►
Description
In this Kong Builders episode, Cody De Arkland shows how to build an application and connect the workload. He explores baseline security policy and Traffic Permissions and L7 path policies.
Try Kuma: https://kuma.io/
Try Kong Mesh: https://bit.ly/2TdwYTp
▬▬▬▬▬▬ CONTACT CODY ▬▬▬▬▬▬
🐦 https://twitter.com/codydearland
▬▬▬▬▬▬ ADDITIONAL RESOURCES ▬▬▬▬▬▬
Traffic Permissions Docs: https://kuma.io/docs/1.2.0/policies/traffic-permissions/
Zero Trust Blog Post: https://konghq.com/blog/the-importance-of-zero-trust-security-when-making-the-microservices-move/
#ZeroTrust #ServiceMesh #APISecurity #Kuma #L7 #TrafficPermissions #KongBuilders
A
Hello:
everyone,
my
name
is
cody
d
arkland.
I
work
for
kong
and
yeah.
Thank
you
for
joining
us
for
another
another
week
of
kong
builders.
So
for
those
who
your
first
time
joining,
you
know,
welcome
we're
we're
a
fun
community
who
likes
to
just
do
nerdy
things
and
build
build
cool
things
with
the
kong
products.
So
at
kong
I
focus
on
service
mesh
and
so
a
lot
of
what
we
do
on
on
this
series.
A
Right
now
is
service
mesh,
but
I
know
that
last
week
last
week
before
that
victor
from
our
developer
advocacy
team
had
joined
and
he
did
a
really
cool
session
around
our
connect
platform
and
kubernetes,
so
we're
branching
out
beyond
just
service
mesh,
but
just
to
kind
of
set
the
stage
of
what
we're
going
to
do.
Today,
a
couple
weeks
back,
we
had
started
out
this
series
with
building
our
service
measurement
ground
up.
So
in
that
session
we
had
gone
through
and
we
built
our
service
mesh.
A
We
deployed
kuma
inside
of
a
kubernetes
cluster,
I'm
using
eks
in
in
today's
video.
So
a
shout
out
shout
out
to
the
amazon
folks
for
having
a
great
kubernetes
platform.
So
I'll
I'll
be
building
in
there
today,
we've
already
got
kuma
up
and
running,
so
we're
not
going
to
run
through
that
whole
setup
process.
Again,
I'd
encourage
you
to
subscribe
to
the
channel.
There's
videos
in
the
wayback
machine
around
how
you
can
get
get
started
installing
installing
from
the
ground
up,
so
we're
gonna.
A
We
already
have
that
installed
I'll,
bring
it
up
in
the
ui,
we'll
take
a
look
around
just
so
we
can
understand
kind
of
what's
in
that
environment.
In
that
original
video
we
went
and
deployed
our
app
deployed
the
gateway.
We
did
all
that
stuff.
A
I'm
gonna
do
that
again
today,
just
to
kind
of
reinforce
some
concepts
and
then
we're
going
to
jump
into
just
playing
live
with
some
policy
stuff
we're
going
to
start
doing
some
traffic
permissions
we're
going
to
explore
how
we
can
set
up
kind
of
that
zero
trust
model
inside
of
service
mesh.
You
know
we
talk
so
much
about
policies
in
service
mesh
and
this
idea
of
kind
of
apply
it
once
consumed
by
many
today.
The
goal
of
today
is
to
get
through
that.
A
If
we
manage
to
just
wreck
through
that
at
warp
speed,
we'll
probably
jump
into
some
observability
stuff
or
maybe
play
with
a
little
little
grafana
metrics
action
formally
that's
scheduled
for
next
week,
but
I
like
to
have
in
the
back
pocket
in
case
we
we
move
fast
and
things
aren't
breaking
like.
We
typically
expect
them
to
so.
I've
got
if
you
see
me
just
for
the
audience
out
there.
A
If
you
see
me
turn
this
way,
I'm
looking
at
the
chat
window,
so
I
can
answer
any
questions
that
come
through
from
from
anybody
in
the
in
the
audience
who's
watching.
If
I'm
looking
this
way,
it's
because
I'm
looking
at
the
screen
and
we're
we're
dialed
in
and
we're
playing
in
the
products.
I
just
want
you
to
know.
