We are happy to announce a new major release of Kuma, and a new major release of Kong Mesh built on Kuma! Kuma 1.4 ships with 25+ new features and countless improvements, particularly when it comes to performance. As previously announced at Kong Summit 2021, Kong Mesh ships we enterprise capabilities for large scale service mesh deployments, like RBAC, and native support for Windows VMs.
We strongly suggest to upgrade, in order to take advantage of the latest and greatest when it comes to service mesh.
For a complete list of features and updates, take a look at the full changelog.
In Kong Mesh 1.5, the new RBAC feature is enabled by default and it works consistently across both Kubernetes and Universal environments, in both standalone and multi-zone deployments, across every cloud. By using this new feature we can better scale Kong Mesh operations across the organizations by restricting what our teams and their individual contributors can do on top of one or more virtual meshes. You can learn more about this feature in the official documentation.
RBAC introduces a few important concepts:
AccessRole is a resource that defines a role that can later be assigned for a user. This resource is global-scoped, which means it is not bound to a mesh. Below an example of an AccessRole:
type: AccessRole
name: role-1
rules:
- types: ["TrafficPermission", "TrafficRoute", "Mesh"] # list of types to which access is granted. If empty, then access is granted to all types
names: ["res-1"] # list of allowed names of types to which access is granted. If empty, then access is granted to resources regardless of the name.
mesh: default # Mesh within which the access to resources is granted. It can only be used with the Mesh-scoped resources.
access: ["CREATE", "UPDATE", "DELETE", "GENERATE_DATAPLANE_TOKEN", "GENERATE_USER_TOKEN", "GENERATE_ZONE_CP_TOKEN"] # an action that is bound to a type.
when: # a set of qualifiers to receive an access. Only one of them needs to be fulfilled to receive an access
- sources: # a condition on sources section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all sources are allowed
match:
kuma.io/service: web
destinations: # a condition on destinations section in connection policies (like TrafficRoute or Healtchecheck). If missing, then all destinations are allowed
match:
kuma.io/service: backend
- selectors: # a condition on selectors section in dataplane policies (like TrafficTrace or ProxyTemplate).
match:
kuma.io/service: web
- dpToken: # a condition on generate dataplane token.
tags:
- name: kuma.io/service
value: webThis resource binds an AccessRole to a User/Group. For example
type: AccessRoleBinding
name: binding-1
subjects: # a list of subjects that will be assigned roles
- type: User # type of the subject. Available values: ("User", "Group")
name: john.doe@example.com # name of the subject.
- type: Group
name: team-a
roles: # a list of roles that will be assigned to the list of subjects.
- role-1The “AccessRoles” can be bound to a specific “User” or “Group” of users. In Kubernetes, users are being identified by their login credentials provided via “kubectl login”, whereas in Universal they are identified by the underlying Kuma user token.
In the future, this creates the perfect foundation for adding OIDC/LDAP support to Kong Mesh as an additional way to authenticate users.
This release includes performance improvements that have been identified by our new performance suite which replicates a Kuma deployment at scale. This allows us to anticipate some performance issues that you may be experiencing in production and ship a fix as part of our continuous improvements to the product.
Particularly, we have reduced the likelihood of overwhelming the underlying Postgres database in universal mode, and we are making incremental improvements to the CPU and memory consumption of Kuma. These performance improvements are our top priority, so please reach out to the maintainers if you would like to report any issue running Kuma at scale.
Kong Mesh 2.13 delivers full support for Mesh Identity for Kubernetes and Universal mode. Plus, it's been designated as a Long Term Support release, with support for a total of 2 years. But first, what's Kong Mesh for the uninitiated? Built on top
We’re excited to announce the release of Kong Mesh and Kuma 2.2. This new minor release adds some long-awaited enterprise features, more incremental improvements to our UI and policies, and many more minor features and bug fixes. In order to take
We’re excited to announce the release of Kong Mesh and Kuma 2.1! In this release, we’re shipping the full suite of new and improved policies announced (and started) in 2.0. Additionally, we’re launching some more great UX improvements in the UI and a
Today we’re excited to announce the release of Kong Mesh and Kuma 2.0. With this new major release, we’re announcing the first availability of our next-generation policies, in addition to new eBPF capabilities. 2.0 is also significant as we have
We are happy to announce the release of Kong Mesh 1.9 and Kuma 1.8! This release is packed with features and improvements such as observability for builtin Gateway, a complete rewrite of the CNI and projected service account tokens support. In order
We’re excited to announce the latest release for both Kuma and Kong Mesh. This cycle, we focused on simplifying enterprise-wide mesh deployments. We strongly suggest upgrading, in order to take advantage of the latest and greatest when it comes to s
