tsb.tetrate.io/v2

OrganizationSetting

↩ Parent

Name	Type	Description	Required
apiVersion	string	tsb.tetrate.io/v2	true
kind	string	OrganizationSetting	true
metadata	object	Refer to the Kubernetes API documentation for the fields of the metadata field.	true
spec	object	Settings that apply globally to the entire organization.	false
status	object		false

OrganizationSetting.spec

↩ Parent

Settings that apply globally to the entire organization.

Name	Type	Description	Required
defaultSecuritySetting	object	Security settings for all proxy workloads in this organization.	false
defaultTrafficSetting	object	Traffic settings for all proxy workloads in this organization.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
failoverSettings	object	Failover settings for all proxies connecting to a host exposed in this organization.	false
fqn	string	Fully-qualified name of the resource.	false
networkSettings	object	Reachability between clusters on various networks.	false
regionalFailover	[]object	Default locality routing settings for all gateways.	false

OrganizationSetting.spec.defaultSecuritySetting

↩ Parent

Security settings for all proxy workloads in this organization.

Name	Type	Description	Required
authentication	enum	DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED	false
authenticationSettings	object	Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.	false
authorization	object	The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.	false
configGenerationMetadata	object	Metadata values that will be add into the Istio generated configurations.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
etag	string	The etag for the resource.	false
extension	[]object	Extensions specifies all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension.	false
fqn	string	Fully-qualified name of the resource.	false
propagationStrategy	enum	Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER	false
waf	object	NOTICE: this feature is in alpha stage and under active development.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings

↩ Parent

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

Name	Type	Description	Required
http	object	HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).	false
trafficMode	enum	Enum: UNSET, OPTIONAL, REQUIRED	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http

↩ Parent

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

Name	Type	Description	Required
jwt	object	Authenticate an HTTP request from a JWT Token attached to it.	false
oidc	object		false
rules	object	List of rules how to authenticate an HTTP request.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

Name	Type	Description	Required
issuer	string	Identifies the issuer that issued the JWT.	true
audiences	[]string	The list of JWT audiences.	false
fromCookies	[]string	List of cookie names from which JWT is expected.	false
fromHeaders	[]object	This field specifies the locations to extract JWT token.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string	URL of the provider's public key set to validate signature of the JWT.	false
outputClaimToHeaders	[]object	This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.	false
outputPayloadToHeader	string	This field specifies the header name to output a successfully verified JWT payload to the backend.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.fromHeaders[index]

↩ Parent

Name	Type	Description	Required
name	string	The HTTP header name.	true
prefix	string	The prefix that should be stripped before decoding the token.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.outputClaimToHeaders[index]

↩ Parent

Name	Type	Description	Required
claim	string	The name of the claim to be copied from.	true
header	string	The name of the header to be created.	true

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc

↩ Parent

Name	Type	Description	Required
clientId	string	The client_id to be used in the authorize calls.	true
clientTokenSecret	string	The name of the Kubernetes secret containing the client secret.	true
provider	object	The OIDC Provider configuration.	true
redirectUri	string	The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.	true
authScopes	[]string	Optional list of OAuth scopes to be claimed in the authorization request.	false
authType	enum	Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH	false
grantType	enum	Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE	false
redirectPathMatcher	string	Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.	false
signoutPath	string	The path to sign a user out, clearing their credential cookies.	false
useRefreshToken	boolean	Enable automatic access token refresh using associated refresh token (see RFC 6749 section 6) provided that the OAuth server supports that.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider

↩ Parent

The OIDC Provider configuration.

Name	Type	Description	Required
issuer	string	The OIDC Provider's issuer identifier.	true
authorizationEndpoint	string	The OIDC Provider's authorization endpoint.	false
jwks	string	JSON string with the OIDC provider's JSON Web Key Sets.	false
jwksUri	string	URI for the OIDC provider's JSON Web Key Sets.	false
tls	object	The TLS settings used by the clients to connect with the OIDC provider.	false
tokenEndpoint	string	The OIDC Provider's token endpoint.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

Name	Type	Description	Required
files	object	TLS key source from files.	false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string	TLS key source from a Kubernetes Secret.	false
subjectAltNames	[]string		false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider.tls.files

↩ Parent

TLS key source from files.

