Mesh Documentation

Learn how Kong Mesh works and how to configure it.

Overview of service mesh concepts and how Kong Mesh simplifies secure and reliable service-to-service communication using sidecar proxies and a control plane.

Bundled features for your service traffic and network configuration.

Changelog for supported Kong Mesh versions.

Explore the features included with Kong Mesh Enterprise, including mTLS backends, RBAC, FIPS support, and signed container images.

Run an instance of Kong Mesh in Universal mode with one command.

Guide to deploying Kong Mesh in Universal mode using Docker containers. Walks through installing the Control Plane, adding demo services, enabling mTLS, and configuring gateways.

Start learning how Kong Mesh works by running and securing a simple demo application that consists of two services.

Learn how to deploy Kong Mesh on Amazon ECS with IAM-based authentication and Universal mode support for Fargate and EC2.

This guide explains how to get started on Kong Mesh with Red Hat OpenShift, including installation, sidecar setup, and running a demo app.

Use Red Hat Universal Base Images (UBI) for running Kong Mesh components, available alongside standard Alpine-based images.

Learn how to provision a Global Control Plane, Mesh, and Kubernetes zone for Kong Mesh using Terraform and Konnect.

This guide explains how to import an existing Konnect Kong Mesh deployment into Terraform.

Learn how to install Mesh on an existing Kubernetes cluster, and deploy the Kong Mesh demo application.

Learn how to install Mesh Control plane on an existing Kubernetes cluster, and deploy the Kong Mesh demo application.

Learn how to install Mesh on Virtual Machines or Bare metal, and deploy the Kong Mesh demo application.

How to communicate with Mesh components

Understand the core concepts of Kong Mesh, including the Control Plane, Data Plane proxies, inbounds and outbounds, and resources like policies.

Understand the architecture of a Kong Mesh service mesh, including control plane and data plane components, Kubernetes and Universal modes, and how services integrate into the mesh.

Overview of how ingress (north/south) traffic flows through delegated and built-in gateways in Kong Mesh, with visuals and key differences.

Learn how data plane proxies connect to the control plane and discover Service endpoints for traffic routing.

Learn how to create and configure isolated service meshes using the Mesh resource in Kong Mesh, supporting multi-tenancy and gradual adoption.

Run Kong Mesh in a single zone with a standalone Control Plane and interconnected Data Plane proxies.

Group equivalent MeshServices across zones and expose a unified, zone-agnostic service with global failover capabilities.

Visual overview of your meshes, Data Planes, and policies using the Kong Mesh web-based GUI.

Reference for all Kubernetes annotations and labels available in Kong Mesh, including sidecar injection, mesh association, transparent proxy settings, and metrics configuration.

Understand data plane proxy components, Dataplane entities, inbounds, outbounds, tags, and how proxies receive configuration.

Configure data plane proxies on Kubernetes with automatic sidecar injection, tag generation, and custom container settings.

Configure data plane proxies on VMs or bare metal with manual Dataplane resource definitions and lifecycle management.

Understand how licensing works in Kong Mesh, including limits, behaviors, and how to apply a license in both Kubernetes and Universal modes.

Deploy a production-grade Kong Mesh installation on Kubernetes using Helm charts for single zone, multi-zone, or federated environments.

Reference guide for upgrading Kong Mesh across versions. Covers compatibility rules, upgrade order, and considerations for single-zone and multizone deployments.

Version specific upgrade notes

Migrate from old to new policies in Kong Mesh to improve flexibility and transparency.

Learn how policies in Kong Mesh configure Data Plane proxies by defining rules for traffic behavior, proxy targeting, and merging strategies. This reference covers `targetRef`, directional policies, producer/consumer scopes, and shadow mode simulation.

Learn how to define namespace-scoped producer and consumer policies in Kong Mesh using a demo application.

Configuring Mutual TLS for your workloads

The ExternalService policy allows services running inside the mesh to consume services that are not part of the mesh.

Set up access logs on every data plane proxy in a mesh.

Look for errors in the live traffic between data plane proxies and mark a as unhealthy if conditions are met.

Test services for resiliency by introducing errors.

Control the number of requests received by a service in a specific timeframe.

Run health checks between Services and mark Dataplanes as unhealthy when they are unhealthy.

Alter and redirect HTTP requests depending on where the request is coming from and where it's going to.

Configure the load balancing strategy for traffic between services in the mesh.

Gather traffic metrics across all data plane proxies in the mesh.

Integrate Open Policy Agent (OPA) to provide access control for your Services.

Configure traffic to external destinations that is allowed to pass outside the mesh.

Configuration low-level options for Envoy resources that Kong Mesh policies do not directly expose.

Enable per-instance service request limiting. Supports rate limiting of HTTP/HTTP2 requests and TCP connections.

Configure retry behaviour for HTTP, gRPC and TCP protocols.

Alter and redirect TCP requests depending on where the request is coming from and where it’s going to.

Specify the amount of time Dataplane will wait for a connection to be established.

Configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.

Publish traces to a third party tracing solution.

Define what services can talk to other services.

