Home / Kong Mesh
Edit
Report

Manage control plane permissions on Kubernetes

Uses: Kong Mesh
Related Documentation
Mesh Documentation
Minimum Version
Kong Mesh - 2.11
Tags
#kubernetes #control-plane #access-control
Related Resources
Restrict permissions to selected namespaces on Kubernetes

By default, Kong Mesh deployed on Kubernetes reacts to events and observes all resources at the cluster scope. This approach benefits first-time users who want to explore its functionality and simplifies migration. However, in production environments, restricting access to specific resources can enhance security and ensure that Kong Mesh doesn’t impact running applications.

Restrict permissions to selected namespaces

You can define a list of namespaces that the Kong Mesh control plane can access. When this list is set, Kong Mesh will only have permissions in those selected namespaces and in its own system namespace. It won’t be able to access or manage resources in any other namespace.

To restrict Kong Mesh to a specific set of namespaces, set the kuma.namespaceAllowList option during installation:

kumactl install control-plane \
  --set "kuma.namespaceAllowList={first-namespace,second-namespace}" \
  | kubectl apply -f -

This will create a RoleBinding in each listed namespace, binding the kong-mesh-control-plane-workloads ClusterRole to that namespace. It will also configure Kong Mesh’s mutating and validating webhooks to only work within the specified namespaces.

Manually manage RBAC resources

If your environment restricts creating cluster-scoped resources (ClusterRole or ClusterRoleBinding), or if you prefer to manage permissions yourself, you can disable automatic resource creation during installation.

Before installing Kong Mesh, you must manually create the following resources:

  • ClusterRole and ClusterRoleBinding used by the control plane
  • Role and RoleBinding within the control plane namespace
  • RoleBindings in selected namespaces when using namespaceAllowList (optional)

You can find the complete set of required manifests here:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kong-mesh-control-plane
rules:
- apiGroups:
  - ''
  resources:
  - namespaces
  - pods
  - nodes
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gateways
  - referencegrants
  - httproutes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - kuma.io
  resources:
  - dataplanes
  - dataplaneinsights
  - meshes
  - zones
  - zoneinsights
  - zoneingresses
  - zoneingressinsights
  - zoneegresses
  - zoneegressinsights
  - meshinsights
  - serviceinsights
  - proxytemplates
  - ratelimits
  - trafficpermissions
  - trafficroutes
  - timeouts
  - retries
  - circuitbreakers
  - virtualoutbounds
  - containerpatches
  - externalservices
  - faultinjections
  - healthchecks
  - trafficlogs
  - traffictraces
  - meshgateways
  - meshgatewayroutes
  - meshgatewayinstances
  - meshgatewayconfigs
  - meshaccesslogs
  - meshcircuitbreakers
  - meshfaultinjections
  - meshglobalratelimits
  - meshhealthchecks
  - meshhttproutes
  - meshloadbalancingstrategies
  - meshmetrics
  - meshopas
  - meshpassthroughs
  - meshproxypatches
  - meshratelimits
  - meshretries
  - meshtcproutes
  - meshtimeouts
  - meshtlses
  - meshtraces
  - meshtrafficpermissions
  - hostnamegenerators
  - meshexternalservices
  - meshidentities
  - meshmultizoneservices
  - meshservices
  - meshtrusts
  - workloads
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - kuma.io
  resources:
  - meshgatewayinstances/status
  - meshgatewayinstances/finalizers
  - meshes/finalizers
  - dataplanes/finalizers
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create

These manifests include the kong-mesh-control-plane-workloads binding, granting the control plane write access to resources across all namespaces.

All required resources must be created before installing Kong Mesh.

Disable automatic resource creation

To skip creation of all resources, use kuma.skipRBAC=true during installation:

kumactl install control-plane \
  --set "kuma.skipRBAC=true" \
  | kubectl apply -f -

To skip only cluster-scoped resources kuma.controlPlane.skipClusterRoleCreation=true:

kumactl install control-plane \
  --set "kuma.controlPlane.skipClusterRoleCreation=true" \
  | kubectl apply -f -

If you choose to manage Kong Mesh’s RBAC resources yourself, make sure to keep them in sync during upgrades. When a new version of Kong Mesh is released, roles and role bindings may change, and it’s your responsibility to update them accordingly.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support