-
Kong Mesh
Learn how Kong Mesh works and how to configure it.
-
Mesh policies
Bundled features for your service traffic and network configuration.
-
Mesh release notes
Release notes for supported Kong Mesh versions.
-
Enterprise features
Explore the features included with Kong Mesh Enterprise, including mTLS backends, RBAC, FIPS support, and signed container images.
-
Kong Mesh vulnerability patching process
Understand how Kong addresses and patches vulnerabilities in Kong Mesh binaries, third-party dependencies, and Docker images.
-
Kong Mesh version support policy
Understand the lifecycle and version support guidelines for Kong Mesh, including supported release timelines.
All Mesh Documentation
Overview
Install & Configure
-
Kong Mesh quickstart
Run an instance of Kong Mesh in Universal mode with one command.
-
Requirements
Learn about the requirements for running Kong Mesh, including supported platforms, sizing guidelines, and Kubernetes setup.
-
Deploy Kong Mesh on Universal
Guide to deploying Kong Mesh in Universal mode using Docker containers. Walks through installing the Control Plane, adding demo services, enabling mTLS, and configuring gateways.
-
Deploy Kong Mesh on Kubernetes
Step-by-step guide to deploy Kong Mesh on Kubernetes using Helm and Minikube. Includes demo app setup, GUI exploration, and enabling mTLS for zero-trust security.
-
Kong Mesh on Amazon ECS
Learn how to deploy Kong Mesh on Amazon ECS with IAM-based authentication and Universal mode support for Fargate and EC2.
-
Get started with Red Hat OpenShift and Kong Mesh
This guide explains how to get started on Kong Mesh with Red Hat OpenShift, including installation, sidecar setup, and running a demo app.
-
Red Hat Universal Base Images
Use Red Hat Universal Base Images (UBI) for running Kong Mesh components, available alongside standard Alpine-based images.
-
Mesh Manager
Manage service meshes and Control Planes in Konnect.
How Mesh Works
-
About service meshes
Overview of service mesh concepts and how Kong Mesh simplifies secure and reliable service-to-service communication using sidecar proxies and a Control Plane.
-
Concepts
Understand the core concepts of Kong Mesh, including the Control Plane, Data Plane proxies, inbounds and outbounds, and resources like policies.
-
Architecture
Understand the architecture of a Kong Mesh mesh, including control and Data Plane components, Kubernetes and Universal modes, and how services integrate into the mesh.
-
How ingress works
Overview of how ingress (north/south) traffic flows through delegated and built-in gateways in Kong Mesh, with visuals and key differences.
-
Kong Mesh user interface (GUI)
Visual overview of your meshes, Data Planes, and policies using the Kong Mesh web-based GUI.
Production Deployments
-
Kong Mesh license
Understand how licensing works in Kong Mesh, including limits, behaviors, and how to apply a license in both Kubernetes and Universal modes.
-
Deploy Kong Mesh in production with Helm
Deploy a production-grade Kong Mesh installation on Kubernetes using Helm charts for single zone, multi-zone, or federated environments.
Upgrade
-
Upgrade Kong Mesh
Reference guide for upgrading Kong Mesh across versions. Covers compatibility rules, upgrade order, and considerations for single-zone and multizone deployments.
-
Version specific upgrade notes
Version specific upgrade notes
-
Migration to the new policies
Migrate from old to new policies in Kong Mesh to improve flexibility and transparency.
Policies
-
Policies
Learn how policies in Kong Mesh configure Data Plane proxies by defining rules for traffic behavior, proxy targeting, and merging strategies. This reference covers `targetRef`, directional policies, producer/consumer scopes, and shadow mode simulation.
-
Mesh Health Check
This policy will look for errors in the live traffic being exchanged between our data plane proxies. It will mark a data
-
Mesh Timeout
Connection timeout specifies the amount of time DP will wait for a TCP connection to be established.
-
MeshAccessLog
With the MeshAccessLog policy you can easily set up access logs on every data plane proxy in a mesh.
-
MeshCircuitBreaker
This policy will look for errors in the live traffic being exchanged between our data plane proxies. It will mark a data
-
MeshFaultInjection
With the MeshFaultInjection policy you can easily test your microservices against resiliency.
-
MeshGlobalRateLimit Policy
This policy adds global rate limit support for Kong Mesh.
-
MeshHTTPRoute
The `MeshHTTPRoute` policy allows altering and redirecting HTTP requests depending on where the request is coming from and where it's going to.
-
MeshLoadBalancingStrategy
This policy enables Kong Mesh to configure the load balancing strategy for traffic between services in the mesh.
