Skip to main content
logoTetrate Service BridgeVersion: next

profile.tsb.tetrate.io/v2

Resource Types:

Profile

↩ Parent

NameTypeDescriptionRequired
apiVersionstringprofile.tsb.tetrate.io/v2true
kindstringProfiletrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A Profile object can be created at Organization, Tenant, and Workspace levels.

false
statusobject
false

Profile.spec

↩ Parent

A Profile object can be created at Organization, Tenant, and Workspace levels.

NameTypeDescriptionRequired
defaultsobject

Defaults section of the profile is meant for configurations which are allowed to be overwritten by subsequent profiles or by user defined configurations in the attached resources.

false
deletionProtectionEnabledboolean

When set, prevents the resource from being deleted.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
mandatesobject

Mandates section of the profile is meant for configurations which can't be relaxed.

false

Profile.spec.defaults

↩ Parent

Defaults section of the profile is meant for configurations which are allowed to be overwritten by subsequent profiles or by user defined configurations in the attached resources.

NameTypeDescriptionRequired
authenticationSettingsobject

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

false
trafficSettingsobject

Traffic settings for proxy workloads.

false
unsetFields[]string

Unset fields specify fields that must not have any value.

false
wafSettingsobject

WAF settings is used to set firewall rules.

false
wasmExtensions[]object

Wasm Extensions specifies all the WasmExtensions assigned to this profile with the specific configuration for each extension.

false

Profile.spec.defaults.authenticationSettings

↩ Parent

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

NameTypeDescriptionRequired
httpobject

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

false
trafficModeenum

Enum: UNSET, OPTIONAL, REQUIRED

false

Profile.spec.defaults.authenticationSettings.http

↩ Parent

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

Profile.spec.defaults.authenticationSettings.http.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Profile.spec.defaults.authenticationSettings.http.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Profile.spec.defaults.authenticationSettings.http.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Profile.spec.defaults.authenticationSettings.http.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false

Profile.spec.defaults.authenticationSettings.http.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

Profile.spec.defaults.authenticationSettings.http.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Profile.spec.defaults.authenticationSettings.http.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Profile.spec.defaults.authenticationSettings.http.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

Profile.spec.defaults.authenticationSettings.http.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Profile.spec.defaults.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Profile.spec.defaults.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Profile.spec.defaults.trafficSettings

↩ Parent

Traffic settings for proxy workloads.

NameTypeDescriptionRequired
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
egressobject

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
inboundobject

Configures inbound traffic.

false
outboundobject

Configures outbound traffic.

false
rateLimitingobject

Configuration for rate limiting requests.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
resilienceobject

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts.

false

Profile.spec.defaults.trafficSettings.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

Profile.spec.defaults.trafficSettings.egress

↩ Parent

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true
portinteger

Deprecated.


Format: int32

false

Profile.spec.defaults.trafficSettings.inbound

↩ Parent

Configures inbound traffic.

NameTypeDescriptionRequired
failoverSettingsobject

Failover settings apply to all clients accessing the hostname defined in this section.

false
rateLimitingobject

Configuration for rate limiting requests.

false
resilienceobject

Resiliency configuration for inbound connections.

false

Profile.spec.defaults.trafficSettings.inbound.failoverSettings

↩ Parent

Failover settings apply to all clients accessing the hostname defined in this section.

NameTypeDescriptionRequired
failoverPriority[]string

FailoverPriority specifies the failover priority for traffic.

false
regionalFailover[]object

Locality routing settings for all gateways in the Workspace/Organization for which this is defined.

false
topologyChoiceenum

TopologyChoice specifies the topology preference for traffic priority.


Enum: NONE, CLUSTER, LOCALITY

false

Profile.spec.defaults.trafficSettings.inbound.failoverSettings.regionalFailover[index]

↩ Parent

NameTypeDescriptionRequired
fromstring

Originating region.

false
tostring

Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

Profile.spec.defaults.trafficSettings.inbound.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

Profile.spec.defaults.trafficSettings.inbound.resilience

↩ Parent

Resiliency configuration for inbound connections.

