diff --git a/app/_src/.repos/kuma b/app/_src/.repos/kuma index 596c8abfacb8..81a38864e54c 160000 --- a/app/_src/.repos/kuma +++ b/app/_src/.repos/kuma @@ -1 +1 @@ -Subproject commit 596c8abfacb8ad222a0d393d6bcd6d9656812a3c +Subproject commit 81a38864e54cd65e682ccba076eccd0191961a0b diff --git a/app/_src/mesh/features/acmpca.md b/app/_src/mesh/features/acmpca.md index 834f6b1777e0..376dca0cafd7 100644 --- a/app/_src/mesh/features/acmpca.md +++ b/app/_src/mesh/features/acmpca.md @@ -20,10 +20,8 @@ using a CA root certificate and key stored in a HashiCorp Vault server. * `acmpca`: {{site.mesh_product_name}} generates data plane certificates using Amazon Certificate Manager Private CA. -{% if_version gte:1.8.x -%} * [`certmanager`](/mesh/{{page.release}}/features/cert-manager/): {{site.mesh_product_name}} generates data plane certificates using Kubernetes [cert-manager](https://cert-manager.io) certificate controller. -{% endif_version %} ## ACM Private CA mode @@ -147,19 +145,5 @@ You must also make sure the global control plane can communicate with ACM Privat {% endif_version %} -{% if_version gte:2.0.x %} -[mtls-policy]: /mesh/{{page.release}}/policies/mutual-tls/ -{% if_version lte:2.1.x %} -[secrets]: /mesh/{{page.release}}/security/secrets/ -{% endif_version %} -{% if_version gte:2.2.x %} [secrets]: /mesh/{{page.release}}//production/secure-deployment/secrets/ -{% endif_version %} [http-api]: /mesh/{{page.release}}/reference/http-api/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[mtls-policy]: https://kuma.io/docs/1.8.x/policies/mutual-tls/ -[secrets]: https://kuma.io/docs/1.8.x/security/secrets/ -[http-api]: https://kuma.io/docs/1.8.x/reference/http-api -{% endif_version %} diff --git a/app/_src/mesh/features/cert-manager.md b/app/_src/mesh/features/cert-manager.md index e9bc1d639b7c..3980c4baf342 100644 --- a/app/_src/mesh/features/cert-manager.md +++ b/app/_src/mesh/features/cert-manager.md @@ -122,10 +122,4 @@ In a multi-zone environment, validation is performed on the global control plane {% endif_version %} -{% if_version gte:2.0.x %} [mtls-policy]: /mesh/{{page.release}}/policies/mutual-tls/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[mtls-policy]: https://kuma.io/docs/1.8.x/policies/mutual-tls/ -{% endif_version %} diff --git a/app/_src/mesh/features/kds-auth.md b/app/_src/mesh/features/kds-auth.md index 207518de8dd2..257388bea7d4 100644 --- a/app/_src/mesh/features/kds-auth.md +++ b/app/_src/mesh/features/kds-auth.md @@ -158,25 +158,7 @@ By default, a connection from the zone control plane to the global control plane You can still authenticate a control plane using the separate [Control Plane Token](/mesh/{{page.release}}/features/kds-auth/), but it is deprecated and will be removed in the future. - -{% if_version gte:2.0.x %} -{% if_version lte:2.1.x %} -[zone-proxy]: /mesh/{{page.release}}/security/zoneproxy-auth/ -[auth]: /mesh/{{page.release}}/security/certificates/#user-to-control-plane-communication -[certs]: /mesh/{{page.release}}/security/certificates/#control-plane-to-control-plane-multizone -{% endif_version %} -{% if_version gte:2.2.x %} [zone-proxy]: /mesh/{{page.release}}/production/cp-deployment/zoneproxy-auth [auth]: /mesh/{{page.release}}/production/secure-deployment/certificates/#data-plane-proxy-to-control-plane-communication [certs]: /mesh/{{page.release}}/production/secure-deployment/certificates/#control-plane-to-control-plane-multizone -{% endif_version %} -{% endif_version %} - -{% if_version lte:1.9.x %} -[zone-proxy]: https://kuma.io/docs/1.8.x/security/zone-ingress-auth/ -[auth]: https://kuma.io/docs/1.8.x/security/certificates/#user-to-control-plane-communication -[certs]: https://kuma.io/docs/1.8.x/security/certificates/#control-plane-to-control-plane-multizone -{% endif_version %} - - diff --git a/app/_src/mesh/features/meshopa.md b/app/_src/mesh/features/meshopa.md index bb963a099752..cbf6de610113 100644 --- a/app/_src/mesh/features/meshopa.md +++ b/app/_src/mesh/features/meshopa.md @@ -59,164 +59,6 @@ To apply a policy with MeshOPA, you must do the following: - Provide a policy with the `appendPolicies` property. Policies are defined in the [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/). - Optionally provide custom configuration for the policy agent. -{% if_version lte:2.1.x %} - {:.note} - > **Note:** You cannot currently apply multiple OPA policies. This limitation will be addressed in the future. -{% endif_version %} - -You must also specify the HTTP protocol in your mesh configuration: - -{% navtabs %} -{% navtab Kubernetes %} - -Add the HTTP protocol annotation to the Kubernetes Service configuration, with `appProtocol` field. - -Example: - -```yaml -apiVersion: v1 -kind: Service -metadata: - name: web - namespace: kong-mesh-example -spec: - selector: - app: web - ports: - - port: 8080 - appProtocol: http -``` - -{% endnavtab %} -{% navtab Universal %} - -Add the HTTP protocol tag to the `Dataplane` configuration. - -Example: - -```yaml -type: Dataplane -mesh: default -name: web -networking: - address: 192.168.0.1 - inbound: - - port: 80 - servicePort: 8080 - tags: - kuma.io/service: web - kuma.io/protocol: http # required for OPA support -``` - -{% endnavtab %} -{% endnavtabs %} - -For more information, see [the {{site.mesh_product_name}} documentation about protocol support][protocols]. - -{% if_version lte:2.1.x %} -### Inline - -{% navtabs %} -{% navtab Kubernetes %} - -```yaml -apiVersion: kuma.io/v1alpha1 -kind: MeshOPA -metadata: - name: mopa-1 - namespace: kong-mesh-system - labels: - kuma.io/mesh: default # optional, defaults to `default` if unset -spec: - targetRef: - kind: Mesh - default: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - appendPolicies: - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% navtab Universal %} - -```yaml -type: MeshOPA -mesh: default -name: mopa-1 -spec: - targetRef: - kind: Mesh - default: - agentConfig: # optional - inlineString: | # one of: inlineString, secret - decision_logs: - console: true - appendPolicies: # optional - - inlineString: | # one of: inlineString, secret - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {"valid": valid, "payload": payload} { - [_, encoded] := split(http_request.headers.authorization, " ") - [valid, _, payload] := io.jwt.decode_verify(encoded, {"secret": "secret"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == "GET" - token.payload.role == "admin" - } -``` - -{% endnavtab %} -{% endnavtabs %} -{% endif_version %} - -{% if_version gte:2.2.x %} ### Inline {% navtabs %} @@ -321,7 +163,6 @@ spec: {% endnavtab %} {% endnavtabs %} -{% endif_version %} ### With secrets @@ -347,24 +188,6 @@ Encoding the policy in a [Secret][secrets] provides some security for policies t 1. Pass the Secret to `MeshOPA`: -{% if_version lte:2.1.x %} - ```yaml - apiVersion: kuma.io/v1alpha1 - kind: MeshOPA - metadata: - name: mopa-1 - namespace: kong-mesh-system - labels: - kuma.io/mesh: default - spec: - targetRef: - kind: Mesh - default: - appendPolicies: - - secret: mopa-policy - ``` -{% endif_version %} -{% if_version gte:2.2.x %} ```yaml apiVersion: kuma.io/v1alpha1 kind: MeshOPA @@ -381,7 +204,6 @@ Encoding the policy in a [Secret][secrets] provides some security for policies t - rego: secret: mopa-policy ``` -{% endif_version %} {% endnavtab %} {% navtab Universal %} @@ -397,20 +219,6 @@ Encoding the policy in a [Secret][secrets] provides some security for policies t 1. Pass the Secret to `MeshOPA`: -{% if_version lte:2.1.x %} - ```yaml - type: MeshOPA - mesh: default - name: mopa-1 - spec: - targetRef: - kind: Mesh - default: - appendPolicies: - - secret: mopa-policy - ``` -{% endif_version %} -{% if_version gte:2.2.x %} ```yaml type: MeshOPA mesh: default @@ -423,7 +231,6 @@ Encoding the policy in a [Secret][secrets] provides some security for policies t - rego: secret: mopa-policy ``` -{% endif_version %} {% endnavtab %} {% endnavtabs %} @@ -434,20 +241,6 @@ Encoding the policy in a [Secret][secrets] provides some security for policies t The following environment variables are available: -{% if_version lte:2.1.x %} - -| Variable | Type | What it configures | Default value {:width=25%:} | -| -------------------------- | --------- | --------------------------------------| ------------------- | -| KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` | -| KMESH_OPA_CONFIG_PATH | string | Path to file of initial config | N/A | -| KMESH_OPA_DIAGNOSTIC_ADDR | string | Address of OPA diagnostics server | `0.0.0.0:8282` | -| KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true | -| KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` | -| KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | `[plugins.envoy_ext_authz_grpc. query=data.envoy.authz.allow]` | - -{% endif_version %} -{% if_version gte:2.2.x %} - | Variable | Type | What it configures | Default value {:width=25%:} | | -------------------------- | --------- | --------------------------------------| ------------------- | | KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` | @@ -456,8 +249,6 @@ The following environment variables are available: | KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true | | KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` | | KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | nil | -{% endif_version %} - {% navtabs %} {% navtab kumactl %} @@ -654,7 +445,6 @@ spec: {% endnavtab %} {% endnavtabs %} -{% if_version gte:2.2.x %} ## Composing policies In your organization, the mesh operator may want to set a policy for subset of proxies in the mesh. @@ -752,7 +542,6 @@ It also configures the OPA agent decision path (`plugins.envoy_ext_authz_grpc.pa You can also add a rego policy which is not part of the decision. Set a `appendPolicies[*].ignoreDecision` to true so the rego policy won't be added to autogenerated decision policy. This way, the mesh operator can expose utility functions to service owner. -{% endif_version %} ## Example @@ -807,53 +596,6 @@ The following example shows how to deploy and test a sample MeshOPA policy on Ku 1. Apply a MeshOPA policy that requires a valid JWT token: -{% if_version lte:2.1.x %} - ```sh - echo " - apiVersion: kuma.io/v1alpha1 - kind: MeshOPA - metadata: - namespace: kong-mesh-system - name: mopa-1 - labels: - kuma.io/mesh: default - spec: - targetRef: - kind: Mesh - default: - appendPolicies: - - inlineString: | - package envoy.authz - - import input.attributes.request.http as http_request - - default allow = false - - token = {\"valid\": valid, \"payload\": payload} { - [_, encoded] := split(http_request.headers.authorization, \" \") - [valid, _, payload] := io.jwt.decode_verify(encoded, {\"secret\": \"secret\"}) - } - - allow { - is_token_valid - action_allowed - } - - is_token_valid { - token.valid - now := time.now_ns() / 1000000000 - token.payload.nbf <= now - now < token.payload.exp - } - - action_allowed { - http_request.method == \"GET\" - token.payload.role == \"admin\" - } - " | kubectl apply -f - - ``` -{% endif_version %} -{% if_version gte:2.2.x %} ```sh echo " apiVersion: kuma.io/v1alpha1 @@ -899,7 +641,6 @@ The following example shows how to deploy and test a sample MeshOPA policy on Ku } " | kubectl apply -f - ``` -{% endif_version %} 1. Make an invalid request from the frontend to the backend: @@ -983,20 +724,8 @@ The following example shows how to deploy and test a sample MeshOPA policy on Ku The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired. -{% if_version gte:2.0.x %} [protocols]: /mesh/{{page.release}}/policies/protocol-support-in-kong-mesh/ -{% if_version lte:2.1.x %} -[secrets]: /mesh/{{page.release}}/security/secrets/ -{% endif_version %} -{% if_version gte:2.2.x %} [secrets]: /mesh/{{page.release}}/production/secure-deployment/secrets/ -{% endif_version %} -{% endif_version %} - -{% if_version lte:1.9.x %} -[protocols]: https://kuma.io/docs/1.8.x/policies/protocol-support-in-kuma/ -[secrets]: https://kuma.io/docs/1.8.x/security/secrets/ -{% endif_version %} ## All policy options diff --git a/app/_src/mesh/features/opa.md b/app/_src/mesh/features/opa.md index c8e2e311bde8..b67ee6bf15d4 100644 --- a/app/_src/mesh/features/opa.md +++ b/app/_src/mesh/features/opa.md @@ -645,17 +645,5 @@ The following example shows how to deploy and test a sample OPA Policy on Kubern The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired. -{% if_version gte:2.0.x %} [protocols]: /mesh/{{page.release}}/policies/protocol-support-in-kong-mesh/ -{% if_version lte:2.1.x %} -[secrets]: /mesh/{{page.release}}/security/secrets/ -{% endif_version %} -{% if_version gte:2.2.x %} [secrets]: /mesh/{{page.release}}/production/secure-deployment/secrets/ -{% endif_version %} -{% endif_version %} - -{% if_version lte:1.9.x %} -[protocols]: https://kuma.io/docs/1.8.x/policies/protocol-support-in-kuma/ -[secrets]: https://kuma.io/docs/1.8.x/security/secrets/ -{% endif_version %} diff --git a/app/_src/mesh/features/rbac.md b/app/_src/mesh/features/rbac.md index 9de2c08662a2..7f78a529070a 100644 --- a/app/_src/mesh/features/rbac.md +++ b/app/_src/mesh/features/rbac.md @@ -23,29 +23,6 @@ For policies using the `targetRef` selector. You can specify which `targetRef` k {% navtabs %} {% navtab Kubernetes %} -{% if_version lte:2.0.x %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: role-1 -spec: - rules: - - types: ["MeshTrafficPermission", "MeshTrace", "MeshAccessLog"] # List of Kuma resource kinds that are granted access. If it's empty, access is granted to all kinds. - names: ["res-1"] # List of allowed type names that are granted access. If it's empty, access is granted to resources regardless of the name. - mesh: default # Grants access to the resources in the named mesh. It can only be used with the mesh-scoped resources. - access: ["CREATE", "UPDATE", "DELETE"] # The action bound to a type. - when: # A set of qualifiers to receive access. Only one of them needs to be fulfilled to receive access. - - targetRef: # A condition on the targetRef section in policies 2.0 (like MeshAccessLog or MeshTrace). - kind: MeshService - name: backend - - targetRef: - kind: MeshSubset - tags: - k8s.kuma.io/namespace: kuma-demo -``` -{% endif_version %} -{% if_version gte:2.1.x %} ```yaml apiVersion: kuma.io/v1alpha1 kind: AccessRole @@ -79,29 +56,8 @@ spec: targetRef: kind: Mesh ``` -{% endif_version %} {% endnavtab %} {% navtab Universal %} -{% if_version lte:2.0.x %} -```yaml -type: AccessRole -name: role-1 -rules: -- types: ["MeshTrafficPermission", "MeshTrace", "MeshAccessLog"] # List of Kuma resource types that are granted access. If it's empty, access is granted to all types. - names: ["res-1"] # List of allowed type names that are granted access. If it's empty, access is granted to resources regardless of the name. - mesh: default # Grants access to the resources in the named mesh. It can only be used with the mesh-scoped resources. - access: ["CREATE", "UPDATE", "DELETE"] # The action bound to a type. - when: # A set of qualifiers to receive access. Only one of them needs to be fulfilled to receive access. - - targetRef: # A condition on the targetRef section in policies 2.0 (like MeshAccessLog or MeshTrace). - kind: MeshService - name: backend - - targetRef: - kind: MeshSubset - tags: - k8s.kuma.io/namespace: kuma-demo -``` -{% endif_version %} -{% if_version gte:2.1.x %} ```yaml type: AccessRole name: role-1 @@ -132,15 +88,12 @@ rules: targetRef: kind: Mesh ``` -{% endif_version %} {% endnavtab %} {% endnavtabs %} -{% if_version gte:2.1.x %} The lack of `targetRef`, `from`, or `to` means that a user can specify anything in this section. For example, the `when` element with a specific `from` section allows the user to pick anything for `targetRef` in the policy. If the policy contains multiple `to` elements, you must specify an RBAC qualifier for every single `to` element. -{% endif_version %} {% endnavtab %} {% navtab Source and Destination selectors %} {% navtabs %} @@ -279,42 +232,8 @@ Service owner is a part of team responsible for given service. Let's take a `bac {% navtabs %} {% navtab Kubernetes %} -{% if_version lte:2.0.x %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: backend-owner -spec: - rules: - - mesh: default - types: ["TrafficPermission", "RateLimit"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - destinations: - match: - kuma.io/service: backend - - mesh: default - types: ["TrafficRoute", "HealthCheck", "CircuitBreaker", "FaultInjection", "Retry", "Timeout", "TrafficLog"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - sources: - match: - kuma.io/service: backend - - destinations: - match: - kuma.io/service: backend - - mesh: default - types: ["TrafficTrace", "ProxyTemplate"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - selectors: - match: - kuma.io/service: backend -``` -{% endif_version %} [//]: # (MeshTCPRoute was added in `2.3.0`) -{% if_version gte:2.1.x lte:2.2.x %} +{% if_version eq:2.2.x %} ```yaml apiVersion: kuma.io/v1alpha1 kind: AccessRole @@ -398,39 +317,8 @@ spec: {% endif_version %} {% endnavtab %} {% navtab Universal %} -{% if_version lte:2.0.x %} -```yaml -type: AccessRole -name: backend-owner -rules: -- mesh: default - types: ["TrafficPermission", "RateLimit"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - destinations: - match: - kuma.io/service: backend -- mesh: default - types: ["TrafficRoute", "HealthCheck", "CircuitBreaker", "FaultInjection", "Retry", "Timeout", "TrafficLog"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - sources: - match: - kuma.io/service: backend - - destinations: - match: - kuma.io/service: backend -- mesh: default - types: ["TrafficTrace", "ProxyTemplate"] - access: ["CREATE", "DELETE", "UPDATE"] - when: - - selectors: - match: - kuma.io/service: backend -``` -{% endif_version %} [//]: # (MeshTCPRoute was added in `2.3.0`) -{% if_version gte:2.1.x lte:2.2.x %} +{% if_version eq:2.2.x %} ```yaml type: AccessRole name: backend-owner @@ -509,18 +397,6 @@ rules: {% endnavtab %} {% endnavtabs %} -{% if_version lte:2.0.x %} -This way a service owners can: -* Modify `RateLimit` and `TrafficPermission` that allows/restrict access to the backend service. - This changes the configuration of data plane proxy that implements `backend` service. -* Modify connection policies (`TrafficRoute`, `HealthCheck`, `CircuitBreaker`, `FaultInjection`, `Retry`, `Timeout`, `RateLimit`, `TrafficLog`) - that matches backend service that connects to other services. This changes the configuration of data plane proxy that implements `backend` service. -* Modify connection policies that matches any service that consumes backend service. - This changes the configuration of data plane proxies that are connecting to backend, but the configuration only affects connections to backend service. - It's useful because the service owner of backend has the best knowledge what (`Timeout`, `HealthCheck`) should be applied when communicating with their service. -* Modify `TrafficTrace` or `ProxyTemplate` that matches backend service. This changes the configuration of data plane proxy that implements `backend` service. -{% endif_version %} -{% if_version gte:2.1.x %} * Modify `MeshRateLimit` and `MeshTrafficPermission` that allows/restricts access to the backend service. This changes the configuration of the data plane proxy that implements the `backend` service. * Modify connection policies (`MeshHTTPRoute`, {% if_version gte:2.3.x inline:true %}`MeshTCPRoute`, {% endif_version %}`MeshHealthCheck`, `MeshCircuitBreaker`, `MeshFaultInjection`, `MeshRetry`, `MeshTimeout`, `MeshRateLimit`, `MeshAccessLog`) @@ -529,7 +405,6 @@ This way a service owners can: This changes the configuration of data plane proxies that are connecting to the backend, but the configuration only affects connections to the backend service. It's useful because the service owner of the backend knows what (`MeshTimeout`, `MeshHealthCheck`) should be applied when communicating with their service. * Modify the `MeshTrace` or `MeshProxyPatch` that matches the backend service. This changes the configuration of the data plane proxy that implements the `backend` service. -{% endif_version %} {:.note} > **Note**: When giving users `UPDATE` permission, remember to add `UPDATE` permission to all selectors they can switch between. For example, if a user only has access to `sources` selector, they won't be able to update policy with `destinations` selector or new `targetRef` selectors. Likewise, when a user only has access to the `targetRef` kind `MeshService`, they won't be able to update the policy to use a different `targetRef` kind. @@ -537,26 +412,10 @@ This way a service owners can: ### Observability operator We may also have an infrastructure team which is responsible for the logging/metrics/tracing systems in the organization. -Currently, those features are configured on `Mesh`, {% if_version lte:2.0.x inline:true %}`TrafficLog`, and `TrafficTrace`{% endif_version %}{% if_version gte:2.1.x inline:true %}`MeshAccessLog`, and `MeshTrace`{% endif_version %} objects. +Currently, those features are configured on `Mesh`, `MeshAccessLog`, and `MeshTrace` objects. {% navtabs %} {% navtab Kubernetes %} -{% if_version lte:2.0.x %} -```yaml -apiVersion: kuma.io/v1alpha1 -kind: AccessRole -metadata: - name: observability-operator -spec: - rules: - - mesh: '*' - types: ["TrafficLog", "TrafficTrace"] - access: ["CREATE", "DELETE", "UPDATE"] - - types: ["Mesh"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endif_version %} -{% if_version gte:2.1.x %} ```yaml apiVersion: kuma.io/v1alpha1 kind: AccessRole @@ -570,22 +429,8 @@ spec: - types: ["Mesh"] access: ["CREATE", "DELETE", "UPDATE"] ``` -{% endif_version %} {% endnavtab %} {% navtab Universal %} -{% if_version lte:2.0.x %} -```yaml -type: AccessRole -name: observability-operator -rules: -- mesh: '*' - types: ["TrafficLog", "TrafficTrace"] - access: ["CREATE", "DELETE", "UPDATE"] -- types: ["Mesh"] - access: ["CREATE", "DELETE", "UPDATE"] -``` -{% endif_version %} -{% if_version gte:2.1.x %} ```yaml type: AccessRole name: observability-operator @@ -596,12 +441,11 @@ rules: - types: ["Mesh"] access: ["CREATE", "DELETE", "UPDATE"] ``` -{% endif_version %} {% endnavtab %} {% endnavtabs %} This way an observability operator can: -* Modify {% if_version lte:2.0.x inline:true %}`TrafficLog` and `TrafficTrace`{% endif_version %}{% if_version gte:2.1.x inline:true %}`MeshAccessLog` and `MeshTrace`{% endif_version %} in any mesh +* Modify `MeshAccessLog` and `MeshTrace` in any mesh * Modify any `Mesh` ### Single Mesh operator @@ -650,12 +494,7 @@ Kubernetes provides their own RBAC system, but it's not sufficient to cover use * You cannot restrict access based on the content of the policy {{site.mesh_product_name}} RBAC works on top of Kubernetes RBAC. -{% if_version lte:2.0.x %} -For example, to restrict the access for a user to modify `TrafficPermission` for backend service, they need to be able to create `TrafficPermission` in the first place. -{% endif_version %} -{% if_version gte:2.1.x %} For example, to restrict the access for a user to modify `MeshTrafficPermission` for backend service, they need to be able to create `MeshTrafficPermission` in the first place. -{% endif_version %} The `subjects` in `AccessRoleBinding` are compatible with Kubernetes users and groups. {{site.mesh_product_name}} RBAC on Kubernetes is implemented using Kubernetes Webhook when applying resources. This means you can only use Kubernetes users and groups for `CREATE`, `DELETE` and `UPDATE` access. @@ -1398,7 +1237,6 @@ conf: {% endnavtab %} {% endnavtabs %} -{% if_version gte:2.0.x %} ## What should I do if I've locked myself out? If you remove the default `AccessRoleBinding` and `AccessRole`, you might find yourself locked out and unable to edit any resources. If you encounter this situation, you can regain access to the cluster by following these steps: @@ -1406,4 +1244,3 @@ If you remove the default `AccessRoleBinding` and `AccessRole`, you might find y 1. [Configure the control-plane](/mesh/{{page.release}}/documentation/configuration/#modifying-the-configuration) by setting the: `KUMA_ACCESS_TYPE` environment variable to `static`, and then restart the control-plane. 2. Create the default `AccessRoleBinding` and `AccessRole` (as described in the [default section](/mesh/{{page.release}}/features/rbac/#default)), or add new groups if necessary. 3. Remove the `KUMA_ACCESS_TYPE` environment variable for the control-plane and restart the control-plane. -{% endif_version %} diff --git a/app/_src/mesh/features/vault.md b/app/_src/mesh/features/vault.md index c3781926d3e3..2de79a2a8770 100644 --- a/app/_src/mesh/features/vault.md +++ b/app/_src/mesh/features/vault.md @@ -20,10 +20,8 @@ using a CA root certificate and key stored in a HashiCorp Vault server. * [`acmpca`](/mesh/{{page.release}}/features/acmpca/): {{site.mesh_product_name}} generates data plane certificates using Amazon Certificate Manager Private CA. -{% if_version gte:1.8.x -%} * [`certmanager`](/mesh/{{page.release}}/features/cert-manager/): {{site.mesh_product_name}} generates data plane certificates using Kubernetes [cert-manager](https://cert-manager.io) certificate controller. -{% endif_version %} ## Vault mode @@ -319,19 +317,6 @@ You must also make sure the global control plane communicates with Vault. When a {% endif_version %} -{% if_version gte:2.0.x %} [mtls-policy]: /mesh/{{page.release}}/policies/mutual-tls/ -{% if_version lte:2.1.x %} -[secrets]: /mesh/{{page.release}}/security/secrets/ -{% endif_version %} -{% if_version gte:2.2.x %} [secrets]: /mesh/{{page.release}}/production/secure-deployment/secrets/ -{% endif_version %} [http-api]: /mesh/{{page.release}}/reference/http-api/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[mtls-policy]: https://kuma.io/docs/1.8.x/policies/mutual-tls/ -[secrets]: https://kuma.io/docs/1.8.x/security/secrets/ -[http-api]: https://kuma.io/docs/1.8.x/reference/http-api -{% endif_version %} diff --git a/app/_src/mesh/features/windows.md b/app/_src/mesh/features/windows.md index 37b27d7fde77..fe83a1c4d6f4 100644 --- a/app/_src/mesh/features/windows.md +++ b/app/_src/mesh/features/windows.md @@ -2,11 +2,17 @@ title: Kong Mesh with Windows --- -{% if_version gte:1.7.x lt:2.11.x %} +{% if_version gte:2.11.x %} +{:.important} +> As of 2.11.0 Windows is no longer supported in {{site.mesh_product_name}}. + +{% endif_version %} +{% if_version lt:2.11.x %} {% if_version gte:2.9.x %} {:.important} > **Deprecation notice:** Windows support in {{site.mesh_product_name}} has been deprecated as of v2.9.0 and will be removed in v2.11.0. + {% endif_version %} To install and run {{site.mesh_product_name}} on Windows: @@ -39,8 +45,7 @@ Invoke-Expression ([System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -Ur {% endnavtab %} {% navtab Manually %} -You can also [download]{%if_version gte:2.2.x %}({{site.links.download}}/kong-mesh-binaries-release/kong-mesh-{{page.version}}-windows-amd64.tar.gz){%endif_version%}{%if_version lte:2.1.x%}(https://download.konghq.com/mesh-alpine/kong-mesh-{{page.version}}-windows-amd64.tar.gz){%endif_version%} -the distribution manually. +You can also [download]({{site.links.download}}/kong-mesh-binaries-release/kong-mesh-{{page.version}}-windows-amd64.tar.gz) the distribution manually. Then extract the archive with: @@ -85,20 +90,7 @@ but you can use a persistent storage like PostgreSQL by updating the `conf/kuma- -{% if_version