General notes about Kuma policies


    To keep the configuration model simple and consistent, Kuma assumes that every Dataplane represents a service, even if it’s a cron job that doesn’t normally handle incoming traffic.

    Consequently, tag is mandatory for sources and destinations selectors.

    E.g., the following policy will apply to network traffic between all Dataplanes

    In contrast, the next policy will apply only to network traffic between Dataplanes that represent web and backend services:

    Finally, you can further limit the scope of a policy by including additional tags in sources and destinations selectors:

    For example, policies that get applied on the client side of a connection between two Dataplanes - such as TrafficRoute, TrafficLog, HealthCheck - do not support arbitrary tags in their destinations selector; only the service tag is supported.

    In some cases there is a fundamental technical cause for that (e.g., TrafficRoute), in other cases it’s a simplification of the initial implementation (e.g., TrafficLog and HealthCheck).

    Please let us know if such constraints become critical to your use case.
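
An added example, not part of the Kuma documentation: a lint and scope check in Python for the selector rules described above, useful for catching a policy whose selectors are broader or narrower than intended before it is applied. The `match` selector shape, the `service` tag key, the `*` wildcard, the `TrafficPermission` type, the `make` helper and all sample tag values are assumptions or constructed here.

```python
# Added example: lint and scope check for the selector rules described above.
# Assumed (not shown on the page): selectors are {"match": {tag: value}} maps,
# the mandatory tag key is "service", and "*" matches any value of a tag.
CLIENT_SIDE = {"TrafficRoute", "TrafficLog", "HealthCheck"}  # named on the page
SERVICE_TAG, WILDCARD = "service", "*"

def lint_policy(policy):
    """Return a list of selector problems; an empty list means the policy passes."""
    problems = []
    for side in ("sources", "destinations"):
        if not policy.get(side):
            problems.append(f"{side}: no selector given")
        for i, selector in enumerate(policy.get(side) or []):
            tags = selector.get("match") or {}
            if SERVICE_TAG not in tags:
                problems.append(f"{side}[{i}]: missing mandatory '{SERVICE_TAG}' tag")
            extra = sorted(set(tags) - {SERVICE_TAG})
            if side == "destinations" and policy.get("type") in CLIENT_SIDE and extra:
                problems.append(
                    f"{side}[{i}]: {policy['type']} supports only '{SERVICE_TAG}', got {extra}")
    return problems

def selector_matches(tags, dataplane_tags):
    """Every tag in the selector must be on the Dataplane with an equal value."""
    return all(k in dataplane_tags and v in (WILDCARD, dataplane_tags[k])
               for k, v in tags.items())

def applies(policy, src_tags, dst_tags):
    """True when a source selector matches src and a destination selector matches dst."""
    return (any(selector_matches(s["match"], src_tags) for s in policy["sources"])
            and any(selector_matches(d["match"], dst_tags) for d in policy["destinations"]))

def make(ptype, src, dst):
    """Hypothetical helper: build a policy with one selector on each side."""
    return {"type": ptype, "sources": [{"match": src}], "destinations": [{"match": dst}]}

# Constructed sample policies mirroring the three scopes described in the text.
ALLOW_ALL = make("TrafficPermission", {"service": "*"}, {"service": "*"})
WEB_TO_BACKEND = make("TrafficPermission", {"service": "web"}, {"service": "backend"})
NARROWED = make("TrafficPermission", {"service": "web", "region": "us-east"},
                {"service": "backend", "version": "v2"})
# Constructed policies that break the rules: extra destination tag, missing service tag.
BAD_LOG = make("TrafficLog", {"service": "web"}, {"service": "backend", "version": "v2"})
NO_SERVICE = make("TrafficPermission", {"region": "us-east"}, {"service": "backend"})

if __name__ == "__main__":
    for name in ("ALLOW_ALL", "WEB_TO_BACKEND", "NARROWED", "BAD_LOG", "NO_SERVICE"):
        print(name, lint_policy(globals()[name]) or "ok")
```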