Skip to main content
logoTetrate Service BridgeVersion: next

traffic.tsb.tetrate.io/v2

Resource Types:

Group

↩ Parent
NameTypeDescriptionRequired
apiVersionstringtraffic.tsb.tetrate.io/v2true
kindstringGrouptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A traffic group manages the routing properties of proxy workloads in a group of namespaces owned by the parent workspace.

false
statusobject
false

Group.spec

↩ Parent

A traffic group manages the routing properties of proxy workloads in a group of namespaces owned by the parent workspace.

NameTypeDescriptionRequired
namespaceSelectorobject

Set of namespaces owned exclusively by this group.

true
configGenerationMetadataobject

Default metadata values that will be propagated to the children Istio generated configurations.

false
configModeenum

The Configuration types that will be added to this group.


Enum: BRIDGED, DIRECT

false
deletionProtectionEnabledboolean

When set, prevents the resource from being deleted.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
profiles[]string

List of profiles attached to the traffic group to be used to propagate default and mandatory configurations down to the children.

false

Group.spec.namespaceSelector

↩ Parent

Set of namespaces owned exclusively by this group.

NameTypeDescriptionRequired
names[]string

Under the tenant/workspace/group: - */ns1 implies ns1 namespace in any cluster.

true

Group.spec.configGenerationMetadata

↩ Parent

Default metadata values that will be propagated to the children Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

ServiceRoute

↩ Parent
NameTypeDescriptionRequired
apiVersionstringtraffic.tsb.tetrate.io/v2true
kindstringServiceRoutetrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A service route controls routing configurations for traffic to a service in a traffic group.

false
statusobject
false

ServiceRoute.spec

↩ Parent

A service route controls routing configurations for traffic to a service in a traffic group.

NameTypeDescriptionRequired
servicestring

The service on which the configuration is being applied.

true
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
httpRoutes[]object

HTTPRoutes are used when HTTP traffic needs to be matched on uri, headers and port and destination routes need to be set using subset-weight combinations specified within the route.

false
portLevelSettings[]object

In order to support multi-protocol routing, a list of all port/protocol combinations is needed.

false
stickySessionobject
false
subsets[]object

The set of versions of a service and the percentage of traffic to send to each version.

false
tcpRoutes[]object

TCPRoutes match TCP traffic based on port number.

false

ServiceRoute.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

ServiceRoute.spec.httpRoutes[index]

↩ Parent
NameTypeDescriptionRequired
namestring

Name of the route.

true
destination[]object

Destination host:port and subset where HTTP traffic should be directed.

false
faultobject

Fault injection policy to apply on HTTP traffic at the client side.

false
flaggerobject

FlaggerDestination will route traffic based on a Flagger Canary resource.

false
match[]object
false
mirrors[]object

Mirror HTTP traffic to multiple destinations in addition to forwarding the requests to the intended destination.

false

ServiceRoute.spec.httpRoutes[index].destination[index]

↩ Parent
NameTypeDescriptionRequired
portinteger
true
destinationHoststring

Service host where traffic should be routed to.

false
subsetstring
false
weightinteger
false

ServiceRoute.spec.httpRoutes[index].fault

↩ Parent

Fault injection policy to apply on HTTP traffic at the client side.

NameTypeDescriptionRequired
abortobject

Abort HTTP request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty.

false
delayobject

Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc.

false

ServiceRoute.spec.httpRoutes[index].fault.abort

↩ Parent

Abort HTTP request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty.

NameTypeDescriptionRequired
grpcStatusstring

GRPC status code to use to abort the request.

false
httpStatusinteger

HTTP status code to use to abort the HTTP request.


Format: int32

false
percentagenumber

Percentage of requests to be aborted with the error code provided.


Format: double

false

ServiceRoute.spec.httpRoutes[index].fault.delay

↩ Parent

Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc.

NameTypeDescriptionRequired
fixedDelaystring

Add a fixed delay before forwarding the request.

false
percentagenumber

Percentage of requests on which the delay will be injected.


Format: double

false

ServiceRoute.spec.httpRoutes[index].flagger

↩ Parent

FlaggerDestination will route traffic based on a Flagger Canary resource.

