Override a mesh-wide allow rule on a service port (v2.12+)
Use MeshTrafficPermission to deny traffic from a namespace on a specific service port, even when a mesh-wide allow rule exists.
Configuration
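---
# Kubernetes form: a MeshTrafficPermission that denies clients from the
# observability namespace on one service port of the backend Dataplanes.
# Per this page, the deny takes effect even when a mesh-wide allow rule
# exists, because the policy is scoped to a more specific target.
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  name: deny-observability-ns
  namespace: kong-mesh-demo
  labels:
    # Mesh the policy belongs to (the Universal form carries this as `mesh:`).
    kuma.io/mesh: default
spec:
  targetRef:
    # Selects Dataplanes labelled app=backend ...
    kind: Dataplane
    labels:
      app: backend
    # ... and only their inbound section named backend-admin-api, so the deny
    # is limited to that port rather than the whole Dataplane.
    sectionName: backend-admin-api
  rules:
    - default:
        deny:
          # Prefix match on the client SPIFFE ID: every identity under the
          # observability namespace of this trust domain is denied.
          # NOTE(review): a Prefix match also covers namespaces whose name only
          # starts with "observability" (e.g. observability-tmp); if the ID
          # format continues with "/sa/<account>", end the value with "/" to
          # pin the match to the namespace boundary — confirm against the
          # SPIFFE ID format emitted by your control plane.
          - spiffeID:
              type: Prefix
              value: spiffe://default.default.mesh.local/ns/observability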
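---
# Universal form of the same policy: deny clients from the observability
# namespace on the backend-admin-api port of the backend Dataplanes, taking
# precedence over a mesh-wide allow rule per this page.
type: MeshTrafficPermission
name: deny-observability-ns
# Mesh the policy belongs to (the Kubernetes form uses the kuma.io/mesh label).
mesh: default
spec:
  targetRef:
    # Selects Dataplanes labelled app=backend ...
    kind: Dataplane
    labels:
      app: backend
    # ... and only their inbound section named backend-admin-api, so the deny
    # is limited to that port rather than the whole Dataplane.
    sectionName: backend-admin-api
  rules:
    - default:
        deny:
          # Prefix match on the client SPIFFE ID: every identity under the
          # observability namespace of this trust domain is denied.
          # NOTE(review): a Prefix match also covers namespaces whose name only
          # starts with "observability" (e.g. observability-tmp); if the ID
          # format continues with "/sa/<account>", end the value with "/" to
          # pin the match to the namespace boundary — confirm against the
          # SPIFFE ID format emitted by your control plane.
          - spiffeID:
              type: Prefix
              value: spiffe://default.default.mesh.local/ns/observability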
Adjust konnect_mesh_control_plane.my_meshcontrolplane.id and konnect_mesh.my_mesh.name according to your current configuration.
# Terraform (konnect-beta provider) form of the deny-observability-ns
# MeshTrafficPermission: same target_ref and deny rule as the YAML forms.
resource "konnect_mesh_traffic_permission" "deny_observability_ns" {
  provider = konnect-beta
  type     = "MeshTrafficPermission"
  name     = "deny-observability-ns"
  spec = {
    target_ref = {
      # Selects Dataplanes labelled app=backend ...
      kind = "Dataplane"
      labels = {
        app = "backend"
      }
      # ... and only their inbound section named backend-admin-api, so the
      # deny is limited to that port rather than the whole Dataplane.
      section_name = "backend-admin-api"
    }
    rules = [
      {
        default = {
          deny = [
            {
              # Prefix match on the client SPIFFE ID: every identity under the
              # observability namespace of this trust domain is denied.
              # NOTE(review): a Prefix match also covers namespaces whose name
              # only starts with "observability"; if the ID format continues
              # with "/sa/<account>", ending the value with "/" pins the match
              # to the namespace boundary — confirm against your control plane.
              spiffe_id = {
                type  = "Prefix"
                value = "spiffe://default.default.mesh.local/ns/observability"
              }
            }
          ]
        }
      }
    ]
  }
  labels = {
    "kuma.io/mesh" = konnect_mesh.my_mesh.name
  }
  # Point these at the control plane and mesh resources in your own
  # configuration (see the note above this block).
  cp_id = konnect_mesh_control_plane.my_meshcontrolplane.id
  mesh  = konnect_mesh.my_mesh.name
}