If
you
see
me
bouncing
between
this,
because
I'm
trying
to
be
attentive
to
everyone's
needs.
So,
let's,
let's
jump
in
and
start
playing.
I
want
fire
up.
A
A
As
sharing
comes
up,
I
just
want
to
shout
out:
you
know:
there's
a
couple:
people
behind
the
scenes,
helping
orchestrate
all
this
and
get
it
going
taran
with
our
with
our
developer
marketing
team
and
then
michael,
who
leads
up
our
developer
advocacy
team.
So
thanks
taren,
michael
for
always
helping
me
look
as
best.
I
can
it's
a
huge
challenge
and
you
do
it
really
well.
So
thanks
a
lot
guys,
all
right,
so
here
we're
in
our
ui.
I
go
ahead
and
do
so.
I
use
a
lot
of
aliases.
So
I'm
sorry
for
that.
A
It's
just
how
how
I
roll
kgp
is
cube.
Control
get
pods,
we'll
do
get
pods
all,
so
we
can
see
kind
of
the
lay
of
the
land
for
our
for
our
cluster.
Here
I've
got
kuma
up
and
running,
we'll
go
ahead
and
pop
into
that.
I'm
actually
going
to
use
a
separate.
A
Tab
just
to
break
down
what
we're
doing
here,
we're
using
cube
control
to
port
forward
into
the
kuma
system,
name
space
and
we're
going
to
hit
the
actual
control
plane
service
that
control
plane.
We
talked
I
kind
of
broke
this
down
some
other
videos,
but
quick,
just
recap
on
it
in
service
measure.
We
talk
about
a
lot
about
control,
plane
versus
data
plane,
control
plane
is
where
administrators
and
operators
interact
with
the
service
mesh
platform.
It's
also
where
policies
are
pushed
down
to
data
planes,
data
planes
handle
user
traffic
and
communication
within
the
mesh.
A
So
there's
a
big
difference
there
between
how
control
planes
work
and
data
planes
work.
We
use
envoy
as
our
data
plane,
so
we're
pushing
configurations
into
envoy
and
letting
envoy
handle
user-to-user
communication
within
service-to-service
communications.
A
better
way
to
say
it
within
the
service
mesh
control
plane
is
how
we
orchestrate
those
configurations.
A
You
know
all
of
the
meshes
typically
work
on
a
control
plane
versus
data
plane
model.
A
lot
of
the
differences
you
see
in
service
meshes
comes
down
to
how
that
control
plane
is
implemented.
So
we
focus
on
a
couple
of
things
specifically
in
our
control
plane,
things
like
multi-cloud,
you
know
operator
experience.
How
do
we
make
it
a
platform
that
you
can
get
up
and
running
with
quickly?
All
that
goes
into
how
do
we
push
configs
into
the
data
plane
so
that
you
can
actually
consume
them?
A
A
And
we
are
into
the
ui
so
running,
kuma
1.2.1-
that
was
a
new
release
that
just
came
out
last
week
a
couple
of
fixes
in
there.
We
also
did
a
live
stream
about
two
weeks
ago.
Three
weeks
ago,
where
we
kind
of
featured
all
of
the
1.2
features
we're
going
to
touch
on
quite
a
few
of
those
today
also
and
revisit
them
a
couple
things
just
to
call
out
high
level
stuff
that
we
broke
down
in
the
other
stream.
A
A
That
might
be
a
some
form
of
a
a
zone
right,
it's
a
place
where
workloads
live
so
we're
doing
standalone
mode
in
a
couple
of
weeks,
we're
going
to
dive
into
multi-cluster
and
we're
going
to
start
playing
with
multiple
zones
in
the
same
service
mesh
right
now,
we've
got
one
zone.
Our
zone
control
plane
is
running
version
1.2.1,
which
is
the
version
of
kuma
we're
playing
with
no
services.
No
data
planes,
no
envoys,
no
proxies.
Yet
it's
a
pretty
pretty
empty
environment.
A
We
have
the
ability,
out
of
the
box
to
be
very
multi-tenant
in
kuma
and
kong
mesh,
so
we
had
the
ability
to
you
know
I
mentioned
earlier.
Taran
and
michael
are
on
the
call
with
me.