NameTypeDescriptionRequired
canarystring

Name of the Canary resource that will manage the deployment.

true
namespacestring

Namespace of the Canary resource that will manage the deployment.

true

ServiceRoute.spec.httpRoutes[index].match[index]

↩ Parent
NameTypeDescriptionRequired
namestring
true
headersmap[string]object
false
portinteger
false
uriobject
false

ServiceRoute.spec.httpRoutes[index].match[index].headers[key]

↩ Parent
NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

ServiceRoute.spec.httpRoutes[index].match[index].uri

↩ Parent
NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

ServiceRoute.spec.httpRoutes[index].mirrors[index]

↩ Parent
NameTypeDescriptionRequired
portinteger
true
hoststring

The host where traffic should be routed to.

false
percentagenumber

Percentage of the traffic to be mirrored.


Format: double

false
subsetstring
false

ServiceRoute.spec.portLevelSettings[index]

↩ Parent
NameTypeDescriptionRequired
portinteger
true
trafficTypeenum

Enum: HTTP, TCP, TLS_PASSTHROUGH

true
stickySessionobject

Since we are supporting multiple types of protocols, so we expect to have separate sticky sessions for each route (i.e.

false

ServiceRoute.spec.portLevelSettings[index].stickySession

↩ Parent

Since we are supporting multiple types of protocols, so we expect to have separate sticky sessions for each route (i.e.

NameTypeDescriptionRequired
cookieobject

Hash based on HTTP cookie.

false
headerstring

Hash based on a specific HTTP header.

false
useSourceIpboolean

Hash based on the source IP address.

false

ServiceRoute.spec.portLevelSettings[index].stickySession.cookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
pathstring

Path to set for the cookie.

true
ttlstring

Lifetime of the cookie.

true

ServiceRoute.spec.stickySession

↩ Parent
NameTypeDescriptionRequired
cookieobject

Hash based on HTTP cookie.

false
headerstring

Hash based on a specific HTTP header.

false
useSourceIpboolean

Hash based on the source IP address.

false

ServiceRoute.spec.stickySession.cookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
pathstring

Path to set for the cookie.

true
ttlstring

Lifetime of the cookie.

true

ServiceRoute.spec.subsets[index]

↩ Parent
NameTypeDescriptionRequired
namestring

Name used to refer to the subset.

true
labelsmap[string]string

Labels apply a filter over the endpoints of a service in the service registry.

false
portLevelSettings[]object

Port/Protocol/StickySession combination for which routes need to be generated specifically for a subset.

false
weightinteger

Percentage of traffic to be sent to this subset.

false

ServiceRoute.spec.subsets[index].portLevelSettings[index]

↩ Parent
NameTypeDescriptionRequired
portinteger
true
trafficTypeenum

Enum: HTTP, TCP, TLS_PASSTHROUGH

true
stickySessionobject

Since we are supporting multiple types of protocols, so we expect to have separate sticky sessions for each route (i.e.

false

ServiceRoute.spec.subsets[index].portLevelSettings[index].stickySession

↩ Parent

Since we are supporting multiple types of protocols, so we expect to have separate sticky sessions for each route (i.e.

NameTypeDescriptionRequired
cookieobject

Hash based on HTTP cookie.

false
headerstring

Hash based on a specific HTTP header.

false
useSourceIpboolean

Hash based on the source IP address.

false

ServiceRoute.spec.subsets[index].portLevelSettings[index].stickySession.cookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
pathstring

Path to set for the cookie.

true
ttlstring

Lifetime of the cookie.

true

ServiceRoute.spec.tcpRoutes[index]

↩ Parent
NameTypeDescriptionRequired
namestring
true
destination[]object
false
match[]object
false

ServiceRoute.spec.tcpRoutes[index].destination[index]

↩ Parent
NameTypeDescriptionRequired
portinteger
true
destinationHoststring

Service host where traffic should be routed to.

false
subsetstring
false
weightinteger
false

ServiceRoute.spec.tcpRoutes[index].match[index]

↩ Parent
NameTypeDescriptionRequired
namestring
true
portinteger
true

ServiceTrafficSetting

↩ Parent
NameTypeDescriptionRequired
apiVersionstringtraffic.tsb.tetrate.io/v2true
kindstringServiceTrafficSettingtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A service traffic setting applies configuration to a service in a traffic group.

false
statusobject
false

ServiceTrafficSetting.spec

↩ Parent

A service traffic setting applies configuration to a service in a traffic group.

NameTypeDescriptionRequired
servicestring

The service on which the configuration is being applied.

true
settingsobject

Traffic settings to apply to this service.

true
configGenerationMetadataobject

Metadata values that will be add into the mesh-generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false

ServiceTrafficSetting.spec.settings

↩ Parent

Traffic settings to apply to this service.

