Inspect API

    Read to understand how Kuma matches policies to data plane proxies. With so many policies, it’s hard to understand which policies are selected for a specific data plane proxy. That’s where the Inspect API can help:

    1. DATAPLANE:
    2.   ProxyTemplate
    3.     pt-1
    4.   TrafficTrace
    5.     backends-eu
    7. INBOUND 127.0.0.1:10010:10011(backend):
    8.   TrafficPermission
    9.     allow-all-default
    11.   Timeout
    12.     timeout-all-default
    13.   TrafficRoute
    14.     route-all-default
    16. SERVICE gateway:
    17.   CircuitBreaker
    18.     circuit-breaker-all-default
    19.   HealthCheck
    20.     gateway-to-backend

    Each data plane proxy has 4 policy attachment points:

    • Inbound – applied to envoy inbound listener
    • Outbound – applied to envoy outbound listener
    • Service – applied to envoy outbound cluster (upstream cluster)
    • Dataplane – non-specific policy attachment, could affect inbound/outbound listeners and clusters

    Sometimes it’s useful to see if it’s safe to delete or modify some policy. Before making any critical changes, it is worth checking which data plane proxies will be affected. This can be done using the Inspect API as well:

    1. Affected data plane proxies:
    3.   backend-1:
    4.     inbound 127.0.0.1:10010:10011(backend)
    5.     inbound 127.0.0.1:20010:20011(backend-admin)
    6.     inbound 127.0.0.1:30010:30011(backend-api)
    8.   web-1:

    This command works for all types of policies.

    Get config dump for data plane proxy:

    Get config dump for zone ingress:

    In order to retrieve a config dump in a Multizone deployment, kumactl should be pointed to a zone CP Global CPs don’t have access to envoy config dumps. This is a limitation that will be resolved in an upcoming release.