Name	Type	Description	Required
caCertificates	string	File containing CA certificates to verify the certificates presented by the server.	false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules

↩ Parent

List of rules how to authenticate an HTTP request.

Name	Type	Description	Required
jwt	[]object	List of rules how to authenticate an HTTP request from a JWT Token attached to it.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index]

↩ Parent

Name	Type	Description	Required
issuer	string	Identifies the issuer that issued the JWT.	true
audiences	[]string	The list of JWT audiences.	false
fromCookies	[]string	List of cookie names from which JWT is expected.	false
fromHeaders	[]object	This field specifies the locations to extract JWT token.	false
jwks	string	JSON Web Key Set of public keys to validate signature of the JWT.	false
jwksUri	string	URL of the provider's public key set to validate signature of the JWT.	false
outputClaimToHeaders	[]object	This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.	false
outputPayloadToHeader	string	This field specifies the header name to output a successfully verified JWT payload to the backend.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

↩ Parent

Name	Type	Description	Required
name	string	The HTTP header name.	true
prefix	string	The prefix that should be stripped before decoding the token.	false

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

Name	Type	Description	Required
claim	string	The name of the claim to be copied from.	true
header	string	The name of the header to be created.	true

OrganizationSetting.spec.defaultSecuritySetting.authorization

↩ Parent

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

Name	Type	Description	Required
http	object	This is for configuring HTTP request authorization.	false
identityMatch	enum	identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY	false
mode	enum	A short cut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES	false
rules	object	When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.	false
serviceAccounts	[]string	When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them).	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http

↩ Parent

This is for configuring HTTP request authorization.

Name	Type	Description	Required
external	object		false
local	object		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external

↩ Parent

Name	Type	Description	Required
includeRequestHeaders	[]string		false
tls	object		false
uri	string		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls

↩ Parent

Name	Type	Description	Required
files	object	TLS key source from files.	false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string	TLS key source from a Kubernetes Secret.	false
subjectAltNames	[]string		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

↩ Parent

TLS key source from files.

Name	Type	Description	Required
caCertificates	string	File containing CA certificates to verify the certificates presented by the server.	false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local

↩ Parent

Name	Type	Description	Required
rules	[]object		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

↩ Parent

Name	Type	Description	Required
name	string	A friendly name to identify the binding.	true
from	[]object	Subjects configure the actors (end users, other services) that are allowed to access the target resource.	false
to	[]object	A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

↩ Parent

Name	Type	Description	Required
jwt	object	JWT configuration to identity the subject.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

↩ Parent

JWT configuration to identity the subject.

Name	Type	Description	Required
iss	string		false
other	map[string]string	A set of arbitrary claims that are required to qualify the subject.	false
sub	string		false

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

↩ Parent

Name	Type	Description	Required
methods	[]string	The HTTP methods that are allowed by this rule.	false
paths	[]string	The request path where the request is made against.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules

↩ Parent

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

Name	Type	Description	Required
allow	[]object	Allow specifies a list of rules.	false
deny	[]object	Deny specifies a list of rules.	false
denyAll	boolean	Deny all specifies whether all requests should be rejected.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

↩ Parent

Name	Type	Description	Required
from	object	From specifies the source of a request.	true
to	object	To specifies the destination of a request.	true

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

↩ Parent

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

↩ Parent

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

↩ Parent

Name	Type	Description	Required
from	object	From specifies the source of a request.	true
to	object	To specifies the destination of a request.	true

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

↩ Parent

From specifies the source of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the source of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

↩ Parent

To specifies the destination of a request.