NameTypeDescriptionRequired
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
egressobject

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
inboundobject

Configures inbound traffic.

false
outboundobject

Configures outbound traffic.

false
rateLimitingobject

Configuration for rate limiting requests.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
resilienceobject

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts.

false

ServiceTrafficSetting.spec.settings.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

ServiceTrafficSetting.spec.settings.egress

↩ Parent

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true
portinteger

Deprecated.


Format: int32

false

ServiceTrafficSetting.spec.settings.inbound

↩ Parent

Configures inbound traffic.

NameTypeDescriptionRequired
failoverSettingsobject

Failover settings apply to all clients accessing the hostname defined in this section.

false
rateLimitingobject

Configuration for rate limiting requests.

false
resilienceobject

Resiliency configuration for inbound connections.

false

ServiceTrafficSetting.spec.settings.inbound.failoverSettings

↩ Parent

Failover settings apply to all clients accessing the hostname defined in this section.

NameTypeDescriptionRequired
failoverPriority[]string

FailoverPriority specifies the failover priority for traffic.

false
regionalFailover[]object

Locality routing settings for all gateways in the Workspace/Organization for which this is defined.

false
topologyChoiceenum

TopologyChoice specifies the topology preference for traffic priority.


Enum: NONE, CLUSTER, LOCALITY

false

ServiceTrafficSetting.spec.settings.inbound.failoverSettings.regionalFailover[index]

↩ Parent
NameTypeDescriptionRequired
fromstring

Originating region.

false
tostring

Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent
NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.settings

↩ Parent
NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.settings.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

ServiceTrafficSetting.spec.settings.inbound.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

ServiceTrafficSetting.spec.settings.inbound.resilience

↩ Parent

Resiliency configuration for inbound connections.

NameTypeDescriptionRequired
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

ServiceTrafficSetting.spec.settings.inbound.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
tcpobject
false

ServiceTrafficSetting.spec.settings.inbound.resilience.connectionPool.tcp

↩ Parent
NameTypeDescriptionRequired
keepAliveobject

Keep Alive Settings.

false

ServiceTrafficSetting.spec.settings.inbound.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

ServiceTrafficSetting.spec.settings.outbound

↩ Parent

Configures outbound traffic.

NameTypeDescriptionRequired
egressobject

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients sending traffic to them.

false

ServiceTrafficSetting.spec.settings.outbound.egress

↩ Parent

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true

ServiceTrafficSetting.spec.settings.outbound.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index]

↩ Parent
NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent
NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent
NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

ServiceTrafficSetting.spec.settings.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

ServiceTrafficSetting.spec.settings.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

ServiceTrafficSetting.spec.settings.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

ServiceTrafficSetting.spec.settings.rateLimiting.externalService.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

ServiceTrafficSetting.spec.settings.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

ServiceTrafficSetting.spec.settings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

ServiceTrafficSetting.spec.settings.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent
NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

ServiceTrafficSetting.spec.settings.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

ServiceTrafficSetting.spec.settings.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

ServiceTrafficSetting.spec.settings.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

ServiceTrafficSetting.spec.settings.rateLimiting.settings

↩ Parent
NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

ServiceTrafficSetting.spec.settings.rateLimiting.settings.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

ServiceTrafficSetting.spec.settings.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

ServiceTrafficSetting.spec.settings.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

ServiceTrafficSetting.spec.settings.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

ServiceTrafficSetting.spec.settings.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

ServiceTrafficSetting.spec.settings.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

ServiceTrafficSetting.spec.settings.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

ServiceTrafficSetting.spec.settings.resilience

↩ Parent

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.circuitBreakerSensitivity.


Enum: UNSET, LOW, MEDIUM, HIGH

false
httpRequestTimeoutstring

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.requestTimeout.

false
httpRetriesobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

false
keepAliveobject

Keep Alive Settings.

false
tcpKeepaliveboolean

Deprecated.

false

ServiceTrafficSetting.spec.settings.resilience.httpRetries

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

ServiceTrafficSetting.spec.settings.resilience.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
tcpobject

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

false

ServiceTrafficSetting.spec.settings.resilience.keepAlive.tcp

↩ Parent

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

NameTypeDescriptionRequired
downstreamobject

TCP Keep Alive Settings associated with the downstream (client) connection.

false
upstreamobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

false

ServiceTrafficSetting.spec.settings.resilience.keepAlive.tcp.downstream

↩ Parent

TCP Keep Alive Settings associated with the downstream (client) connection.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

ServiceTrafficSetting.spec.settings.resilience.keepAlive.tcp.upstream

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index]

↩ Parent
NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent
NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent
NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

ServiceTrafficSetting.spec.settings.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

ServiceTrafficSetting.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the mesh-generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

TrafficSetting

↩ Parent
NameTypeDescriptionRequired
apiVersionstringtraffic.tsb.tetrate.io/v2true
kindstringTrafficSettingtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the metadata field.true
specobject

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace.

false
statusobject
false

TrafficSetting.spec

↩ Parent

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace.

