Traffic Permissions

    The policy only works when Mutual TLS is enabled on the Mesh.

    When Mutual TLS is disabled, Kuma will not enforce any TrafficPermission and by default it will allow all service traffic to work. Even if Mutual TLS is disabled, we can still create and edit TrafficPermission resources that will go into effect once Mutual TLS is enabled on the Mesh.

    This policy only works when Mutual TLS is enabled in the Mesh because only then can Kuma validate the identity of the service traffic by using data plane proxy certificates.

    Kuma creates a default TrafficPermission policy that allows all the communication between all the services when a new Mesh is created.

    You can determine what source services are allowed to consume specific destination services. The service field is mandatory in both sources and destinations.

    Match-All: You can match any value of a tag by using *, like kuma.io/service: '*'.

    type: TrafficPermission
    name: allow-all-traffic  # placeholder name
    mesh: default
    sources:
      - match:
          kuma.io/service: '*'
    destinations:
      - match:
          kuma.io/service: '*'

    We will apply the configuration with kumactl apply -f [..] or via the HTTP API.

    You can use any in the destinations selector, which makes TrafficPermissions quite powerful when it comes to creating a secure environment for our services.

    For the time being the field only allows the service tag. This limitation will be removed in the future.
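
    The rules above (a mandatory kuma.io/service tag in both sources and destinations, and the * match-all value) can be checked before a policy is applied. The following is an added example, not code from Kuma or from the original page; it assumes the resources are already parsed into dictionaries, and the policy and service names are hypothetical.

```python
# Added example: audits TrafficPermission resources already parsed into dicts.
SERVICE_TAG = "kuma.io/service"

def _selector_issues(policy, field):
    """Return problems with one selector list ('sources' or 'destinations')."""
    issues = []
    selectors = policy.get(field) or []
    if not selectors:
        issues.append(f"{field}: no selectors defined")
    for i, sel in enumerate(selectors):
        match = (sel or {}).get("match") or {}
        if SERVICE_TAG not in match:
            issues.append(f"{field}[{i}]: missing mandatory {SERVICE_TAG} tag")
    return issues

def _matches_all(policy, field):
    """True if any selector in the field matches every service ('*')."""
    return any(((s or {}).get("match") or {}).get(SERVICE_TAG) == "*"
               for s in policy.get(field) or [])

def audit(policy):
    """Return a list of findings for one TrafficPermission resource."""
    if policy.get("type") != "TrafficPermission":
        return []  # other resource types are out of scope for this check
    findings = _selector_issues(policy, "sources")
    findings += _selector_issues(policy, "destinations")
    if _matches_all(policy, "sources") and _matches_all(policy, "destinations"):
        findings.append("allow-all: every source may reach every destination")
    return findings

# Constructed sample resources (policy and service names are hypothetical).
ALLOW_ALL = {
    "type": "TrafficPermission", "name": "allow-all-traffic", "mesh": "default",
    "sources": [{"match": {"kuma.io/service": "*"}}],
    "destinations": [{"match": {"kuma.io/service": "*"}}],
}
SCOPED = {
    "type": "TrafficPermission", "name": "web-to-backend", "mesh": "default",
    "sources": [{"match": {"kuma.io/service": "web"}}],
    "destinations": [{"match": {"kuma.io/service": "backend"}}],
}
BROKEN = {
    "type": "TrafficPermission", "name": "no-service-tag", "mesh": "default",
    "sources": [{"match": {"version": "v1"}}],
    "destinations": [{"match": {"kuma.io/service": "backend"}}],
}

if __name__ == "__main__":
    for p in (ALLOW_ALL, SCOPED, BROKEN):
        print(p["name"], "->", audit(p) or "ok")
```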