Configure Kong Mesh to use Amazon Certificate Manager as a Certificate Authority for mTLS, including setup steps and authentication options.

Use Kubernetes cert-manager as an mTLS backend for issuing Data Plane certificates in Kong Mesh

Declare external resources that services in the mesh can consume, enabling TLS, routing, and hostname customization.

Group MeshServices across zones into a single multizone service with zone-agnostic hostnames and load balancing.

Define and manage services within the mesh, replacing kuma.io/service tags for clearer service targeting and routing.

Customize hostnames for MeshService resources using templated HostnameGenerator policies.

Configure Kong Mesh to use HashiCorp Vault as a Certificate Authority for mTLS, including setup steps and authentication options.

This guide walks through setting up MeshGatewayInstance and MeshGateway resources, defining Routes with MeshHTTPRoute, configuring permissions, and securing the gateway with TLS.

Learn about built-in gateways with Kong Mesh using MeshGateway, MeshGatewayInstance, and Dataplane resources in both Kubernetes and Universal environments.

Reference for configuring built-in listeners using MeshGateway, including listener setup, TLS termination, hostnames, and cross-mesh support.

Reference for configuring HTTP and TCP routing through builtin gateways using MeshHTTPRoute and MeshTCPRoute, including hostname matching and weighted backends.

This guide walks through setting up a built-in Kubernetes gateway, defining Routes, securing traffic with TLS, and configuring permissions.

Guide to running builtin gateway pods with MeshGatewayInstance in Kubernetes and customizing deployments and services.

Learn how to use Kubernetes Gateway API with Kong Mesh, including support for built-in gateways, HTTP/TCP routing, TLS, GAMMA, and multi-zone limitations.

Guide to configuring delegated gateways in Kong Mesh, allowing external API gateways to handle ingress while Kong Mesh manages egress to the mesh.

Set up Kong Gateway as a delegated gateway for to expose internal services to external traffic.

Use Control Plane scoped tokens to authenticate zone Control Planes in a multi-zone Kong Mesh deployment.

Learn how Kong Mesh secures communication between Data Plane proxies, control planes, and users, including TLS configuration and certificate management across deployments.

Use AccessRole and AccessRoleBinding resources in Kong Mesh to implement fine-grained, role-based access to policies and actions.

Authenticate to the Kong Mesh API server using user tokens. Learn about admin tokens, signing keys, token revocation, and configuration.

Reference guide to authentication methods for Data Plane proxies in Kong Mesh, including Kubernetes service accounts, dataplane tokens, revocation, and offline token issuance.

How to configure zone proxy authentication methods in multi-zone mode.

This guide explains how to manage control plane permissions on Kubernetes

This guide explains how to limit Kong Mesh to specific namespaces, giving you greater control over security and resource management.

Rotate the mTLS backend in Kong Mesh to transition between Certificate Authorities securely and with zero downtime.

Store and manage secrets securely in Kong Mesh, including mesh-scoped and global-scoped secrets for use in mTLS, policies, and external services.

Progressively roll in mutual TLS with the MeshTLS policy in Kong Mesh without disrupting traffic.

Track all user and system actions in Kong Mesh using the AccessAudit resource and configurable backends

Verify the build provenance of signed Kong Mesh binary artifacts.

Learn how to verify build provenance for signed Kong Mesh Docker container images using Cosign or slsa-verifier.

Learn how to verify signed Kong Mesh Docker images using Cosign and GitHub OIDC identity for increased trust.

Learn how to configure observability in Kong Mesh using Prometheus, Grafana, Jaeger, Loki, and Datadog.

Collect and export metrics from Kong Mesh with OpenTelemetry and visualize them using Prometheus and Grafana.

Learn about health mechanisms in Kong Mesh including circuit breakers, Service probes, and health checks for managing traffic based on Service health.

Configure ZoneEgress proxies to isolate outgoing traffic to other zones or external services.

Configure ZoneIngress proxies to enable cross-zone communication in multi-zone deployments.

Reference for the CLI tools included in Kong Mesh, including usage examples and commands for kumactl, kuma-cp, and kuma-dp.

View and download software bill of materials (SBOMs) for Kong Mesh binaries and Docker images, including license, dependency, and security information.

Configuration Reference

Enable or disable data collection in Kong Mesh. Understand what telemetry is collected and how to configure reporting.

Control which Data Plane proxies can join a mesh using requirements and restrictions. Useful for enforcing tag consistency, namespace control, and zone-based segmentation.

Learn how to configure the Kong Mesh control plane using environment variables or YAML, with details on store types (memory, Kubernetes, PostgreSQL) and configuration inspection.

Learn how Kong Mesh DNS works with virtual IPs and service naming to enable transparent proxying.

Learn how to enable or disable IPv6 support in Kong Mesh.

Reference guide to performance tuning in Kong Mesh, including configuration trimming, Postgres tuning, XDS snapshot generation, profiling, and Envoy concurrency.

Understand how Kong addresses and patches vulnerabilities in Kong Mesh binaries, third-party dependencies, and Docker images.

Understand the lifecycle and version support guidelines for Kong Mesh, including supported release timelines.