NameTypeDescriptionRequired
configGenerationMetadataobject

Metadata values that will be add into the Istio generated configurations.

false
descriptionstring

A description of the resource.

false
displayNamestring

User friendly name for the resource.

false
egressobject

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

false
etagstring

The etag for the resource.

false
fqnstring

Fully-qualified name of the resource.

false
inboundobject

Configures inbound traffic.

false
outboundobject

Configures outbound traffic.

false
rateLimitingobject

Configuration for rate limiting requests.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
resilienceobject

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts.

false

TrafficSetting.spec.configGenerationMetadata

↩ Parent

Metadata values that will be add into the Istio generated configurations.

NameTypeDescriptionRequired
annotationsmap[string]string

Set of key value paris that will be added into the metadata.annotations field of the Istio generated configurations.

false
labelsmap[string]string

Set of key value paris that will be added into the metadata.labels field of the Istio generated configurations.

false

TrafficSetting.spec.egress

↩ Parent

Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true
portinteger

Deprecated.


Format: int32

false

TrafficSetting.spec.inbound

↩ Parent

Configures inbound traffic.

NameTypeDescriptionRequired
failoverSettingsobject

Failover settings apply to all clients accessing the hostname defined in this section.

false
rateLimitingobject

Configuration for rate limiting requests.

false
resilienceobject

Resiliency configuration for inbound connections.

false

TrafficSetting.spec.inbound.failoverSettings

↩ Parent

Failover settings apply to all clients accessing the hostname defined in this section.

NameTypeDescriptionRequired
failoverPriority[]string

FailoverPriority specifies the failover priority for traffic.

false
regionalFailover[]object

Locality routing settings for all gateways in the Workspace/Organization for which this is defined.

false
topologyChoiceenum

TopologyChoice specifies the topology preference for traffic priority.


Enum: NONE, CLUSTER, LOCALITY

false

TrafficSetting.spec.inbound.failoverSettings.regionalFailover[index]

↩ Parent
NameTypeDescriptionRequired
fromstring

Originating region.

false
tostring

Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy.

false

TrafficSetting.spec.inbound.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

TrafficSetting.spec.inbound.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

TrafficSetting.spec.inbound.rateLimiting.externalService.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

TrafficSetting.spec.inbound.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

TrafficSetting.spec.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

TrafficSetting.spec.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent
NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

TrafficSetting.spec.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

TrafficSetting.spec.inbound.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

TrafficSetting.spec.inbound.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

TrafficSetting.spec.inbound.rateLimiting.settings

↩ Parent
NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

TrafficSetting.spec.inbound.rateLimiting.settings.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

TrafficSetting.spec.inbound.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

TrafficSetting.spec.inbound.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

TrafficSetting.spec.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

TrafficSetting.spec.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

TrafficSetting.spec.inbound.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

TrafficSetting.spec.inbound.resilience

↩ Parent

Resiliency configuration for inbound connections.

NameTypeDescriptionRequired
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

TrafficSetting.spec.inbound.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
tcpobject
false

TrafficSetting.spec.inbound.resilience.connectionPool.tcp

↩ Parent
NameTypeDescriptionRequired
keepAliveobject

Keep Alive Settings.

false

TrafficSetting.spec.inbound.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

TrafficSetting.spec.outbound

↩ Parent

Configures outbound traffic.

NameTypeDescriptionRequired
egressobject

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

false
reachabilityobject

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

false
upstreamTrafficSettings[]object

List of hosts and the associated traffic settings to be used by the clients sending traffic to them.

false

TrafficSetting.spec.outbound.egress

↩ Parent

Specifies the details of the egress proxy to which traffic to services that are not part to the mesh should be forwarded to from the proxy workloads.

NameTypeDescriptionRequired
hoststring

Specifies the egress gateway hostname.

true

TrafficSetting.spec.outbound.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index]

↩ Parent
NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent
NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent
NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

TrafficSetting.spec.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

TrafficSetting.spec.rateLimiting

↩ Parent

Configuration for rate limiting requests.

