Home / Kong Mesh
Edit
Report

Configuring your mesh and multi-tenancy

Uses: Kong Mesh
Related Documentation
Mesh Documentation
Minimum Version
Kong Mesh - 2.6
Tags
#service-mesh
Related Resources
Data plane proxy
Mesh observability
Multi-zone deployment
Install Kong Mesh

The Mesh resource lets you create multiple isolated service meshes within the same Kong Mesh cluster, allowing you to operate in environments that require more than one mesh for security, segmentation, or governance reasons.

You can create a mesh per line of business, per team, per application, or per environment. Multiple meshes allow organizations to adopt a service mesh gradually without requiring all teams to coordinate, and provide an extra layer of security and segmentation. For example, policies applied to one mesh don’t affect other meshes.

Mesh is the parent resource of every other resource in Kong Mesh, including:

To use Kong Mesh, at least one mesh must exist. There is no limit to the number of meshes that can be created.

When a data plane proxy connects to the control plane (kuma-cp), it specifies which Mesh resource it belongs to. A data plane proxy can only belong to one mesh at a time.

When starting a new Kong Mesh cluster from scratch, a default mesh is created automatically.

In addition to creating virtual service meshes, the Mesh resource is also used for:

  • Mutual TLS, to secure and encrypt service traffic and assign an identity to the data plane proxies within the mesh.
  • Zone egress, to define whether ZoneEgress should be used for cross-zone and external service communication.
  • Non-mesh traffic, to define whether passthrough mode should be used for the non-mesh traffic.

If you need cross-mesh communication, you must use an intermediary API Gateway. For more information, see Built-in gateways in Kong Mesh.

Creating a mesh

To create a Mesh resource, you only need to specify a name:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default

Apply the configuration with kubectl apply -f [..].

Creating resources in a mesh

When creating other resources, you can add them to the mesh in the following ways.

Data plane proxies

When starting a data plane proxy, specify which mesh it belongs to:

Use the kuma.io/mesh annotation in a Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: kuma-example
spec:
  template:
    metadata:
      annotations:
        # indicates to Kong Mesh which Mesh the data plane proxy belongs to
        kuma.io/mesh: default

A Mesh resource can span multiple Kubernetes namespaces. Any Kong Mesh resource in the cluster which specifies a particular mesh will be part of that mesh.

v2.13+ Namespace-mesh constraint

A single Kubernetes namespace can’t contain Pods in multiple meshes. This limitation exists because Workload resources are mesh-scoped and generated from the app.kubernetes.io/name label, which can cause resource collisions when the same workload name is used across different meshes in the same namespace.

When Kong Mesh detects multiple meshes in a single namespace, it:

  • Emits a Kubernetes warning event on the namespace
  • Skips Workload resource generation for affected workloads
  • Logs an error message

To prevent this configuration issue proactively, you can enable the runtime flag runtime.kubernetes.disallowMultipleMeshesPerNamespace. When enabled, the admission webhook rejects Pod creation and Pod updates if the namespace already contains data planes in a different mesh.

We recommend keeping all pods in a single namespace within the same mesh.

You can control which data plane proxies are allowed to join the mesh using mesh constraints.

Policies

When creating new policies, you must also specify which mesh they belong to:

Use the kuma.io/mesh label:

apiVersion: kuma.io/v1alpha1
kind: MeshHTTPRoute
metadata:
  name: route-1
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default

Kong Mesh consumes all policies on the cluster and joins each to an individual mesh, based on this label.

Default resources

To help users get started, Kong Mesh creates the following default policies:

  • MeshTimeout for all gateways
  • MeshTimeout for all sidecar resources
  • MeshRetry
  • MeshCircuitBreaker
apiVersion: kuma.io/v1alpha1
kind: MeshTimeout
metadata:
  name: mesh-gateways-timeout-all-default
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
    proxyTypes:
    - Gateway
  to:
  - targetRef:
      kind: Mesh
    default:
      idleTimeout: 1h
      http:
        streamIdleTimeout: 5s
  from:
  - targetRef:
      kind: Mesh
    default:
      idleTimeout: 5m
      http:
        streamIdleTimeout: 5s
        requestHeadersTimeout: 500ms
---
apiVersion: kuma.io/v1alpha1
kind: MeshTimeout
metadata:
  name: mesh-timeout-all-default
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
    proxyTypes:
    - Sidecar
  to:
  - targetRef:
      kind: Mesh
    default:
      connectionTimeout: 5s
      idleTimeout: 1h
      http:
        requestTimeout: 15s
        streamIdleTimeout: 30m
  from:
  - targetRef:
      kind: Mesh
    default:
      connectionTimeout: 10s
      idleTimeout: 2h
      http:
        requestTimeout: 0s
        streamIdleTimeout: 1h
        maxStreamDuration: 0s
---
apiVersion: kuma.io/v1alpha1
kind: MeshRetry
metadata:
  name: mesh-retry-all-default
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  to:
  - targetRef:
      kind: Mesh
    default:
      tcp:
        maxConnectAttempt: 5
      http:
        numRetries: 5
        perTryTimeout: 16s
        backOff:
          baseInterval: 25ms
          maxInterval: 250ms
      grpc:
        numRetries: 5
        perTryTimeout: 16s
        backOff:
          baseInterval: 25ms
          maxInterval: 250ms
---
apiVersion: kuma.io/v1alpha1
kind: MeshCircuitBreaker
metadata:
  name: mesh-circuit-breaker-all-default
  namespace: kong-mesh-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  to:
  - targetRef:
      kind: Mesh
    default:
      connectionLimits:
        maxConnections: 1024
        maxPendingRequests: 1024
        maxRetries: 3
        maxRequests: 1024

Skipping default resource creation

To prevent these policies from being added when creating a mesh, set skipCreatingInitialPolicies:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  skipCreatingInitialPolicies: ['*']

You can also skip creating the default mesh by setting the following parameter when configuring the control plane: KUMA_DEFAULTS_SKIP_MESH_CREATION=true.

Mesh schema

Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support