Enforce the Ingress Policy
The following policies are automatically installed when you add the Kuma system.
You can see the policies in place for your Kuma system in its app, egress, and ingress folders.
-
For app policy type, click
your Kuma system
to expand the policy folder >> app >> rules.rego to see the application rules for your Kuma system. -
For egress policy type, click
your Kuma system
to expand the policy folder >> egress >> rules.rego to see the egress rules for your Kuma system. -
For ingress policy type, click
your Kuma system
to expand the policy folder >> ingress >> rules.rego to see the ingress rules for your Kuma system.
The client-load deployment repeatedly executes the following HTTP calls in an interval of 30 seconds, pretending to be different users to help generate sample data for visualization.
curl --user alice:password example-app/finance/salary/alice
curl --user bob:password example-app/finance/salary/alice
curl --user bob:password example-app/finance/salary/charlie
curl --user david:password example-app/finance/salary/bob
curl --user david:password example-app/hr/dashboard
curl --user eve:password example-app/admin
By default, all policies allow traffic to the service with Kuma data plane sidecar container. Click on the Decisions tab to verify all the Allowed
decisions from the newly created Kuma system.
The Kuma system Quick Start provides a link to replace the sample ingress policy. With this ingress policy published, example-app
can receive ingress traffic only on the allowed list of endpoint /finance/salary
. Switch to Decisions tab and verify traffic to path /hr/dashboard
and /admin
are Denied
.