Non-mesh traffic

Incoming

When mTLS is enabled on the Mesh, sidecars accept inbound connections only from other data plane proxies presenting a valid mesh identity, so clients outside the mesh cannot reach applications inside it. To let external clients consume mesh services, consider Permissive mTLS, which allows the sidecar to accept both plaintext and mTLS connections on the inbound side.

Outgoing

By default, Kuma lets all outgoing non-mesh traffic pass through the data plane proxy without restriction. For example, if a service sends a request to https://kuma.io, that request is not blocked, even when a MeshTrafficPermission policy restricts mesh traffic: MeshTrafficPermission governs only traffic between mesh services, not traffic to destinations outside the mesh.

This passthrough mode is enabled by default on every data plane proxy running in transparent proxy mode.

Before disabling it, check the data plane proxy's Envoy stats and confirm that no traffic is flowing through the passthrough cluster (named outbound:passthrough:ipv4, the same cluster the MeshProxyPatch examples further down target). Otherwise you may unintentionally block traffic the service depends on, such as calls to an external database or API, and destabilize the system.

To disable passthrough, apply the following MeshPassthrough policy:

apiVersion: kuma.io/v1alpha1
kind: MeshPassthrough
metadata:
  name: disable-passthrough
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
    proxyTypes:
    - Sidecar
  default:
    passthroughMode: None

With this policy, non-mesh traffic is blocked, preventing external requests from leaving the mesh.
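The pre-flight check described above, as an added example that is not part of the Kuma documentation or the Kuma code base: it parses the text output of the sidecar's Envoy admin stats endpoint (for instance curl localhost:9901/stats from inside the pod, or kumactl inspect dataplane NAME --type=stats) and refuses to give a green light if either passthrough cluster has ever opened a connection since the proxy started, or if the proxy has not been up long enough for the counters to mean anything. The stats text below is constructed; the cluster names outbound:passthrough:ipv4 and outbound:passthrough:ipv6 and the uptime threshold are assumptions.

```python
"""Gate a MeshPassthrough 'passthroughMode: None' rollout on Envoy stats.

Added example, not Kuma's own code. Assumed stat names follow Envoy's
cluster.<cluster-name>.<counter> convention for the passthrough clusters.
"""
from __future__ import annotations

import sys

PASSTHROUGH_CLUSTERS = ("outbound:passthrough:ipv4", "outbound:passthrough:ipv6")
# Counters that prove a passthrough connection was ever opened / is open now.
COUNTERS = ("upstream_cx_total", "upstream_cx_active")

# Constructed sample of Envoy's text stats output. Cluster names contain ':',
# so the metric name is everything before the LAST ': ' on the line.
SAMPLE_STATS = """\
cluster.backend_kuma-demo_svc_3001.upstream_cx_total: 17
cluster.backend_kuma-demo_svc_3001.upstream_cx_active: 2
cluster.outbound:passthrough:ipv4.upstream_cx_total: 42
cluster.outbound:passthrough:ipv4.upstream_cx_active: 1
cluster.outbound:passthrough:ipv6.upstream_cx_total: 0
cluster.outbound:passthrough:ipv6.upstream_cx_active: 0
server.uptime: 3600
"""


def parse_stats(text: str) -> dict[str, int]:
    """Parse 'name: value' lines into a dict; histogram lines are skipped."""
    stats: dict[str, int] = {}
    for line in text.splitlines():
        name, sep, value = line.rpartition(": ")
        if not sep:
            continue
        try:
            stats[name] = int(value)
        except ValueError:
            continue  # e.g. 'P0(nan,0) P25(...)' histogram summaries
    return stats


def passthrough_usage(stats: dict[str, int]) -> dict[str, int]:
    """Return every non-zero passthrough counter, keyed by full stat name."""
    used: dict[str, int] = {}
    for cluster in PASSTHROUGH_CLUSTERS:
        for counter in COUNTERS:
            key = f"cluster.{cluster}.{counter}"
            if stats.get(key, 0) > 0:
                used[key] = stats[key]
    return used


def safe_to_disable(text: str, min_uptime_s: int = 3600) -> bool:
    """True only if no passthrough traffic was seen AND the proxy has been up
    long enough that 'no traffic' is evidence rather than a fresh restart
    (counters reset when the sidecar restarts)."""
    stats = parse_stats(text)
    if stats.get("server.uptime", 0) < min_uptime_s:
        return False
    return not passthrough_usage(stats)


if __name__ == "__main__":
    # Pipe real stats in; with no stdin, fall back to the constructed sample.
    text = SAMPLE_STATS if sys.stdin.isatty() else sys.stdin.read()
    used = passthrough_usage(parse_stats(text))
    if used:
        print("passthrough in use; do NOT apply passthroughMode: None yet")
        for key, val in used.items():
            print(f"  {key} = {val}")
        sys.exit(1)
    if not safe_to_disable(text):
        print("no passthrough traffic seen, but proxy uptime is too short to trust")
        sys.exit(1)
    print("no passthrough traffic observed; safe to apply passthroughMode: None")
```

Run it against every sidecar in the mesh, not one, and over a window that covers any periodic jobs (nightly exports, certificate renewals) that might be the only callers of an external host. A zero counter on a proxy that restarted five minutes ago proves nothing, which is why the uptime floor is part of the verdict.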

Configuring non-mesh traffic settings

Regular Kuma policies apply only to mesh traffic, so non-mesh traffic cannot be targeted by them directly. If you need to change how the proxy handles non-mesh traffic, use a MeshProxyPatch: it edits the Envoy configuration Kuma generates for the passthrough cluster and listener, which is how you adjust settings such as circuit breakers and timeouts for traffic that bypasses the mesh.

Circuit Breaker

Default values:

maxConnections: 1024
maxPendingRequests: 1024
maxRequests: 1024
maxRetries: 3

MeshProxyPatch to change the defaults:

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-mpp-1
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  default:
    appendModifications:
    - cluster:
        operation: Patch
        match:
          name: outbound:passthrough:ipv4
        value: |
          circuit_breakers: {
            thresholds: [
              {
                max_connections: 2048,
                max_pending_requests: 2048,
                max_requests: 2048,
                max_retries: 4
              }
            ]
          }

Timeouts

Default values:

connectTimeout: 10s
tcp:
  idleTimeout: 1h

MeshProxyPatch to change the defaults (given its own name so it does not overwrite the circuit breaker patch above if both are applied in the same namespace):

apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
  name: custom-mpp-2
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  default:
    appendModifications:
    - cluster:
        operation: Patch
        match:
          name: outbound:passthrough:ipv4
        jsonPatches:
        - op: replace
          path: "/connectTimeout"
          value: 99s
    - networkFilter:
        operation: Patch
        match:
          name: envoy.filters.network.tcp_proxy
          listenerName: outbound:passthrough:ipv4
        value: |
          name: envoy.filters.network.tcp_proxy
          typedConfig:
            '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
            idleTimeout: "3h"
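A way to confirm that the two MeshProxyPatch policies above actually reached the sidecar, as an added example that is not part of the Kuma documentation or the Kuma code base: it reads the Envoy admin config_dump (curl localhost:9901/config_dump, or kumactl inspect dataplane NAME --type=config-dump), locates the outbound:passthrough:ipv4 cluster, and reports the effective connect timeout and circuit breaker thresholds so they can be compared against what the patch was supposed to set. The JSON below is a constructed, trimmed dump; the fallback defaults are the ones the page lists. Both snake_case and camelCase field names are accepted because Envoy emits the former while the jsonPatches path above uses the latter. The tcp_proxy idleTimeout lives in the listener dump and is not checked here.

```python
"""Verify MeshProxyPatch changes on the passthrough cluster from config_dump.

Added example, not Kuma's own code. Assumes the standard Envoy v3
ClustersConfigDump layout under configs[].dynamic_active_clusters[].cluster.
"""
from __future__ import annotations

import json
from typing import Any, Optional

CLUSTERS_DUMP = "type.googleapis.com/envoy.admin.v3.ClustersConfigDump"
# Defaults as stated on the page; used when a field is absent from the dump.
DEFAULTS = {
    "connect_timeout_s": 10.0,
    "max_connections": 1024,
    "max_pending_requests": 1024,
    "max_requests": 1024,
    "max_retries": 3,
}

# Constructed sample: a trimmed dump taken after both patches were applied.
SAMPLE_DUMP = json.dumps({
    "configs": [{
        "@type": CLUSTERS_DUMP,
        "dynamic_active_clusters": [
            {"cluster": {"name": "backend_kuma-demo_svc_3001",
                         "connect_timeout": "10s"}},
            {"cluster": {"name": "outbound:passthrough:ipv4",
                         "connect_timeout": "99s",
                         "circuit_breakers": {"thresholds": [{
                             "max_connections": 2048,
                             "max_pending_requests": 2048,
                             "max_requests": 2048,
                             "max_retries": 4}]}}},
        ],
    }]
})


def _get(obj: dict, snake: str) -> Any:
    """Field lookup tolerant of snake_case (Envoy dump) and camelCase (JSON patch)."""
    head, *rest = snake.split("_")
    camel = head + "".join(p.capitalize() for p in rest)
    return obj.get(snake, obj.get(camel))


def find_cluster(dump_json: str, name: str) -> Optional[dict]:
    """Return the cluster config with the given name, or None if absent."""
    for section in json.loads(dump_json).get("configs", []):
        if section.get("@type") != CLUSTERS_DUMP:
            continue
        for wrapper in _get(section, "dynamic_active_clusters") or []:
            cluster = wrapper.get("cluster", {})
            if cluster.get("name") == name:
                return cluster
    return None


def parse_duration(value: str) -> float:
    """Envoy durations in proto JSON are strings such as '10s' or '0.25s'."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected duration {value!r}")
    return float(value[:-1])


def effective_settings(dump_json: str, name: str = "outbound:passthrough:ipv4") -> dict:
    """Effective connect timeout and first circuit breaker threshold set."""
    cluster = find_cluster(dump_json, name)
    if cluster is None:
        raise LookupError(
            f"cluster {name} not in config_dump; is the proxy in transparent "
            "proxy mode with passthrough still enabled?")
    thresholds = (_get(cluster, "circuit_breakers") or {}).get("thresholds") or [{}]
    first = thresholds[0]
    timeout = _get(cluster, "connect_timeout")
    return {
        "connect_timeout_s": parse_duration(timeout) if timeout else DEFAULTS["connect_timeout_s"],
        **{k: _get(first, k) or DEFAULTS[k] for k in DEFAULTS if k != "connect_timeout_s"},
    }


def verify(dump_json: str, expected: dict) -> list[str]:
    """List every expected setting the running proxy does not match."""
    actual = effective_settings(dump_json)
    return [f"{k}: expected {v}, got {actual[k]}"
            for k, v in expected.items() if actual[k] != v]


if __name__ == "__main__":
    want = {"connect_timeout_s": 99.0, "max_connections": 2048, "max_retries": 4}
    problems = verify(SAMPLE_DUMP, want)
    print("patch applied" if not problems else "\n".join(problems))
```

If the cluster is missing entirely, the proxy is either not in transparent proxy mode or passthrough has already been disabled, so there is nothing for the patch to modify; if the values still show the page's defaults, check that the MeshProxyPatch's targetRef actually selects this data plane proxy and that the cluster name in match.name is exact.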