Home / Kong Mesh
Edit
Report

Secure access across services

Uses: Kong Mesh
Related Documentation
Mesh Documentation
Tags
#tls #certificates #security #mtls #control-plane
Related Resources
Zone egress
MeshMultiZoneService
Mesh Observability

This page explains how access is secured across a Kong Mesh deployment:

Kong Mesh stores autogenerated certificates and other files in a working directory. The default directory is $HOME/.kuma. You can change it by setting the KUMA_GENERAL_WORK_DIR environment variable.

This section is not to be confused with the mTLS policy that you can apply to a Mesh to secure service-to-service traffic.

Data plane proxy to control plane communication

A data plane proxy connects to the control plane to fetch its configuration, including mTLS certificates.

Data plane proxy to control plane TLS

Because the data plane proxy and the control plane exchange sensitive information, all communication must be encrypted with TLS. By default, the control plane server that data plane proxies connect to is secured by TLS with autogenerated certificates.

We recommend that data plane proxies verify the identity of the control plane. To do so, they need to obtain the CA used to generate the control plane server’s certificate.

This CA is not the same CA used for service-to-service communication.

Override data plane proxy TLS certificates

If overridden, Kong Mesh uses the certificates to protect not only data plane proxy to control plane traffic, but also user to control plane traffic and control plane to control plane traffic.

To configure the control plane and data plane proxies with custom TLS certificates:

  1. Prepare certificates:

    Generate a TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt and /tmp/tls.key. Store the CA used to sign this pair in /tmp/ca.crt.

    You can also use kumactl to generate self-signed certificates:

    kumactl generate tls-certificate \
  --type=server \
  --hostname=$KUMA_CP_DNS_NAME \
  --cert-file=/tmp/tls.crt \
  --key-file=/tmp/tls.key

    Since tls.crt is a self-signed certificate, it also serves as the CA:

    cp /tmp/tls.crt /tmp/ca.crt
  2. Create a secret in the namespace where the control plane is installed: 
    kubectl create secret generic general-tls-certs -n kong-mesh-system \
  --from-file=tls.crt=/tmp/tls.crt \
  --from-file=tls.key=/tmp/tls.key \
  --from-file=ca.crt=/tmp/ca.crt
  3. Install or upgrade Kong Mesh with the generated certificates: 
    helm upgrade --install kong-mesh kong-mesh/kong-mesh \
  --namespace kong-mesh-system \
  --set controlPlane.tls.general.secretName=general-tls-certs \
  --set "controlPlane.tls.general.caBundle=$(cat /tmp/ca.crt | base64)"

    The data plane proxy injector in the control plane automatically provides the CA to the Kong Mesh sidecar so it can verify the control plane’s identity.

    If you get an error like the following, make sure you are using a supported certificate type (PEM) and that the certificate doesn’t contain incomplete or corrupted data:

    Warning  FailedCreate  3m39s (x18 over 14m)  replicaset-controller  Error creating: Internal error occurred: failed calling webhook "namespace-kuma-injector.kuma.io": could not get REST client: unable to load root certificates: unable to parse bytes as PEM block

Data plane proxy to control plane authentication

See Data plane proxy authentication and Zone proxy authentication.

Prometheus to control plane communication

You can enable TLS on the Monitoring Assignment Discovery Service. By default, it uses the same certificate as CP-to-DP communication, configured with the --tls-general options. You can enable it by using the KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_ENABLED=true environment variable.

  1. Prepare certificates:

    Generate a TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt and /tmp/tls.key. Store the CA used to sign this pair in /tmp/ca.crt.

    You can also use kumactl to generate self-signed certificates:

    kumactl generate tls-certificate \
  --type=server \
  --hostname=$KUMA_CP_DNS_NAME \
  --cert-file=/tmp/tls.crt \
  --key-file=/tmp/tls.key

    Since tls.crt is a self-signed certificate, it also serves as the CA:

    cp /tmp/tls.crt /tmp/ca.crt
  2. Create a secret in the namespace where the control plane is installed: 
    kubectl create secret generic general-tls-certs -n kong-mesh-system \
  --from-file=tls.crt=/tmp/tls.crt \
  --from-file=tls.key=/tmp/tls.key \
  --from-file=ca.crt=/tmp/ca.crt

  3. Point to this secret when installing Kong Mesh:

    helm upgrade --install kong-mesh kong-mesh/kong-mesh \
  --namespace kong-mesh-system \
  --set controlPlane.tls.general.secretName=general-tls-certs \
  --set "controlPlane.tls.general.caBundle=$(cat /tmp/ca.crt | base64)" \
  --set controlPlane.envVars.KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_ENABLED=true

Configure Kong Mesh’s Prometheus SD with the correct TLS settings using the Prometheus docs.

