Deny traffic from a namespace (v2.12+)
Use MeshTrafficPermission to deny requests from every workload in a namespace by matching a SPIFFE ID prefix.
Configuration
# Kubernetes form of the policy.
# NOTE(review): the match is on the SPIFFE ID presented by the client, which
# comes from its mTLS identity -- presumably the mesh needs mTLS enabled for
# this rule to have any effect; confirm against the Mesh configuration.
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-malicious-ns
  namespace: kong-mesh-demo
  labels:
    kuma.io/mesh: default   # mesh the policy is applied to
spec:
  rules:
    - default:
        deny:
          - spiffeID:
              type: Prefix
              # NOTE(review): a prefix match also covers any namespace whose
              # name merely starts with "malicious" (e.g. "malicious-2"). If
              # workload IDs continue with a further path segment after the
              # namespace, a trailing "/" on the value would pin the rule to
              # exactly this namespace -- confirm the intended scope.
              value: spiffe://default.default.mesh.local/ns/malicious
# Universal-mode form of the same policy: the mesh is named directly instead
# of through metadata.namespace and labels.
# NOTE(review): the client's SPIFFE ID comes from its mTLS identity, so this
# rule presumably only takes effect with mTLS enabled on the mesh -- confirm.
type: MeshTrafficPermission
name: deny-malicious-ns
mesh: default
spec:
  rules:
    - default:
        deny:
          - spiffeID:
              type: Prefix
              # NOTE(review): as a prefix this also matches namespaces whose
              # name merely starts with "malicious" (e.g. "malicious-2"); a
              # trailing "/" on the value would scope it to this one namespace,
              # assuming workload IDs carry a further path segment -- verify.
              value: spiffe://default.default.mesh.local/ns/malicious
Adjust `konnect_mesh_control_plane.my_meshcontrolplane.id` and `konnect_mesh.my_mesh.name` to match the resources in your own configuration.
# Terraform (konnect-beta provider) form of the same policy.
# NOTE(review): the deny matches on the client's SPIFFE ID, i.e. its mTLS
# identity, so the mesh presumably needs mTLS enabled for this to apply -- confirm.
resource "konnect_mesh_traffic_permission" "deny_malicious_ns" {
  provider = konnect-beta
  type     = "MeshTrafficPermission"
  name     = "deny-malicious-ns"
  spec = {
    rules = [
      {
        default = {
          deny = [
            {
              spiffe_id = {
                type = "Prefix"
                # NOTE(review): a prefix match also covers namespaces whose
                # name merely starts with "malicious" (e.g. "malicious-2");
                # a trailing "/" would pin it to exactly this namespace if
                # workload IDs carry a further path segment -- verify.
                value = "spiffe://default.default.mesh.local/ns/malicious"
              }
            }
          ]
        }
      }
    ]
  }
  labels = {
    "kuma.io/mesh" = konnect_mesh.my_mesh.name
  }
  # Both references below point at resources from your own configuration;
  # rename them to match.
  cp_id = konnect_mesh_control_plane.my_meshcontrolplane.id
  mesh  = konnect_mesh.my_mesh.name
}