Kuma Star

Careful!

You are browsing documentation for a version of Kuma that is not the latest release.

Non-mesh traffic

Incoming

When mTLS is enabled, clients from outside the mesh can’t reach the applications inside the mesh. If you want to allow external clients to consume mesh services see the Permissive mTLS mode.

Without transparent proxying TLS check on Envoy can be bypassed. You should take action to secure the application ports.

Outgoing

In its default setup, Kuma allows any non-mesh traffic to pass Envoy without applying any policy. For instance if a service needs to send a request to http://example.com, all requests won’t be logged even if a traffic logging is enabled in the mesh where the service is deployed. The passthrough mode is enabled by default on all the dataplane proxies in transparent mode in a Mesh. This behavior can be changed by setting the networking.outbound.passthrough in the Mesh resource. Example:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  networking:
    outbound:
      passthrough: false

When networking.outbound.passthrough is false, no traffic to any non-mesh resource can leave the Mesh.

Since version 2.8.x, you can take advantage of a new policy, MeshPassthrough, which allows you to enable passthrough traffic for a specific group of sidecars and only for specific destinations.

Before setting networking.outbound.passthrough to false, double-check Envoy stats that no traffic is flowing through pass_through cluster. Otherwise, you will block the traffic which may cause the instability of the system.

Policies don’t apply to non-mesh traffic

If you need to change configuration for non-mesh traffic you can use a MeshProxyPatch.

Circuit Breaker

Default values:

maxConnections: 1024
maxPendingRequests: 1024
maxRequests: 1024
maxRetries: 3

MeshProxyPatch to change the defaults:

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-mpp-1
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  default:
    appendModifications:
    - cluster:
        operation: Patch
        match:
          name: outbound:passthrough:ipv4
        value: |
          circuit_breakers: {
            thresholds: [
              {
                max_connections: 2048,
                max_pending_requests: 2048,
                max_requests: 2048,
                max_retries: 4
              }
            ]
          }

Timeouts

Default values:

connectTimeout: 10s
tcp:
  idleTimeout: 1h

MeshProxyPatch to change the defaults:

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-mpp-1
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  default:
    appendModifications:
    - cluster:
        operation: Patch
        match:
          name: outbound:passthrough:ipv4
        jsonPatches:
        - op: replace
          path: "/connectTimeout"
          value: 99s
    - networkFilter:
        operation: Patch
        match:
          name: envoy.filters.network.tcp_proxy
          listenerName: outbound:passthrough:ipv4
        value: |
          name: envoy.filters.network.tcp_proxy
          typedConfig:
            '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
            idleTimeout: "3h"