If
I
was
a
mesh
administrator,
I
might
create
tearing
her
own
her
own
virtual
mesh.
I
might
create
michael's
own
virtual
mesh.
We
could
all
have
independent
configurations.
Independent
policies
applied
really
operating
under
that
same
mesh,
so
we
focus
a
lot
on
making
multi
multi-tenancy
a
consumable
thing
in
in
service
mesh.
A
So
that's
a
big,
a
big
thing
that
we
care
a
lot
about.
So
when
I'm
looking
at
this
mesh
here,
I'm
seeing
that
this
mesh
is
set
up,
mtls
is
disabled.
All
of
these
features
are
disabled.
We're
going
to
turn
some
of
those
on
today,
so
we
can
play
with
traffic
permissions,
so
mtls
will
go
on
right
now.
We
just
got
the
default
policy
there.
A
So,
let's
get
started.
Let's
deploy
out
our
application
again
and
get
things
rolling,
but
first
I
want
to
start
highlighting
some
of
the
new
things
that
we
added
recently.
If
I
switch
back
into
the
cli
and
I'm
going
to
make
sure
kuma
control
version
cool.
So
I'm
running
the
kuma
control
version
1.2.1,
which
has
all
the
new
new
hotness
new
features
in
it
out
of
the
gate,
I'm
going
to
install
our
kong
gateway
so
that
we
have
kind
of
an
ingress
path
to
get
to
our
application.
A
A
So
what
I
get
output
here
is
effectively
the
yaml
which
we're
not
going
to
decompose
in
this
call,
but
I
get
the
full
yaml
of
what
this
deployment
actually
does
in
the
in
the
environment.
So
what
we're
doing
is
we're
spinning
up
the
kong
proxy,
we're
spinning
up
the
ingress
controller
and
then
we're
setting
up
side
car
just
different
configurations
within
so
once
again
I'll
run
that
command
this
time,
I'm
going
to
pipe
it
into
view,
control,
apply
and
let
it
deploy
into
the
environment.
A
If
I
do
now
don't
get
pods
all
we
can
see
that
coming
up,
I'm
going
to
spend
a
few
minutes
explaining
kind
of
what's
happening
here,
mostly
because,
if
I
go
in
and
do
a
cube
control
get
services
all
we
see
this
address
here.
This
is
going
to
take
a
little
while
to
come
back
up
at
aws.
Elastic
load.
Balancers
are
heavy.
They
take
a
little
while
to
fully
register
with
route53.
Aws
is
a
dns
provider,
so
it
takes
a
little
while
for
us
to
be
able
to
access
it.
A
I
need
to
take
this
feedback
that
I'd
love
to
see
a
refresh
button,
so
I
might
you
know,
would
be
really
cool.
Is
that
if
you
have
any
feelings
like?
Would
you
like
to
see
a
refresh
button
on
the
overview
page
so
that
these
values
update,
like
I
think,
that's
a
cool
feature-
it'll,
be
a
cool
like
nice
little
quality
of
life?
A
If
you
think
that'd
be
interesting,
drop
a
comment
and
let
us
know
if
you
think
that
would
have
any
use
to
it
to
refresh
this
page
without
having
to
just
toggle
between
either
way
we
see
a
data
plane
proxy
online.
If
I
click
on
this,
we
can
see
kong
ingress.
This
is
registered.
Green
typically
means
good
things,
so
we
can
see
it's
connected
in
the
environment,
something
I
love.
That's
like
a
small
feature
that
we
do
inside
of
inside
of
kum
and
kong
mesh.
I've
worked
with
several
service
meshes
over
the
years.
A
I
love
that
we
show
the
updates
that
are
coming
in
to
that
to
that
data
plane
object,
because
that,
as
for
me
as
like
an
operator
that
tells
me
that
things
are
happening
and
it
might
not
be
working,
it
might
not
be
doing
all
the
things
I
want
it
to.
But
if
I'm
seeing
this
total
updates
number
go
up,
I
know
it's
getting
configurations
from
this
from
the
control
point.
So
it's.
B
A
If
I
go
into
gateway,
we
can
see,
I
have
a
gateway
configured
now,
as
I
mentioned
before,
we
deploy.congress
controller,
this
gateway,
it
has
what's
called
gateway
mode,
enabled
gateway
mode
enabled
means
it's
turning
off
the
external
envoy
listener.
