MeshTrafficPermission with SPIFFE ID matchers

This resource is experimental. Enable MeshIdentity before you apply MeshTrafficPermission.

MeshTrafficPermission defines which clients can access services inside a mesh based on their SPIFFE identities. If no MeshTrafficPermission applies, the default behavior is to deny all requests.

You can use MeshTrafficPermission to:

• deny requests from specific clients or namespaces so service owners can’t override that deny rule
• allow groups of clients, such as all workloads in a namespace, to access services by default
• shadow-deny traffic so you can validate a policy before you enforce it

The following example shows a common rule set:

apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: my-app-permissions
  namespace: kong-mesh-demo
  labels:
    kuma.io/mesh: my-mesh
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: my-app
  rules:
  - default:
      deny:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/legacy-ns
      - spiffeID:
          type: Exact
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/test/sa/client
      allow:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local

type: MeshTrafficPermission
name: my-app-permissions
mesh: my-mesh
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: my-app
  rules:
  - default:
      deny:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/legacy-ns
      - spiffeID:
          type: Exact
          value: spiffe://my-mesh.us-east-2.mesh.local/ns/test/sa/client
      allow:
      - spiffeID:
          type: Prefix
          value: spiffe://my-mesh.us-east-2.mesh.local

resource "konnect_mesh_traffic_permission" "my_app_permissions" {
  provider = konnect-beta
  type = "MeshTrafficPermission"
  name = "my-app-permissions"
  spec = {
    target_ref = {
      kind = "Dataplane"
      labels = {
        app = "my-app"
      }
    }
    rules = [
      {
        default = {
          deny = [
            {
              spiffe_id = {
                type = "Prefix"
                value = "spiffe://my-mesh.us-east-2.mesh.local/ns/legacy-ns"
              }
            },
            {
              spiffe_id = {
                type = "Exact"
                value = "spiffe://my-mesh.us-east-2.mesh.local/ns/test/sa/client"
              }
            }
          ]
          allow = [
            {
              spiffe_id = {
                type = "Prefix"
                value = "spiffe://my-mesh.us-east-2.mesh.local"
              }
            }
          ]
        }
      }
    ]
  }
  labels   = {
  "kuma.io/mesh" = konnect_mesh.my_mesh.name
  }
  cp_id    = konnect_mesh_control_plane.my_meshcontrolplane.id
  mesh     = konnect_mesh.my_mesh.name
}

With this policy in place, workloads labeled app: my-app reject connections from identities in the legacy-ns namespace and from the specific test/client identity, while continuing to accept other identities in the my-mesh.us-east-2.mesh.local trust domain.

MeshTrafficPermission uses three matcher lists:

• deny: Clients that must always be denied.
• allow: Clients that are explicitly allowed.
• allowWithShadowDeny: Clients that are allowed, but also logged as if they were denied. This lets you test a new policy before you enforce a deny rule.

The policy evaluates requests in this order:

1. If a request matches at least one deny matcher, the result is DENY.
2. If a request matches no deny matcher and at least one allow or allowWithShadowDeny matcher, the result is ALLOW.
3. If no matcher applies, the result is DENY.

See the Examples tab for ready-to-apply policies that deny namespace-wide traffic, allow namespace-wide traffic, and override a mesh-wide allow rule on a specific service port. See the Configuration reference tab for the complete schema.