-
MeshMetric
Kong Mesh facilitates consistent traffic metrics across all data plane proxies in your mesh.
-
MeshOPA
Kong Mesh integrates the Open Policy Agent (OPA) to provide access control for your Services.
-
MeshPassthrough
This policy enables Kong Mesh to configure traffic to external destinations that is allowed to pass outside the mesh.
-
MeshProxyPatch
The `MeshProxyPatch` provides configuration options for low-level Envoy resources that Kong Mesh policies do not directly expose.
-
MeshRateLimit
This policy enables per-instance service request limiting. Policy supports rate limiting of HTTP/HTTP2 requests and TCP connections.
-
MeshRetry
This policy enables Kong Mesh to know how to behave if there are failed requests which could be retried.
-
MeshTCPRoute
The MeshTCPRoute policy allows you to alter and redirect TCP requests depending on where the request is coming from and where it’s going to.
-
MeshTLS
This policy enables Kong Mesh to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.
-
MeshTrace
This policy enables publishing traces to a third party tracing solution.
-
MeshTrafficPermission
The `MeshTrafficPermission` policy provides access control within Mesh.
-
ACM Private CA Policy
Configure Kong Mesh to use Amazon Certificate Manager as a Certificate Authority for mTLS, including setup steps and authentication options.
-
Kubernetes cert-manager CA policy
Use Kubernetes cert-manager as an mTLS backend for issuing Data Plane certificates in Kong Mesh.
-
HashiCorp Vault CA
Configure Kong Mesh to use HashiCorp Vault as a Certificate Authority for mTLS, including setup steps and authentication options.
Built-in Gateways
-
Add a builtin gateway
Deploy a built-in gateway to expose internal mesh services to external traffic. This guide walks through setting up MeshGatewayInstance and MeshGateway resources, defining routes with MeshHTTPRoute, configuring permissions, and securing the gateway with TLS.
-
Configure a built-in gateway
Overview and deployment guide for configuring a built-in gateway with Kong Mesh using MeshGateway, MeshGatewayInstance, and Dataplane resources in both Kubernetes and Universal environments.
-
Configuring built-in listeners
Reference for configuring built-in listeners using MeshGateway, including listener setup, TLS termination, hostnames, and cross-mesh support.
-
Configuring built-in routes
Reference for configuring HTTP and TCP routing through builtin gateways using MeshHTTPRoute and MeshTCPRoute, including hostname matching and weighted backends.
Delegated Gateways
-
Delegated gateways
Guide to configuring delegated gateways in Kong Mesh, allowing external API gateways to handle ingress while Kong Mesh manages egress to the mesh.
-
Use Kong as a delegated Gateway
Set up Kong Gateway as a delegated gateway to expose internal services to external traffic. This guide covers installing the Kong Ingress Controller, enabling sidecar injection, creating routes, configuring permissions with MeshTrafficPermission, and verifying traffic access.
Authentication and Authorization
-
Multi-zone authentication
Use Control Plane scoped tokens to authenticate zone Control Planes in a multi-zone Kong Mesh deployment.
-
Role-based access control
Use AccessRole and AccessRoleBinding resources in Kong Mesh to implement fine-grained, role-based access to policies and actions.
-
Authentication with the API server
Authenticate to the Kong Mesh API server using user tokens. Learn about admin tokens, signing keys, token revocation, and configuration.
-
Authentication with the Data Plane proxy
Reference guide to authentication methods for Data Plane proxies in Kong Mesh, including Kubernetes service accounts, dataplane tokens, revocation, and offline token issuance.
-
Configure zone proxy authentication
How to configure zone proxy authentication methods in multi-zone mode.
References
-
CLI
Reference for the CLI tools included in Kong Mesh, including usage examples and commands for kumactl, kuma-cp, and kuma-dp.
-
Kong Mesh audit logs
Track all user and system actions in Kong Mesh using the AccessAudit resource and configurable backends.
-
Verify build provenance for Kong Mesh binaries
Verify the build provenance of signed Kong Mesh binary artifacts.
-
Verify build provenance for signed Kong Mesh images
Learn how to verify build provenance for signed Kong Mesh Docker container images using Cosign or slsa-verifier.
-
Verify signatures for signed Kong Mesh images
Learn how to verify signed Kong Mesh Docker images using Cosign and GitHub OIDC identity for increased trust.
-
Software Bill of Materials
View and download software bill of materials (SBOMs) for Kong Mesh binaries and Docker images, including license, dependency, and security information.
-
kuma-cp configuration reference
Configuration Reference
-
Kong Mesh data collection
Enable or disable data collection in Kong Mesh. Understand what telemetry is collected and how to configure reporting.