Protocol support in Kuma

At its core, Kuma distinguishes between the following major categories of traffic: http, grpc, kafka and opaque tcp traffic.

For http, grpc and kafka traffic Kuma provides deep insights down to application-level transactions, in the latter tcp case the observability is limited to connection-level statistics.

So, as a user of Kuma, you’re highly encouraged to give it a hint whether your service supports http , grpc, kafka or not.

By doing this,

On Kubernetes, to give Kuma a hint that your service supports HTTP protocol, you need to add an appProtocol to the k8s Service object.

E.g.,

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: web
  5. namespace: kuma-example
  6. spec:
  7. selector:
  8. app: web
  9. ports:
  10. - port: 8080
  11. appProtocol: http # let Kuma know that your service supports HTTP protocol

On Kubernetes, to give Kuma a hint that your service supports HTTP protocol, you need to add a <port>.service.kuma.io/protocol annotation to the k8s Service object.

E.g.,

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: web
  5. namespace: kuma-example
  6. annotations:
  7. 8080.service.kuma.io/protocol: http # let Kuma know that your service supports HTTP protocol
  8. spec:
  9. selector:
  10. app: web
  11. ports:
  12. - port: 8080

On Universal, to give Kuma a hint that your service supports the http protocol, you need to add a kuma.io/protocol tag to the inbound interface of your Dataplane.

E.g.,

  1. type: Dataplane
  2. mesh: default
  3. name: web
  4. networking:
  5. address: 192.168.0.1
  6. inbound:
  7. - port: 80
  8. servicePort: 8080
  9. tags:
  10. kuma.io/service: web
  11. kuma.io/protocol: http # let Kuma know that your service supports HTTP protocol

HTTP/2 support

Kuma by default upgrades connection between Dataplanes to HTTP/2. If you want to enable HTTP/2 on connections between a dataplane and an application, use kuma.io/protocol: http2 tag.

TLS support

Whenever a service already initiates a TLS request to another service - and mutual TLS is enabled - Kuma can enforce both TLS connections end-to-end as long as the service that is generating the TLS traffic is explicitly tagged with tcp protocol (ie: kuma.io/protocol: tcp).

Effectively kuma-dp will send the raw original TLS request as-is to the final destination, while in the meanwhile it will be enforcing its own TLS connection (if mutual TLS is enabled). Hence, the traffic must be marked as being tcp, so kuma-dp won’t try to parse it.

Note that in this case no advanced HTTP or GRPC statistics or logging are available. As a best practice - since Kuma will already secure the traffic across services via the mutual TLS policy - we suggest disabling TLS in the original services in order to get L7 metrics and capabilities.

Websocket support

Kuma out of the box support’s Websocket protocol. The service exposing Websocket should be marked as tcp.

As Websockets use pure TCP connections under the hood, your service have to be recognised by Kuma as the TCP one. It’s also the default behavior for Kuma to assume the service’s inbound interfaces are the TCP ones, so you don’t have to do anything, but if you want to be explicit, you can configure your services exposing Websocket endpoints with appProtocol property. I.e.:

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: websocket-server
  5. namespace: kuma-example
  6. spec:
  7. selector:
  8. app: websocket-server
  9. ports:
  10. - port: 8080
  11. appProtocol: tcp
  1. type: Dataplane
  2. mesh: default
  3. name: websocket-server
  4. networking:
  5. address: 192.168.0.1
  6. inbound:
  7. - port: 80
  8. servicePort: 8080
  9. tags:
  10. kuma.io/service: websocket-server
  11. kuma.io/protocol: tcp