This
is
a
really
complicated
concept
to
break
through
when
we
we
attach
a
sidecar
to
a
application
inside
of
kubernetes.
A
It's
a
really
powerful
feature.
If
you
don't
want
to
use
khan
gateway
or
kong
ingress
controller,
why
would
you
want
to
do
that?
Why
wouldn't
you
want
to
use
khan
gateway,
but
all
jokes
aside,
really
powerful
feature
for
integrating
with
other
systems.
In
this
case,
it's
tied
in
gateway
mode's
on.
I
can
hit
this
this
proxy
as
soon
as
the
load.
Balancer
comes
all
the
way
up,
go
ahead
and
get
our
application
deployed.
A
Now,
I'm
going
to
hop
into
the
actual
configuration
for
that
app
and
just
talk
through
a
couple
of
quick,
quick
things,
we're
creating
a
namespace,
I'm
just
calling
it
kong
not
for
any
reason,
kong
we're
turning
on
sidecar
injection
enabled,
which
means
any
pod
deployed
into
this
name.
Space,
is
going
to
get
that
sidecar.
A
This
config
map
down
here
is
just
a
bunch
of
application.
Configs
for
the
app
I
wrote,
there's
nothing
special
about
about
kong
on
there,
with
the
exception
of
these
values.
Here,
where
I'm
using
this
dot
mesh
address,
we
use
a
form
of
dns
we've
core
dns
inside
of
inside
of
our
clusters
to
send
traffic
that
has
a
dot
mesh
address
through
onvoice.
This
is
how
we
kind
of
enforce
that
envoy
should
be
used
for
communication
inside
of
inside
of
the
mesh.
A
It's
going
to
try
it's
going
to
send
traffic
through
that
when
you
use
that
dot
mesh
address,
especially
for
systems
that
are
going
outside
of
your
local
zone.
If
I
was
just
if
I
was
working
in
single
zone,
which
I
am
here
and
I
took
off
dot
dot
mesh,
it
would
still
work
it
would
go
through
envoy
still
because
the
single
zone,
I
tend
to
default,
to
doing
dot
mesh
just
to
always
send
it
through
whether
it's
multi-cluster
or
not.
A
You
don't
need
to
have
the
dot
mesh
there
in
a
single
zone
configuration
I
just
I
have
it.
There
doesn't
hurt.
So
that's
important
thing
to
know.
We
added
functionality
in
1.2
to
where
dns
is
always
turned
on.
You
used
to
have
to
do
a
kuma
control,
install
dns
to
turn
that
on
then
thems
days
are
gone
rest.
This
is
just
configs
for
the
app
nothing
terribly
special.
A
A
couple
of
things
in
here.
That'll
come
up
later.
I
have
some
prometheus
configs
here.
Those
are
gonna
tell
prometheus
to
scrape
this
pod
for
metrics.
When
I
do
observability
down
the
road.
I
just
leave
that
on
for
for
grins,
I've
got
some
service
configurations
here,
I'm
telling
on
I'm
telling
kuma
that
this
is
an
http
service.
So
this
lets
us
turn
on
what
are
called
the
layer.
Seven
features.
A
Typically,
by
default,
communication
is
just
based
on
tcp,
so
it's
like
hey.
Are
you
there
yeah,
I'm
there,
let's
send
traffic
back
and
forth
when
we
turn
on
that
http
functionality
we're
able
to
start
looking
at
the
context
of
the
request
coming
through
that
http
listener
is
on
online
and
it's
looking
for
http
traffic.
You
wouldn't
want
to
turn
this
on
for
a
database
right,
because
the
database
is
only
going
to
answer
on
a
tcp
connection.
It
just
won't
work
right.
A
So
in
this
case
our
front
end
is
a
react
based
front
end.
We
want
it
to
be
an
http
service.
We
want
to
be
able
to
get
tracing
out.
We
want
to
be
able
to
use
the
layer,
7
routing
features,
so
we're
turning
this
on
via
an
annotation.
That's
the
only
thing
that's
worth
mentioning
again.
Our
api
is
an
http
service,
we're
turning
it
on
there
as
well.
A
A
Awesome,
hi,
matt.
I
see
your
question
there.
