Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/namespace: ns-1
      - tags:
          kuma.io/namespace: ns-2

Universal:

type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/namespace: ns-1
    - tags:
        kuma.io/namespace: ns-2

By default, any Pod can join any mesh by changing its kuma.io/mesh annotation. We can restrict that by relying on the autogenerated k8s.kuma.io/namespace tag.

In this example, only data plane proxies from ns-1 and ns-2 can join the default mesh. If there is another mesh without any requirements, Pods from the ns-1 and ns-2 namespaces can also join that mesh.

Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          team: '*'
          cloud: '*'
      restrictions:
      - tags:
          legacy: '*'

Universal:

type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        team: '*'
        cloud: '*'
    restrictions:
    - tags:
        legacy: '*'

By using these constraints, we can enforce consistency of tags in a Kong Mesh deployment. With the example above, every data plane proxy must have non-empty team and cloud tags and cannot have a legacy tag.

Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/zone: east
---
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: demo
spec:
  constraints:
    dataplaneProxy:
      requirements:
      - tags:
          kuma.io/zone: west

Universal:

type: Mesh
name: default
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/zone: east
---
type: Mesh
name: demo
constraints:
  dataplaneProxy:
    requirements:
    - tags:
        kuma.io/zone: west

This way, only data plane proxies from the east zone can join the default mesh and only data plane proxies from the west zone can join the demo mesh.
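
The matching rules the examples on this page rely on, written out as an added Python sketch for checking a proxy's tags against a mesh's constraints before applying them. It is not Kong Mesh's own code: the function names are hypothetical, a proxy is assumed to be a single flat tag map, and the sample proxies are constructed.

```python
# Added illustration: a simplified model of the matching rules shown on this
# page, not Kong Mesh's own code. Assumption: a proxy is one flat tag map.

def tags_match(selector, proxy_tags):
    """True if the proxy carries every tag in the selector ('*' = any non-empty value)."""
    for key, wanted in selector.items():
        actual = proxy_tags.get(key, "")
        if not actual or (wanted != "*" and actual != wanted):
            return False
    return True


def can_join(constraints, proxy_tags):
    """Return (allowed, reason) for a proxy trying to join a mesh."""
    dpp = constraints.get("dataplaneProxy", {})
    # Matching any single restriction is enough to be rejected.
    for rule in dpp.get("restrictions", []):
        if tags_match(rule["tags"], proxy_tags):
            return False, f"matches restriction {rule['tags']}"
    # Requirements are alternatives: one fully matched entry is enough.
    requirements = dpp.get("requirements", [])
    if requirements and not any(tags_match(r["tags"], proxy_tags) for r in requirements):
        return False, "fulfils no requirement"
    return True, "ok"


# Constructed data mirroring the page's first two examples, plus an unconstrained mesh.
NAMESPACE_MESH = {"dataplaneProxy": {"requirements": [
    {"tags": {"kuma.io/namespace": "ns-1"}},
    {"tags": {"kuma.io/namespace": "ns-2"}},
]}}
TAG_MESH = {"dataplaneProxy": {
    "requirements": [{"tags": {"team": "*", "cloud": "*"}}],
    "restrictions": [{"tags": {"legacy": "*"}}],
}}
OPEN_MESH = {}  # no constraints: any proxy may join

if __name__ == "__main__":
    proxies = {  # constructed sample proxies
        "ns-3 pod": {"kuma.io/namespace": "ns-3", "team": "pay", "cloud": "aws"},
        "legacy pod": {"kuma.io/namespace": "ns-1", "team": "pay", "cloud": "aws", "legacy": "yes"},
        "untagged pod": {"kuma.io/namespace": "ns-2"},
    }
    for mesh_name, mesh in [("namespace", NAMESPACE_MESH), ("tags", TAG_MESH), ("open", OPEN_MESH)]:
        for proxy_name, tags in proxies.items():
            print(f"{mesh_name:9} {proxy_name:12} -> {can_join(mesh, tags)}")
```

The "open" rows show the caveat from the first example: constraints are set per mesh, so a proxy rejected by one mesh is still accepted by any mesh that declares no requirements.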