Package :

VirtualMeshSpec

Field | Type | Label | Description
displayName | string | | User-provided display name for the virtual mesh.
meshes | | repeated | The meshes contained in this virtual mesh.
certificateAuthority | VirtualMeshSpec.CertificateAuthority | | How the root certificate for this virtual mesh is obtained: auto-generated (builtin) or supplied by the user (provided).
federation | VirtualMeshSpec.Federation | | Federation settings for the virtual mesh; see VirtualMeshSpec.Federation.Mode.
shared | VirtualMeshSpec.SharedTrust | | Use the shared trust model (one root certificate and one identity model across all meshes). Choose either shared or limited.
limited | VirtualMeshSpec.LimitedTrust | | Use the limited trust model (clusters are bridged through their ingress/egress gateways). Choose either shared or limited.
enforceAccessControl | VirtualMeshSpec.EnforcementPolicy | | Whether traffic within the virtual mesh is denied by default unless explicitly allowed through AccessControlPolicies.


VirtualMeshSpec.CertificateAuthority

Set one of the following.

Field | Type | Label | Description
builtin | VirtualMeshSpec.CertificateAuthority.Builtin | | Use an auto-generated root certificate.
provided | VirtualMeshSpec.CertificateAuthority.Provided | | Use a user-provided root certificate.


VirtualMeshSpec.CertificateAuthority.Builtin

Configuration for an auto-generated root certificate unique to the VirtualMesh. The certificate uses the X.509 format (RFC 5280).

Field | Type | Label | Description
ttlDays | uint32 | | Number of days before the root certificate expires. Defaults to 365. Every identity in the virtual mesh chains to this root, so plan to rotate it before the TTL elapses.
rsaKeySizeBytes | uint32 | | Size of the root certificate's private key. Defaults to 4096. A value of 4096 matches the conventional RSA modulus size in bits, not bytes; confirm the unit against the running version before setting a non-default value.
orgName | string | | Root certificate organization name (the O attribute of the subject). Defaults to "service-mesh-hub".


VirtualMeshSpec.CertificateAuthority.Provided

Configuration for a user-provided root certificate.

Field | Type | Label | Description
certificate | | | Reference to a Secret object containing the root certificate. Because the root is used to sign workload CSRs (see certificateStatus below), the Secret must also hold the root's private key; restrict access to that Secret accordingly.
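The two certificateAuthority options written out as VirtualMesh objects, as an added example for this page rather than a manifest taken from Service Mesh Hub's own documentation. The apiVersion, the namespace, the resource names, and the name/namespace shape of the `meshes` and `certificate` references are assumptions; the field names and defaults come from the tables above.

```yaml
# Variant 1: auto-generated root (builtin), with every Builtin field set explicitly.
apiVersion: networking.zephyr.solo.io/v1alpha1   # assumed API group/version
kind: VirtualMesh
metadata:
  name: vm-builtin-ca
  namespace: service-mesh-hub                      # assumed namespace
spec:
  displayName: "prod virtual mesh (builtin CA)"
  meshes:                                          # object references; name/namespace shape assumed
    - name: istio-istio-system-cluster-1
      namespace: service-mesh-hub
    - name: istio-istio-system-cluster-2
      namespace: service-mesh-hub
  certificateAuthority:
    builtin:
      ttlDays: 365            # page default; the root must be rotated before this expires
      rsaKeySizeBytes: 4096   # page default; 4096 is the conventional RSA modulus size in bits
      orgName: service-mesh-hub
  shared: {}                  # one root and one identity model across the listed meshes
  federation:
    mode: PERMISSIVE
  enforceAccessControl: ENABLED
---
# Variant 2: user-provided root. The referenced Secret must hold the root certificate and,
# because the controller signs workload CSRs with it, the matching private key.
apiVersion: networking.zephyr.solo.io/v1alpha1   # assumed API group/version
kind: VirtualMesh
metadata:
  name: vm-provided-ca
  namespace: service-mesh-hub                      # assumed namespace
spec:
  displayName: "prod virtual mesh (corporate root)"
  meshes:
    - name: istio-istio-system-cluster-1
      namespace: service-mesh-hub
  certificateAuthority:
    provided:
      certificate:            # reference to a Secret; the key names expected inside it are not given on this page
        name: corporate-root-ca
        namespace: service-mesh-hub
  shared: {}
  federation:
    mode: PERMISSIVE
  enforceAccessControl: ENABLED
```

With the builtin option the root key is generated and held by the control plane; with the provided option you own the key material, so RBAC on the Secret and encryption at rest for etcd become part of the mesh's trust boundary.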


VirtualMeshSpec.Federation

Field | Type | Label | Description
mode | VirtualMeshSpec.Federation.Mode | | Federation mode; see VirtualMeshSpec.Federation.Mode.


VirtualMeshSpec.LimitedTrust

Limited trust is a virtual mesh trust model that does not require all meshes to share the same root certificate or identity model. Instead, it establishes trust between meshes running on different clusters by connecting their ingress/egress gateways with a common certificate/identity. In this model a request between clusters takes the following path:

                cluster 1                                  cluster 2
client/workload <--mTLS--> egress gateway <--shared mTLS--> ingress gateway <--mTLS--> server

This approach has the downside of not maintaining identity from client to server: mTLS terminates at each gateway, so the server authenticates the ingress gateway rather than the original client, and server-side policy cannot key on the client's identity. The benefit is that additional clusters can be added to the virtual mesh ad hoc, without distributing a common root to every mesh.


VirtualMeshSpec.SharedTrust

Shared trust is a virtual mesh trust model that requires a shared root certificate, as well as a shared identity model, between all entities that wish to communicate within the virtual mesh. Because identity is carried end to end, the server can authenticate and authorize the original client workload. The best current example of this is Istio's replicated control planes multicluster model.


Status fields reported on the VirtualMesh

Field | Type | Label | Description
federationStatus | | | Status of the process writing federation decision metadata onto MeshServices.
certificateStatus | | | Status of the process signing CSRs.
configStatus | | | Overall validation status of this VirtualMesh.
accessControlEnforcementStatus | | | Status of ensuring that access control is enforced within this VirtualMesh.


VirtualMeshSpec.EnforcementPolicy

Controls whether access control is enforced by default within the VirtualMesh.

Name | Description
ENABLED | By default, disallow traffic to all Services in the VirtualMesh unless it is explicitly allowed through AccessControlPolicies (deny by default).
DISABLED | By default, allow traffic to all Services in the VirtualMesh (allow by default).
MESH_DEFAULT | The default depends on the type of service mesh: Istio does not enforce access control (equivalent to DISABLED); App Mesh does (equivalent to ENABLED).


VirtualMeshSpec.Federation.Mode

Name | Number | Description
PERMISSIVE | 0 | All services in a VirtualMesh will be federated to all workloads in that VirtualMesh.
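The trust-model and enforcement choices described above (LimitedTrust versus SharedTrust, and EnforcementPolicy), shown as a weak VirtualMesh beside a hardened one. This is an added example written for this page, not a manifest from Service Mesh Hub's own documentation; the apiVersion, namespace, resource names and the name/namespace shape of the `meshes` references are assumptions, while the field names and enum values come from the tables above.

```yaml
# Weak: gateways bridge the clusters (identity stops at the ingress gateway) and
# enforcement is left to the mesh default, which on Istio means access control is NOT enforced.
apiVersion: networking.zephyr.solo.io/v1alpha1   # assumed API group/version
kind: VirtualMesh
metadata:
  name: vm-adhoc
  namespace: service-mesh-hub                      # assumed namespace
spec:
  displayName: "ad-hoc federation"
  meshes:                                          # object references; name/namespace shape assumed
    - name: istio-istio-system-cluster-1
      namespace: service-mesh-hub
    - name: istio-istio-system-cluster-2
      namespace: service-mesh-hub
  # certificateAuthority is omitted: limited trust does not require a shared root.
  limited: {}                          # client -> egress gw -> ingress gw -> server; server sees the gateway, not the client
  federation:
    mode: PERMISSIVE                   # every service is federated to every workload in the virtual mesh
  enforceAccessControl: MESH_DEFAULT   # Istio: not enforced; App Mesh: enforced
---
# Hardened: one root and one identity model end to end, and deny-by-default enforcement
# so that a call is only allowed when an AccessControlPolicy permits it.
apiVersion: networking.zephyr.solo.io/v1alpha1   # assumed API group/version
kind: VirtualMesh
metadata:
  name: vm-shared-trust
  namespace: service-mesh-hub                      # assumed namespace
spec:
  displayName: "shared-trust federation"
  meshes:
    - name: istio-istio-system-cluster-1
      namespace: service-mesh-hub
    - name: istio-istio-system-cluster-2
      namespace: service-mesh-hub
  certificateAuthority:
    builtin: {}                        # page defaults: 365 days, 4096, org "service-mesh-hub"
  shared: {}                           # client identity reaches the server, so policy can name the caller
  federation:
    mode: PERMISSIVE
  enforceAccessControl: ENABLED        # deny unless an AccessControlPolicy allows the call
```

Note that with PERMISSIVE federation every service is reachable from every workload in the virtual mesh at the routing level; on Istio, ENABLED is what turns that reachability into deny-by-default, and MESH_DEFAULT leaves it allow-by-default.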