MeshTLS
This policy enables Kuma to configure TLS mode, ciphers and version. Backends and default mode values are taken from the Mesh object.
TargetRef support matrix
| targetRef | Allowed kinds |
|---|---|
| targetRef.kind | Mesh, Dataplane |
To learn more about the information in this table, see the matching docs.
Configuration
The following describes the default configuration settings of the MeshTLS policy:
- `tlsVersion`: Defines the TLS versions to be used by both client and server. Allowed values: `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
- `tlsCiphers`: Defines the TLS ciphers to be used by both client and server. Allowed values: `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-RSA-CHACHA20-POLY1305`.
- `mode`: Defines the mTLS mode. `Permissive` mode encrypts outbound connections the same way as `Strict` mode, but inbound connections on the server side accept both TLS and plaintext. Allowed values: `Strict`, `Permissive`.
Setting the TLS version and ciphers on both the client and server makes it harder to misconfigure. If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh, deploying two applications within it, and testing whether communication is working. If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it. In that case, please open an issue.
Examples
Set specific TLS version and ciphers
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: set-version-and-ciphers
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Mesh
  rules:
  - default:
      tlsVersion:
        min: TLS13
        max: TLS13
      tlsCiphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384
```
Enable strict mode on specific subset
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: strict-mode
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: Dataplane
    labels:
      app: redis
  rules:
  - default:
      mode: Strict
```
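Because a typo in a version, cipher or mode name, or a `min` newer than `max`, is only caught once the policy is applied, a pre-apply lint against the allowed values listed under Configuration is a cheap safeguard. The following is an added example, not Kuma's own code: it checks a policy's `spec.rules[].default` block and also flags `Permissive` mode (plaintext inbound accepted) and deprecated protocol versions; the sample policies are constructed as Python dicts mirroring the first example above, so no YAML parser is needed.

```python
# Added example (not Kuma's own code): lint a MeshTLS policy against the
# allowed values listed on this page before applying it. Policies are
# constructed as Python dicts mirroring the YAML above, so no YAML parser is needed.

ALLOWED_VERSIONS = ["TLSAuto", "TLS10", "TLS11", "TLS12", "TLS13"]  # ordered oldest..newest
DEPRECATED_VERSIONS = {"TLS10", "TLS11"}  # deprecated by RFC 8996
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_MODES = {"Strict", "Permissive"}


def lint_meshtls(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if policy.get("kind") != "MeshTLS":
        return [f"kind is {policy.get('kind')!r}, expected 'MeshTLS'"]
    for i, rule in enumerate(policy.get("spec", {}).get("rules", [])):
        conf = rule.get("default", {})
        where = f"spec.rules[{i}].default"
        ver = conf.get("tlsVersion", {})
        for bound in ("min", "max"):
            v = ver.get(bound)
            if v is not None and v not in ALLOWED_VERSIONS:
                findings.append(f"{where}.tlsVersion.{bound}: unknown value {v!r}")
            elif v in DEPRECATED_VERSIONS:
                findings.append(f"{where}.tlsVersion.{bound}: {v} is a deprecated protocol version")
        lo, hi = ver.get("min"), ver.get("max")
        # A min newer than max can never be satisfied; TLSAuto is not an ordered bound.
        if lo in ALLOWED_VERSIONS and hi in ALLOWED_VERSIONS and "TLSAuto" not in (lo, hi):
            if ALLOWED_VERSIONS.index(lo) > ALLOWED_VERSIONS.index(hi):
                findings.append(f"{where}.tlsVersion: min {lo} is newer than max {hi}")
        for c in conf.get("tlsCiphers", []):
            if c not in ALLOWED_CIPHERS:
                findings.append(f"{where}.tlsCiphers: unsupported cipher {c!r}")
        mode = conf.get("mode")
        if mode is not None and mode not in ALLOWED_MODES:
            findings.append(f"{where}.mode: unknown value {mode!r}")
        elif mode == "Permissive":
            findings.append(f"{where}.mode: Permissive accepts plaintext inbound connections")
    return findings


# Constructed samples: the page's first example, and a deliberately weak variant.
GOOD = {"kind": "MeshTLS", "spec": {"targetRef": {"kind": "Mesh"}, "rules": [{"default": {
    "tlsVersion": {"min": "TLS13", "max": "TLS13"},
    "tlsCiphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"]}}]}}
WEAK = {"kind": "MeshTLS", "spec": {"targetRef": {"kind": "Mesh"}, "rules": [{"default": {
    "tlsVersion": {"min": "TLS13", "max": "TLS11"},
    "tlsCiphers": ["AES128-SHA"], "mode": "Permissive"}}]}}
```

Running `lint_meshtls(GOOD)` returns an empty list, while `lint_meshtls(WEAK)` reports the deprecated `max`, the inverted version range, the unsupported cipher and the `Permissive` mode.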