Restrict Kong Mesh permissions to selected namespaces on Kubernetes

Uses: Kong Mesh
Minimum Version
Kong Mesh - 2.11
TL;DR

Create a namespace, then set kuma.namespaceAllowList to that namespace's name when installing Kong Mesh. Only namespaces on the list receive sidecar injection and the RoleBinding the control plane needs to manage them; every other namespace is left untouched.

Prerequisites

You will need Helm, a package manager for Kubernetes, with the Kong Mesh chart repository added under the alias kong-mesh so that the chart reference kong-mesh/kong-mesh used below resolves.

This guide requires a running Kubernetes cluster. If you already have one, you can skip this step. It can be a local cluster (for example minikube or Docker Desktop) or a managed cluster in a public cloud such as AWS EKS or GCP GKE.

For example, if you are using minikube:

minikube start -p mesh-zone

Install Kong Mesh restricted to a single namespace

By default, Kong Mesh deployed on Kubernetes is granted cluster-wide permissions to watch and react to resources in every namespace. This simplifies initial setup and testing, but it is more permissive than most production environments should accept. Limiting Kong Mesh to the namespaces it actually needs reduces the blast radius of a compromised or misbehaving control plane and prevents side effects on unrelated applications.

Run the following commands to create a first namespace and install an instance of Kong Mesh restricted to that namespace.

  1. Create and label the namespace:
    kubectl create namespace first-namespace
    kubectl label namespace first-namespace kuma.io/sidecar-injection=enabled
    
  2. Install Kong Mesh:
    helm upgrade \
      --install \
      --create-namespace \
      --namespace kong-mesh-system \
      --set "kuma.namespaceAllowList={first-namespace}" \
      kong-mesh kong-mesh/kong-mesh
    
  3. Deploy a test workload:
    kubectl run nginx --image=nginx --port=80 --namespace first-namespace
    

Verify that the first namespace is working

  1. Check that the control plane is managing the workload:
    kubectl get dataplanes --namespace first-namespace
    

    Expected output:

    NAME    KUMA.IO/SERVICE             KUMA.IO/SERVICE
    nginx   nginx_first-namespace_svc
    
  2. Check that the pod has the sidecar injected:

    You may need to wait a few minutes for the pods to initialize.

    kubectl get pods --namespace first-namespace
    

    Expected output:

    NAME    READY   STATUS    RESTARTS   AGE
    nginx   2/2     Running   0          2m5s
    
  3. Verify the required RoleBinding:

    kubectl get rolebindings --namespace first-namespace
    

    Expected output:

    NAME                                ROLE                                            AGE
    kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   3m46s
    

This confirms that:

  • A Dataplane was created for the workload.
  • The pod includes the kuma-sidecar container (2/2 ready).
  • A RoleBinding named kong-mesh-control-plane-workloads grants the control plane the permissions of the kong-mesh-control-plane-workloads ClusterRole, scoped to first-namespace only. The ClusterRole defines the permissions; the namespace-scoped RoleBinding is what actually confers them, so its presence is the marker of a managed namespace.

Create a second namespace in which Kong Mesh doesn’t run

  1. Create and label the namespace:
    kubectl create namespace second-namespace
    kubectl label namespace second-namespace kuma.io/sidecar-injection=enabled
    
  2. Deploy the same test workload in the second namespace:
    kubectl run nginx --image=nginx --port=80 --namespace second-namespace
    

Verify that the second namespace is not managed

Check that the control plane is not managing resources in second-namespace.

  1. Check the data planes in the second namespace:
    kubectl get dataplanes --namespace second-namespace
    

    Expected output:

    No resources found in second-namespace namespace.
    
  2. Check the pods:
    kubectl get pods --namespace second-namespace
    

    Expected output:

    NAME    READY   STATUS    RESTARTS   AGE
    nginx   1/1     Running   0          42s
    

    This indicates the pod is running without the kuma-sidecar: 1/1 ready means only the nginx container exists.

  3. Check the role bindings:
    kubectl get rolebindings --namespace second-namespace
    

    Expected output:

    No resources found in second-namespace namespace.
    

This confirms that:

  • The control plane does not have permission to manage this namespace.
  • The pod was started without sidecar injection.
  • No RoleBinding was created to grant control plane access.

Note that the kuma.io/sidecar-injection=enabled label alone is not enough. A labelled namespace that is not on kuma.namespaceAllowList silently gets no sidecars: pods start normally, without any error, but run outside the mesh and its policies. When auditing a cluster, compare the set of labelled namespaces against the allow-list rather than trusting the label.

Update Kong Mesh to also manage the second namespace

  1. Update Kong Mesh to include second-namespace:
    helm upgrade \
      --install \
      --create-namespace \
      --namespace kong-mesh-system \
      --set "kuma.namespaceAllowList={first-namespace,second-namespace}" \
      kong-mesh kong-mesh/kong-mesh
    
  2. Sidecar injection happens at pod admission, so an existing pod is not retrofitted. Delete the old pod and recreate it to trigger injection:
    kubectl delete pod --namespace second-namespace --all
    kubectl run nginx --image=nginx --port=80 --namespace second-namespace
    

Verify that the second namespace is now managed

  1. Check that the control plane is now managing the workload in second-namespace:
    kubectl get dataplanes --namespace second-namespace
    

    Expected output:

    NAME    KUMA.IO/SERVICE              KUMA.IO/SERVICE
    nginx   nginx_second-namespace_svc   
    
  2. Verify that the pod now includes a sidecar:

    You may need to wait a few minutes for the pods to initialize.

    kubectl get pods --namespace second-namespace
    

    Expected output:

    NAME    READY   STATUS    RESTARTS   AGE
    nginx   2/2     Running   0          30s
    
  3. Check that the required RoleBinding has been created:
    kubectl get rolebindings --namespace second-namespace
    

    Expected output:

    NAME                                ROLE                                            AGE
    kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   30s
    

This confirms that:

  • The control plane has the correct permissions in second-namespace
  • The pod was injected with the kuma-sidecar
  • The namespace is now fully integrated with the mesh
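The procedure above shows the mismatch to watch for: a namespace labelled for sidecar injection that is not on the allow-list gets no sidecars and no RoleBinding. The following script is an added example, not part of the Kong Mesh documentation or project code. It lists every namespace labelled kuma.io/sidecar-injection=enabled, uses the presence of the kong-mesh-control-plane-workloads RoleBinding from this guide as the marker of a managed namespace, reports any labelled namespace that is unmanaged, and prints the helm --set value that would cover them all. It assumes kubectl is on PATH with read access to namespaces and rolebindings; the RoleBinding name can be overridden through RB_NAME if your release uses a different one.

```shell
#!/bin/sh
# Added example, not part of the Kong Mesh docs or project code.
# Audits namespaces labelled kuma.io/sidecar-injection=enabled against the
# control plane's allow-list, using the RoleBinding shown in this guide
# (kong-mesh-control-plane-workloads) as the marker of a managed namespace.
# Assumes kubectl is on PATH with read access to namespaces and rolebindings.

RB_NAME=${RB_NAME:-kong-mesh-control-plane-workloads}

# All namespaces that ask for sidecar injection, one name per line.
injection_namespaces() {
    kubectl get namespaces -l kuma.io/sidecar-injection=enabled \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# Succeeds when the control plane has its workload RoleBinding in namespace $1,
# i.e. the namespace is on kuma.namespaceAllowList.
namespace_is_managed() {
    kubectl get rolebinding "$RB_NAME" --namespace "$1" -o name >/dev/null 2>&1
}

# Prints "<ns> managed" or "<ns> UNMANAGED" for each labelled namespace.
# Returns 1 if any labelled namespace is outside the allow-list: pods there
# start without a sidecar and silently run outside the mesh.
audit_namespaces() {
    rc=0
    for ns in $(injection_namespaces); do
        if namespace_is_managed "$ns"; then
            echo "$ns managed"
        else
            echo "$ns UNMANAGED"
            rc=1
        fi
    done
    return "$rc"
}

# Prints the helm --set value that puts every labelled namespace on the
# allow-list. The value you pass replaces the previous list rather than
# merging with it, so it must name all namespaces you want managed.
suggested_allow_list() {
    list=$(injection_namespaces | tr '\n' ',' | sed 's/,$//')
    echo "kuma.namespaceAllowList={$list}"
}

# Entry point: "audit" reports mismatches (exit 1 if any), "suggest" prints
# the --set value. With no argument the script only defines the functions.
case "${1:-}" in
    audit)   audit_namespaces ;;
    suggest) suggested_allow_list ;;
esac
```

Run it as `sh audit-allowlist.sh audit` after the second namespace is created but before the allow-list is updated, and it reports second-namespace as UNMANAGED with exit status 1; `sh audit-allowlist.sh suggest` then prints the exact value to pass to helm upgrade.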

Cleanup

If you created the minikube profile from the prerequisites, delete it. This removes the cluster, everything deployed in it, and its kubeconfig context:

minikube delete -p mesh-zone

On any other cluster, uninstall the kong-mesh Helm release from kong-mesh-system and delete the two test namespaces instead.