong-mesh-system
  name: deny-all
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: Mesh
      default: # 3
        action: Deny

type: MeshTrafficPermission
name: deny-all
mesh: default
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: Mesh
      default: # 3
        action: Deny

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
   kind: Mesh

  2. TargetRef inside the from array selects all clients.

     - targetRef: # 2
     kind: Mesh

  3. The action is Deny. All requests from all services will be denied on all proxies in the default mesh.

     default: # 3
   action: Deny

Allow all

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: allow-all
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Allow

type: MeshTrafficPermission
name: allow-all
mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      action: Allow

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
   kind: Mesh

  2. targetRef inside the element of the from array selects all clients within the mesh.

     - targetRef: # 2
     kind: Mesh

  3. The action is Allow. All requests from all services will be allow on all proxies in the default mesh.

     default: # 3
   action: Allow

Allow requests from zone ‘us-east’, deny requests from ‘dev’ environment

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kong-mesh-system
  name: example-with-tags
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: MeshSubset
        tags:
          kuma.io/zone: us-east
      default: # 3
        action: Allow
    - targetRef: # 4
        kind: MeshSubset
        tags:
          env: dev
      default: # 5
        action: Deny

Apply the configuration with kubectl apply -f [..].

type: MeshTrafficPermission
name: example-with-tags
mesh: default
spec:
  targetRef: # 1
    kind: Mesh
  from:
    - targetRef: # 2
        kind: MeshSubset
        tags:
          kuma.io/zone: us-east
      default: # 3
        action: Allow
    - targetRef: # 4
        kind: MeshSubset
        tags:
          env: dev
      default: # 5
        action: Deny

Apply the configuration with kumactl apply -f [..] or with the HTTP API.

Explanation

  1. Top level targetRef selects all proxies in the mesh.

     targetRef: # 1
   kind: Mesh

  2. TargetRef inside the from array selects proxies that have label kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 2
     kind: MeshSubset
     tags:
       kuma.io/zone: us-east

  3. The action is Allow. All requests from the zone us-east will be allowed on all proxies.

     default: # 3
   action: Allow

  4. TargetRef inside the from array selects proxies that have tags kuma.io/zone: us-east. These proxies will be subjected to the action from default.action.

     - targetRef: # 4
     kind: MeshSubset
     tags:
       env: dev

  5. The action is Deny. All requests from the env dev will be denied on all proxies.

     default: # 5
   action: Deny

Order of rules inside the from array matters. Request from the proxy that has both kuma.io/zone: east and env: dev will be denied. This is because the rule with Deny is later in the from array than any Allow rules.

All policy options