Name	Type	Description	Required
fqn	string	The target resource identified by FQN which will be the destination of a request.	false

OrganizationSetting.spec.defaultSecuritySetting.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

Name	Type	Description	Required
annotations	map[string]string	Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.	false
labels	map[string]string	Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.	false

OrganizationSetting.spec.defaultSecuritySetting.extension[index]

↩ Parent

Name	Type	Description	Required
fqn	string	Fqn of the extension to be executed.	true
config	object	Configuration parameters sent to the WASM plugin execution.	false
match	[]object	Specifies the criteria to determine which traffic is passed to WasmExtension.	false

OrganizationSetting.spec.defaultSecuritySetting.extension[index].match[index]

↩ Parent

Name	Type	Description	Required
mode	enum	Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER	false
ports	[]object	Criteria for selecting traffic by their destination port.	false

OrganizationSetting.spec.defaultSecuritySetting.extension[index].match[index].ports[index]

↩ Parent

Name	Type	Description	Required
number	integer		true

OrganizationSetting.spec.defaultSecuritySetting.waf

↩ Parent

NOTICE: this feature is in alpha stage and under active development.

Name	Type	Description	Required
rules	[]string	Rules to be leveraged by WAF.	true

OrganizationSetting.spec.defaultTrafficSetting

↩ Parent

Traffic settings for all proxy workloads in this organization.

Name	Type	Description	Required
configGenerationMetadata	object	Metadata values that will be add into the Istio generated configurations.	false
description	string	A description of the resource.	false
displayName	string	User friendly name for the resource.	false
egress	object	Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.	false
etag	string	The etag for the resource.	false
fqn	string	Fully-qualified name of the resource.	false
inbound	object	Configures inbound traffic.	false
outbound	object	Configures outbound traffic.	false
rateLimiting	object	Configuration for rate limiting requests.	false
reachability	object	The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.	false
resilience	object	Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.	false
upstreamTrafficSettings	[]object	List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts.	false

OrganizationSetting.spec.defaultTrafficSetting.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

Name	Type	Description	Required
annotations	map[string]string	Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.	false
labels	map[string]string	Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.	false

OrganizationSetting.spec.defaultTrafficSetting.egress

↩ Parent

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

Name	Type	Description	Required
host	string	Specifies the egress gateway hostname.	true
port	integer	Deprecated. Format: int32	false

OrganizationSetting.spec.defaultTrafficSetting.inbound

↩ Parent

Configures inbound traffic.

Name	Type	Description	Required
failoverSettings	object	Failover settings apply to all clients accessing the hostname defined in this section.	false
rateLimiting	object	Configuration for rate limiting requests.	false
resilience	object	Resiliency configuration for inbound connections.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.failoverSettings

↩ Parent

Failover settings apply to all clients accessing the hostname defined in this section.

Name	Type	Description	Required
failoverPriority	[]string	FailoverPriority specifies the failover priority for traffic.	false
regionalFailover	[]object	Locality routing settings for all gateways in the Workspace/Organization for which this is defined.	false
topologyChoice	enum	TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.failoverSettings.regionalFailover[index]

↩ Parent

Name	Type	Description	Required
from	string	Originating region.	false
to	string	Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting

↩ Parent

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	true
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	true
rules	[]object	A set of rate limit rules.	true
failClosed	boolean	If the rate limit service is unavailable, the request will fail if failClosed is set to true.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object	Configure TLS parameters to be used when connecting to the external rate limit server.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index]

↩ Parent

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	true

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	true
headers	map[string]object	Specifies a set of headers that the rate limit action should match on.	true
dontMatch	boolean	If set to true, the condition will be met when the header value does not match.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	true
headerName	string	The header name to be queried from the request headers.	true

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

Name	Type	Description	Required
files	object	TLS key source from files.	false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string	TLS key source from a Kubernetes Secret.	false
subjectAltNames	[]string		false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

Name	Type	Description	Required
caCertificates	string	File containing CA certificates to verify the certificates presented by the server.	false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings

↩ Parent

Name	Type	Description	Required
rules	[]object	A list of rules for ratelimiting.	true
failClosed	boolean	If the rate limit service is unavailable, the request will fail if failClosed is set to true.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index]

↩ Parent

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	true
limit	object	The ratelimit value that will be configured for the above rules.	true

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	true
dontMatch	boolean	If set to true, the condition will be met when the header value does not match.	false
value	object	Value of the header to match on if matching on a specific value.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	true

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit.	true
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	true

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience

↩ Parent

Resiliency configuration for inbound connections.

