Reachable Backends

Reachable Backends provides similar functionality to Reachable Services, but it applies to resources such as MeshService, MeshExternalService, and MeshMultiZoneService.

By default, each data plane proxy can access all other services in the mesh, which affects performance and increases resource consumption. Defining a specific set of services your application communicates with allows Kuma to reduce the configuration size and operate more efficiently.

Unlike Reachable Services, Reachable Backends uses a structured model that allows dynamic selection based on multiple attributes, including labels, instead of relying on a predefined, static list. This makes it more flexible and scalable, especially in environments with frequently changing workloads.

Model

• refs: Lists the resources your application needs to connect with, including:
  • kind: Type of resource. Options include:
    • MeshService
    • MeshExternalService
    • MeshMultiZoneService
  • name: Name of the resource. Mutually exclusive with labels.
  • namespace: (Kubernetes only) Namespace where the resource is located.
  • labels: A list of labels used to match resources. When specified, it selects all workloads that have these labels, rather than a single named resource. Mutually exclusive with name.
  • port: (Optional) Port for the service, used with MeshService and MeshMultiZoneService.

apiVersion: apps/v1
kind: Pod
metadata:
  name: demo-app
  namespace: kuma-demo
  annotations:
    kuma.io/reachable-backends: |
      refs:
      - kind: MeshService
        name: redis
        namespace: kuma-demo
        port: 8080
      - kind: MeshMultiZoneService
        labels:
          kuma.io/display-name: test-server
      - kind: MeshExternalService
        name: mes-http
        namespace: kuma-system
...

name: {{ name }}
networking:
  address: {{ address }}
  inbound:
  - port: {{ port }}
    tags:
      kuma.io/service: demo-app
  transparentProxying:
    redirectPortInbound: 15006
    redirectPortOutbound: 15001
    reachableBackends:
      refs:
      - kind: MeshService
        name: redis
      - kind: MeshMultiZoneService
        labels:
          kuma.io/display-name: test-server
      - kind: MeshExternalService
        name: mes-http

Examples

demo-app communicates only with redis on port 6379

apiVersion: apps/v1
kind: Pod
metadata:
  name: demo-app
  namespace: kuma-demo
  annotations:
    kuma.io/reachable-backends: |
      refs:
      - kind: MeshService
        name: redis
        namespace: kuma-demo
        port: 6379
...

type: Dataplane
mesh: default
name: {{ name }}
networking:
  address: {{ address }}
  inbound:
  - port: {{ port }}
    tags:
      kuma.io/service: demo-app
  transparentProxying:
    redirectPortInbound: 15006
    redirectPortOutbound: 15001
    reachableBackends:
      refs:
      - kind: MeshService
        name: redis
        port: 6379

demo-app doesn’t need to communicate with any service

apiVersion: apps/v1
kind: Pod
metadata:
  name: demo-app
  namespace: kuma-demo
  annotations:
    kuma.io/reachable-backends: |
      refs: []
...

type: Dataplane
mesh: default
name: {{ name }}
networking:
  address: {{ address }}
  inbound:
  - port: {{ port }}
    tags:
      kuma.io/service: demo-app
  transparentProxying:
    redirectPortInbound: 15006
    redirectPortOutbound: 15001
    reachableBackends:
      refs: []

demo-app communicates with all MeshServices in the kuma-demo namespace

apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: kuma-demo
  annotations:
    kuma.io/reachable-backends: |
      refs:
      - kind: MeshService
        labels:
          k8s.kuma.io/namespace: kuma-demo
...

type: Dataplane
mesh: default
name: {{ name }}
networking:
  address: {{ address }}
  inbound:
  - port: {{ port }}
    tags:
      kuma.io/service: demo-app
  transparentProxying:
    redirectPortInbound: 15006
    redirectPortOutbound: 15001
    reachableBackends:
      refs:
      - kind: MeshService
        labels:
          k8s.kuma.io/namespace: kuma-demo
...