feat(mes): add example of disabling traffic to MeshExternalService on Mesh #2126

Merged
merged 3 commits into from
Dec 20, 2024
Changes from 1 commit
36 changes: 33 additions & 3 deletions app/_src/networking/meshexternalservice.md
@@ -12,12 +12,14 @@
{% tip %}
What is the difference between `MeshPassthrough` and `MeshExternalService`?

The main difference is that `MeshExternalService` is assigned a custom domain and can be targeted by policies. `MeshPassthrough`, on the other hand, does not alter the address of the original host and cannot be targeted by policies.
The main difference is that `MeshExternalService` assigns a custom domain and can be targeted by policies.
`MeshPassthrough` does not alter the address of the original host and cannot be targeted by policies.
{% endtip %}

{% warning %}
Currently `MeshExternalService` resource only supports targeting by [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) with [Zone Egress](/docs/{{ page.release }}/production/cp-deployment/zoneegress).
This limitation will be lifted in the next release.
Currently you can not configure granular [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for MeshExternalService.
You can only enable or disable whole traffic to MeshExternalService from Mesh by [Mesh resource configuration](/docs/{{ page.release }}/production/mesh/).
More on this in [Controlling MeshExternalService access from Mesh](/docs/{{ page.release }}/networking/meshexternalservice/#controlling-meshexternalservice-access-from-mesh) section.
{% endwarning %}

## Configuration
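Review bot: the reworded tip changes the meaning of the sentence it replaces: the original said `MeshExternalService` *is assigned* a custom domain (the resource gets a hostname), while the new first added line says it *assigns* one; suggest keeping "is assigned a custom domain". In the new warning, "can not" should be "cannot", and "enable or disable whole traffic to MeshExternalService from Mesh" reads awkwardly; suggest "you can only allow or forbid all traffic from the Mesh to MeshExternalServices by [Mesh resource configuration](...)". The last sentence needs an article ("More on this in the [Controlling ...] section"). The removed line "This limitation will be lifted in the next release" is dropped without a replacement; if granular `MeshTrafficPermission` support is still planned, it is worth saying so, since readers of the old text will look for it.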
@@ -142,6 +144,34 @@
port: 9901"
```

### Controlling MeshExternalService access from Mesh

Check failure on line 147 in app/_src/networking/meshexternalservice.md (GitHub Actions / Lint docs): [vale] reported by reviewdog 🐶 [Google.Headings] 'Controlling MeshExternalService access from Mesh' should use sentence-style capitalization.

At this moment you cannot configure [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for
MeshExternalService. But you can configure access to all external services on Mesh level. For example, you can disable
outgoing traffic to all MeshExternalServices:

{% tabs usage useUrlFragment=false %}
{% tab usage Kubernetes %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
name: default
spec:
routing:
defaultForbidMeshExternalServiceAccess: true
```
{% endtab %}
{% tab usage Universal %}
```yaml
type: Mesh
name: default
routing:
defaultForbidMeshExternalServiceAccess: true
```
{% endtab %}
{% endtabs %}

## Examples

TCP examples use https://tcpbin.com/ service which is a TCP echo service, check out the website for more details.
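Review bot: the new heading "Controlling MeshExternalService access from Mesh" fails the docs lint (Google.Headings, sentence-style capitalization, per the vale annotation on line 147); `MeshExternalService` and `Mesh` are resource names, so either add them to the vale vocabulary or rename the heading, and in either case confirm that the anchor `#controlling-meshexternalservice-access-from-mesh` used by the link in the warning above still resolves afterwards. The opening prose could be one sentence: "MeshTrafficPermission cannot yet target MeshExternalService, but access to all external services can be configured at the Mesh level." The warning says access can be enabled *or* disabled, yet the example only shows `defaultForbidMeshExternalServiceAccess: true`; a sentence stating the default value of that field and spelling out the blast radius would help: once it is `true`, no service in the mesh can reach any MeshExternalService, and there is no per-service exception until granular MeshTrafficPermission support exists. If the page documents elsewhere what a blocked client observes (connection refused, HTTP status), a pointer to that would round out the section.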