User to control plane communication

Users and automation tools can interact with the control plane via the API Server using curl, kumactl, or similar tools. The API Server is exposed by default on HTTP (:5681) and HTTPS (:5682).

User to control plane TLS

The API Server HTTPS server is secured by default by autogenerated certificates.

Override user to control plane TLS certificates

To configure the API Server with custom TLS certificates:

  1. Prepare certificates:

    Generate a TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt and /tmp/tls.key. Store the CA used to sign this pair in /tmp/ca.crt.

    You can also use kumactl to generate self-signed certificates:

    kumactl generate tls-certificate \
  --type=server \
  --hostname=$KUMA_CP_DNS_NAME \
  --cert-file=/tmp/tls.crt \
  --key-file=/tmp/tls.key

    Since tls.crt is a self-signed certificate, it also serves as the CA:

    cp /tmp/tls.crt /tmp/ca.crt
  2. Create a secret in the namespace in which the control plane is installed: 
    kubectl create secret tls api-server-tls -n kong-mesh-system \
  --cert=/tmp/tls.crt \
  --key=/tmp/tls.key
  3. Install or upgrade Kong Mesh with the generated certificates: 
    helm upgrade --install kong-mesh kong-mesh/kong-mesh \
  --namespace kong-mesh-system \
  --set controlPlane.tls.apiServer.secretName=api-server-tls

    If you get an error like the following, make sure you are using a supported PEM certificate and that the certificate doesn’t contain incomplete or corrupted data:

    Warning  FailedCreate  3m39s (x18 over 14m)  replicaset-controller  Error creating: Internal error occurred: failed calling webhook "namespace-kuma-injector.kuma.io": could not get REST client: unable to load root certificates: unable to parse bytes as PEM block

User to control plane authentication

See API Server authentication.

Control plane to control plane (Multi-zone)

A zone control plane connects to a global control plane for policy configuration.

Control plane to control plane TLS

Because the global control plane and the zone control plane exchange sensitive information, all communication must be encrypted with TLS. By default, the global control plane server that zone control planes connect to is secured by TLS with autogenerated certificates.

We recommend that zone control planes verify the identity of the global control plane. To do so, they need to obtain the CA used to generate the global control plane server’s certificate.

Override control plane to control plane TLS certificates

To configure the global and zone control planes with custom TLS certificates:

  1. Prepare certificates:

    Generate a TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt and /tmp/tls.key. Store the CA used to sign this pair in /tmp/ca.crt.

    You can also use kumactl to generate self-signed certificates:

    kumactl generate tls-certificate \
  --type=server \
  --hostname=$KUMA_CP_DNS_NAME \
  --cert-file=/tmp/tls.crt \
  --key-file=/tmp/tls.key

    Since tls.crt is a self-signed certificate, it also serves as the CA:

    cp /tmp/tls.crt /tmp/ca.crt
  2. Create a secret for the global control plane: 
    kubectl create secret tls kds-server-tls -n kong-mesh-system \
  --cert=/tmp/tls.crt \
  --key=/tmp/tls.key
  3. Install or upgrade the global control plane with the generated certificates: 
    helm upgrade --install kong-mesh kong-mesh/kong-mesh \
  --namespace kong-mesh-system \
  --set controlPlane.tls.kdsGlobalServer.secretName=kds-server-tls
  4. Create a secret for the zone control plane: 
    kubectl create secret generic kds-ca-certs -n kong-mesh-system \
  --from-file=ca.crt=/tmp/ca.crt
  5. Install or upgrade the zone control plane with the CA: 
    helm upgrade --install kong-mesh kong-mesh/kong-mesh \
  --namespace kong-mesh-system \
  --set controlPlane.tls.kdsZoneClient.secretName=kds-ca-certs

Control plane to control plane authentication

Define firewall rules on the global control plane to only accept connections from known IPs of the zone control planes.

Third-party extensions, cloud implementations, or commercial offerings may extend authentication support.

Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support