Minimum version: Kong Mesh 2.12

MeshTrust is experimental. It works only on Kubernetes and requires MeshService to be enabled.

The MeshTrust resource lets mesh applications accept encrypted traffic from different trust domains. You can configure MeshTrust with a certificate that Kong Mesh uses to validate incoming traffic.

Use cases:

  • Deploying a gateway without a sidecar
  • Accepting mTLS traffic from applications running outside the mesh

If you use SPIRE as the identity provider, MeshTrust has no effect because SPIRE provides the trust directly.

Autogenerated MeshTrust

By default, MeshIdentity automatically creates a corresponding MeshTrust resource from its own definition. To identify an autogenerated resource, check the origin field in the spec; its kri references the MeshIdentity the resource was generated from:

spec:
  ...
  origin:
    kri: kri_mid_default_default_kuma-system_my-identity_

Multi-zone

Each zone uses its own trust domain by default, which keeps zones isolated from one another. As a result, cross-zone traffic fails unless you manually copy the MeshTrust from one zone to the other.
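The following shell script is an added example, not part of the Kong Mesh docs: it exports a MeshTrust from one zone's cluster, strips the cluster-specific metadata that would make the manifest fail to apply elsewhere, and applies it in the other zone. The kube contexts zone-1 and zone-2, the resource name, and the sample manifest are placeholders; the kuma-system namespace is taken from the kri on this page.

```shell
#!/bin/sh
# Added example: copy a MeshTrust between zones so cross-zone mTLS traffic is accepted.
# Assumptions: kube contexts "zone-1"/"zone-2" and the MeshTrust name are placeholders.

# Filter a manifest on stdin: drop metadata fields owned by the source cluster and
# the status block, so the manifest can be applied cleanly to another cluster.
strip_cluster_metadata() {
  awk '
    /^  managedFields:/                       { skip = 1; next }
    skip && (/^[^ ]/ || /^  [^ -]/)           { skip = 0 }   # left the managedFields block
    skip                                      { next }
    /^  (resourceVersion|uid|creationTimestamp|generation):/ { next }
    /^status:/                                { exit }       # status and anything after it
    { print }
  '
}

# Export from the source zone, clean, and apply to the target zone.
# Usage: copy_meshtrust zone-1 zone-2 my-trust   (requires kubectl and both contexts)
copy_meshtrust() {
  src_ctx=$1; dst_ctx=$2; name=$3
  kubectl --context "$src_ctx" -n kuma-system get meshtrust "$name" -o yaml \
    | strip_cluster_metadata \
    | kubectl --context "$dst_ctx" apply -f -
}

# Constructed sample of what "kubectl get meshtrust -o yaml" returns, used to
# exercise the filter offline; spec.origin.kri is the value shown in this page.
SAMPLE='apiVersion: kuma.io/v1alpha1
kind: MeshTrust
metadata:
  name: my-identity
  namespace: kuma-system
  uid: 00000000-placeholder
  resourceVersion: "42"
  managedFields:
  - manager: kuma-cp
    operation: Update
spec:
  origin:
    kri: kri_mid_default_default_kuma-system_my-identity_
status:
  conditions: []'

# Return the cleaned sample manifest (runs without a cluster).
cleaned_sample() { printf '%s\n' "$SAMPLE" | strip_cluster_metadata; }

cleaned_sample
```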
