Managing Meshes with kubectl

With the kubectl command you can create, update, move, list, view, and delete a mesh. The following topics detail how to manage these operations with kubectl.

Required IAM Policy for a Mesh

To use a mesh, an administrator must grant you the required type of access in a policy (IAM). Whether you're using the Console, the REST API with an SDK, the CLI, Kubernetes kubectl, or other tool, the correct permissions are required.

When an action produces a permission denied or unauthorized message, confirm your policy settings with your administrator. The administrator must ensure that the correct type of access is granted and the correct compartment is specified.

For example, to allow users in the group MeshAdmins to create, update, and delete all meshes in the compartment sales-app:

Allow group MeshAdmins to manage service-meshes in compartment sales-app

For Service Mesh IAM policy reference details for each resource, see: Service Mesh IAM Policies.

For a step-by-step guide to set up all the required IAM policies for a Service Mesh, see: Set up Policies required for Service Mesh

Viewing Kubernetes Configuration Options for Meshes

You can view the Kubernetes CLI Mesh YAML configuration options by displaying the Custom Resource Definition (CRD). Use the following command:

kubectl get crd -o yaml

In the CRD, you see the fields used in a YAML configuration file under spec:schema:openAPIV3Schema:properties:spec. CRD output also includes information about field types, ranges, and limits. The following section provides an example of a YAML configuration file.

Creating a Mesh

To create a Mesh, use the kubectl apply command. For example:

kubectl apply -f mesh.yaml
Sample mesh.yaml
kind: Mesh
  name: <meshName>  # Name of the mesh
  namespace: <k8sAppNamespace>
  displayName: <yourDisplayName>  # UI DisplayName of the mesh
  description: <description>
	- id: ocid1.certificateauthority.oc1...
    minimum: PERMISSIVE


Refer to Service Mesh Kubernetes Resource Conditions for details on Service Mesh Kubernetes custom resource statuses.


  • <name>: The name of the new mesh. You can change the value after creation. The name must start with a letter or underscore, followed by letters, numbers, hyphens, or underscores. Length can be 1–255 characters. Avoid entering confidential information.
  • <description> The description of the mesh. Avoid entering confidential information.
  • <compartmentId>: the OCID of the compartment to which the new mesh belongs.
  • <certificateAuthorities> (immutable): an array of certificate authorities used for creating leaf certificates.
    • id: the OCID of the certificate authority.
  • <mtls> (optional): set the mTLS authentication minimum mode between service communications within the mesh. Child resources mTLS authentication must meet this minimum mode.

    • <minimum>:
      • DISABLED: Accept raw TCP traffic. No minimum virtual services or ingress gateways within this mesh can use any mTLS authentication mode.
      • PERMISSIVE: Accept both mTLS and raw TCP traffic. Virtual services and ingress gateways within this mesh are either PERMISSIVE or STRICT modes.
      • STRICT: Accept mTLS traffic. All virtual services and ingress within this mesh must use STRICT mode.

      For more information on using mTLS on Service Mesh, see Using mTLS with Service Mesh.

Updating a Mesh

To update a mesh with kubectl:

  1. Change the existing YAML configuration file for the mesh as needed.
  2. Save the file.
  3. Run the apply command again:

    kubectl apply -f mesh.yaml

Moving a Mesh

To move a mesh to a different compartment:

  1. Update the compartment OCID to the value of the target compartment in the existing YAML configuration file for the mesh.
  2. Save the file.
  3. Run the apply command again:

    kubectl apply -f mesh.yaml

Listing Meshes

To get a list of meshes in your namespace, use the following command:

kubectl get meshes -n <namespace>

Getting Mesh Details

To view the details of a specific mesh in your namespace, use the following command:

kubectl describe mesh <name> -n <namespace>

Deleting a Mesh

To delete a specific mesh in your namespace, use the following command:

kubectl delete mesh <name> -n <namespace>

If any child resources exist in the mesh, for example access policies, ingress gateways, or virtual services, the delete operation fails.

Deleting a Kubernetes namespace in which you created mesh resources doesn’t result in the deletion of your mesh resources. Instead, delete your mesh child resources and then delete your mesh before you delete your Kubernetes namespace.