Name	Type	Description	Required
connectionPool	object	Configures tolerance and other settings for TCP/HTTP connections to the service.	false
meshTimeout	object	Configures the max connection and stream durations for HTTP and TCP connections.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

Name	Type	Description	Required
tcp	object		false

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool.tcp

↩ Parent

Name	Type	Description	Required
keepAlive	object	Keep Alive Settings.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

Name	Type	Description	Required
idleTime	integer	The number of seconds a connection needs to be idle before keep-alive probes start being sent.	false
interval	integer	The number of seconds between keep-alive probes.	false
probes	integer	The total number of unacknowledged probes to send before deciding the connection is dead.	false

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience.meshTimeout

↩ Parent

Configures the max connection and stream durations for HTTP and TCP connections.

Name	Type	Description	Required
maxConnectionDuration	string	This specifies the duration of time after which a downstream and upstream connection will be drained and/or closed, starting from when it was first established.	false
maxDownstreamConnectionDuration	string	The maximum duration of a TCP connection.	false
maxStreamDuration	string	The max stream duration is the maximum time that a stream’s lifetime will span.	false
proxyType	enum	Specifies the type of proxy to which to apply the mesh timeout settings. Enum: ANY, SIDECAR, GATEWAY	false

OrganizationSetting.spec.defaultTrafficSetting.outbound

↩ Parent

Configures outbound traffic.

Name	Type	Description	Required
egress	object	Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.	false
reachability	object	The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.	false
upstreamTrafficSettings	[]object	List of hosts and the associated traffic settings to be used by the clients sending traffic to them.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.egress

↩ Parent

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

Name	Type	Description	Required
host	string	Specifies the egress gateway hostname.	true

OrganizationSetting.spec.defaultTrafficSetting.outbound.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

Name	Type	Description	Required
hosts	[]string	When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.	false
mode	enum	A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index]

↩ Parent

Name	Type	Description	Required
hosts	[]string	List of hosts for which the settings will be created.	false
settings	object	A single setting to be applied to all the clients connecting to the upstream hosts.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

Name	Type	Description	Required
authentication	object	Configuration for connection authentication parameters.	false
loadBalancer	object	Load balancing settings for the clients.	false
resilience	object	Resilience settings for the clients.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

Name	Type	Description	Required
trafficMode	enum	If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected. Enum: UNSET, OPTIONAL, REQUIRED	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

Name	Type	Description	Required
consistentHash	object	Use consistent hash load balancing which can provide soft session affinity.	false
simple	enum	Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

Name	Type	Description	Required
httpCookie	object	Hash based on HTTP cookie.	false
httpHeaderName	string	Hash based on a specific HTTP header.	false
httpQueryParameterName	string	Hash based on a specific HTTP query parameter.	false
maglev	object	The Maglev load balancer implements consistent hashing to backend hosts.	false
ringHash	object	The ring/modulo hash load balancer implements consistent hashing to backend hosts.	false
useSourceIp	boolean	Hash based on the source IP address.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

Name	Type	Description	Required
name	string	Name of the cookie.	true
ttl	string	Lifetime of the cookie.	true
path	string	Path to set for the cookie.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

Name	Type	Description	Required
tableSize	integer	The table size for Maglev hashing.	true

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

Name	Type	Description	Required
minimumRingSize	integer	The minimum number of virtual nodes to use for the hash ring.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