gte:2.0.x %} -{% if_version lte:2.1.x %} -[deployments]: /mesh/{{page.release}}/introduction/deployments/ -[backends]: /mesh/{{page.release}}/documentation/configuration/ -{% endif_version %} -{% if_version gte:2.2.x %} [deployments]: /mesh/{{page.release}}/production/deployment/ [backends]: /mesh/{{page.release}}/documentation/configuration/ -{% endif_version %} -{% endif_version %} - -{% if_version lte:1.9.x %} -[deployments]: https://kuma.io/docs/1.8.x/introduction/deployments/ -[backends]: https://kuma.io/docs/1.8.x/documentation/configuration/ -{% endif_version %} {% endif_version %} diff --git a/app/_src/mesh/gettingstarted.md b/app/_src/mesh/gettingstarted.md index f0b983036f9d..7ed68f984df1 100644 --- a/app/_src/mesh/gettingstarted.md +++ b/app/_src/mesh/gettingstarted.md @@ -7,16 +7,8 @@ title: Getting Started with Kong Mesh drop-in binary replacements for both the control plane and data plane executables. -{% if_version gte:2.0.x %} You can download the {{site.mesh_product_name}} binaries from the [official installation page](/mesh/{{page.release}}/install). -{% endif_version %} - -{% if_version lte:1.9.x %} -You can download the {{site.mesh_product_name}} binaries from the -[official installation page](/mesh/{{page.release}}/install), then follow -[Kuma's official documentation](https://kuma.io/docs) to start using the product. -{% endif_version %} {:.note} > Kuma, a donated CNCF project, was originally created by Kong, which is @@ -32,12 +24,6 @@ Download and install {{site.mesh_product_name}} from the After you install, follow the getting started guides to get {{site.mesh_product_name}} up and running. -{% if_version lte:1.9.x %} -The Kuma quickstart documentation -is fully compatible with {{site.mesh_product_name}}, except that you are -running {{site.mesh_product_name}} containers instead of Kuma containers: -{% endif_version %} - * [Getting started with Kubernetes][get-started-k8s] {% if_version lte:2.5.x -%} * [Getting started with Universal][get-started-universal] @@ -48,9 +34,7 @@ running {{site.mesh_product_name}} containers instead of Kuma containers: Learn about enterprise features: * [Support for HashiCorp Vault CA](/mesh/{{page.release}}/features/vault/) * [Support for Amazon Certificate Manager Private CA](/mesh/{{page.release}}/features/acmpca/) - {% if_version gte:1.8.x -%} * [Support for Kubernetes cert-manager CA](/mesh/{{page.release}}/features/cert-manager/) - {% endif_version -%} * [Support for Open Policy Agent](/mesh/{{page.release}}/features/opa/) * [Multi-zone authentication](/mesh/{{page.release}}/features/kds-auth/) * [Support for FIPS](/mesh/{{page.release}}/features/fips-support/) @@ -69,12 +53,7 @@ ticket with any questions or feedback you may have. [get-started-k8s]: /mesh/{{page.release}}/quickstart/kubernetes-demo/ {% endif_version %} -{% if_version lte:2.5.x gte:2.0.x %} +{% if_version lte:2.5.x %} [get-started-k8s]: /mesh/{{page.release}}/quickstart/kubernetes/ [get-started-universal]: /mesh/{{page.release}}/quickstart/universal/ {% endif_version %} - -{% if_version lte:1.9.x %} -[get-started-k8s]: https://kuma.io/docs/1.8.x/quickstart/kubernetes/ -[get-started-universal]: https://kuma.io/docs/1.8.x/quickstart/universal/ -{% endif_version %} diff --git a/app/_src/mesh/index.md b/app/_src/mesh/index.md index 9265b11d2190..4c193caf3bc3 100644 --- a/app/_src/mesh/index.md +++ b/app/_src/mesh/index.md @@ -159,15 +159,4 @@ You can contribute to the development of {{site.mesh_product_name}} by contribut For more information, see the [contribution guide](https://kuma.io/community). -{% if_version gte:2.0.x %} -{% if_version lte:2.1.x %} -[deployments]: /mesh/{{page.release}}/introduction/deployments/ -{% endif_version %} -{% if_version gte:2.2.x %} [deployments]: /mesh/{{page.release}}/production/deployment/ -{% endif_version %} -{% endif_version %} - -{% if_version lte:1.9.x %} -[deployments]: https://kuma.io/docs/1.8.x/introduction/deployments/ -{% endif_version %} diff --git a/app/_src/mesh/installation/docker.md b/app/_src/mesh/installation/docker.md index eab67d1691e9..85867c4b4369 100644 --- a/app/_src/mesh/installation/docker.md +++ b/app/_src/mesh/installation/docker.md @@ -138,16 +138,7 @@ If you are entirely using Docker, you may also be interested in checking out the [Kubernetes quickstart][get-started-k8s] as well. -{% if_version gte:2.0.x %} [deployments]: /mesh/{{page.release}}/introduction/deployments/ [backends]: /mesh/{{page.release}}/documentation/configuration/ [get-started-k8s]: /mesh/{{page.release}}/quickstart/kubernetes/ [get-started-universal]: /mesh/{{page.release}}/quickstart/universal/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[deployments]: https://kuma.io/docs/1.8.x/introduction/deployments/ -[backends]: https://kuma.io/docs/1.8.x/documentation/configuration/ -[get-started-k8s]: https://kuma.io/docs/1.8.x/quickstart/kubernetes/ -[get-started-universal]: https://kuma.io/docs/1.8.x/quickstart/universal/ -{% endif_version %} diff --git a/app/_src/mesh/installation/ecs.md b/app/_src/mesh/installation/ecs.md index 16e6c65f0987..882b292e98fb 100644 --- a/app/_src/mesh/installation/ecs.md +++ b/app/_src/mesh/installation/ecs.md @@ -18,133 +18,6 @@ On ECS, {{site.mesh_product_name}} runs in Universal mode. Every ECS task runs w The control plane itself also runs as an ECS service in the cluster. -{% if_version lte:1.9.x %} -### Data plane tokens - -As part of joining and synchronizing with the mesh, every sidecar needs to authenticate