MeshTLS
This policy enables Kuma to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.
TargetRef support matrix
| targetRef | Allowed kinds |
|---|---|
| targetRef.kind | Mesh, MeshSubset |
| from[].targetRef.kind | Mesh |
To learn more about the information in this table, see the matching docs.
Configuration
The following describes the default configuration settings of the MeshTLS policy:
- tlsVersion: Defines the TLS versions to be used by both client and server. Allowed values:
  - TLSAuto
  - TLS10
  - TLS11
  - TLS12
  - TLS13
- tlsCiphers: Defines the TLS ciphers to be used by both client and server. Allowed values:
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-CHACHA20-POLY1305
  - ECDHE-RSA-AES128-GCM-SHA256
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-RSA-CHACHA20-POLY1305
- mode: Defines the mTLS mode. Permissive mode encrypts outbound connections the same way as Strict mode, but inbound connections on the server side accept both TLS and plaintext. Allowed values:
  - Strict
  - Permissive
Setting the TLS version and ciphers on both the client and server makes it harder to misconfigure. If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh, deploying two applications within it, and testing whether communication is working. If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it. In that case, please open an issue.
Examples
Set specific TLS version and ciphers
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: set-version-and-ciphers
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  from:
  - targetRef:
      kind: Mesh
    default:
      tlsVersion:
        min: TLS13
        max: TLS13
      tlsCiphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384
Enable strict mode on specific subset
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: strict-mode
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: redis
  from:
  - targetRef:
      kind: Mesh
    default:
      mode: Strict
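The allowed values and the targetRef support matrix above can be checked before a policy is applied. The following lint function is an added example, not Kuma's own code; it assumes the MeshTLS manifest has already been parsed into a dict (for instance with yaml.safe_load) and runs it over a dict form of the first example plus a constructed weak policy.

```python
# Lint a parsed Kuma MeshTLS policy against the value lists and the
# targetRef support matrix from the MeshTLS docs. Returns findings as strings.
ALLOWED_VERSIONS = ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]
VERSION_RANK = {v: i for i, v in enumerate(ALLOWED_VERSIONS[1:])}  # TLSAuto is unranked
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_MODES = {"Strict", "Permissive"}
TOP_KINDS = {"Mesh", "MeshSubset"}   # spec.targetRef.kind
FROM_KINDS = {"Mesh"}                # spec.from[].targetRef.kind


def lint_meshtls(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy is clean."""
    findings = []
    if policy.get("kind") != "MeshTLS":
        findings.append("kind must be MeshTLS")
    spec = policy.get("spec", {})
    top = spec.get("targetRef", {}).get("kind")
    if top not in TOP_KINDS:
        findings.append(f"targetRef.kind {top!r} not supported (Mesh, MeshSubset)")
    for i, rule in enumerate(spec.get("from", [])):
        where = f"from[{i}]"
        if rule.get("targetRef", {}).get("kind") not in FROM_KINDS:
            findings.append(f"{where}.targetRef.kind must be Mesh")
        conf = rule.get("default", {})
        ver = conf.get("tlsVersion", {})
        for bound in ("min", "max"):
            v = ver.get(bound)
            if v is not None and v not in ALLOWED_VERSIONS:
                findings.append(f"{where}: unknown tlsVersion.{bound} {v!r}")
            elif v in ("TLS10", "TLS11"):  # deprecated by RFC 8996; flag even though allowed
                findings.append(f"{where}: tlsVersion.{bound} {v} allows a deprecated TLS version")
        lo, hi = ver.get("min"), ver.get("max")
        if lo in VERSION_RANK and hi in VERSION_RANK and VERSION_RANK[lo] > VERSION_RANK[hi]:
            findings.append(f"{where}: tlsVersion.min {lo} is higher than max {hi}")
        for c in conf.get("tlsCiphers", []):
            if c not in ALLOWED_CIPHERS:
                findings.append(f"{where}: cipher {c!r} is not in the allowed list")
        mode = conf.get("mode")
        if mode is not None and mode not in ALLOWED_MODES:
            findings.append(f"{where}: unknown mode {mode!r}")
        elif mode == "Permissive":  # server side accepts plaintext inbound
            findings.append(f"{where}: Permissive mode accepts plaintext inbound connections")
    return findings


# Constructed sample mirroring the set-version-and-ciphers example above (expected clean).
STRICT_TLS13 = {"kind": "MeshTLS", "spec": {"targetRef": {"kind": "Mesh"}, "from": [
    {"targetRef": {"kind": "Mesh"}, "default": {"tlsVersion": {"min": "TLS13", "max": "TLS13"},
                                                "tlsCiphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"]}}]}}
# Constructed weak sample: TLS 1.0 floor, unlisted cipher, Permissive mode, unsupported from[] kind.
WEAK = {"kind": "MeshTLS", "spec": {"targetRef": {"kind": "MeshSubset", "tags": {"app": "redis"}}, "from": [
    {"targetRef": {"kind": "MeshSubset"}, "default": {"tlsVersion": {"min": "TLS10", "max": "TLS12"},
                                                      "tlsCiphers": ["AES128-SHA"], "mode": "Permissive"}}]}}
```

`lint_meshtls(STRICT_TLS13)` returns an empty list, while `lint_meshtls(WEAK)` reports four findings, one per problem listed in the comment.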