Name	Type	Description	Required
circuitBreakerSensitivity	enum	Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM	false
connectionPool	object	Configures tolerance and other settings for TCP/HTTP connections to the service.	false
outlierDetection	object	Outlier detection settings for the upstream host when custom mode is used.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

Name	Type	Description	Required
http	object		false
tcp	object		false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent

Name	Type	Description	Required
maxRequests	integer	Maximum number of active requests to the service.	false
maxRequestsPerConnection	integer	Maximum number of requests per connection to the service.	false
requestTimeout	string	Timeout for HTTP requests.	false
retries	object	Retry policy for HTTP requests.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

Name	Type	Description	Required
attempts	integer	Number of retries for a given request. Format: int32	true
perTryTimeout	string	Timeout per retry attempt for a given request.	false
retryOn	string	Specifies the conditions under which retry takes place.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent

Name	Type	Description	Required
connectTimeout	string	TCP connection timeout.	false
keepAlive	object	Keep Alive Settings.	false
maxConnections	integer	Maximum number of HTTP1 /TCP connections to the service.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

Name	Type	Description	Required
idleTime	integer	The number of seconds a connection needs to be idle before keep-alive probes start being sent.	false
interval	integer	The number of seconds between keep-alive probes.	false
probes	integer	The total number of unacknowledged probes to send before deciding the connection is dead.	false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.outlierDetection

↩ Parent

Outlier detection settings for the upstream host when custom mode is used.

Name	Type	Description	Required
baseEjectionTime	string	The base time that a host is ejected for.	false
consecutive5xx	integer	The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs.	false
consecutiveGatewayFailure	integer	The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs.	false
consecutiveLocalOriginFailure	integer		false
enforcingConsecutive5xx	integer	The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx.	false
enforcingConsecutiveGatewayFailure	integer	The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures.	false
enforcingConsecutiveLocalOriginFailure	integer	The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures.	false
interval	string	The time interval between ejection analysis sweeps.	false
splitExternalLocalOriginErrors	boolean	Determines whether to distinguish local origin failures from external errors.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting

↩ Parent

Configuration for rate limiting requests.

Name	Type	Description	Required
externalService	object	Configure ratelimiting using an external ratelimit server.	false
settings	object		false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

Name	Type	Description	Required
domain	string	The rate limit domain to use when calling the rate limit service.	true
rateLimitServerUri	string	The URI at which the external rate limit server can be reached.	true
rules	[]object	A set of rate limit rules.	true
failClosed	boolean	If the rate limit service is unavailable, the request will fail if failClosed is set to true.	false
timeout	string	The timeout in seconds for the external rate limit server RPC.	false
tls	object	Configure TLS parameters to be used when connecting to the external rate limit server.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

↩ Parent

Name	Type	Description	Required
dimensions	[]object	A list of dimensions that are to be applied for this rate limit configuration.	true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

Name	Type	Description	Required
destinationCluster	object	Rate limit on destination envoy cluster.	false
headerValueMatch	object	Rate limit on the existence of certain request headers.	false
remoteAddress	object	Rate limit on remote address of client.	false
requestHeaders	object	Rate limit on the value of certain request headers.	false
sourceCluster	object	Rate limit on source envoy cluster.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

Name	Type	Description	Required
descriptorValue	string	The value to use in the descriptor entry.	true
headers	map[string]object	Specifies a set of headers that the rate limit action should match on.	true
dontMatch	boolean	If set to true, the condition will be met when the header value does not match.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

Name	Type	Description	Required
descriptorKey	string	The key to use in the descriptor entry.	true
headerName	string	The header name to be queried from the request headers.	true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

Name	Type	Description	Required
files	object	TLS key source from files.	false
mode	enum	Enum: DISABLED, SIMPLE, MUTUAL	false
secretName	string	TLS key source from a Kubernetes Secret.	false
subjectAltNames	[]string		false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

Name	Type	Description	Required
caCertificates	string	File containing CA certificates to verify the certificates presented by the server.	false
clientCertificate	string	Certificate file to authenticate the client.	false
privateKey	string	Private key file associated with the client certificate.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings

↩ Parent

Name	Type	Description	Required
rules	[]object	A list of rules for ratelimiting.	true
failClosed	boolean	If the rate limit service is unavailable, the request will fail if failClosed is set to true.	false
timeout	string	The timeout in seconds for the rate limit server RPC.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

↩ Parent

Name	Type	Description	Required
dimensions	[]object	A list of dimensions to define each ratelimit rule.	true
limit	object	The ratelimit value that will be configured for the above rules.	true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

Name	Type	Description	Required
header	object	Rate limit on certain HTTP headers.	false
remoteAddress	object	Rate limit on the remote address of client.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

Name	Type	Description	Required
name	string	Name of the header to match on.	true
dontMatch	boolean	If set to true, the condition will be met when the header value does not match.	false
value	object	Value of the header to match on if matching on a specific value.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

Name	Type	Description	Required
exact	string	Exact string match.	false
prefix	string	Prefix-based match.	false
regex	string	ECMAscript style regex-based match.	false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

Name	Type	Description	Required
value	string	Ratelimit on a specific remote address.	true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

Name	Type	Description	Required
requestsPerUnit	integer	Specifies the value of the rate limit.	true
unit	enum	Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY	true

OrganizationSetting.spec.defaultTrafficSetting.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

Name	Type	Description	Required
hosts	[]string	When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.	false
mode	enum	A short cut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM	false

OrganizationSetting.spec.defaultTrafficSetting.resilience

↩ Parent

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

Name	Type	Description	Required
circuitBreakerSensitivity	enum	This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.circuitBreakerSensitivity. Enum: UNSET, LOW, MEDIUM, HIGH	false
httpRequestTimeout	string	This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.requestTimeout.	false
httpRetries	object	This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.	false
keepAlive	object	Keep Alive Settings.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.httpRetries

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

Name	Type	Description	Required
attempts	integer	Number of retries for a given request. Format: int32	true
perTryTimeout	string	Timeout per retry attempt for a given request.	false
retryOn	string	Specifies the conditions under which retry takes place.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive

↩ Parent

Keep Alive Settings.

Name	Type	Description	Required
tcp	object	TCP Keep Alive settings associated with the upstream and downstream TCP connections.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

↩ Parent

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

Name	Type	Description	Required
downstream	object	TCP Keep Alive Settings associated with the downstream (client) connection.	false
upstream	object	This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

↩ Parent

TCP Keep Alive Settings associated with the downstream (client) connection.

Name	Type	Description	Required
idleTime	integer	The number of seconds a connection needs to be idle before keep-alive probes start being sent.	false
interval	integer	The number of seconds between keep-alive probes.	false
probes	integer	The total number of unacknowledged probes to send before deciding the connection is dead.	false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

Name	Type	Description	Required
idleTime	integer	The number of seconds a connection needs to be idle before keep-alive probes start being sent.	false
interval	integer	The number of seconds between keep-alive probes.	false
probes	integer	The total number of unacknowledged probes to send before deciding the connection is dead.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index]

↩ Parent

Name	Type	Description	Required
hosts	[]string	List of hosts for which the settings will be created.	false
settings	object	A single setting to be applied to all the clients connecting to the upstream hosts.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

Name	Type	Description	Required
authentication	object	Configuration for connection authentication parameters.	false
loadBalancer	object	Load balancing settings for the clients.	false
resilience	object	Resilience settings for the clients.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

Name	Type	Description	Required
trafficMode	enum	If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected. Enum: UNSET, OPTIONAL, REQUIRED	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

Name	Type	Description	Required
consistentHash	object	Use consistent hash load balancing which can provide soft session affinity.	false
simple	enum	Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