Do
we
have
an
example
on
how
to
communicate
between
meshes?
Absolutely
that's
not
in
this
stream.
We
are
going
to
cover
that
in
a
couple
a
couple
of
weeks,
but
I
can
answer
that
very
very
quickly,
as
this
stuff
is
coming
online
and
you'll
see
a
live
demo
of
that
a
little
little
ways
down
the
road
when
we
when
we
get
there,
so
you
heard
me
talking
just
a
moment
ago
about
that
about
that
dot
mesh
address
on
the
end
of
this.
A
What
ends
up
happening
if
we
have?
So,
let's
pretend
for
a
second
that
we
have
two
clusters.
We
have
an
amazon,
eks
cluster
and
an
azure
aks
cluster.
We've
joined
these
in
a
global
service
mesh.
We
have
a
global
control
plane
where
these
two
meshes
are
joined
to
that
the
envoys
or
the
the
sidecars
between
those
environments
are
going
to
look
for
something
called
a
zone
ingress
that
zone
ingress
is
a
mesh
wide
concept
that
lives
inside
of
those
environments
and
acts
as
a
front
door.
A
For
mesh
communication,
so
I,
as
a
user,
can't
connect
to
that
zone
ingress
and
hit
a
service.
But
what
will
work
is
when
this
the
mesh
tries
to
hand
off
traffic?
So
I
have
my
front
end
and
eks,
and
my
api
and
aks
when
my
front
end
goes
to
talk.
It
will
actually
reach
out
to
the
zone
ingress
in
the
aks
environment
and
that
will
then
hand
off
that
is
enabled
by
using
that
dot
mesh
address.
A
So,
as
systems
come
online,
they
report
up
to
their
zone
control
planes
and
their
zone
control
planes
send
that
up
to
the
global
control
plane,
the
global
control
plane
keeps
track
of
where
everyone's
at
understands,
like
the
post
office
right,
it
understands
how
to
put
things
on
a
truck
and
get
it
to
your
actual
house.
That's
what
that
global
control
plan
is
doing
so
the
letter
goes
out
from
your
house
goes
to
your
local
post
office.
Your
local
post
office
says
yeah.
A
I
know
where
I
know
where
this
person
lives
I'm
going
to
send
this
over.
Here
they
go
to
your
their
local
post
office
and
then
hands
off
to
to
actual
service.
Again,
that's
enabled
from
a
technical
perspective,
that's
enabled
by
turning
on
mtls,
so
you
will.
First,
you
have
to
set
up
the
global
the
global
service
mesh,
so
you
build
a
control
plane,
build
two
remote
control.
Planes
connect
them
all
together.
Just
maybe
four
commands
total
four
or
five
commands
total.
A
You
turn
on
mtls.
We
turn
on
mtls,
because
that
gives
us
the
sni
header
that
lets
the
mesh
know
where
traffic
needs
to
go
when
you've
deployed
those
meshes.
You've
turned
on
a
flag
that
says
ingress
enabled
and
that's
going
to
turn
on
the
zone
ingresses
and
then
by
making
sure
your
application
is
configured
to
use
this
dot
mesh
address
sends
that
traffic
back
through
the
mesh
and
over
over
those
zone
ingresses.
A
So
we'll
do
that
hands-on
again
like
next
time
or
not
next
time,
but
either
next
time
or
the
time
after
that,
but
at
a
high
level.
I
think
that
that
explains
it.
If
you
have
more
questions
on
it,
you
want
to
unpack
it
more
drop.
Those
in
the
comments
we'll
we'll
diet,
we'll
dive
deeper
on
that
in
this,
we
should
have
time
to
very
easily
cover
that
as
well.
A
A
We
have
our
ingress
gateway
here,
we'll
hit
this
address.
I
hope
that
showed
up
on
another
screen
unintentionally,
so
I'm
gonna
cycle
this
and
drag
this
over.
So
we
can
see
it
here
now.
This
is
not
going
to
work
just
to
just
a
spoiler
alert
a
little
bit.
If
I
go
advanced
and
tell
chrome
that
I
trust
this
anyways
no
route
match
these
values.
I
haven't
configured
the
ingress
to
use
to
reach
out
to
anything.
Yet
the
ingress
is
just
there.
