From ab3dba0c790f467abc47fe6ef9b2d1d5050a7772 Mon Sep 17 00:00:00 2001
From: slonka
Date: Wed, 10 Jun 2026 10:37:31 +0200
Subject: [PATCH 1/2] Add experimental MeshTrafficPermission docs
Signed-off-by: slonka
---
.../issue-identity-with-meshidentity-spire.md | 2 +-
.../mesh/issue-identity-with-meshidentity.md | 2 +-
app/_mesh_policies/meshidentity/index.md | 5 +-
.../allow-observability-namespace.yaml | 17 ++++
.../examples/deny-malicious-namespace.yaml | 17 ++++
...ny-observability-on-backend-admin-api.yaml | 22 +++++
.../index.md | 96 +++++++++++++++++++
app/_mesh_policies/meshtrust/index.md | 4 +-
8 files changed, 158 insertions(+), 7 deletions(-)
create mode 100644 app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml
create mode 100644 app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml
create mode 100644 app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml
create mode 100644 app/_mesh_policies/meshtrafficpermission_experimental/index.md
diff --git a/app/_how-tos/mesh/issue-identity-with-meshidentity-spire.md b/app/_how-tos/mesh/issue-identity-with-meshidentity-spire.md
index 078e2b6ec1..530446f37e 100644
--- a/app/_how-tos/mesh/issue-identity-with-meshidentity-spire.md
+++ b/app/_how-tos/mesh/issue-identity-with-meshidentity-spire.md
@@ -57,7 +57,7 @@ next_steps: - text: Issue identity with the bundled provider url: /mesh/issue-identity-with-meshidentity/ - text: MeshTrafficPermission with SPIFFE ID matchers - url: /mesh/policies/meshtrafficpermission/ + url: /mesh/policies/meshtrafficpermission_experimental/ --- {:.warning}
diff --git a/app/_how-tos/mesh/issue-identity-with-meshidentity.md b/app/_how-tos/mesh/issue-identity-with-meshidentity.md
index db508852d9..f3c012a207 100644
--- a/app/_how-tos/mesh/issue-identity-with-meshidentity.md
+++ b/app/_how-tos/mesh/issue-identity-with-meshidentity.md
@@ -39,7 +39,7 @@ next_steps: - text: Issue identity with the Spire provider url: /mesh/issue-identity-with-meshidentity-spire/ - text: MeshTrafficPermission with SPIFFE ID matchers - url: /mesh/policies/meshtrafficpermission/ + url: /mesh/policies/meshtrafficpermission_experimental/ --- {:.warning}
diff --git a/app/_mesh_policies/meshidentity/index.md b/app/_mesh_policies/meshidentity/index.md
index 0bd4359717..f17ba6b480 100644
--- a/app/_mesh_policies/meshidentity/index.md
+++ b/app/_mesh_policies/meshidentity/index.md
@@ -24,8 +24,8 @@ related_resources: url: /mesh/meshservice/ - text: MeshTLS url: /mesh/policies/meshtls/ - - text: MeshTrafficPermission - url: /mesh/policies/meshtrafficpermission/ + - text: MeshTrafficPermission with SPIFFE ID matchers + url: /mesh/policies/meshtrafficpermission_experimental/ --- {:.warning}
@@ -197,4 +197,3 @@ This field is required and must specify one of the supported provider types: * `Bundled`: Certificates are issued by {{site.mesh_product_name}}'s control plane, either autogenerated or supplied by the user. * `Spire`: Certificates are issued directly by a SPIRE Agent through SDS. -
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml b/app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml
new file mode 100644
index 0000000000..9844bc9fef
--- /dev/null
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml
@@ -0,0 +1,17 @@
+title: 'Allow traffic from a namespace'
+description: 'Use MeshTrafficPermission to allow requests from every workload in a namespace by matching a SPIFFE ID prefix.'
+
+weight: 800
+
+namespace: kuma-demo
+config:
+ type: MeshTrafficPermission
+ name: allow-observability-ns
+ mesh: default
+ spec:
+ rules:
+ - default:
+ allow:
+ - spiffeID:
+ type: Prefix
+ value: spiffe://default.default.mesh.local/ns/observability
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml
new file mode 100644
index 0000000000..405030a33f
--- /dev/null
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml
@@ -0,0 +1,17 @@
+title: 'Deny traffic from a namespace'
+description: 'Use MeshTrafficPermission to deny requests from every workload in a namespace by matching a SPIFFE ID prefix.'
+
+weight: 900
+
+namespace: kuma-demo
+config:
+ type: MeshTrafficPermission
+ name: deny-malicious-ns
+ mesh: default
+ spec:
+ rules:
+ - default:
+ deny:
+ - spiffeID:
+ type: Prefix
+ value: spiffe://default.default.mesh.local/ns/malicious
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml
new file mode 100644
index 0000000000..0ae0d9dbd8
--- /dev/null
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml
@@ -0,0 +1,22 @@
+title: 'Override a mesh-wide allow rule on a service port'
+description: 'Use MeshTrafficPermission to deny traffic from a namespace on a specific service port, even when a mesh-wide allow rule exists.'
+
+weight: 700
+
+namespace: kuma-demo
+config:
+ type: MeshTrafficPermission
+ name: deny-observability-ns
+ mesh: default
+ spec:
+ targetRef:
+ kind: Dataplane
+ labels:
+ app: backend
+ sectionName: backend-admin-api
+ rules:
+ - default:
+ deny:
+ - spiffeID:
+ type: Prefix
+ value: spiffe://default.default.mesh.local/ns/observability
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/index.md b/app/_mesh_policies/meshtrafficpermission_experimental/index.md
new file mode 100644
index 0000000000..fa7953bc9a
--- /dev/null
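Review bot: The `Prefix` matcher `value: spiffe://default.default.mesh.local/ns/observability` in `allow-observability-namespace.yaml` has no trailing `/`, so if `Prefix` is a plain string-prefix comparison (the page does not say it is segment-aware) this allow rule also grants access to every namespace whose name merely starts with `observability`, such as `observability-test`, and whoever can create such a namespace inherits the grant. Because the mesh's SPIFFE path continues with `/sa/<name>` after the namespace (the `Exact` example `.../ns/test/sa/client` in the new `index.md` shows this), ending the prefix at the segment boundary closes the gap: `value: spiffe://default.default.mesh.local/ns/observability/`. The same trailing `/` belongs on the prefixes in `deny-malicious-namespace.yaml` and `deny-observability-on-backend-admin-api.yaml` (a deny that is too wide is fail-closed but still surprising) and on the `legacy-ns` prefix in `index.md`, and each example's `description` should say that a namespace prefix must end in `/`.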
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/index.md 
@@ -0,0 +1,96 @@ +--- +title: MeshTrafficPermission with SPIFFE ID matchers +name: MeshTrafficPermissions +description: Control service-to-service access using SPIFFE identities with allow, deny, and shadow deny rules. +products: + - mesh +content_type: plugin +type: policy +icon: policy.svg +tags: + - access-control + - authorization + - security +min_version: + mesh: '2.12' +related_resources: + - text: Issue identity with the MeshIdentity bundled provider + url: /mesh/issue-identity-with-meshidentity/ + - text: Issue identity with MeshIdentity Spire provider + url: /mesh/issue-identity-with-meshidentity-spire/ + - text: MeshIdentity policy + url: /mesh/policies/meshidentity/ + - text: MeshTrust policy + url: /mesh/policies/meshtrust/ + - text: MeshTLS policy + url: /mesh/policies/meshtls/ +--- + +{:.warning} +> This resource is experimental. +> Enable [MeshIdentity](/mesh/policies/meshidentity/) before you apply `MeshTrafficPermission`. + +## Overview + +`MeshTrafficPermission` defines which clients can access services inside a mesh based on their SPIFFE identities. +If no `MeshTrafficPermission` applies, the default behavior is to deny all requests. 
+ +You can use `MeshTrafficPermission` to: + +* deny requests from specific clients or namespaces so service owners cannot override that deny rule +* allow groups of clients, such as all workloads in a namespace, to access services by default +* shadow-deny traffic so you can validate a policy before you enforce it + +The following example shows a common rule set: + +{% policy_yaml namespace=kuma-demo %} + +```yaml +type: MeshTrafficPermission +name: my-app-permissions +mesh: my-mesh +spec: + targetRef: + kind: Dataplane + labels: + app: my-app + rules: + - default: + deny: + - spiffeID: + type: Prefix + value: "spiffe://my-mesh.us-east-2.mesh.local/ns/legacy-ns" + - spiffeID: + type: Exact + value: "spiffe://my-mesh.us-east-2.mesh.local/ns/test/sa/client" + allow: + - spiffeID: + type: Prefix + value: "spiffe://my-mesh.us-east-2.mesh.local" +``` + +{% endpolicy_yaml %} + +With this policy in place, workloads labeled `app: my-app` reject connections from identities in the `legacy-ns` namespace +and from the specific `test/client` identity, while continuing to accept other identities in the `my-mesh.us-east-2.mesh.local` +[trust domain](/mesh/policies/meshtrust/). + +## Configuration + +`MeshTrafficPermission` uses three matcher lists: + +* `deny`: Clients that must always be denied +* `allow`: Clients that are explicitly allowed +* `allowWithShadowDeny`: Clients that are allowed, but also logged as if they were denied + +`allowWithShadowDeny` helps you test a new policy before you enforce a deny rule. + +Requests are evaluated in this order: + +1. If a request matches at least one `deny` matcher, the result is `DENY`. +1. Otherwise, if a request matches at least one `allow` or `allowWithShadowDeny` matcher, the result is `ALLOW`. +1. If no matcher applies, the result is `DENY`. + +See the **Examples** tab for ready-to-apply policies that deny namespace-wide traffic, +allow namespace-wide traffic, and override a mesh-wide allow rule on a specific service port. 
+Use the **Configuration reference** tab for the complete schema.
diff --git a/app/_mesh_policies/meshtrust/index.md b/app/_mesh_policies/meshtrust/index.md
index d0396aad5a..9be4a5de3a 100644
--- a/app/_mesh_policies/meshtrust/index.md
+++ b/app/_mesh_policies/meshtrust/index.md
@@ -18,8 +18,8 @@ related_resources: url: /mesh/policies/meshidentity/ - text: Mesh TLS url: /mesh/policies/meshtls/ - - text: Mesh Traffic Permission - url: /mesh/policies/meshtrafficpermission/ + - text: MeshTrafficPermission with SPIFFE ID matchers + url: /mesh/policies/meshtrafficpermission_experimental/ --- {:.warning}
From d7b94018d9877b3374a7ecd32058755cc537e499 Mon Sep 17 00:00:00 2001
From: Lucie Milan
Date: Mon, 15 Jun 2026 12:27:00 +0200
Subject: [PATCH 2/2] review
---
.../allow-observability-namespace.yaml | 2 +-
.../examples/deny-malicious-namespace.yaml | 2 +-
...ny-observability-on-backend-admin-api.yaml | 2 +-
.../index.md | 22 ++++++++-----------
4 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml b/app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml
index 9844bc9fef..2d532b26f0 100644
--- a/app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/examples/allow-observability-namespace.yaml
@@ -3,7 +3,7 @@ description: 'Use MeshTrafficPermission to allow requests from every workload in weight: 800 -namespace: kuma-demo +namespace: kong-mesh-demo config: type: MeshTrafficPermission name: allow-observability-ns
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml
index 405030a33f..05af1ba0f4 100644
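Review bot: The overview in the new `index.md` promises that a namespace `deny` is something service owners "cannot override", and the `deny-observability-on-backend-admin-api` example is titled as overriding a mesh-wide allow, yet the page never states how matcher lists from several `MeshTrafficPermission` resources combine when a mesh-wide policy and a `targetRef: kind: Dataplane` policy both select the same workload — whether `deny` entries are unioned across policies or the more specific policy replaces the lists — and a reader who assumes the wrong merge model can widen access without noticing, so the Configuration section needs one sentence such as `deny matchers are merged across every policy that selects a workload; a more specific policy can add allow entries but cannot remove a deny.` if that is indeed the implementation (to be confirmed). The `allowWithShadowDeny` bullet says matching requests are "logged as if they were denied" but not where (proxy access log, a metric, a control-plane event), which is exactly what an operator needs in order to validate a policy before flipping it to `deny`. Every rule is keyed on a SPIFFE identity, but the page does not say what happens to callers that present no identity (plaintext or non-mTLS traffic where MeshTLS permits it); if such requests fall into the "no matcher applies → `DENY`" branch say so explicitly, and if they bypass the policy that is the first thing a security reviewer must be told, so add a sentence next to the MeshIdentity warning either way.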
--- a/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-malicious-namespace.yaml
@@ -3,7 +3,7 @@ description: 'Use MeshTrafficPermission to deny requests from every workload in weight: 900 -namespace: kuma-demo +namespace: kong-mesh-demo config: type: MeshTrafficPermission name: deny-malicious-ns
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml
index 0ae0d9dbd8..93dd0ed646 100644
--- a/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/examples/deny-observability-on-backend-admin-api.yaml
@@ -3,7 +3,7 @@ description: 'Use MeshTrafficPermission to deny traffic from a namespace on a sp weight: 700 -namespace: kuma-demo +namespace: kong-mesh-demo config: type: MeshTrafficPermission name: deny-observability-ns
diff --git a/app/_mesh_policies/meshtrafficpermission_experimental/index.md b/app/_mesh_policies/meshtrafficpermission_experimental/index.md
index fa7953bc9a..92ace77488 100644
--- a/app/_mesh_policies/meshtrafficpermission_experimental/index.md
+++ b/app/_mesh_policies/meshtrafficpermission_experimental/index.md
@@ -30,20 +30,18 @@ related_resources: > This resource is experimental. > Enable [MeshIdentity](/mesh/policies/meshidentity/) before you apply `MeshTrafficPermission`. -## Overview - `MeshTrafficPermission` defines which clients can access services inside a mesh based on their SPIFFE identities. If no `MeshTrafficPermission` applies, the default behavior is to deny all requests. You can use `MeshTrafficPermission` to: -* deny requests from specific clients or namespaces so service owners cannot override that deny rule +* deny requests from specific clients or namespaces so service owners can't override that deny rule * allow groups of clients, such as all workloads in a namespace, to access services by default * shadow-deny traffic so you can validate a policy before you enforce it The following example shows a common rule set: -{% policy_yaml namespace=kuma-demo %} +{% policy_yaml namespace=kong-mesh-demo %} ```yaml type: MeshTrafficPermission 
@@ -79,18 +77,16 @@ and from the specific `test/client` identity, while continuing to accept other i `MeshTrafficPermission` uses three matcher lists: -* `deny`: Clients that must always be denied -* `allow`: Clients that are explicitly allowed -* `allowWithShadowDeny`: Clients that are allowed, but also logged as if they were denied - -`allowWithShadowDeny` helps you test a new policy before you enforce a deny rule. +* `deny`: Clients that must always be denied. +* `allow`: Clients that are explicitly allowed. +* `allowWithShadowDeny`: Clients that are allowed, but also logged as if they were denied. This lets you test a new policy before you enforce a deny rule. -Requests are evaluated in this order: +The policy evaluates requests in this order: 1. If a request matches at least one `deny` matcher, the result is `DENY`. -1. Otherwise, if a request matches at least one `allow` or `allowWithShadowDeny` matcher, the result is `ALLOW`. +1. If a request matches no `deny` matcher and at least one `allow` or `allowWithShadowDeny` matcher, the result is `ALLOW`. 1. If no matcher applies, the result is `DENY`. -See the **Examples** tab for ready-to-apply policies that deny namespace-wide traffic, +See the [Examples](./examples/) tab for ready-to-apply policies that deny namespace-wide traffic, allow namespace-wide traffic, and override a mesh-wide allow rule on a specific service port. -Use the **Configuration reference** tab for the complete schema. +See the [Configuration reference](./reference/) tab for the complete schema.