Name	Type	Description	Required
httpCookie	object	Hash based on HTTP cookie.	false
httpHeaderName	string	Hash based on a specific HTTP header.	false
httpQueryParameterName	string	Hash based on a specific HTTP query parameter.	false
maglev	object	The Maglev load balancer implements consistent hashing to backend hosts.	false
ringHash	object	The ring/modulo hash load balancer implements consistent hashing to backend hosts.	false
useSourceIp	boolean	Hash based on the source IP address.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

Name	Type	Description	Required
name	string	Name of the cookie.	true
ttl	string	Lifetime of the cookie.	true
path	string	Path to set for the cookie.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

Name	Type	Description	Required
tableSize	integer	The table size for Maglev hashing.	true

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

Name	Type	Description	Required
minimumRingSize	integer	The minimum number of virtual nodes to use for the hash ring.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

Name	Type	Description	Required
circuitBreakerSensitivity	enum	Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH, CUSTOM	false
connectionPool	object	Configures tolerance and other settings for TCP/HTTP connections to the service.	false
outlierDetection	object	Outlier detection settings for the upstream host when custom mode is used.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

Name	Type	Description	Required
http	object		false
tcp	object		false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent

Name	Type	Description	Required
maxRequests	integer	Maximum number of active requests to the service.	false
maxRequestsPerConnection	integer	Maximum number of requests per connection to the service.	false
requestTimeout	string	Timeout for HTTP requests.	false
retries	object	Retry policy for HTTP requests.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

Name	Type	Description	Required
attempts	integer	Number of retries for a given request. Format: int32	true
perTryTimeout	string	Timeout per retry attempt for a given request.	false
retryOn	string	Specifies the conditions under which retry takes place.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent

Name	Type	Description	Required
connectTimeout	string	TCP connection timeout.	false
keepAlive	object	Keep Alive Settings.	false
maxConnections	integer	Maximum number of HTTP1 /TCP connections to the service.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

Name	Type	Description	Required
idleTime	integer	The number of seconds a connection needs to be idle before keep-alive probes start being sent.	false
interval	integer	The number of seconds between keep-alive probes.	false
probes	integer	The total number of unacknowledged probes to send before deciding the connection is dead.	false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.outlierDetection

↩ Parent

Outlier detection settings for the upstream host when custom mode is used.

Name	Type	Description	Required
baseEjectionTime	string	The base time that a host is ejected for.	false
consecutive5xx	integer	The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; for Redis, failure to respond PONG; etc.) before a consecutive 5xx ejection occurs.	false
consecutiveGatewayFailure	integer	The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive gateway failure ejection occurs.	false
consecutiveLocalOriginFailure	integer		false
enforcingConsecutive5xx	integer	The percentage of a host to be actually ejected when an outlier status is detected through consecutive 5xx.	false
enforcingConsecutiveGatewayFailure	integer	The percentage of a host to be ejected when an outlier status is detected through consecutive gateway failures.	false
enforcingConsecutiveLocalOriginFailure	integer	The percentage of a host to be actually ejected when an outlier status is detected through consecutive locally originated failures.	false
interval	string	The time interval between ejection analysis sweeps.	false
splitExternalLocalOriginErrors	boolean	Determines whether to distinguish local origin failures from external errors.	false

OrganizationSetting.spec.failoverSettings

↩ Parent

Failover settings for all proxies connecting to a host exposed in this organization.

Name	Type	Description	Required
failoverPriority	[]string	FailoverPriority specifies the failover priority for traffic.	false
regionalFailover	[]object	Locality routing settings for all gateways in the Workspace/Organization for which this is defined.	false
topologyChoice	enum	TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY	false

OrganizationSetting.spec.failoverSettings.regionalFailover[index]

↩ Parent

Name	Type	Description	Required
from	string	Originating region.	false
to	string	Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.	false

OrganizationSetting.spec.networkSettings

↩ Parent

Reachability between clusters on various networks.

Name	Type	Description	Required
networkReachability	map[string]string	Reachability between clusters on various networks.	false

OrganizationSetting.spec.regionalFailover[index]

↩ Parent

Name	Type	Description	Required
from	string	Originating region.	false
to	string	Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.	false