A
I've
got
these
stashed
away
over
here.
There's
two
things:
you
need
when
you're
configuring,
the
kong
ingress
controller
to
work
with
within
a
within
the
surface
mesh.
You
need
to
create
a
kubernetes
entry
file
or
an
entry
or
kubernetes
entry
that
will
point
it
at
the
the
mesh
configuration.
So
it's
saying,
hey,
go
talk
through
talk
through
the
service
mesh
in
this
case,
so
it's
saying
talk
to
the
front
ends
mesh
address,
so
we're
gonna
go
ahead
and
create
that.
A
A
A
A
So
the
way
this
application
works-
and
I
got
this
feedback
from
the
previous
session-
that
we
kind
of
went
through
this
and
had
no
one
had
any
idea
how
the
application's
configured
to
work.
So
it's
like
the
context,
gets
kind
of
lost
good
feedback.
So
I
want
to
step
through
kind
of
what's
happening
here.
So
this
is
the
react
based
frontend
application,
so
react.js
just
a
popular
web
framework,
it's
hosted
in
an
nginx
container
that
nginx
container
has
several
reverse
proxies
configured
in
it
that
are
pointing
to
other
backend
systems.
A
B
A
A
When
they
go
to
post
it
uses
the
post
service,
there's
a
websocket
running
to
show
the
the
actual
web
service
information
or
and
outside
the
web
service
information
the
posts
in
the
chat
that
shows
up
the
message
board
that
shows
up
inside
of
there
and
that's
continuously
pinging,
that
that
post
service
for
updates
or
receiving
updates
from
that
post
service,
which
is
in
turn
getting
it
from
postgres.
So
it's
kind
of
a
five-tier
application
that
shows
communication
across
the
board.
A
A
A
B
A
A
We're
doing
is
updating
the
mesh
crd
with
these
values,
so
we're
turning
on
mtls
we're
telling
it
the
name
of
the
backend,
giving
it
the
details
of
that
back-end
expiration
dates,
configuration
items
so
as
soon
as
I
apply
this
file.
A
A
We
can
verify
this
by
going
into
the
ui
once
again
hitting
meshes
and
we
can
see.
Mtls
is
now
enabled
in
this
environment.
You
can
see.
I
have
commented
out
in
that
file
some
tracing
configurations.
If
we
had
the
metric
stuff
installed
right
now,
we
could
turn
those
on
as
well.
Obviously
we're
gonna
get
to
that
at
a
later
date,
so
that
stays
disabled
for
the
time
being
so,
mtls
is
on
in
the
environment,
we're
good
to
go
on
that
front.
Let's
start
playing
with
some
traffic
permissions.
A
A
Out
that
entirely,
that
is
not
the
right
way
to
do
it.
My
brain
wasn't
firing
right
that
day
what
we
want
to
do,
because
if
we
go
in
and
we
look
at
the
the
traffic
permission
policy
by
default,
we
create
an
allow
all
so
that
you,
we
don't
disrupt
traffic.
So
if
I
go
back
into
the
app
everything's
talking,
life
is
great
for
the
record.
If
anybody
wants
to
post
the
user
and
password
is
admin
admin,
so
it's
not
anything
terribly
secret,
so
you
can
go
in
and
mess
around
with
that.
A
A
Things
aren't
working
anymore
if
we
try
to
go
in
and
look
at
configurations,
those
configurations
are
not
registering
because
traffic
is
blocked.
So
now
the
local
envoy,
sidecars,
don't
know
about
each
other
anymore,
because
they're
not
getting
the
right
filter
applied
to
get
communication
data,
so
we're
disconnected
life
is
sad
if
we
were
looking
in
the
chat
or
in
the
console
logs
for
this
we'd
see
a
ton
of
a
ton
of
502
errors
where
things
just
aren't
working
and
we're
getting
bad
requests.
A
So
let's
do
things
the
what
I
call
the
the
old
way,
which
is
where
we
apply
a
set
of
permissions
based
on
service
name.
We
go
in.
We
take
a
look
at
our
standard
proxies.
We
can
see.
We
have
these
different
service
names
for
each
of
these
services,
so
posts
service
underscore
kong
underscore
service
5000..
A
What
this
breaks
down
to
is
the
name
of
the
service,
the
name
space,
it's
in
svc
for
service
and
then
the
port
that's
used.
