The following examples show common Mesh configurations. Most are given twice: in the Kubernetes form (a kuma.io/v1alpha1 Mesh manifest with the settings under spec) and in the Universal form (a Mesh resource with the same settings at the top level).
Define a minimal mesh with no additional configuration (mTLS is off, so traffic between services is plaintext until an mTLS backend is enabled):
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
Enable mTLS using a built-in certificate authority that Kong Mesh generates and stores itself. Data plane proxy certificates issued from it expire after 24 hours (dpCert.rotation.expiration) and are rotated automatically; the CA certificate uses a 2048-bit RSA key and is valid for 10 years:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
        dpCert:
          rotation:
            expiration: 24h
        conf:
          caCert:
            RSAbits: 2048
            expiration: 10y

Universal:

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: builtin
      dpCert:
        rotation:
          expiration: 24h
      conf:
        caCert:
          RSAbits: 2048
          expiration: 10y
Enable mTLS using your own root certificate and key. Both are referenced by name from Kong Mesh secrets (my-ca-cert and my-ca-key below) that belong to this mesh, so the private key is never written inline into the Mesh resource:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: provided
        dpCert:
          rotation:
            expiration: 24h
        conf:
          cert:
            secret: my-ca-cert
          key:
            secret: my-ca-key

Universal:

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: provided
      dpCert:
        rotation:
          expiration: 24h
      conf:
        cert:
          secret: my-ca-cert
        key:
          secret: my-ca-key
Accept both mTLS and plaintext traffic during a migration to mTLS:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
        mode: PERMISSIVE

Universal:

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: builtin
      mode: PERMISSIVE
PERMISSIVE mode is not secure: data plane proxies accept plaintext connections from unauthenticated clients alongside mTLS, and that plaintext traffic carries no mesh identity, so the authorization that traffic permissions provide does not hold for it. Use it only while migrating workloads into the mesh, then remove the mode field or set it to STRICT (the default).
Route cross-zone and external traffic through ZoneEgress. This requires at least one ZoneEgress proxy running in the zone; if none is deployed, that traffic fails rather than leaving directly from the data plane proxies:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  routing:
    zoneEgress: true

Universal:

type: Mesh
name: default
routing:
  zoneEgress: true
Block traffic to unknown destinations. Outbound passthrough is enabled by default, which lets a data plane proxy reach any address that is not part of the mesh; with passthrough set to false, proxies can only reach services in the mesh and destinations that have been explicitly defined as external services:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  networking:
    outbound:
      passthrough: false

Universal:

type: Mesh
name: default
networking:
  outbound:
    passthrough: false
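The mTLS, PERMISSIVE, ZoneEgress and passthrough settings above are the ones worth auditing across every mesh before a cluster goes to production. The following checker is an added example, not Kong Mesh code: it takes a Mesh resource already parsed into a dict (either the Kubernetes shape with settings under spec, or the Universal shape, e.g. from yaml.safe_load on the manifests on this page) and returns a list of findings. The defaults it assumes (mode STRICT, passthrough true, zoneEgress false when the field is absent) follow the behaviour described on this page; the sample meshes are constructed.

```python
"""Audit Kong Mesh / Kuma Mesh resources for weak network-security settings.

Added example, not part of the Kong Mesh project. Accepts a Mesh in the
Kubernetes shape (settings under `spec`) or the Universal shape (settings at
the top level). Defaults assumed when a field is absent: mtls mode STRICT,
outbound passthrough true, zoneEgress false.
"""
from __future__ import annotations

DEFAULT_MODE = "STRICT"


def _spec(mesh: dict) -> dict:
    # Kubernetes manifests nest the configuration under `spec`; Universal
    # resources keep it at the top level next to `type` and `name`.
    return mesh.get("spec", mesh)


def mesh_name(mesh: dict) -> str:
    """Name from metadata.name (Kubernetes) or name (Universal)."""
    return mesh.get("metadata", {}).get("name") or mesh.get("name", "<unnamed>")


def audit_mesh(mesh: dict) -> list[str]:
    """Return a list of findings; an empty list means no weak setting found."""
    spec = _spec(mesh)
    findings: list[str] = []

    mtls = spec.get("mtls") or {}
    enabled = mtls.get("enabledBackend")
    backends = {b.get("name"): b for b in mtls.get("backends", [])}
    if not enabled:
        findings.append("mtls: no enabledBackend, service-to-service traffic is plaintext")
    elif enabled not in backends:
        findings.append(f"mtls: enabledBackend {enabled!r} is not defined in backends")
    else:
        mode = backends[enabled].get("mode", DEFAULT_MODE)
        if mode != "STRICT":
            findings.append(f"mtls: backend {enabled!r} mode is {mode}, plaintext inbound accepted")

    # An absent `passthrough` means the default (true): proxies may reach any
    # destination that is not part of the mesh.
    passthrough = spec.get("networking", {}).get("outbound", {}).get("passthrough", True)
    if passthrough:
        findings.append("networking: outbound passthrough enabled, unknown destinations reachable")

    if not spec.get("routing", {}).get("zoneEgress", False):
        findings.append("routing: zoneEgress disabled, cross-zone and external traffic not funneled through ZoneEgress")

    return findings


# Constructed samples: the PERMISSIVE migration mesh from this page in the
# Universal shape, and a hardened mesh in the Kubernetes shape.
MIGRATION_MESH = {
    "type": "Mesh",
    "name": "default",
    "mtls": {
        "enabledBackend": "ca-1",
        "backends": [{"name": "ca-1", "type": "builtin", "mode": "PERMISSIVE"}],
    },
}

HARDENED_MESH = {
    "apiVersion": "kuma.io/v1alpha1",
    "kind": "Mesh",
    "metadata": {"name": "production"},
    "spec": {
        "mtls": {"enabledBackend": "ca-1", "backends": [{"name": "ca-1", "type": "builtin"}]},
        "networking": {"outbound": {"passthrough": False}},
        "routing": {"zoneEgress": True},
    },
}

if __name__ == "__main__":
    for mesh in (MIGRATION_MESH, HARDENED_MESH):
        findings = audit_mesh(mesh)
        print(f"{mesh_name(mesh)}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it against real resources by loading the output of kumactl or kubectl into a list of dicts and calling audit_mesh on each; a mesh with no enabledBackend is the first thing it reports, because without mTLS none of the other settings provide identity-based protection.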
Skip creation of all the default policies that Kong Mesh normally adds to a new mesh, including the default allow-all traffic permission. With mTLS enabled and no permission policy present, traffic is denied until you create your own:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  skipCreatingInitialPolicies: ['*']

Universal:

type: Mesh
name: default
skipCreatingInitialPolicies: ['*']
Admit only data plane proxies from specific namespaces. Each requirements entry is a tag set a proxy may satisfy; a proxy whose tags match none of them is rejected by the control plane:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            k8s.kuma.io/namespace: team-a
        - tags:
            k8s.kuma.io/namespace: team-b

Universal:

type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          k8s.kuma.io/namespace: team-a
      - tags:
          k8s.kuma.io/namespace: team-b
Restrict the mesh to specific zones in a multi-zone deployment, and additionally reject any proxy tagged env: development even if it is in an allowed zone (restrictions deny, requirements allow):
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: production
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            kuma.io/zone: us-east
        - tags:
            kuma.io/zone: us-west
      restrictions:
        - tags:
            env: development

Universal:

type: Mesh
name: production
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          kuma.io/zone: us-east
      - tags:
          kuma.io/zone: us-west
    restrictions:
      - tags:
          env: development
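To see how the two constraint examples above combine, here is an added evaluator (not Kong Mesh code) that decides whether a data plane proxy with a given tag set is admitted to a mesh. The matching rule it implements is an assumption drawn from the shape of these examples: every tag in a requirements or restrictions entry must be present on the proxy with the same value for that entry to match, a proxy is admitted when it matches at least one requirement (or none are defined) and no restriction, and restrictions win over requirements. The mesh and the proxy tag sets are constructed.

```python
"""Evaluate a Mesh's dataplaneProxy constraints against a proxy's tags.

Added example, not Kong Mesh code. Assumed semantics: a requirement or
restriction entry matches when all of its tags are present on the proxy with
equal values; the proxy is admitted if it matches at least one requirement
(or there are none) and matches no restriction.
"""
from __future__ import annotations


def _rule_matches(rule_tags: dict, proxy_tags: dict) -> bool:
    # Every tag in the rule must be present on the proxy with the same value.
    return all(proxy_tags.get(key) == value for key, value in rule_tags.items())


def admit_dataplane(mesh: dict, proxy_tags: dict) -> tuple[bool, str]:
    """Return (admitted, reason) for a proxy carrying `proxy_tags`."""
    spec = mesh.get("spec", mesh)  # Kubernetes nests under spec; Universal does not
    constraints = spec.get("constraints", {}).get("dataplaneProxy", {})
    requirements = constraints.get("requirements", [])
    restrictions = constraints.get("restrictions", [])

    # Restrictions are checked first: a single match rejects the proxy
    # regardless of any requirement it also satisfies.
    for rule in restrictions:
        if _rule_matches(rule.get("tags", {}), proxy_tags):
            return False, f"matches restriction {rule.get('tags', {})}"

    # With requirements defined, the proxy must satisfy at least one of them.
    if requirements and not any(
        _rule_matches(rule.get("tags", {}), proxy_tags) for rule in requirements
    ):
        return False, f"matches none of {len(requirements)} requirements"

    return True, "admitted"


# Constructed sample: the multi-zone production mesh from this page (Universal
# shape) and a mesh with no constraints at all.
PRODUCTION_MESH = {
    "type": "Mesh",
    "name": "production",
    "constraints": {
        "dataplaneProxy": {
            "requirements": [
                {"tags": {"kuma.io/zone": "us-east"}},
                {"tags": {"kuma.io/zone": "us-west"}},
            ],
            "restrictions": [{"tags": {"env": "development"}}],
        }
    },
}
OPEN_MESH = {"type": "Mesh", "name": "default"}

# Constructed proxy tag sets covering the three outcomes.
SAMPLE_PROXIES = {
    "prod-us-east": {"kuma.io/zone": "us-east", "env": "production"},
    "prod-eu-west": {"kuma.io/zone": "eu-west", "env": "production"},
    "dev-us-west": {"kuma.io/zone": "us-west", "env": "development"},
}

if __name__ == "__main__":
    for label, tags in SAMPLE_PROXIES.items():
        admitted, reason = admit_dataplane(PRODUCTION_MESH, tags)
        print(f"{label}: {'ADMIT' if admitted else 'REJECT'} ({reason})")
```

The order of the two checks matters: a development proxy in us-west satisfies a requirement but is still rejected, which is the behaviour the page's production example is meant to produce.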
Enable automatic MeshService generation. In Exclusive mode Kong Mesh generates MeshService resources for the services in the mesh and uses them as the only destinations, instead of the legacy kuma.io/service-based ones:
Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  meshServices:
    mode: Exclusive

Universal:

type: Mesh
name: default
meshServices:
  mode: Exclusive