LatticeMeshMember
Enrolls existing Kubernetes workloads into the Lattice service mesh without converting them to LatticeService. Use this for third-party applications, legacy workloads, or infrastructure services that need mesh networking, mTLS, and policy enforcement.
group: lattice.dev version: v1alpha1 scope: namespaced
Examples
Prometheus Monitoring
prometheus-mesh-member.yaml

```yaml
apiVersion: lattice.dev/v1alpha1
kind: LatticeMeshMember
metadata:
  name: prometheus
  namespace: monitoring
spec:
  # Workload-scoped enrollment: only pods carrying app=prometheus join the mesh.
  target:
    selector:
      matchLabels:
        app: prometheus
  ports:
    - port: 9090
      name: http
      # Permissive keeps plaintext scrapes working while callers migrate to mTLS.
      peerAuth: Permissive
  allowedCallers:
    - name: grafana
      namespace: monitoring
  dependsAll: true
  serviceAccount: prometheus
```

Namespace-wide Mesh Member
legacy-mesh-member.yaml

```yaml
apiVersion: lattice.dev/v1alpha1
kind: LatticeMeshMember
metadata:
  name: legacy-apps
  namespace: legacy
spec:
  # Namespace-scoped enrollment: every pod in the legacy namespace joins the mesh.
  target:
    namespace: legacy
  ports:
    - port: 8080
      name: http
      peerAuth: Strict
  # Only egress listed here is permitted: one FQDN, one port.
  egress:
    - target:
        fqdn: api.example.com
      ports:
        - port: 443
  # Pods matched by this member may talk to each other.
  allowPeerTraffic: true
```

Spec
| Field | Type | Description |
|---|---|---|
| target | MeshMemberTarget | Target workload(s) to enroll in the mesh. |
| ports | []MeshMemberPort | Ports exposed by the workload. |
| allowedCallers | []CallerRef | Services allowed to call this member. |
| dependencies | []ServiceRef | LatticeServices this member depends on. |
| egress | []EgressRule | Egress rules for external traffic. |
| allowPeerTraffic | bool? | Allow traffic between pods matched by this member. |
| dependsAll | bool? | Allow this member to be called by all LatticeServices. |
| ingress | IngressSpec? | Optional Gateway API ingress configuration. |
| serviceAccount | string? | Kubernetes ServiceAccount name for the workload. |
MeshMemberTarget
Identifies the workload(s) to enroll. Use selector to enroll only the pods matching a label set (status.scope reports Workload), or namespace to enroll every pod in a namespace (status.scope reports Namespace). A namespace-wide member applies the same ports, peerAuth and egress rules to every pod in that namespace, so prefer a selector when the namespace mixes workloads with different exposure requirements.

| Field | Type | Description |
|---|---|---|
| selector | LabelSelector? | Label selector matching target pods. |
| namespace | string? | Target an entire namespace. |
MeshMemberPort
| Field | Type | Description |
|---|---|---|
| port | u16 | Port number. |
| name | string? | Named port reference. |
| peerAuth | PeerAuth? | mTLS peer authentication mode for this port. |
PeerAuth
Strict: Require mTLS for all connections. Plaintext connections to the port are rejected.
Permissive: Accept both mTLS and plaintext connections. A plaintext connection carries no verified peer identity, so use this mode only while callers are being migrated into the mesh, and switch the port to Strict once they are.
Webhook: Delegate authentication to a webhook.
CallerRef
| Field | Type | Description |
|---|---|---|
| name | string | Name of the calling service. |
| namespace | string? | Namespace of the calling service. Defaults to the same namespace as this member. |
EgressRule
| Field | Type | Description |
|---|---|---|
| target | EgressTarget | Egress destination. |
| ports | []PortSpec? | Allowed destination ports. |
EgressTarget
Exactly one of entity, cidr, or fqdn must be specified.
| Field | Type | Description |
|---|---|---|
| entity | string? | Cilium entity (e.g., world, cluster). |
| cidr | string? | CIDR block (e.g., 10.0.0.0/8). |
| fqdn | string? | Fully qualified domain name (e.g., api.example.com). |
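The spec tables above state several rules a manifest must satisfy (target selects by selector or namespace, an egress target sets exactly one of entity, cidr or fqdn, ports are u16, peerAuth is one of three modes) and describe settings that widen exposure (Permissive ports, namespace-wide members with allowPeerTraffic, broad egress). The following Python script is an added example, not part of the Lattice project or its controller: it applies those rules as a pre-commit check on a manifest and reports advisory findings a reviewer would raise. It assumes the manifest has already been loaded into a dict (the shape yaml.safe_load produces), rejects port 0 even though it fits in u16, and treats the lint heuristics as this example's own, not as behaviour the controller enforces. The sample manifests are constructed inline.

```python
"""Pre-commit check for LatticeMeshMember manifests (lattice.dev/v1alpha1).

Added example, not Lattice project code. validate() returns hard errors
derived from the documented spec; lint() returns advisory findings that do
not make the manifest invalid but widen its exposure.
"""

PEER_AUTH_MODES = {"Strict", "Permissive", "Webhook"}
EGRESS_TARGET_KEYS = ("entity", "cidr", "fqdn")


def _port_errors(ports, where):
    """Check a []MeshMemberPort or []PortSpec list; port 0 is rejected (assumption)."""
    errs = []
    for i, p in enumerate(ports or []):
        port = p.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errs.append(f"{where}[{i}].port must be 1..65535, got {port!r}")
        mode = p.get("peerAuth")
        if mode is not None and mode not in PEER_AUTH_MODES:
            errs.append(f"{where}[{i}].peerAuth {mode!r} not in {sorted(PEER_AUTH_MODES)}")
    return errs


def validate(manifest):
    """Return a list of hard errors; an empty list means the manifest is well formed."""
    errs = []
    if (manifest.get("apiVersion"), manifest.get("kind")) != ("lattice.dev/v1alpha1", "LatticeMeshMember"):
        errs.append("apiVersion/kind must be lattice.dev/v1alpha1 LatticeMeshMember")
    spec = manifest.get("spec") or {}
    target = spec.get("target") or {}
    # selector (scope Workload) or namespace (scope Namespace): one, not both, not neither.
    if ("selector" in target) == ("namespace" in target):
        errs.append("spec.target must set exactly one of selector or namespace")
    errs += _port_errors(spec.get("ports"), "spec.ports")
    for i, rule in enumerate(spec.get("egress") or []):
        tgt = rule.get("target") or {}
        present = [k for k in EGRESS_TARGET_KEYS if k in tgt]
        if len(present) != 1:
            errs.append(f"spec.egress[{i}].target must set exactly one of entity, cidr, fqdn (got {present})")
        errs += _port_errors(rule.get("ports"), f"spec.egress[{i}].ports")
    return errs


def lint(manifest):
    """Return advisory findings for valid-but-wide settings (this example's own heuristics)."""
    findings = []
    spec = manifest.get("spec") or {}
    target = spec.get("target") or {}
    for p in spec.get("ports") or []:
        if p.get("peerAuth") == "Permissive":
            findings.append(f"port {p.get('port')}: Permissive accepts plaintext from unauthenticated peers; plan the move to Strict")
    if target.get("namespace") and spec.get("allowPeerTraffic"):
        findings.append("namespace-wide member with allowPeerTraffic: every pod in the namespace may reach every other")
    for i, rule in enumerate(spec.get("egress") or []):
        tgt = rule.get("target") or {}
        if tgt.get("entity") == "world" and not rule.get("ports"):
            findings.append(f"egress[{i}]: entity world without ports permits unrestricted internet egress")
        if str(tgt.get("cidr", "")).endswith("/0"):
            findings.append(f"egress[{i}]: cidr {tgt['cidr']} matches all addresses; narrow it or use an fqdn")
    return findings


# Constructed sample: the page's Prometheus example as a dict.
PROMETHEUS = {
    "apiVersion": "lattice.dev/v1alpha1",
    "kind": "LatticeMeshMember",
    "metadata": {"name": "prometheus", "namespace": "monitoring"},
    "spec": {
        "target": {"selector": {"matchLabels": {"app": "prometheus"}}},
        "ports": [{"port": 9090, "name": "http", "peerAuth": "Permissive"}],
        "allowedCallers": [{"name": "grafana", "namespace": "monitoring"}],
        "dependsAll": True,
        "serviceAccount": "prometheus",
    },
}

# Constructed sample: one manifest that trips every hard error and two lint findings.
BROKEN = {
    "apiVersion": "lattice.dev/v1alpha1",
    "kind": "LatticeMeshMember",
    "metadata": {"name": "bad", "namespace": "legacy"},
    "spec": {
        "target": {"namespace": "legacy", "selector": {"matchLabels": {"app": "x"}}},
        "ports": [{"port": 70000, "peerAuth": "Optional"}],
        "egress": [{"target": {"cidr": "0.0.0.0/0", "fqdn": "api.example.com"}}],
        "allowPeerTraffic": True,
    },
}

if __name__ == "__main__":
    for name, m in (("prometheus", PROMETHEUS), ("broken", BROKEN)):
        print(name, "errors:", validate(m))
        print(name, "findings:", lint(m))
```

Run it against a manifest before applying it: an empty error list means the object matches the documented shape, and each finding is a deliberate decision to record (for instance, the Permissive port on the Prometheus example) rather than something the controller will refuse.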
Status
| Field | Type | Description |
|---|---|---|
| phase | MeshMemberPhase | Current phase: Pending, Ready, or Failed. |
| scope | MeshMemberScope | Target scope: Workload or Namespace. |
| message | string? | Human-readable status message. |
| observedGeneration | i64? | Last observed metadata.generation. |
| conditions | []Condition | Standard Kubernetes conditions. |
MeshMemberPhase
Pending: Mesh member is being configured.
Ready: Workload is enrolled in the mesh with policies active.
Failed: Configuration failed. Check message and conditions for details.