Kubernetes:

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        # Matches the autogenerated k8s.kuma.io/namespace tag
        - tags:
            k8s.kuma.io/namespace: ns-1
        - tags:
            k8s.kuma.io/namespace: ns-2
```

Universal:

```yaml
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          k8s.kuma.io/namespace: ns-1
      - tags:
          k8s.kuma.io/namespace: ns-2
```

By default, any Pod can join any mesh by changing its `kuma.io/mesh` annotation.
We can restrict that by relying on the autogenerated `k8s.kuma.io/namespace` tag.
In this example, only data plane proxies from `ns-1` and `ns-2` can join the `default` mesh.
Requirements only restrict who may join the mesh they are defined on: if there is another mesh without any requirements, Pods from the `ns-1` and `ns-2` namespaces can also join that mesh.

Kubernetes:

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            team: '*'
            cloud: '*'
      restrictions:
        - tags:
            legacy: '*'
```

Universal:

```yaml
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          team: '*'
          cloud: '*'
    restrictions:
      - tags:
          legacy: '*'
```

By using these constraints, we can enforce consistent tagging across a Kong Mesh deployment.
With the example above, every data plane proxy must have non-empty `team` and `cloud` tags and cannot have a `legacy` tag.
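
The matching rules described for the two examples above, as an added Python sketch (not Kong Mesh code) for checking a tag set against a constraint before rollout. The function names are hypothetical, and two simplifications are assumed: a proxy's tags are treated as one flat map, and a restriction entry listing several tags matches only when all of them match.

```python
# Added illustration: a simplified model of the membership rules described
# on this page. It is not Kong Mesh's implementation.

def tag_matches(expected, actual):
    """'*' accepts any non-empty value; any other value must match exactly."""
    if not actual:  # missing or empty tag never matches
        return False
    return expected == "*" or expected == actual

def entry_matches(entry, proxy_tags):
    """An entry matches only if every tag it lists matches (assumed for restrictions too)."""
    return all(tag_matches(v, proxy_tags.get(k)) for k, v in entry["tags"].items())

def can_join(constraints, proxy_tags):
    """Return (allowed, reason) for a proxy's tags against a mesh's constraints."""
    dp = constraints.get("dataplaneProxy", {})
    for restriction in dp.get("restrictions", []):
        if entry_matches(restriction, proxy_tags):
            return False, f"matches restriction {restriction['tags']}"
    requirements = dp.get("requirements", [])
    # A mesh without requirements accepts any proxy; otherwise one entry must match.
    if requirements and not any(entry_matches(r, proxy_tags) for r in requirements):
        return False, "no requirement satisfied"
    return True, "ok"

# Constructed constraints mirroring the two examples on this page.
NAMESPACE_MESH = {"dataplaneProxy": {"requirements": [
    {"tags": {"k8s.kuma.io/namespace": "ns-1"}},
    {"tags": {"k8s.kuma.io/namespace": "ns-2"}},
]}}
TAG_POLICY_MESH = {"dataplaneProxy": {
    "requirements": [{"tags": {"team": "*", "cloud": "*"}}],
    "restrictions": [{"tags": {"legacy": "*"}}],
}}

if __name__ == "__main__":
    samples = [  # constructed proxy tag sets
        (NAMESPACE_MESH, {"k8s.kuma.io/namespace": "ns-3"}),
        (TAG_POLICY_MESH, {"team": "payments", "cloud": "aws"}),
        (TAG_POLICY_MESH, {"team": "payments", "cloud": "aws", "legacy": "true"}),
        (TAG_POLICY_MESH, {"team": "", "cloud": "aws"}),
    ]
    for constraints, tags in samples:
        print(tags, "->", can_join(constraints, tags))
```
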

Kubernetes:

```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            kuma.io/zone: east
---
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: demo
spec:
  constraints:
    dataplaneProxy:
      requirements:
        - tags:
            kuma.io/zone: west
```

Universal:

```yaml
type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          kuma.io/zone: east
---
type: Mesh
name: demo
constraints:
  dataplaneProxy:
    requirements:
      - tags:
          kuma.io/zone: west
```

This way, only data plane proxies from the `east` zone can join the `default` mesh, and only data plane proxies from the `west` zone can join the `demo` mesh.