NameTypeDescriptionRequired
externalServiceobject

Configure ratelimiting using an external ratelimit server.

false
settingsobject
false

TrafficSetting.spec.rateLimiting.externalService

↩ Parent

Configure ratelimiting using an external ratelimit server.

NameTypeDescriptionRequired
domainstring

The rate limit domain to use when calling the rate limit service.

true
rateLimitServerUristring

The URI at which the external rate limit server can be reached.

true
rules[]object

A set of rate limit rules.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the external rate limit server RPC.

false
tlsobject

Configure TLS parameters to be used when connecting to the external rate limit server.

false

TrafficSetting.spec.rateLimiting.externalService.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions that are to be applied for this rate limit configuration.

true

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
destinationClusterobject

Rate limit on destination envoy cluster.

false
headerValueMatchobject

Rate limit on the existence of certain request headers.

false
remoteAddressobject

Rate limit on remote address of client.

false
requestHeadersobject

Rate limit on the value of certain request headers.

false
sourceClusterobject

Rate limit on source envoy cluster.

false

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

↩ Parent

Rate limit on the existence of certain request headers.

NameTypeDescriptionRequired
descriptorValuestring

The value to use in the descriptor entry.

true
headersmap[string]object

Specifies a set of headers that the rate limit action should match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

↩ Parent
NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

TrafficSetting.spec.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

↩ Parent

Rate limit on the value of certain request headers.

NameTypeDescriptionRequired
descriptorKeystring

The key to use in the descriptor entry.

true
headerNamestring

The header name to be queried from the request headers.

true

TrafficSetting.spec.rateLimiting.externalService.tls

↩ Parent

Configure TLS parameters to be used when connecting to the external rate limit server.

NameTypeDescriptionRequired
filesobject

TLS key source from files.

false
modeenum

Enum: DISABLED, SIMPLE, MUTUAL

false
secretNamestring

TLS key source from a Kubernetes Secret.

false
subjectAltNames[]string
false

TrafficSetting.spec.rateLimiting.externalService.tls.files

↩ Parent

TLS key source from files.

NameTypeDescriptionRequired
caCertificatesstring

File containing CA certificates to verify the certificates presented by the server.

false
clientCertificatestring

Certificate file to authenticate the client.

false
privateKeystring

Private key file associated with the client certificate.

false

TrafficSetting.spec.rateLimiting.settings

↩ Parent
NameTypeDescriptionRequired
rules[]object

A list of rules for ratelimiting.

true
failClosedboolean

If the rate limit service is unavailable, the request will fail if failClosed is set to true.

false
timeoutstring

The timeout in seconds for the rate limit server RPC.

false

TrafficSetting.spec.rateLimiting.settings.rules[index]

↩ Parent
NameTypeDescriptionRequired
dimensions[]object

A list of dimensions to define each ratelimit rule.

true
limitobject

The ratelimit value that will be configured for the above rules.

true

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index]

↩ Parent
NameTypeDescriptionRequired
headerobject

Rate limit on certain HTTP headers.

false
remoteAddressobject

Rate limit on the remote address of client.

false

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index].header

↩ Parent

Rate limit on certain HTTP headers.

NameTypeDescriptionRequired
namestring

Name of the header to match on.

true
dontMatchboolean

If set to true, the condition will be met when the header value does not match.

false
valueobject

Value of the header to match on if matching on a specific value.

false

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index].header.value

↩ Parent

Value of the header to match on if matching on a specific value.

NameTypeDescriptionRequired
exactstring

Exact string match.

false
prefixstring

Prefix-based match.

false
regexstring

ECMAscript style regex-based match.

false

TrafficSetting.spec.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

↩ Parent

Rate limit on the remote address of client.

NameTypeDescriptionRequired
valuestring

Ratelimit on a specific remote address.

true

TrafficSetting.spec.rateLimiting.settings.rules[index].limit

↩ Parent

The ratelimit value that will be configured for the above rules.

NameTypeDescriptionRequired
requestsPerUnitinteger

Specifies the value of the rate limit.

true
unitenum

Specifies the unit of time for rate limit.


Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY

true

TrafficSetting.spec.reachability

↩ Parent

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

NameTypeDescriptionRequired
hosts[]string

When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach.

false
modeenum

A short cut for specifying the set of services accessed by the workload.


Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM

false

TrafficSetting.spec.resilience

↩ Parent

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.circuitBreakerSensitivity.