with -the control plane. On {{site.mesh_product_name}}, this is accomplished by using a data plane token. -Typically on Universal mode, creating and managing data plane tokens is a manual step for the mesh operator. -However, {{site.mesh_product_name}} on ECS handles automatically provisioning data plane tokens for your services. - -An additional ECS token controller runs in the cluster with permissions to use -the {{site.mesh_product_name}} API to create data plane tokens and put them in AWS secrets. - -New ECS services are given access to an AWS secret. When they -join the cluster, the controller requests a new data plane token scoped to that service. - -### Mesh communication - -With {{site.mesh_product_name}} on ECS, each service enumerates -other services it contacts in the mesh and - -[exposes them in `Dataplane` specification][dpp-spec]. - -## Deployment - -This section covers ECS-specific parts of running {{site.mesh_product_name}}, using the -[example Cloudformation](https://github.com/Kong/kong-mesh-ecs) as a guide. - -### Control plane - -{{site.mesh_product_name}} runs in Universal mode on ECS. The example setup repository uses an AWS RDS -database as a PostgreSQL backend. It also uses ECS service discovery to enable ECS -tasks to communicate with {{site.mesh_product_name}} the control plane. - -The example Cloudformation includes two Cloudformation stacks for -[creating a cluster](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/vpc.yaml) and -[deploying {{site.mesh_product_name}}](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/controlplane.yaml) - -### ECS controller - -The controller is published as a docker image -`docker.io/kong/kong-mesh-ecs-controller:0.1.0`. - -#### API permissions - -To generate data plane tokens, the controller -needs to authenticate with the {{site.mesh_product_name}} API and be authorized to create -new data plane tokens. - -The example repository [launches the control plane with two additional containers](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/controlplane.yaml#L358-L387) -that handle fetching this global secret and -[covers bootstrapping this controller and running it as an ECS task](https://github.com/Kong/kong-mesh-ecs/blob/main/README.md#ecs-controller). - -Any option that enables operators to query the API from `localhost` (for -example, an SSH container in the task) can extract the admin token. - -After `kumactl` is configured with the control plane, you can generate a new user -token for the controller with `kumactl generate user-token`. For example: - -``` -kumactl generate user-token --name ecs-controller --group mesh-system:admin --valid-for 8766h -``` - -Configure the controller using the environment variables: - -- `KUMA_API_TOKEN`: the API token -- `KUMA_API_CA_BYTES`: the CA used to verify the TLS certificates presented by the API. - We recommend communicating with the {{site.mesh_product_name}} API over TLS (served on port `5682` by default). - -#### IAM permissions - -The controller uses the AWS API. The ECS task role must be authorized to perform the following actions: - -- `ecs:ListTasks` and `ecs:DescribeTasks` -- `secretsmanager:GetSecretValue` and `secretsmanager:PutSecretValue` - -These permissions can be further restricted by including a `Resource` or `Condition` in -the IAM policy statements. To make this easier, the controller supports the `--secret-name-prefix` -command line switch to prefix the names of the AWS secrets under which it saves tokens. - -## Services - -When deploying an ECS task to be included in the mesh, the following must be -considered. - -### Outbounds - -Services are bootstrapped with a `Dataplane` specification. - -Transparent proxy is not supported on ECS, so the `Dataplane` resource for a -service must enumerate all other mesh services this service contacts and include them -[in the `Dataplane` specification as `outbounds`][dpp-spec]. - -See the example repository to learn -[how to handle the `Dataplane` template with Cloudformation](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/counter-demo/demo-app.yaml#L30-L46). - -### `kuma.io/service` tag - -Every ECS task must be tagged with the `kuma.io/service` tag so that -the controller includes the task in the mesh. The ECS task -authenticates to the mesh as this service. The tag value should match the -`kuma.io/service` value in the `Dataplane` resource. - -### Sidecar - -The sidecar must run as a container in the ECS task. It must also run with the AWS secret -that holds the data plane token created by the ECS controller. - -The controller _does not create_ the secret, it only puts and gets it. The -AWS secret should be created and destroyed by the same mechanism that creates the -ECS service (for example, a Cloudformation stack). - -See the example repository for [an example container -definition](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/counter-demo/demo-app.yaml#L205-L243). - -#### Initialization - -When a task starts, the following happens: - -1. The task requests the `token` JSON key from an existing AWS secret. -2. Initially, the secret does not contain this key and ECS continues - trying to create the task. -3. Shortly after the task is created, while it's in the retry loop, the ECS - controller sees the task and checks whether `token` exists in the corresponding secret. -4. The controller sees an empty secret and generates a new data plane token via the - mesh API, saving the result as `token` in the