Home / How-to Guides
Edit
Report

Restrict Kong Mesh permissions to selected namespaces on Kubernetes

Uses: Kong Mesh
Related Documentation
Mesh Documentation
Related Resources
Manage control plane permissions on Kubernetes
Minimum Version
Kong Mesh - 2.11
TL;DR

Create a namespace, then set kuma.namespaceAllowList to the name of the namespace to use when installing Kong Mesh.

Prerequisites

Helm

You will need Helm, a package manager for Kubernetes.

A running Kubernetes cluster

This guide requires a running Kubernetes cluster. If you already have a Kubernetes cluster running, you can skip this step. It can be a cluster running locally, like Docker, or in a public cloud like AWS EKS, GCP GKE, etc.

For example, if you are using minikube:

minikube start -p mesh-zone

Install Kong Mesh which manages a single namespace

By default, Kong Mesh deployed on Kubernetes has permissions to observe and react to events from resources across the entire cluster. While this behavior simplifies initial setup and testing, it might be too permissive for production environments. Limiting Kong Mesh’s access to only necessary namespaces helps enhance security and prevents potential impact on unrelated applications.

Run the following commands to create a first namespace and install an instance of Kong Mesh restricted to that namespace.

  1. Create and label the namespace: 
    kubectl create namespace first-namespace
kubectl label namespace first-namespace kuma.io/sidecar-injection=enabled
  2. Install Kong Mesh: 
    helm upgrade \
  --install \
  --create-namespace \
  --namespace kong-mesh-system \
  --set "kuma.namespaceAllowList={first-namespace}" \
  kong-mesh kong-mesh/kong-mesh
  3. Deploy a test workload: 
    kubectl run nginx --image=nginx --port=80 --namespace first-namespace

Verify that the first namespace is working
  1. Check that the control plane is managing the workload: 
    kubectl get dataplanes --namespace first-namespace

    Expected output:

    NAME    KUMA.IO/SERVICE             KUMA.IO/SERVICE
nginx   nginx_first-namespace_svc

  2. Check that the pod has the sidecar injected:

    You may need to wait a few minutes for the pods to initialize.

    kubectl get pods --namespace first-namespace

    Expected output:

    NAME    READY   STATUS    RESTARTS   AGE
nginx   2/2     Running   0          2m5s

  3. Verify the required RoleBinding:

    kubectl get rolebindings --namespace first-namespace

    Expected output:

    NAME                                ROLE                                            AGE
kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   3m46s

This confirms that:

  • A Dataplane was created.
  • The pod includes the kuma-sidecar.
  • A RoleBinding named kong-mesh-control-plane-workloads grants elevated access to the control plane.

Create a second namespace in which Kong Mesh doesn’t run
  1. Create and label the namespace: 
    kubectl create namespace second-namespace
kubectl label namespace second-namespace kuma.io/sidecar-injection=enabled
  2. Deploy the same test workload in the second namespace: 
    kubectl run nginx --image=nginx --port=80 --namespace second-namespace

Verify the second namespace is not working

Check that the control plane is not managing resources in second-namespace.

  1. Check the data planes in the second namespace: 
    kubectl get dataplanes --namespace second-namespace

    Expected output:

    No resources found in second-namespace namespace.
  2. Check the pods: 
    kubectl get pods --namespace second-namespace

    Expected output:

    NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          42s

    This indicates the pod is running without the kuma-sidecar.

  3. Check the role bindings: 
    kubectl get rolebindings --namespace second-namespace

    Expected output:

    No resources found in second-namespace namespace.

This confirms that:

  • The control plane does not have permission to manage this namespace.
  • The pod was started without sidecar injection.
  • No RoleBinding was created to grant control plane access.

Update Kong Mesh to also manage the second namespace
  1. Update Kong Mesh to include second-namespace: 
    helm upgrade \
  --install \
  --create-namespace \
  --namespace kong-mesh-system \
  --set "kuma.namespaceAllowList={first-namespace,second-namespace}" \
  kong-mesh kong-mesh/kong-mesh
  2. Delete the old pod and recreate it to trigger sidecar injection: 
    kubectl delete pod --namespace second-namespace --all
kubectl run nginx --image=nginx --port=80 --namespace second-namespace

Verify the second namespace is now working
  1. Check that the control plane is now managing the workload in second-namespace: 
    kubectl get dataplanes --namespace second-namespace

    Expected output:

    NAME    KUMA.IO/SERVICE              KUMA.IO/SERVICE
nginx   nginx_second-namespace_svc

  2. Verify that the pod now includes a sidecar:

    You may need to wait a few minutes for the pods to initialize.

    kubectl get pods --namespace second-namespace

    Expected output:

    NAME    READY   STATUS    RESTARTS   AGE
nginx   2/2     Running   0          30s
  3. Check that the required RoleBinding has been created: 
    kubectl get rolebindings --namespace second-namespace

    Expected output:

    NAME                                ROLE                                            AGE
kong-mesh-control-plane-workloads   ClusterRole/kong-mesh-control-plane-workloads   30s

This confirms that:

  • The control plane has the correct permissions in second-namespace
  • The pod was injected with the kuma-sidecar
  • The namespace is now fully integrated with the mesh

Cleanup

Clean up Mesh

To clean up your environment, remove the Docker containers, network, temporary directory, and the control plane configuration. Run the following command:

kubectl config delete-context mesh-zone
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support