NameTypeDescriptionRequired
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

Profile.spec.defaults.trafficSettings.inbound.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
tcpobject
false

Profile.spec.defaults.trafficSettings.inbound.resilience.connectionPool.tcp

↩ Parent

NameTypeDescriptionRequired
keepAliveobject

Keep Alive Settings.

false

Profile.spec.defaults.trafficSettings.inbound.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.defaults.trafficSettings.outbound

↩ Parent

Configures outbound traffic.

NameTypeDescriptionRequired
egressobject

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients sending traffic to them.

false

Profile.spec.defaults.trafficSettings.outbound.egress

↩ Parent

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true

Profile.spec.defaults.trafficSettings.outbound.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index]

↩ Parent

NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent

NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent

NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

Profile.spec.defaults.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.defaults.trafficSettings.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

Profile.spec.defaults.trafficSettings.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.defaults.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

Profile.spec.defaults.trafficSettings.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Profile.spec.defaults.trafficSettings.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Profile.spec.defaults.trafficSettings.rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

Profile.spec.defaults.trafficSettings.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

Profile.spec.defaults.trafficSettings.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

Profile.spec.defaults.trafficSettings.resilience

↩ Parent

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.circuitBreakerSensitivity.


Enum: UNSET, LOW, MEDIUM, HIGH

false
httpRequestTimeoutstring

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.requestTimeout.

false
httpRetriesobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

false
keepAliveobject

Keep Alive Settings.

false
tcpKeepaliveboolean

Deprecated.

false

Profile.spec.defaults.trafficSettings.resilience.httpRetries

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

Profile.spec.defaults.trafficSettings.resilience.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
tcpobject

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

false

Profile.spec.defaults.trafficSettings.resilience.keepAlive.tcp

↩ Parent

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

NameTypeDescriptionRequired
downstreamobject

TCP Keep Alive Settings associated with the downstream (client) connection.

false
upstreamobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

false

Profile.spec.defaults.trafficSettings.resilience.keepAlive.tcp.downstream

↩ Parent

TCP Keep Alive Settings associated with the downstream (client) connection.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.defaults.trafficSettings.resilience.keepAlive.tcp.upstream

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index]

↩ Parent

NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent

NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent

NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

Profile.spec.defaults.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.defaults.wafSettings

↩ Parent

WAF settings is used to set firewall rules.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true

Profile.spec.defaults.wasmExtensions[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

Profile.spec.defaults.wasmExtensions[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

Profile.spec.defaults.wasmExtensions[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true

Profile.spec.mandates

↩ Parent

Mandates section of the profile is meant for configurations which can't be relaxed.

NameTypeDescriptionRequired
authenticationSettingsobject

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

false
trafficSettingsobject

Traffic settings for proxy workloads.

false
unsetFields[]string

Unset fields specify fields that must not have any value.

false
wafSettingsobject

WAF settings is used to set firewall rules.

false
wasmExtensions[]object

Wasm Extensions specifies all the WasmExtensions assigned to this profile with the specific configuration for each extension.

false

Profile.spec.mandates.authenticationSettings

↩ Parent

Authentication settings is used to set workload-to-workload traffic and end-user/origin authentication configuration.

NameTypeDescriptionRequired
httpobject

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

false
trafficModeenum

Enum: UNSET, OPTIONAL, REQUIRED

false

Profile.spec.mandates.authenticationSettings.http

↩ Parent

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

NameTypeDescriptionRequired
jwtobject

Authenticate an HTTP request from a JWT Token attached to it.

false
oidcobject
false
rulesobject

List of rules how to authenticate an HTTP request.

false

Profile.spec.mandates.authenticationSettings.http.jwt

↩ Parent

Authenticate an HTTP request from a JWT Token attached to it.