secret. -5. Finally, ECS is able to fetch the `token` value and starts the task successfully. -{% endif_version %} -{% if_version gte:2.0.x %} ### Data plane authentication As part of joining and synchronizing with the mesh, every sidecar needs to authenticate with @@ -251,20 +124,6 @@ The sidecar must run as a container in the ECS task. See the example repository for [an example container definition](https://github.com/Kong/kong-mesh-ecs/blob/main/deploy/counter-demo/demo-app.yaml#L213-L261). -{% endif_version %} -{% if_version gte:2.2.x %} [dpp-spec]: /mesh/{{page.release}}/production/dp-config/dpp-on-universal/ -{% endif_version %} -{% if_version eq:2.1.x %} -[dpp-spec]: /mesh/{{page.release}}/generated/resources/proxy_dataplane/ -{% endif_version %} -{% if_version eq:2.0.x %} -[dpp-spec]: /mesh/{{page.release}}/generated/resources/proxy_dataplane/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[dpp-spec]: https://kuma.io/docs/1.8.x/generated/resources/proxy_dataplane/ -{% endif_version %} - diff --git a/app/_src/mesh/installation/helm.md b/app/_src/mesh/installation/helm.md index 38b2eddce812..51a7fa914559 100644 --- a/app/_src/mesh/installation/helm.md +++ b/app/_src/mesh/installation/helm.md @@ -177,12 +177,5 @@ To start using {{site.mesh_product_name}}, see the [quickstart guide for Kubernetes deployments][get-started-k8s]. -{% if_version gte:2.0.x %} [deployments]: /mesh/{{page.release}}/introduction/deployments/ [get-started-k8s]: /mesh/{{page.release}}/quickstart/kubernetes/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[deployments]: https://kuma.io/docs/1.8.x/introduction/deployments/ -[get-started-k8s]: https://kuma.io/docs/1.8.x/quickstart/kubernetes/ -{% endif_version %} diff --git a/app/_src/mesh/installation/kubernetes.md b/app/_src/mesh/installation/kubernetes.md index 343c5e8af24e..47c749b07fef 100644 --- a/app/_src/mesh/installation/kubernetes.md +++ b/app/_src/mesh/installation/kubernetes.md @@ -185,12 +185,5 @@ To start using {{site.mesh_product_name}}, see the [quickstart guide for Kubernetes deployments][get-started-k8s]. -{% if_version gte:2.0.x %} [deployments]: /mesh/{{page.release}}/introduction/deployments/ [get-started-k8s]: /mesh/{{page.release}}/quickstart/kubernetes/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[deployments]: https://kuma.io/docs/1.8.x/introduction/deployments/ -[get-started-k8s]: https://kuma.io/docs/1.8.x/quickstart/kubernetes/ -{% endif_version %} diff --git a/app/_src/mesh/installation/macos.md b/app/_src/mesh/installation/macos.md index 95ea1aebb94e..4ffd23c7d8fc 100644 --- a/app/_src/mesh/installation/macos.md +++ b/app/_src/mesh/installation/macos.md @@ -36,8 +36,7 @@ curl -L https://docs.konghq.com/mesh/installer.sh | VERSION={{page.version}} sh {% endnavtab %} {% navtab Manually %} -You can also download the [amd64]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) {% if_version gte:1.8.x %} -or [arm64]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-arm64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-arm64.tar.gz){% endif_version %} distribution manually. +You can also download the [amd64]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-amd64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-amd64.tar.gz) or [arm64]({{site.links.direct}}/kong-mesh-legacy/raw/names/kong-mesh-darwin-arm64/versions/{{page.version}}/kong-mesh-{{page.version}}-darwin-arm64.tar.gz) distribution manually. Then, extract the archive with: diff --git a/app/_src/mesh/installation/openshift.md b/app/_src/mesh/installation/openshift.md index a6718d07463f..adf0d703254c 100644 --- a/app/_src/mesh/installation/openshift.md +++ b/app/_src/mesh/installation/openshift.md @@ -255,12 +255,5 @@ To start using {{site.mesh_product_name}}, see the [quickstart guide for Kubernetes deployments][get-started-k8s]. -{% if_version gte:2.0.x %} [deployments]: /mesh/{{page.release}}/introduction/deployments/ [get-started-k8s]: /mesh/{{page.release}}/quickstart/kubernetes/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[deployments]: https://kuma.io/docs/1.8.x/introduction/deployments/ -[get-started-k8s]: https://kuma.io/docs/1.8.x/quickstart/kubernetes/ -{% endif_version %} diff --git a/app/_src/mesh/installation/windows.md b/app/_src/mesh/installation/windows.md index a2bea32980d9..d6c203d8e4b1 100644 --- a/app/_src/mesh/installation/windows.md +++ b/app/_src/mesh/installation/windows.md @@ -31,7 +31,7 @@ Invoke-Expression ([System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -Ur {% endnavtab %} {% navtab Manually %} -You can also [download]{%if_version gte:2.2.x %}({{site.links.download}}/kong-mesh-binaries-release/kong-mesh-{{page.version}}-windows-amd64.tar.gz){%endif_version%}{%if_version lte:2.1.x%}(https://download.konghq.com/mesh-alpine/kong-mesh-{{page.version}}-windows-amd64.tar.gz){%endif_version%} +You can also [download]({{site.links.download}}/kong-mesh-binaries-release/kong-mesh-{{page.version}}-windows-amd64.tar.gz) the distribution manually. Then extract the archive with: @@ -77,12 +77,5 @@ but you can use a persistent storage like PostgreSQL by updating the `conf/kuma- -{% if_version gte:2.0.x %} [deployments]: /mesh/{{page.release}}/introduction/deployments/ [backends]: /mesh/{{page.release}}/documentation/configuration/ -{% endif_version %} - -{% if_version lte:1.9.x %} -[deployments]: https://kuma.io/docs/1.8.x/introduction/deployments/ -[backends]: https://kuma.io/docs/1.8.x/documentation/configuration/ -{% endif_version %}