Product Releases
September 11, 2024

Kong Mesh 2.9: Increased Security Configurations and Health Check Capabilities

John Harris
Principal PM Kong Mesh & Kuma

We’re excited to announce the upcoming release of Kong Mesh 2.9 in mid-September. This release comes with many improvements around security configurations, resiliency, and platform flexibility, and we’re excited for everyone to get their hands on it.

While we’re putting the finishing touches on the release, we wanted to give an overview in this blog post of the new capabilities for everyone attending API Summit 2024 this week. (Make sure you also catch Charly Molter’s session on “Demystifying the Latest in Kong Mesh” on September 11th at 5:05pm EST!).

Security: New MeshTLS policy

Kong Mesh has long had the ability to implement mTLS across all the services in a mesh. However, until now users have been limited to implementing either strict or permissive mode on a per-mesh basis.

In Kong Mesh 2.9, we’re releasing an oft-requested feature in the form of a new MeshTLS policy. This policy allows very granular configuration of the TLS behaviors within the mesh and enables users to specifically target exactly the services they want with TLS modes, allowed ciphers, TLS versions, and more.

Below is an example of a new (universal mode) MeshTLS policy that enforces default TLS versions and ciphers in permissive mode across all the applications in a mesh.

And below is an example of a new (Kubernetes mode) MeshTLS policy that restricts the TLS mode to strict for the billing service.

This new capability will be especially useful for those teams who are incrementally onboarding their applications into Kong Mesh and where each application team has different requirements around TLS configurations. The granular nature of the new MeshTLS policy will allow each application to be targeted independently with different configuration sets enabling a smooth transition from non-mesh to mesh operations.
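As an added illustration (this is not the policy from the original post), here is what a Kubernetes-mode MeshTLS policy of the kind described above could look like: it pins the billing service to strict mTLS with TLS 1.2 or newer and AEAD cipher suites only. The field layout (targetRef, from, default with mode, tlsVersion and tlsCiphers) is assumed to follow the Kuma/Kong Mesh 2.9 MeshTLS schema, and the namespace and service tag are constructed values, so check both against the 2.9 policy reference before applying.

```yaml
# Added example, not from the original post. Field names are assumed to follow
# the Kong Mesh / Kuma 2.9 MeshTLS schema; verify against the policy reference.
apiVersion: kuma.io/v1alpha1
kind: MeshTLS
metadata:
  name: billing-strict-mtls
  namespace: kong-mesh-system      # assumed system namespace for policies
  labels:
    kuma.io/mesh: default          # the mesh this policy belongs to
spec:
  # Scope: only the billing workloads. The tag value is constructed; on
  # Kubernetes the service tag is generated as <name>_<namespace>_svc_<port>.
  targetRef:
    kind: MeshSubset
    tags:
      kuma.io/service: billing_default_svc_8080
  from:
    - targetRef:
        kind: Mesh                 # traffic from any client in the mesh
      default:
        mode: Strict               # plaintext inbound connections are refused;
                                   # Permissive would still accept them
        tlsVersion:
          min: TLS12               # no TLS 1.0/1.1 handshakes
          max: TLS13
        tlsCiphers:                # AEAD suites only; the CBC/SHA1 suites are
          - ECDHE-ECDSA-AES256-GCM-SHA384   # not offered
          - ECDHE-RSA-AES256-GCM-SHA384
          - ECDHE-ECDSA-AES128-GCM-SHA256
          - ECDHE-RSA-AES128-GCM-SHA256
```

With `mode: Strict`, calls from workloads that have not yet been onboarded into the mesh are refused, so during an incremental rollout apply the strict policy to a service only once all of its callers are inside the mesh, leaving the mesh-wide default permissive until then.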

Resiliency: New Application Probes to support multiple workload protocols

Kubernetes supports probes to test the health and readiness of running applications. Because mesh technologies capture the inbound traffic to all applications, we developed "virtual probes" some time ago to expose listeners for these probes and ensure users retained a great out-of-the-box experience.

However, historically these probes (and our virtual proxy) only supported HTTP traffic. In Kong Mesh 2.9 we've completely revamped our virtual probe capabilities, replacing them with "Application Probes" that support HTTP, gRPC, and TCP (the full suite of currently supported Kubernetes probes) and give users much better support when implementing probes for non-HTTP application types.

An example of how this (universal mode) Dataplane object would look with the new probes is shown below.

Flexibility: Increased support for different platform targets

Meshes use redirection to capture network traffic and act on it. Much of the time this redirection uses some type of iptables implementation in the underlying OS. As the breadth of platforms being used for mesh deployments increases, so does the number of iptables implementations and mechanisms.

Some platforms use iptables, some use iptables-legacy, some nftables (a new implementation), etc. In order to increase our support across all of these customer deployment targets, we’ve completely revamped our iptables detection and configuration capabilities.

As of 2.9 we have much more robust detection methods for the iptables implementation on platform OSes. And in the event that the transparent proxy still isn't able to auto-configure correctly, we've also introduced a configuration section allowing users to override the iptables path when installing the transparent proxy from `kumactl` (as shown below).

This capability will reduce debugging time for platform teams deploying Kong Mesh into their environment and ensures that whatever platform they want to deploy to is well-supported.

Summary

Kong Mesh 2.9 adds some oft-requested and powerful additional features and configuration options for customers to deploy and integrate mesh into their environments while ensuring a smooth onboarding experience for their application teams and partners.

Take advantage of these innovations to take your organization to the next level. With Kong Mesh 2.9, you can achieve a service mesh environment that aligns perfectly with your unique requirements and objectives.

Want to see Kong Mesh in action? Request a demo or download Kong Mesh today.