That
name
is
automatically
generated,
so
we
can
use
that
to
kind
of
go
through
and
start
to
configure
out
how
these
work.
It's
important
to
think
about
the
architecture
that
we're
working
with
here,
though,
right
before
we
get
started,
the
traffic
goes
from
the
front
into
the
api.
However,
there's
a
key
part
there
to
remember:
we
installed
an
ingress
gateway,
so
traffic
is
actually
coming
from
user
into
the
ingress
gateway.
A
B
A
B
A
A
A
A
A
Are
you
building
out
our
policies
while
we
wait
for
this
to
to
refresh,
I
think
that
my
little
internet
drop
there
has
had
some
some
impacts
impacts
downstream.
So
what
I'm
gonna
do
now?
Is
I'm
gonna
copy
out
and
create
another
version
of
this
of
this
file,
so
we'll
go
copy
traffic
permissions.
A
What
we'll
do
is
we'll
call
this
next,
one
which
will
do
is
we'll
go,
got
a
folder
for
these.
B
A
B
A
I
should
see
80.
make
sure
that
I
have
the
service
name
there.
A
A
A
We
can
actually
see
kind
of
the
live
configuration
of
of
envoy
by
curling
the
local
host
99901
and
hitting
the
clusters
api.
So
we
can
see
this
is
the
service
name,
that's
there.
So
it
knows
about
this
service.
Now
the
front
end
does
but
you'll
see
like
nothing
else
is
showing
up
in
here.
Actually
user
was
showing
up
there,
so
that's
good
to
see,
and
then
we
can
see
the
front
end
service
as
well,
so
things
are
showing
up.
That's
a
good,
a
good
sign.
A
A
That
traffic
permission
policy
hasn't
hasn't,
kicked
in
yet,
which
is
a
strange
one.
Oh
that's
weird.
We
have,
I
see
what
I
did
wrong.
I
didn't
rename
the
file.
B
B
B
A
A
A
Give
me
5432,
which
is
going
to
give
me
the
postgres
communication.
Then
I
need
to
do
another
one
for
or
the
post
api
to
the
redis
database
as
well,
so
I'll
go
and
apply
that
one
as.
A
A
A
What
I
wanted
to
show
at
the
end
of
this
was
like
we
can
do
traffic
commissions
in
this
way,
where
we're,
where
we're
going
through
individually
and
creating
service
to
service,
to
service
to
service.
That's
one
path
to
do
this.
Another
path
is
for
us
to
look
at
using
some
of
the
new
functionality.
We've
added
in
the
most
recent
release,
where
we
can
start
to
do
traffic
permissions
off
of
other
characteristics
of
the
application.
A
For
example,
we
can
use
these
labels,
so
you
can
see
I've
labeled
all
of
these
with
group
demo
app
as
a
as
a
value
on
on
these.
If
I
go
in
and
run
that
same
command
against
the
local
against
the
local
pod
against
certs.
A
These
are
all
things
that
we
can
key
that
those
policies
off
of
for
for
communication,
so
I
can
do
group
demo
out
or
kuma
io
group
demo
app
as
a
as
a
valid
a
valid
policy
or
valid
source
and
destination.
Rather
so
what
I'm
actually
going
to
do
now,
I'm
going
to
edit
that
other
policy
that
I
created
that
permission
step
by
step,
I'm
going
to
create
a
new
one,
but
we'll.
A
Switch
back
in
and
we're
going
to
use
group
group
demo
app
instead.
A
A
B
B
A
A
Let's
go
check
out
the
traffic
permissions
real
quick.
This
is
the
fun
of
fixing
something
live,
let's
refresh
just
to
make
sure
we're
getting
the
most
recent
config
proxy
kuma
gateway
service,
80
and
there
allow
demo
app
is
match.
Group
demo
app
to
group
demo,
app
might
not
be
group,
might
be
kuma,
kumar
or
kuma
group
that
I'm
doing
wrong
there.
B
C
A
A
The
trap
permissions
are
tied
to
the
cert
configuration,
so
in
this
case
I
think
it
does
need
to
be
kuma
kuma,
slash
group
in
order
for
it
to
actually
work,
although
it's
kind
of
strange,
because
these
ones
would
be
kumaio
service,
so
it
should
actually
just
be
grouped
now
that
I'm
thinking
about
it
again,
it's
a
weird
inconsistency.
