Restrict Kong Mesh permissions to selected namespaces on Kubernetes
Create a namespace, then set kuma.namespaceAllowList to the name of that namespace when installing Kong Mesh.
Prerequisites
A running Kubernetes cluster
This guide requires a running Kubernetes cluster. If you already have one, you can skip this step. It can be a cluster running locally (for example, on Docker) or in a public cloud such as AWS EKS or GCP GKE.
For example, if you are using minikube:
```sh
minikube start -p mesh-zone
```
Install Kong Mesh which manages a single namespace
By default, Kong Mesh deployed on Kubernetes is granted cluster-wide permissions: it watches and reacts to resources in every namespace. While this simplifies initial setup and testing, it is more access than a production control plane needs. Restricting Kong Mesh to the namespaces it actually serves, with kuma.namespaceAllowList, narrows its RBAC grant to those namespaces (the per-namespace RoleBindings shown below are that grant) and limits what a misconfigured or compromised control plane can touch in unrelated applications.
Run the following commands to create a first namespace and install an instance of Kong Mesh restricted to that namespace.
- Create and label the namespace:
```sh
kubectl create namespace first-namespace
kubectl label namespace first-namespace kuma.io/sidecar-injection=enabled
```
- Install Kong Mesh:
```sh
helm upgrade \
  --install \
  --create-namespace \
  --namespace kong-mesh-system \
  --set "kuma.namespaceAllowList={first-namespace}" \
  kong-mesh kong-mesh/kong-mesh
```
- Deploy a test workload:
```sh
kubectl run nginx --image=nginx --port=80 --namespace first-namespace
```
Verify that the first namespace is working
- Check that the control plane is managing the workload:
```sh
kubectl get dataplanes --namespace first-namespace
```
Expected output:
```
NAME    KUMA.IO/SERVICE
nginx   nginx_first-namespace_svc
```
- Check that the pod has the sidecar injected. You may need to wait a few minutes for the pods to initialize.
```sh
kubectl get pods --namespace first-namespace
```
Expected output:
```
NAME    READY   STATUS    RESTARTS   AGE
nginx   2/2     Running   0          2m5s
```
- Verify the required RoleBinding:
```sh
kubectl get rolebindings --namespace first-namespace
```
Expected output:
```
NAME                                ROLE                                            AGE
kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   3m46s
```
This confirms that:
- A Dataplane was created.
- The pod includes the kuma-sidecar (READY shows 2/2).
- A RoleBinding named kong-mesh-control-plane-workloads grants the control plane its elevated access to this namespace.
Create a second namespace in which Kong Mesh doesn't run
- Create and label the namespace:
```sh
kubectl create namespace second-namespace
kubectl label namespace second-namespace kuma.io/sidecar-injection=enabled
```
- Deploy the same test workload in the second namespace:
```sh
kubectl run nginx --image=nginx --port=80 --namespace second-namespace
```
Verify the second namespace is not working
Check that the control plane is not managing resources in second-namespace.
- Check the data planes in the second namespace:
```sh
kubectl get dataplanes --namespace second-namespace
```
Expected output:
```
No resources found in second-namespace namespace.
```
- Check the pods:
```sh
kubectl get pods --namespace second-namespace
```
Expected output:
```
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          42s
```
This indicates the pod is running without the kuma-sidecar: the namespace carries the injection label, but the control plane is not allowed to act on it, so injection silently does not happen and the workload is outside the mesh.
- Check the role bindings:
```sh
kubectl get rolebindings --namespace second-namespace
```
Expected output:
```
No resources found in second-namespace namespace.
```
This confirms that:
- The control plane does not have permission to manage this namespace.
- The pod was started without sidecar injection.
- No RoleBinding was created to grant control plane access.
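The manual checks in this page (Dataplane present, READY 2/2, RoleBinding present) can be scripted so that this kind of drift is caught automatically: a namespace labelled kuma.io/sidecar-injection=enabled that is missing from kuma.namespaceAllowList looks healthy from the pod's point of view while its workloads are not part of the mesh at all. The script below is an added example, not Kong Mesh's own tooling. It assumes kubectl is on PATH (overridable through the KUBECTL variable, which is also how a stand-in kubectl can be substituted for offline testing), that the RoleBinding is named kong-mesh-control-plane-workloads and the sidecar container kuma-sidecar, both as shown in this page's expected output.

```shell
#!/usr/bin/env bash
# Added example, not part of Kong Mesh: report namespaces that opted in to
# sidecar injection but that the control plane is not allowed to manage.
# Assumptions: kubectl on PATH (override with KUBECTL=...), RoleBinding name
# kong-mesh-control-plane-workloads and sidecar container name kuma-sidecar,
# both taken from this page's expected output.
set -u

KUBECTL="${KUBECTL:-kubectl}"
RB_NAME="kong-mesh-control-plane-workloads"

# Namespaces labelled kuma.io/sidecar-injection=enabled, one per line.
injection_namespaces() {
  "$KUBECTL" get namespaces -l kuma.io/sidecar-injection=enabled \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# Exit 0 when the control plane's RoleBinding exists in the namespace,
# i.e. the namespace is in kuma.namespaceAllowList; non-zero otherwise.
mesh_manages() {
  "$KUBECTL" get rolebinding "$RB_NAME" --namespace "$1" >/dev/null 2>&1
}

# Pods in the namespace whose container list lacks kuma-sidecar, one per line.
# kubectl prints "<pod>=<container>,<container>,..." and awk filters that.
unproxied_pods() {
  "$KUBECTL" get pods --namespace "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"="}{range .spec.containers[*]}{.name}{","}{end}{"\n"}{end}' \
    | awk -F= '$2 !~ /(^|,)kuma-sidecar(,|$)/ { print $1 }'
}

# One line per labelled namespace: "<namespace> managed|UNMANAGED <unproxied pod count>".
# Returns 1 if any labelled namespace is outside the allow list, 0 otherwise.
audit_injection_namespaces() {
  local rc=0 ns state count
  for ns in $(injection_namespaces); do   # namespace names contain no whitespace
    if mesh_manages "$ns"; then
      state=managed
    else
      state=UNMANAGED
      rc=1
    fi
    count=$(unproxied_pods "$ns" | awk 'END { print NR }')
    printf '%s %s %s\n' "$ns" "$state" "$count"
  done
  return "$rc"
}

# Run directly with `--run`, or source the file and call audit_injection_namespaces.
if [ "${1:-}" = "--run" ]; then
  audit_injection_namespaces
fi
```

Against the state this page describes, the script prints `first-namespace managed 0` and `second-namespace UNMANAGED 1` and exits non-zero, which makes it usable as a gate in a pipeline. A managed namespace with a non-zero unproxied count is the other case worth alerting on: it usually means pods that were started before the namespace was added to the allow list and still need to be restarted.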
Update Kong Mesh to also manage the second namespace
- Update Kong Mesh to include second-namespace:
```sh
helm upgrade \
  --install \
  --create-namespace \
  --namespace kong-mesh-system \
  --set "kuma.namespaceAllowList={first-namespace,second-namespace}" \
  kong-mesh kong-mesh/kong-mesh
```
- Delete the old pod and recreate it to trigger sidecar injection. Injection happens when a pod is admitted, so pods that were already running before the upgrade are not retrofitted:
```sh
kubectl delete pod --namespace second-namespace --all
kubectl run nginx --image=nginx --port=80 --namespace second-namespace
```
Verify the second namespace is now working
- Check that the control plane is now managing the workload in second-namespace:
```sh
kubectl get dataplanes --namespace second-namespace
```
Expected output:
```
NAME    KUMA.IO/SERVICE
nginx   nginx_second-namespace_svc
```
- Verify that the pod now includes a sidecar. You may need to wait a few minutes for the pods to initialize.
```sh
kubectl get pods --namespace second-namespace
```
Expected output:
```
NAME    READY   STATUS    RESTARTS   AGE
nginx   2/2     Running   0          30s
```
- Check that the required RoleBinding has been created:
```sh
kubectl get rolebindings --namespace second-namespace
```
Expected output:
```
NAME                                ROLE                                            AGE
kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   30s
```
This confirms that:
- The control plane has the correct permissions in second-namespace.
- The pod was injected with the kuma-sidecar.
- The namespace is now fully integrated with the mesh.
Cleanup
Clean up Mesh
The following command removes only the kubectl context for the mesh-zone minikube profile created in the prerequisites; it does not delete the cluster itself or the Kong Mesh installation running in it. Run:
```sh
kubectl config delete-context mesh-zone
```