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Profile.spec.mandates.authenticationSettings.http.jwt.fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Profile.spec.mandates.authenticationSettings.http.jwt.outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Profile.spec.mandates.authenticationSettings.http.oidc

↩ Parent

NameTypeDescriptionRequired
clientIdstring

The client_id to be used in the authorize calls.

true
clientTokenSecretstring

The name of the Kubernetes secret containing the client secret.

true
providerobject

The OIDC Provider configuration.

true
redirectUristring

The redirect URI passed to the authorization endpoint It can also be formulated from request parameters For example: %REQ(x-forwarded-proto)%://%REQ(:authority)%/callback This URI should not contain any query parameters.

true
authScopes[]string

Optional list of OAuth scopes to be claimed in the authorization request.

false
authTypeenum

Defines how client_id and client_secret are sent in OAuth client to OAuth server requests.


Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH

false
grantTypeenum

Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE

false
redirectPathMatcherstring

Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.

false
signoutPathstring

The path to sign a user out, clearing their credential cookies.

false

Profile.spec.mandates.authenticationSettings.http.oidc.provider

↩ Parent

The OIDC Provider configuration.

NameTypeDescriptionRequired
issuerstring

The OIDC Provider's issuer identifier.

true
authorizationEndpointstring

The OIDC Provider's authorization endpoint.

false
jwksstring

JSON string with the OIDC provider's JSON Web Key Sets.

false
jwksUristring

URI for the OIDC provider's JSON Web Key Sets.

false
tlsobject

The TLS settings used by the clients to connect with the OIDC provider.

false
tokenEndpointstring

The OIDC Provider's token endpoint.

false

Profile.spec.mandates.authenticationSettings.http.oidc.provider.tls

↩ Parent

The TLS settings used by the clients to connect with the OIDC provider.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Profile.spec.mandates.authenticationSettings.http.oidc.provider.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Profile.spec.mandates.authenticationSettings.http.rules

↩ Parent

List of rules how to authenticate an HTTP request.

NameTypeDescriptionRequired
jwt[]object

List of rules how to authenticate an HTTP request from a JWT Token attached to it.

false

Profile.spec.mandates.authenticationSettings.http.rules.jwt[index]

↩ Parent

NameTypeDescriptionRequired
issuerstring

Identifies the issuer that issued the JWT.

true
audiences[]string

The list of JWT audiences.

false
fromCookies[]string

List of cookie names from which JWT is expected.

false
fromHeaders[]object

This field specifies the locations to extract JWT token.

false
jwksstring

JSON Web Key Set of public keys to validate signature of the JWT.

false
jwksUristring

URL of the provider's public key set to validate signature of the JWT.

false
outputClaimToHeaders[]object

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.

false
outputPayloadToHeaderstring

This field specifies the header name to output a successfully verified JWT payload to the backend.

false

Profile.spec.mandates.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

↩ Parent

NameTypeDescriptionRequired
namestring

The HTTP header name.

true
prefixstring

The prefix that should be stripped before decoding the token.

false

Profile.spec.mandates.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

↩ Parent

NameTypeDescriptionRequired
claimstring

The name of the claim to be copied from.

true
headerstring

The name of the header to be created.

true

Profile.spec.mandates.trafficSettings

↩ Parent

Traffic settings for proxy workloads.

NameTypeDescriptionRequired
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
egressobject

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
inboundobject

Configures inbound traffic.

false
outboundobject

Configures outbound traffic.

false
rateLimitingobject

Configuration for rate limiting requests.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
resilienceobject

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts.

false

Profile.spec.mandates.trafficSettings.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

Profile.spec.mandates.trafficSettings.egress

↩ Parent

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true
portinteger

Deprecated.


Format: int32

false

Profile.spec.mandates.trafficSettings.inbound

↩ Parent

Configures inbound traffic.

NameTypeDescriptionRequired
failoverSettingsobject

Failover settings apply to all clients accessing the hostname defined in this section.

false
rateLimitingobject

Configuration for rate limiting requests.

false
resilienceobject

Resiliency configuration for inbound connections.

false

Profile.spec.mandates.trafficSettings.inbound.failoverSettings

↩ Parent

Failover settings apply to all clients accessing the hostname defined in this section.