A
B
A
B
Let's
go
double
check
this
style,
real,
quick.
B
A
All
right,
so
we
are
reaching
through
right
now
it's
showing
down
because
the
database
traffic's
down,
but
this
path
goes
through
the
api
or
the
api
to
post.
So
we
are
communicating
successfully
between
so
the
traffic
permission
is
working
now,
so
let's
go
permission
step
by
step
users,
which
is
the
wrong
name,
but
we're
in
it.
Now.
B
B
B
B
A
A
Gateway
up
and
running,
sending
traffic
run
in
going
to
the
post
service
post
going
to
the
database
live,
looks
good.
There
database
is
up,
so
we
see
that
changed.
I
think
we're
in
business
now
cool,
so
the
first
part
is
up.
We
should
do
one
more
and
we
can
have
the
user
service
up
and
life
will
be
we'll,
be
good
and
we'll
be
back
on
track.
A
B
A
Any
moments
that
should
pop
up
actually,
I
need
to
do
one
more
permission
for
users
going
to
postgres
in
order
for
that
to
pop
up
correctly.
But
if
we
come
up
here
and
we
do
api,
slash
user
db,
we're
able
to
communicate
with
it
so
we're
getting
to
the
api.
It's
just
the
database
is
down.
So
if
we
do
one
more,
thank
you
for
going
on
this
journey
with
me
and
we
go
that
one
and
we
call
it
user
database
dot.
A
A
Kind
of
flaked
for
a
few
as
everything
kind
of
reconciles
back
across
across
like
those
different
permissions.
So
that's
just
a
little
bit
of
a
false
negative
there
it's
more
of
a
ui
problem
than
a
communication
problem,
but
if
we
come
in,
we
can
see
we're
now
getting
connectivity
all
the
way
through.
So
that's
a
good
sign.
A
A
All
these
all
show
up
as
as
crds
individually
in
that
environment,
so
we're
cruising
up
on
end
of
time,
so,
unfortunately,
I'm
not
going
to
be
able
to
get
to
actually
setting
up
some
of
the
traffic
policies
we
want
to
touch
on
so
we'll
have
to
cover
those
next
time
and
the
next
time
we'll
also
show
how
we
can
move
to
that
tag
model
where
we're
using
kind
of
one
tag.
Let's
us
logically
group
applications
better
together
and
traffic
traffic
in
traffic
permissions.
A
Words
are
hard,
so
we
had
a
little
bit
of
a
learning
experience
on
this
one
as
we
as
we
corrected
some
policies
that
were
named
poorly
on
the
fly.
So
that's
my
apologies,
but
it's
good
to
have
these
things
fail,
live
and
you
get
to
walk
through
and
troubleshoot.
Why
they're,
not
working
and
and
fix
them.
So
next
time
again,
we'll
come
back
in
we'll
group.
These
up
we'll
show
how
you
can
use
these
labels
in
kuma
and
kong
mesh
to
group
things
together,
so
it
makes
it
easier.
A
From
my
perspective,
when
you
say
hey,
these
are
all
part
of
the
same
demo
app.
They
should
just
all
be
able
to
talk
to
each
other
and
then
the
gateway
handles
communication
inbound.
So
that's
something
we'll
we'll
handle
we'll
handle
next
time
when
we
come
back
in
in
two
weeks.
So
I
want
to
pause
now
with
about
five
minutes
left
and
answer
kind
of
questions
that
come
up
in
in
the
comment
section.
So
any
any
questions
from.
A
A
I
mean
it
is
on
anything
at
all
any
anything,
kuma
kong
mesh
related,
that's
outside
of
or
that
even
outside
of
this.
This
walk
through
that
we
did
here
today.
A
Nothing
going
once
going
twice
all
right
everyone.
Then
we
are
going
to
sign
off
on
this
one
next
time
I
promise
we
will
get
much
further
much
faster,
so
I
appreciate
you
coming
to
hang
out
with
me
on
a
friday.
I
hope
everyone
has
a
great
weekend
if
you're
in
california
stay
out
of
the
heat
it's
miserable
out
here.