Enum: UNSET, LOW, MEDIUM, HIGH

false
httpRequestTimeoutstring

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.requestTimeout.

false
httpRetriesobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

false
keepAliveobject

Keep Alive Settings.

false
tcpKeepaliveboolean

Deprecated.

false

TrafficSetting.spec.resilience.httpRetries

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

TrafficSetting.spec.resilience.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
tcpobject

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

false

TrafficSetting.spec.resilience.keepAlive.tcp

↩ Parent

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

NameTypeDescriptionRequired
downstreamobject

TCP Keep Alive Settings associated with the downstream (client) connection.

false
upstreamobject

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

false

TrafficSetting.spec.resilience.keepAlive.tcp.downstream

↩ Parent

TCP Keep Alive Settings associated with the downstream (client) connection.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

TrafficSetting.spec.resilience.keepAlive.tcp.upstream

↩ Parent

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false

TrafficSetting.spec.upstreamTrafficSettings[index]

↩ Parent
NameTypeDescriptionRequired
hosts[]string

List of hosts for which the settings will be created.

false
settingsobject

A single setting to be applied to all the clients connecting to the upstream hosts.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings

↩ Parent

A single setting to be applied to all the clients connecting to the upstream hosts.

NameTypeDescriptionRequired
authenticationobject

Configuration for connection authentication parameters.

false
loadBalancerobject

Load balancing settings for the clients.

false
resilienceobject

Resilience settings for the clients.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.authentication

↩ Parent

Configuration for connection authentication parameters.

NameTypeDescriptionRequired
trafficModeenum

If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected.


Enum: UNSET, OPTIONAL, REQUIRED

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.loadBalancer

↩ Parent

Load balancing settings for the clients.

NameTypeDescriptionRequired
consistentHashobject

Use consistent hash load balancing which can provide soft session affinity.

false
simpleenum

Use standard load balancing algorithms that require no tuning.


Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

↩ Parent

Use consistent hash load balancing which can provide soft session affinity.

NameTypeDescriptionRequired
httpCookieobject

Hash based on HTTP cookie.

false
httpHeaderNamestring

Hash based on a specific HTTP header.

false
httpQueryParameterNamestring

Hash based on a specific HTTP query parameter.

false
maglevobject

The Maglev load balancer implements consistent hashing to backend hosts.

false
ringHashobject

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

false
useSourceIpboolean

Hash based on the source IP address.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

↩ Parent

Hash based on HTTP cookie.

NameTypeDescriptionRequired
namestring

Name of the cookie.

true
ttlstring

Lifetime of the cookie.

true
pathstring

Path to set for the cookie.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

↩ Parent

The Maglev load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
tableSizeinteger

The table size for Maglev hashing.

true

TrafficSetting.spec.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

↩ Parent

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

NameTypeDescriptionRequired
minimumRingSizeinteger

The minimum number of virtual nodes to use for the hash ring.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.resilience

↩ Parent

Resilience settings for the clients.

NameTypeDescriptionRequired
circuitBreakerSensitivityenum

Circuit breakers in Envoy are applied per endpoint in a load balancing pool.


Enum: UNSET, LOW, MEDIUM, HIGH

false
connectionPoolobject

Configures tolerance and other settings for TCP/HTTP connections to the service.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.resilience.connectionPool

↩ Parent

Configures tolerance and other settings for TCP/HTTP connections to the service.

NameTypeDescriptionRequired
httpobject
false
tcpobject
false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

↩ Parent
NameTypeDescriptionRequired
maxRequestsinteger

Maximum number of active requests to the service.

false
maxRequestsPerConnectioninteger

Maximum number of requests per connection to the service.

false
requestTimeoutstring

Timeout for HTTP requests.

false
retriesobject

Retry policy for HTTP requests.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

↩ Parent

Retry policy for HTTP requests.

NameTypeDescriptionRequired
attemptsinteger

Number of retries for a given request.


Format: int32

true
perTryTimeoutstring

Timeout per retry attempt for a given request.

false
retryOnstring

Specifies the conditions under which retry takes place.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

↩ Parent
NameTypeDescriptionRequired
connectTimeoutstring

TCP connection timeout.

false
keepAliveobject

Keep Alive Settings.

false
maxConnectionsinteger

Maximum number of HTTP1 /TCP connections to the service.

false

TrafficSetting.spec.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

↩ Parent

Keep Alive Settings.

NameTypeDescriptionRequired
idleTimeinteger

The number of seconds a connection needs to be idle before keep-alive probes start being sent.

false
intervalinteger

The number of seconds between keep-alive probes.

false
probesinteger

The total number of unacknowledged probes to send before deciding the connection is dead.

false