This section walks through configuring Kong Mesh to limit its access to specific namespaces. You’ll deploy test workloads, verify control plane behavior, and then expand access to additional namespaces.
Create the first namespace, enable sidecar injection on it, install (or upgrade) Kong Mesh with the allow list restricted to that namespace, and deploy a test workload:

```sh
kubectl create namespace first-namespace
kubectl label namespace first-namespace kuma.io/sidecar-injection=enabled
helm upgrade \
  --install \
  --create-namespace \
  --namespace kong-mesh-system \
  --set "kuma.namespaceAllowList={first-namespace}" \
  kong-mesh kong-mesh/kong-mesh
kubectl run nginx --image=nginx --port=80 --namespace first-namespace
```
Check that the control plane is managing the workload:

```sh
kubectl get dataplanes --namespace first-namespace
```

Expected:

```
NAME    KUMA.IO/SERVICE             KUMA.IO/SERVICE
nginx   nginx_first-namespace_svc
```
Then check that the pod has the sidecar injected:

```sh
kubectl get pods --namespace first-namespace
```

Expected:

```
NAME    READY   STATUS    RESTARTS   AGE
nginx   2/2     Running   0          2m5s
```
Then verify the required `RoleBinding`:

```sh
kubectl get rolebindings --namespace first-namespace
```

Expected:

```
NAME                                ROLE                                            AGE
kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   3m46s
```
This confirms that:

- A `Dataplane` was created
- The pod includes the `kuma-sidecar`
- A `RoleBinding` named `kong-mesh-control-plane-workloads` grants elevated access to the control plane
Next, create a second namespace that is not in the allow list, label it for sidecar injection, and deploy the same workload:

```sh
kubectl create namespace second-namespace
kubectl label namespace second-namespace kuma.io/sidecar-injection=enabled
kubectl run nginx --image=nginx --port=80 --namespace second-namespace
```
Check that the control plane is not managing resources in `second-namespace`. Run the following commands:

```sh
kubectl get dataplanes --namespace second-namespace
```

Expected output:

```
No resources found in second-namespace namespace.
```

This means no `Dataplane` was created.
```sh
kubectl get pods --namespace second-namespace
```

Expected output:

```
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          42s
```

This indicates the pod is running without the `kuma-sidecar`.
```sh
kubectl get rolebindings --namespace second-namespace
```

Expected output:

```
No resources found in second-namespace namespace.
```

This confirms that:

- The control plane does not have permission to manage this namespace
- The pod was started without sidecar injection
- No `RoleBinding` was created to grant control plane access
Now expand the allow list so that the control plane is permitted to manage both namespaces:

```sh
helm upgrade \
  --install \
  --create-namespace \
  --namespace kong-mesh-system \
  --set "kuma.namespaceAllowList={first-namespace,second-namespace}" \
  kong-mesh kong-mesh/kong-mesh
```
Delete the old pod and recreate it to trigger sidecar injection:

```sh
kubectl delete pod --namespace second-namespace --all
kubectl run nginx --image=nginx --port=80 --namespace second-namespace
```
Check that the control plane is now managing the workload in `second-namespace`:

```sh
kubectl get dataplanes --namespace second-namespace
```

You should see a `Dataplane` resource for the new pod, confirming it is part of the mesh.
Next, verify that the pod now includes a sidecar:

```sh
kubectl get pods --namespace second-namespace
```

Expected output:

```
NAME    READY   STATUS    RESTARTS   AGE
nginx   2/2     Running   0          30s
```
Finally, check that the required `RoleBinding` has been created:

```sh
kubectl get rolebindings --namespace second-namespace
```

Expected output:

```
NAME                                ROLE                                            AGE
kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   30s
```
This confirms that:

- The control plane has the correct permissions in `second-namespace`
- The pod was injected with the `kuma-sidecar`
- The namespace is now fully integrated with the mesh
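The three checks above (Dataplane present, `kuma-sidecar` injected, `RoleBinding` to `ClusterRole/kong-mesh-control-plane-workloads` created) are what tell you the control plane's reach matches the `kuma.namespaceAllowList` you configured. The script below, an added example that is not part of the Kong Mesh documentation or project, turns those manual checks into an audit: it compares the allow list against snapshots shaped like `kubectl get <kind> -o json` output and flags drift in either direction, including a namespace that still holds a control-plane `RoleBinding` after being dropped from the allow list, and a pod in a newly allowed namespace that was never recreated. Every snapshot in the script is constructed sample data; `legacy-namespace` is hypothetical and only exists to show the scope-creep case.

```python
"""Audit Kong Mesh namespace scoping against the Helm allow list.

Added example, not taken from the Kong Mesh documentation. It compares the
intended scope (the kuma.namespaceAllowList Helm value) with snapshots shaped
like `kubectl get <kind> -o json` output and reports drift. Every snapshot
below is constructed sample data, not output from a real cluster.
"""

SIDECAR_CONTAINER = "kuma-sidecar"                     # sidecar name shown in the docs
INJECTION_LABEL = "kuma.io/sidecar-injection"          # namespace label from the docs
CP_CLUSTERROLE = "kong-mesh-control-plane-workloads"   # ClusterRole from the docs
CP_ROLEBINDING = "kong-mesh-control-plane-workloads"   # RoleBinding name from the docs


def parse_allow_list(helm_value: str) -> set:
    """Parse the literal passed as --set kuma.namespaceAllowList={a,b}."""
    value = helm_value.strip()
    if value.startswith("{") and value.endswith("}"):
        value = value[1:-1]
    return {ns.strip() for ns in value.split(",") if ns.strip()}


def audit(allow_list, namespaces, pods, dataplanes, rolebindings) -> list:
    """Return human-readable findings; an empty list means state matches intent."""
    findings = []
    for ns in namespaces["items"]:
        name = ns["metadata"]["name"]
        injection_on = ns["metadata"].get("labels", {}).get(INJECTION_LABEL) == "enabled"
        allowed = name in allow_list
        ns_pods = [p for p in pods["items"] if p["metadata"]["namespace"] == name]
        ns_dps = [d for d in dataplanes["items"] if d["metadata"]["namespace"] == name]
        cp_bindings = [
            rb for rb in rolebindings["items"]
            if rb["metadata"]["namespace"] == name
            and rb["roleRef"]["kind"] == "ClusterRole"
            and rb["roleRef"]["name"] == CP_CLUSTERROLE
        ]
        for pod in ns_pods:
            pod_name = pod["metadata"]["name"]
            has_sidecar = any(c["name"] == SIDECAR_CONTAINER for c in pod["spec"]["containers"])
            if allowed and injection_on and not has_sidecar:
                # Pod predates the allow-list change: injection only happens at pod creation.
                findings.append(f"{name}/{pod_name}: in allow list but has no {SIDECAR_CONTAINER}; recreate the pod")
            if not allowed and has_sidecar:
                findings.append(f"{name}/{pod_name}: outside the allow list but runs {SIDECAR_CONTAINER}")
        if not allowed and ns_dps:
            findings.append(f"{name}: outside the allow list but has {len(ns_dps)} Dataplane resource(s)")
        if not allowed and cp_bindings:
            # Control-plane access granted where it was not intended: scope creep.
            findings.append(f"{name}: outside the allow list but RoleBinding "
                            f"{cp_bindings[0]['metadata']['name']} grants ClusterRole {CP_CLUSTERROLE}")
        if allowed and not cp_bindings:
            findings.append(f"{name}: in allow list but no RoleBinding for ClusterRole {CP_CLUSTERROLE} yet")
    return findings


# --- constructed sample snapshots (same shape as `kubectl get ... -o json`) ---
def _ns(name, injection=None):
    labels = {INJECTION_LABEL: injection} if injection else {}
    return {"metadata": {"name": name, "labels": labels}}


def _pod(namespace, name, containers):
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"containers": [{"name": c} for c in containers]}}


def _dataplane(namespace, name):
    return {"metadata": {"namespace": namespace, "name": name}}


def _rolebinding(namespace, name, clusterrole):
    return {"metadata": {"namespace": namespace, "name": name},
            "roleRef": {"kind": "ClusterRole", "name": clusterrole}}


# Cluster state after the first two steps of the walkthrough, plus a hypothetical
# "legacy-namespace" that was removed from the allow list but kept its binding.
NAMESPACES = {"items": [_ns("first-namespace", "enabled"),
                        _ns("second-namespace", "enabled"),
                        _ns("legacy-namespace")]}
PODS = {"items": [_pod("first-namespace", "nginx", ["nginx", SIDECAR_CONTAINER]),
                  _pod("second-namespace", "nginx", ["nginx"])]}
DATAPLANES = {"items": [_dataplane("first-namespace", "nginx")]}
ROLEBINDINGS = {"items": [_rolebinding("first-namespace", CP_ROLEBINDING, CP_CLUSTERROLE),
                          _rolebinding("legacy-namespace", CP_ROLEBINDING, CP_CLUSTERROLE)]}


def audit_before_expansion():
    """Allow list = {first-namespace}: only the stale legacy binding is flagged."""
    return audit(parse_allow_list("{first-namespace}"),
                 NAMESPACES, PODS, DATAPLANES, ROLEBINDINGS)


def audit_after_expansion():
    """Allow list widened, but the second-namespace pod has not been recreated yet."""
    return audit(parse_allow_list("{first-namespace,second-namespace}"),
                 NAMESPACES, PODS, DATAPLANES, ROLEBINDINGS)


if __name__ == "__main__":
    for label, findings in (("before", audit_before_expansion()),
                            ("after", audit_after_expansion())):
        print(f"== {label} expansion: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

To run it against a real cluster, replace the constructed snapshots with `json.load` of `kubectl get namespaces -o json`, `kubectl get pods --all-namespaces -o json`, `kubectl get dataplanes --all-namespaces -o json` and `kubectl get rolebindings --all-namespaces -o json`; the field paths the audit reads (`metadata.namespace`, `spec.containers[].name`, `roleRef.kind`, `roleRef.name`) are the standard ones those commands emit. The "in allow list but no sidecar" finding is exactly the situation the walkthrough resolves by deleting and recreating the pod, since injection happens only when a pod is admitted.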