NameTypeDescriptionRequired
failoverPriority[]string

FailoverPriority specifies the failover priority for traffic.

false
regionalFailover[]object

Locality routing settings for all gateways in the Workspace/Organization for which this is defined.

false
topologyChoiceenum

TopologyChoice specifies the topology preference for traffic priority.


Enum: NONE, CLUSTER, LOCALITY

false

Profile.spec.mandates.trafficSettings.inbound.failoverSettings.regionalFailover[index]

↩ Parent

NameTypeDescriptionRequired
fromstring

Originating region.

false
tostring

Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

Profile.spec.mandates.trafficSettings.inbound.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

Profile.spec.mandates.trafficSettings.inbound.resilience

↩ Parent

Resiliency configuration for inbound connections.

NameTypeDescriptionRequired
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

Profile.spec.mandates.trafficSettings.inbound.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
tcpobject
false

Profile.spec.mandates.trafficSettings.inbound.resilience.connectionPool.tcp

↩ Parent

NameTypeDescriptionRequired
keepAliveobject

Keep Alive Settings.

false

Profile.spec.mandates.trafficSettings.inbound.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.mandates.trafficSettings.outbound

↩ Parent

Configures outbound traffic.

NameTypeDescriptionRequired
egressobject

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients sending traffic to them.

false

Profile.spec.mandates.trafficSettings.outbound.egress

↩ Parent

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true

Profile.spec.mandates.trafficSettings.outbound.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index]

↩ Parent

NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent

NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent

NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

Profile.spec.mandates.trafficSettings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.mandates.trafficSettings.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

Profile.spec.mandates.trafficSettings.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.mandates.trafficSettings.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

Profile.spec.mandates.trafficSettings.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

Profile.spec.mandates.trafficSettings.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

Profile.spec.mandates.trafficSettings.rateLimiting.settings

↩ Parent

NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index]

↩ Parent

NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent

NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

Profile.spec.mandates.trafficSettings.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

Profile.spec.mandates.trafficSettings.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

Profile.spec.mandates.trafficSettings.resilience

↩ Parent

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.circuitBreakerSensitivity.


Enum: UNSET, LOW, MEDIUM, HIGH

false
httpRequestTimeoutstring

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.requestTimeout.

false
httpRetriesobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

false
keepAliveobject

Keep Alive Settings.

false
tcpKeepaliveboolean

Deprecated.

false

Profile.spec.mandates.trafficSettings.resilience.httpRetries

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

Profile.spec.mandates.trafficSettings.resilience.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
tcpobject

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

false

Profile.spec.mandates.trafficSettings.resilience.keepAlive.tcp

↩ Parent

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

NameTypeDescriptionRequired
downstreamobject

TCP Keep Alive Settings associated with the downstream (client) connection.

false
upstreamobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

false

Profile.spec.mandates.trafficSettings.resilience.keepAlive.tcp.downstream

↩ Parent

TCP Keep Alive Settings associated with the downstream (client) connection.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.mandates.trafficSettings.resilience.keepAlive.tcp.upstream

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index]

↩ Parent

NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent

NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent

NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

Profile.spec.mandates.trafficSettings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

Profile.spec.mandates.wafSettings

↩ Parent

WAF settings is used to set firewall rules.

NameTypeDescriptionRequired
rules[]string

Rules to be leveraged by WAF.

true

Profile.spec.mandates.wasmExtensions[index]

↩ Parent

NameTypeDescriptionRequired
fqnstring

Fqn of the extension to be executed.

true
configobject

Configuration parameters sent to the WASM plugin execution.

false
match[]object

Specifies the criteria to determine which traffic is passed to WasmExtension.

false

Profile.spec.mandates.wasmExtensions[index].match[index]

↩ Parent

NameTypeDescriptionRequired
modeenum

Criteria for selecting traffic by their direction.


Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER

false
ports[]object

Criteria for selecting traffic by their destination port.

false

Profile.spec.mandates.wasmExtensions[index].match[index].ports[index]

↩ Parent

NameTypeDescriptionRequired
numberinteger
true