From 289ed198e0b100e2b76a13abb5e76e4ffc201b7b Mon Sep 17 00:00:00 2001 From: Marcin Skalski Date: Thu, 19 Dec 2024 14:12:30 +0100 Subject: [PATCH 1/3] feat(mes): add example of disabling traffic to MeshExternalService on Mesh Signed-off-by: Marcin Skalski --- app/_src/networking/meshexternalservice.md | 36 ++++++++++++++++++++-- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/app/_src/networking/meshexternalservice.md b/app/_src/networking/meshexternalservice.md index 5f079188f..f62ce87be 100644 --- a/app/_src/networking/meshexternalservice.md +++ b/app/_src/networking/meshexternalservice.md 
@@ -12,12 +12,14 @@ The `MeshExternalService` resource allows you to declare external resources inst {% tip %} What is the difference between `MeshPassthrough` and `MeshExternalService`? -The main difference is that `MeshExternalService` is assigned a custom domain and can be targeted by policies. `MeshPassthrough`, on the other hand, does not alter the address of the original host and cannot be targeted by policies. +The main difference is that `MeshExternalService` assigns a custom domain and can be targeted by policies. +`MeshPassthrough` does not alter the address of the original host and cannot be targeted by policies. {% endtip %} {% warning %} -Currently `MeshExternalService` resource only supports targeting by [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) with [Zone Egress](/docs/{{ page.release }}/production/cp-deployment/zoneegress). -This limitation will be lifted in the next release. +Currently you can not configure granular [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for MeshExternalService. +You can only enable or disable whole traffic to MeshExternalService from Mesh by [Mesh resource configuration](/docs/{{ page.release }}/production/mesh/). +More on this in [Controlling MeshExternalService access from Mesh](/docs/{{ page.release }}/networking/meshexternalservice/#controlling-meshexternalservice-access-from-mesh) section. {% endwarning %} ## Configuration 
@@ -142,6 +144,34 @@ networking: port: 9901" ``` +### Controlling MeshExternalService access from Mesh + +At this moment you cannot configure [MeshTrafficPermission](/docs/{{ page.release }}/policies/meshtrafficpermission) for +MeshExternalService. But you can configure access to all external services on Mesh level. For example, you can disable +outgoing traffic to all MeshExternalServices: + +{% tabs usage useUrlFragment=false %} +{% tab usage Kubernetes %} +```yaml +apiVersion: kuma.io/v1alpha1 +kind: Mesh +metadata: + name: default +spec: + routing: + defaultForbidMeshExternalServiceAccess: true +``` +{% endtab %} +{% tab usage Universal %} +```yaml +type: Mesh +name: default +routing: + defaultForbidMeshExternalServiceAccess: true +``` +{% endtab %} +{% endtabs %} + ## Examples TCP examples use https://tcpbin.com/ service which is a TCP echo service, check out the website for more details. From 481b3eb701243fc409a9c9a1e5afce372534a10f Mon Sep 17 00:00:00 2001 From: Marcin Skalski Date: Fri, 20 Dec 2024 08:13:50 +0100 Subject: [PATCH 2/3] feat(mes): fix vale Signed-off-by: Marcin Skalski --- .github/styles/config/vocabularies/Base/accept.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/styles/config/vocabularies/Base/accept.txt b/.github/styles/config/vocabularies/Base/accept.txt index d2d0d9c14..eafd45532 100644 --- a/.github/styles/config/vocabularies/Base/accept.txt +++ b/.github/styles/config/vocabularies/Base/accept.txt @@ -180,3 +180,4 @@ yml [xX]DS|xds Zipkin zsh +MeshExternalService From 1554c9028aebb7cd194d6c5e30d8860405f5de71 Mon Sep 17 00:00:00 2001 From: Marcin Skalski Date: Fri, 20 Dec 2024 09:00:54 +0100 Subject: [PATCH 3/3] feat(mes): fix vale Signed-off-by: Marcin Skalski --- .github/styles/config/vocabularies/Base/accept.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/styles/config/vocabularies/Base/accept.txt b/.github/styles/config/vocabularies/Base/accept.txt index eafd45532..ec18e6daf 100644 
--- a/.github/styles/config/vocabularies/Base/accept.txt +++ b/.github/styles/config/vocabularies/Base/accept.txt @@ -100,6 +100,7 @@ MADR md minikube Maglev +MeshExternalService MeshGateway matchers Mockbin @@ -180,4 +181,3 @@ yml [xX]DS|xds Zipkin zsh -MeshExternalService
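Review bot: in the first hunk of patch 1/3 (the `{% tip %}` and `{% warning %}` rewrite) the reworded tip changes the meaning of the sentence: the old text said `MeshExternalService` "is assigned a custom domain", the new text says it "assigns a custom domain", which reads as if the resource itself performs the assignment. Suggest "gets a custom domain" or keeping the original passive form. In the warning, "you can not configure" should be "you cannot configure", and "enable or disable whole traffic to MeshExternalService" reads better as "enable or disable all traffic to MeshExternalService". The in-page anchor `#controlling-meshexternalservice-access-from-mesh` must match the slug the site generator derives from the new heading "Controlling MeshExternalService access from Mesh"; worth checking the rendered page rather than assuming.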
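Review bot: the second hunk of patch 1/3 (the new "Controlling MeshExternalService access from Mesh" section) documents `routing.defaultForbidMeshExternalServiceAccess: true` but never states the default value of the field or what happens to in-flight and existing connections when it is flipped; since this is a mesh-wide allow/deny switch and the page says granular `MeshTrafficPermission` is not available for `MeshExternalService`, readers deciding their access posture need both facts. Suggest one sentence naming the default and one noting that the setting applies to every `MeshExternalService` in that `Mesh`. The opening "At this moment you cannot configure ... But you can configure" repeats the warning box verbatim and is informal; "Granular MeshTrafficPermission is not yet supported for MeshExternalService, but access can be controlled for the whole Mesh" would read cleaner.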
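Review bot: patch 2/3 appends `MeshExternalService` after `zsh` at the end of `accept.txt`, which breaks the ordering the surrounding entries (`yml`, `[xX]DS|xds`, `Zipkin`, `zsh`) follow; patch 3/3 then moves the same line to the `M` block. Suggest squashing the two vocabulary commits so the history does not carry an add-then-relocate pair for one word.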
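Review bot: patch 3/3 reuses the exact subject line of patch 2/3, "feat(mes): fix vale", so the two commits are indistinguishable in `git log`; either squash them or give this one a subject that says what it actually does (move `MeshExternalService` into sorted position in `accept.txt`). The `@@ -100,6 +100,7 @@` hunk places the entry between `Maglev` and `MeshGateway`, which is consistent with the neighbouring `Mesh*` entry, and the `@@ -180,4 +181,3 @@` hunk removes the stray copy after `zsh`, so the net content change is correct.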