我的书签
添加书签
移除书签How Kuma chooses the right policy to apply
E.g., there might be a catch-all policy that sets the baseline for your organization
Additionally, there might be a more focused use case-specific policy, e.g.
type: TrafficLogmesh: defaultname: web-to-backend-policysources:- match:kuma.io/service: webcloud: awsregion: usdestinations:- match:kuma.io/service: backendconf:backend: splunk
What does Kuma do when it encounters multiple matching policies?
Kuma always picks the most specific policy
A policy that matches by a greater number of tags
- match:kuma.io/service: '*'cloud: awsregion: us
is “more specific” than the one with the less number of tags
- match:kuma.io/service: '*'
A policy that matches by the exact tag value
- match:kuma.io/service: web
- match:kuma.io/service: '*'
If 2 policies match by the same number of tags, then the one with a greater total number of matches by the exact tag value
is “more specific” than the other
- match:kuma.io/service: webversion: '*'
If 2 policies are equal (match by the same number of tags, and the total number of matches by the exact tag value is the same for both policies, and the total number of matches by a
'*'tag value is the same for both policies) then the latest onemodificationTime: "2020-01-01T20:00:00.0000Z"...- match:kuma.io/service: web
is “more specific” policy than the older one
modificationTime: "2019-01-01T20:00:00.0000Z"...- match:kuma.io/service: webcloud: aws
Dataplane policy is a policy that matches group of data plane proxies, not a connection between multiple proxies.
Assuming we have the following data plane proxy
type: Dataplanename: web-1networking:address: 192.168.0.1inbound:- port: 9000servicePort: 6379tags:kuma.io/service: web
and a ProxyTemplate which is an example of a Dataplane Policy
type: ProxyTemplatemesh: defaultname: custom-template-1selectors:- match:kuma.io/service: webconf:imports:- default-proxy
The policy can be applied either on inbound connections that a data plane proxy receives or outbound connections that data plane proxy creates, therefore there are two types of connection policies.
This kind of policy is enforced on the outbound connections initiated by the data plane proxy defined in sources section and then is applied only if the target data plane proxy matches tags defined in destination.
Assuming we have the following data plane proxies:
type: Dataplanemesh: defaultname: backend-1networking:address: 192.168.0.2inbound:- port: 9000servicePort: 6379tags:kuma.io/service: backend
and a HealthCheck which is an example of Outbound Connection Policy
type: HealthCheckmesh: defaultname: catch-all-policysources:- match:destinations:- match:kuma.io/service: backend
then the health checking is applied only on the first outbound listener of the web-1 data plane proxy. The configuration of data plane proxy is not changed in any way.
This kind of policy is enforced on the inbound connections received by the data plane proxy defined in destination section and then is applied only if the data plane proxy that initiated this connection matches tags defined in sources.
Assuming we have the following data plane proxies:
type: Dataplanemesh: defaultname: web-1networking:address: 192.168.0.1inbound:- port: 9000servicePort: 6379tags:kuma.io/service: weboutbound:- port: 1234tags:kuma.io/service: backend
type: Dataplanemesh: defaultname: backend-1networking:address: 192.168.0.2inbound:- port: 9000servicePort: 6379tags:kuma.io/service: backend- port: 9000servicePort: 6379tags:kuma.io/service: backend-api
type: TrafficPermissionmesh: defaultname: catch-all-policysources:- match:kuma.io/service: webdestinations:- match:
then the TrafficPermission is enforced only on the first inbound listener of the backend-1 data plane proxy. The configuration of data plane proxy is not changed in any way.
