Tetrate Service Bridge (Version: next)

tsb.tetrate.io/v2

OrganizationSetting

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| apiVersion | string | tsb.tetrate.io/v2 | true |
| kind | string | OrganizationSetting | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | Settings that apply globally to the entire organization. | false |
| status | object | | false |

OrganizationSetting.spec

Settings that apply globally to the entire organization.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| defaultSecuritySetting | object | Security settings for all proxy workloads in this organization. | false |
| defaultTrafficSetting | object | Traffic settings for all proxy workloads in this organization. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| failoverSettings | object | Failover settings for all proxies connecting to a host exposed in this organization. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| networkSettings | object | Reachability between clusters on various networks. | false |
| regionalFailover | []object | Default locality routing settings for all gateways. | false |

OrganizationSetting.spec.defaultSecuritySetting

Security settings for all proxy workloads in this organization.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| authentication | enum | DEPRECATED: Specifies whether the proxy workloads should accept only mutual TLS authenticated traffic or allow legacy plaintext traffic as well. Enum: UNSET, OPTIONAL, REQUIRED | false |
| authenticationSettings | object | Authentication settings are used to set workload-to-workload traffic and end-user/origin authentication configuration. | false |
| authorization | object | The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh. | false |
| configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| etag | string | The etag for the resource. | false |
| extension | []object | Extensions specify all the WasmExtensions assigned to this SecuritySettings with the specific configuration for each extension. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| propagationStrategy | enum | Propagation strategy specifies how a security setting is propagated along the configuration hierarchy. Enum: REPLACE, STRICTER | false |
| waf | object | NOTICE: this feature is in alpha stage and under active development. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings

Authentication settings are used to set workload-to-workload traffic and end-user/origin authentication configuration.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object | HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT). | false |
| trafficMode | enum | Enum: UNSET, OPTIONAL, REQUIRED | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http

HTTP request authentication is used to configure authentication of origin/end-user credentials like JSON Web Token (JWT).

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object | Authenticate an HTTP request from a JWT token attached to it. | false |
| oidc | object | | false |
| rules | object | List of rules on how to authenticate an HTTP request. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt

Authenticate an HTTP request from a JWT token attached to it.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract the JWT token from. | false |
| jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate the signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.fromHeaders[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.jwt.outputClaimToHeaders[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| clientId | string | The client_id to be used in the authorize calls. | true |
| clientTokenSecret | string | The name of the Kubernetes secret containing the client secret. | true |
| provider | object | The OIDC Provider configuration. | true |
| redirectUri | string | The redirect URI passed to the authorization endpoint. It can also be formulated from request parameters, for example `%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback`. This URI should not contain any query parameters. | true |
| authScopes | []string | Optional list of OAuth scopes to be claimed in the authorization request. | false |
| authType | enum | Defines how client_id and client_secret are sent in OAuth client to OAuth server requests. Enum: DEFAULT_AUTH_TYPE, URL_ENCODED_BODY, BASIC_AUTH | false |
| grantType | enum | Enum: DEFAULT_GRANT_TYPE, AUTHORIZATION_CODE | false |
| redirectPathMatcher | string | Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. | false |
| signoutPath | string | The path to sign a user out, clearing their credential cookies. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider

The OIDC Provider configuration.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| issuer | string | The OIDC Provider's issuer identifier. | true |
| authorizationEndpoint | string | The OIDC Provider's authorization endpoint. | false |
| jwks | string | JSON string with the OIDC provider's JSON Web Key Sets. | false |
| jwksUri | string | URI for the OIDC provider's JSON Web Key Sets. | false |
| tls | object | The TLS settings used by the clients to connect with the OIDC provider. | false |
| tokenEndpoint | string | The OIDC Provider's token endpoint. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider.tls

The TLS settings used by the clients to connect with the OIDC provider.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.oidc.provider.tls.files

TLS key source from files.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules

List of rules on how to authenticate an HTTP request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | []object | List of rules on how to authenticate an HTTP request from a JWT token attached to it. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| issuer | string | Identifies the issuer that issued the JWT. | true |
| audiences | []string | The list of JWT audiences. | false |
| fromCookies | []string | List of cookie names from which JWT is expected. | false |
| fromHeaders | []object | This field specifies the locations to extract the JWT token from. | false |
| jwks | string | JSON Web Key Set of public keys to validate the signature of the JWT. | false |
| jwksUri | string | URL of the provider's public key set to validate the signature of the JWT. | false |
| outputClaimToHeaders | []object | This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. | false |
| outputPayloadToHeader | string | This field specifies the header name to output a successfully verified JWT payload to the backend. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].fromHeaders[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| name | string | The HTTP header name. | true |
| prefix | string | The prefix that should be stripped before decoding the token. | false |

OrganizationSetting.spec.defaultSecuritySetting.authenticationSettings.http.rules.jwt[index].outputClaimToHeaders[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| claim | string | The name of the claim to be copied from. | true |
| header | string | The name of the header to be created. | true |

OrganizationSetting.spec.defaultSecuritySetting.authorization

The set of service accounts in one or more namespaces allowed or denied to access a workload (and hence its sidecar) in the mesh.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| http | object | This is for configuring HTTP request authorization. | false |
| identityMatch | enum | identity_match specifies the strategy for client identity verification to be employed during the evaluation of authorization (authz) rules within the service. Enum: UNKNOWN, PEER_CERTIFICATE, PERMISSIVE, SOURCE_IDENTITY | false |
| mode | enum | A shortcut for specifying the set of allowed callers. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, DISABLED, CUSTOM, RULES | false |
| rules | object | When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads. | false |
| serviceAccounts | []string | When the mode is CUSTOM, serviceAccounts specify the allowed set of service accounts (and the workloads using them). | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http

This is for configuring HTTP request authorization.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| external | object | | false |
| local | object | | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| includeRequestHeaders | []string | | false |
| tls | object | | false |
| uri | string | | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.external.tls.files

TLS key source from files.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []object | | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| name | string | A friendly name to identify the binding. | true |
| from | []object | Subjects configure the actors (end users, other services) that are allowed to access the target resource. | false |
| to | []object | A set of HTTP rules that need to be satisfied by the HTTP requests to get access to the target resource. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| jwt | object | JWT configuration to identify the subject. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].from[index].jwt

JWT configuration to identify the subject.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| iss | string | | false |
| other | map[string]string | A set of arbitrary claims that are required to qualify the subject. | false |
| sub | string | | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.http.local.rules[index].to[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| methods | []string | The HTTP methods that are allowed by this rule. | false |
| paths | []string | The request paths that the request is made against. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules

When the mode is RULES, you can allow or deny workload-to-workload communication by specifying in the rules field which target workloads are allowed or denied to communicate with other target workloads.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| allow | []object | Allow specifies a list of rules. | false |
| deny | []object | Deny specifies a list of rules. | false |
| denyAll | boolean | Deny all specifies whether all requests should be rejected. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.allow[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | object | From specifies the source of a request. | true |
| to | object | To specifies the destination of a request. | true |

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].from

From specifies the source of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the source of a request. | false |

OrganizationSetting.spec.defaultSecuritySetting.authorization.rules.deny[index].to

To specifies the destination of a request.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | The target resource identified by FQN which will be the destination of a request. | false |

OrganizationSetting.spec.defaultSecuritySetting.configGenerationMetadata

Metadata values that will be added into the Istio generated configurations.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| annotations | map[string]string | Set of key value pairs that will be added into the metadata.annotations field of the Istio generated configurations. | false |
| labels | map[string]string | Set of key value pairs that will be added into the metadata.labels field of the Istio generated configurations. | false |

OrganizationSetting.spec.defaultSecuritySetting.extension[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| fqn | string | Fqn of the extension to be executed. | true |
| config | object | Configuration parameters sent to the WASM plugin execution. | false |
| match | []object | Specifies the criteria to determine which traffic is passed to WasmExtension. | false |

OrganizationSetting.spec.defaultSecuritySetting.extension[index].match[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| mode | enum | Criteria for selecting traffic by their direction. Enum: UNDEFINED, CLIENT, SERVER, CLIENT_AND_SERVER | false |
| ports | []object | Criteria for selecting traffic by their destination port. | false |

OrganizationSetting.spec.defaultSecuritySetting.extension[index].match[index].ports[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| number | integer | | true |

OrganizationSetting.spec.defaultSecuritySetting.waf

NOTICE: this feature is in alpha stage and under active development.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []string | Rules to be leveraged by WAF. | true |
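As an added example that is not part of the Tetrate reference above, the following OrganizationSetting composes the defaultSecuritySetting fields documented in the preceding tables into one organization-wide baseline: mutual TLS required between workloads, JWT validation of end-user credentials, and an explicit allow-list of workload-to-workload calls. The object name, FQNs, issuer URL, audience and header names are constructed placeholders, and the object metadata is reduced to a name; the metadata your TSB installation requires to bind the object to an organization is not shown here.

```yaml
# Added example; not taken from the Tetrate docs. All names, FQNs and URLs are
# constructed placeholders.
apiVersion: tsb.tetrate.io/v2
kind: OrganizationSetting
metadata:
  name: default-security            # constructed placeholder
spec:
  displayName: Organization default security
  description: Baseline security posture inherited by every workspace in the organization.
  defaultSecuritySetting:
    # STRICTER (vs. REPLACE): settings lower in the hierarchy cannot relax this
    # baseline; only a stricter child setting takes effect.
    propagationStrategy: STRICTER
    authenticationSettings:
      # Workload-to-workload traffic must be mutual TLS; plaintext is rejected.
      trafficMode: REQUIRED
      http:
        jwt:
          # Tokens are accepted only from this issuer and only if minted for this
          # audience; the signature is checked against the issuer's published JWKS.
          issuer: https://issuer.example.invalid              # constructed placeholder
          jwksUri: https://issuer.example.invalid/.well-known/jwks.json
          audiences:
            - example-api                                     # constructed placeholder
          fromHeaders:
            - name: Authorization
              prefix: "Bearer "     # stripped before the token is decoded
          outputClaimToHeaders:
            # Expose the verified subject to the backend in a header it can trust,
            # because the proxy only sets it after a successful signature check.
            - claim: sub
              header: x-jwt-subject
    authorization:
      mode: RULES
      # Identify the caller from its peer certificate rather than a spoofable header.
      identityMatch: PEER_CERTIFICATE
      rules:
        denyAll: false
        # Only the frontend workspace may call the backend workspace; everything
        # not listed under allow is denied.
        allow:
          - from:
              fqn: organizations/example-org/tenants/example-tenant/workspaces/frontend   # constructed
            to:
              fqn: organizations/example-org/tenants/example-tenant/workspaces/backend    # constructed
```

The order of the controls matters when reading this: trafficMode establishes who the caller is (a mesh identity in a client certificate), identityMatch tells the authorization layer to trust that identity source, and the RULES block then decides what that identity may reach; the JWT block is a separate layer that authenticates the end user carried inside the request rather than the calling workload.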

OrganizationSetting.spec.defaultTrafficSetting

Traffic settings for all proxy workloads in this organization.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| configGenerationMetadata | object | Metadata values that will be added into the Istio generated configurations. | false |
| description | string | A description of the resource. | false |
| displayName | string | User friendly name for the resource. | false |
| egress | object | Specifies the details of the egress proxy to which unknown traffic should be forwarded from the proxy workload. | false |
| etag | string | The etag for the resource. | false |
| fqn | string | Fully-qualified name of the resource. | false |
| inbound | object | Configures inbound traffic. | false |
| outbound | object | Configures outbound traffic. | false |
| rateLimiting | object | Configuration for rate limiting requests. | false |
| reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false |
| resilience | object | Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads. | false |
| upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients that are downstreams to the defined upstream hosts. | false |

OrganizationSetting.spec.defaultTrafficSetting.configGenerationMetadata

Metadata values that will be added into the Istio generated configurations.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| annotations | map[string]string | Set of key value pairs that will be added into the metadata.annotations field of the Istio generated configurations. | false |
| labels | map[string]string | Set of key value pairs that will be added into the metadata.labels field of the Istio generated configurations. | false |

OrganizationSetting.spec.defaultTrafficSetting.egress

Specifies the details of the egress proxy to which unknown traffic should be forwarded from the proxy workload.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| host | string | Specifies the egress gateway hostname. | true |
| port | integer | Deprecated. Format: int32 | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound

Configures inbound traffic.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| failoverSettings | object | Failover settings apply to all clients accessing the hostname defined in this section. | false |
| rateLimiting | object | Configuration for rate limiting requests. | false |
| resilience | object | Resiliency configuration for inbound connections. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.failoverSettings

Failover settings apply to all clients accessing the hostname defined in this section.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false |
| regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false |
| topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.failoverSettings.regionalFailover[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| from | string | Originating region. | false |
| to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting

Configuration for rate limiting requests.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| externalService | object | Configure rate limiting using an external rate limit server. | false |
| settings | object | | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService

Configure rate limiting using an external rate limit server.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| domain | string | The rate limit domain to use when calling the rate limit service. | true |
| rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true |
| rules | []object | A set of rate limit rules. | true |
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
| timeout | string | The timeout in seconds for the external rate limit server RPC. | false |
| tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| destinationCluster | object | Rate limit on destination envoy cluster. | false |
| headerValueMatch | object | Rate limit on the existence of certain request headers. | false |
| remoteAddress | object | Rate limit on remote address of client. | false |
| requestHeaders | object | Rate limit on the value of certain request headers. | false |
| sourceCluster | object | Rate limit on source envoy cluster. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

Rate limit on the existence of certain request headers.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| descriptorValue | string | The value to use in the descriptor entry. | true |
| headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true |
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAScript style regex-based match. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

Rate limit on the value of certain request headers.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| descriptorKey | string | The key to use in the descriptor entry. | true |
| headerName | string | The header name to be queried from the request headers. | true |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.tls

Configure TLS parameters to be used when connecting to the external rate limit server.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| files | object | TLS key source from files. | false |
| mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false |
| secretName | string | TLS key source from a Kubernetes Secret. | false |
| subjectAltNames | []string | | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.externalService.tls.files

TLS key source from files.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false |
| clientCertificate | string | Certificate file to authenticate the client. | false |
| privateKey | string | Private key file associated with the client certificate. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| rules | []object | A list of rules for rate limiting. | true |
| failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false |
| timeout | string | The timeout in seconds for the rate limit server RPC. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| dimensions | []object | A list of dimensions to define each rate limit rule. | true |
| limit | object | The rate limit value that will be configured for the above rules. | true |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| header | object | Rate limit on certain HTTP headers. | false |
| remoteAddress | object | Rate limit on the remote address of client. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].header

Rate limit on certain HTTP headers.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| name | string | Name of the header to match on. | true |
| dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false |
| value | object | Value of the header to match on if matching on a specific value. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].header.value

Value of the header to match on if matching on a specific value.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| exact | string | Exact string match. | false |
| prefix | string | Prefix-based match. | false |
| regex | string | ECMAScript style regex-based match. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

Rate limit on the remote address of client.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| value | string | Rate limit on a specific remote address. | true |

OrganizationSetting.spec.defaultTrafficSetting.inbound.rateLimiting.settings.rules[index].limit

The rate limit value that will be configured for the above rules.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| requestsPerUnit | integer | Specifies the value of the rate limit. | true |
| unit | enum | Specifies the unit of time for rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true |
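As an added example that is not part of the Tetrate reference above, the following OrganizationSetting composes the defaultTrafficSetting.inbound.rateLimiting.settings fields documented in the preceding tables (rules, dimensions, header matching, remoteAddress and limit) into an organization-wide inbound limit. The object name, header name, header value prefix, client address and request counts are constructed placeholders, and the object metadata is reduced to a name.

```yaml
# Added example; not taken from the Tetrate docs. Names, header values,
# addresses and limits are constructed placeholders.
apiVersion: tsb.tetrate.io/v2
kind: OrganizationSetting
metadata:
  name: default-traffic             # constructed placeholder
spec:
  defaultTrafficSetting:
    inbound:
      rateLimiting:
        settings:
          # failClosed: true rejects requests while the rate limit service is
          # unavailable, so an outage of the limiter cannot be used to bypass it;
          # the trade-off is that the outage becomes visible to clients.
          failClosed: true
          rules:
            # Rule 1: requests carrying an API key that starts with "trial-"
            # (constructed prefix) are limited to 60 per minute.
            - dimensions:
                - header:
                    name: x-api-key
                    value:
                      prefix: "trial-"
              limit:
                requestsPerUnit: 60
                unit: MINUTE
            # Rule 2: requests with no x-api-key header at all (dontMatch: true
            # with no value makes the condition true when the header is absent)
            # are limited much harder, to 10 per minute.
            - dimensions:
                - header:
                    name: x-api-key
                    dontMatch: true
              limit:
                requestsPerUnit: 10
                unit: MINUTE
            # Rule 3: a single client address (documentation range, constructed)
            # that has been observed misbehaving is capped at 5 per second.
            - dimensions:
                - remoteAddress:
                    value: "203.0.113.10"
              limit:
                requestsPerUnit: 5
                unit: SECOND
```

Each rule is independent: a request is evaluated against every rule whose dimensions all match, and the limit of each matching rule applies, so rule 1 and rule 2 never apply to the same request while rule 3 can stack on either. The interpretation of dontMatch without a value as "header absent" follows the field description in the header table above; verify it against your TSB release before relying on it as an anti-abuse control.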

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience

Resiliency configuration for inbound connections.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool

Configures tolerance and other settings for TCP/HTTP connections to the service.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| tcp | object | | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool.tcp

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| keepAlive | object | Keep Alive Settings. | false |

OrganizationSetting.spec.defaultTrafficSetting.inbound.resilience.connectionPool.tcp.keepAlive

Keep Alive Settings.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false |
| interval | integer | The number of seconds between keep-alive probes. | false |
| probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound

Configures outbound traffic.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| egress | object | Specifies the details of the egress proxy to which traffic to services that are not part of the mesh should be forwarded from the proxy workloads. | false |
| reachability | object | The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. | false |
| upstreamTrafficSettings | []object | List of hosts and the associated traffic settings to be used by the clients sending traffic to them. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.egress

Specifies the details of the egress proxy to which traffic to services that are not part of the mesh should be forwarded from the proxy workloads.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| host | string | Specifies the egress gateway hostname. | true |

OrganizationSetting.spec.defaultTrafficSetting.outbound.reachability

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| hosts | []string | When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach. | false |
| mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index]

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| hosts | []string | List of hosts for which the settings will be created. | false |
| settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings

A single setting to be applied to all the clients connecting to the upstream hosts.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| authentication | object | Configuration for connection authentication parameters. | false |
| loadBalancer | object | Load balancing settings for the clients. | false |
| resilience | object | Resilience settings for the clients. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.authentication

Configuration for connection authentication parameters.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| trafficMode | enum | If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected. Enum: UNSET, OPTIONAL, REQUIRED | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer

Load balancing settings for the clients.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false |
| simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

Use consistent hash load balancing which can provide soft session affinity.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| httpCookie | object | Hash based on HTTP cookie. | false |
| httpHeaderName | string | Hash based on a specific HTTP header. | false |
| httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false |
| maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false |
| ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false |
| useSourceIp | boolean | Hash based on the source IP address. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

Hash based on HTTP cookie.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| name | string | Name of the cookie. | true |
| ttl | string | Lifetime of the cookie. | true |
| path | string | Path to set for the cookie. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

The Maglev load balancer implements consistent hashing to backend hosts.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| tableSize | integer | The table size for Maglev hashing. | true |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience

Resilience settings for the clients.

| Name | Type | Description | Required |
| --- | --- | --- | --- |
| circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH | false |
| connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false |

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool

Configures tolerance and other settings for TCP/HTTP connections to the service.

Name | Type | Description | Required
http | object | | false
tcp | object | | false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

Name | Type | Description | Required
maxRequests | integer | Maximum number of active requests to the service. | false
maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false
requestTimeout | string | Timeout for HTTP requests. | false
retries | object | Retry policy for HTTP requests. | false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

Retry policy for HTTP requests.

Name | Type | Description | Required
attempts | integer | Number of retries for a given request. Format: int32 | true
perTryTimeout | string | Timeout per retry attempt for a given request. | false
retryOn | string | Specifies the conditions under which retry takes place. | false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

Name | Type | Description | Required
connectTimeout | string | TCP connection timeout. | false
keepAlive | object | Keep Alive settings. | false
maxConnections | integer | Maximum number of HTTP1/TCP connections to the service. | false

OrganizationSetting.spec.defaultTrafficSetting.outbound.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

Keep Alive Settings.

Name | Type | Description | Required
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false
interval | integer | The number of seconds between keep-alive probes. | false
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting

Configuration for rate limiting requests.

Name | Type | Description | Required
externalService | object | Configure rate limiting using an external rate limit server. | false
settings | object | | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService

Configure rate limiting using an external rate limit server.

Name | Type | Description | Required
domain | string | The rate limit domain to use when calling the rate limit service. | true
rateLimitServerUri | string | The URI at which the external rate limit server can be reached. | true
rules | []object | A set of rate limit rules. | true
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false
timeout | string | The timeout in seconds for the external rate limit server RPC. | false
tls | object | Configure TLS parameters to be used when connecting to the external rate limit server. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index]

Name | Type | Description | Required
dimensions | []object | A list of dimensions that are to be applied for this rate limit configuration. | true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index]

Name | Type | Description | Required
destinationCluster | object | Rate limit on the destination Envoy cluster. | false
headerValueMatch | object | Rate limit on the existence of certain request headers. | false
remoteAddress | object | Rate limit on the remote address of the client. | false
requestHeaders | object | Rate limit on the value of certain request headers. | false
sourceCluster | object | Rate limit on the source Envoy cluster. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch

Rate limit on the existence of certain request headers.

Name | Type | Description | Required
descriptorValue | string | The value to use in the descriptor entry. | true
headers | map[string]object | Specifies a set of headers that the rate limit action should match on. | true
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].headerValueMatch.headers[key]

Name | Type | Description | Required
exact | string | Exact string match. | false
prefix | string | Prefix-based match. | false
regex | string | ECMAScript-style regex-based match. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.rules[index].dimensions[index].requestHeaders

Rate limit on the value of certain request headers.

Name | Type | Description | Required
descriptorKey | string | The key to use in the descriptor entry. | true
headerName | string | The header name to be queried from the request headers. | true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls

Configure TLS parameters to be used when connecting to the external rate limit server.

Name | Type | Description | Required
files | object | TLS key source from files. | false
mode | enum | Enum: DISABLED, SIMPLE, MUTUAL | false
secretName | string | TLS key source from a Kubernetes Secret. | false
subjectAltNames | []string | | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.externalService.tls.files

TLS key source from files.

Name | Type | Description | Required
caCertificates | string | File containing CA certificates to verify the certificates presented by the server. | false
clientCertificate | string | Certificate file to authenticate the client. | false
privateKey | string | Private key file associated with the client certificate. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings

Name | Type | Description | Required
rules | []object | A list of rules for rate limiting. | true
failClosed | boolean | If the rate limit service is unavailable, the request will fail if failClosed is set to true. | false
timeout | string | The timeout in seconds for the rate limit server RPC. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index]

Name | Type | Description | Required
dimensions | []object | A list of dimensions to define each rate limit rule. | true
limit | object | The rate limit value that will be configured for the above rules. | true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index]

Name | Type | Description | Required
header | object | Rate limit on certain HTTP headers. | false
remoteAddress | object | Rate limit on the remote address of the client. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header

Rate limit on certain HTTP headers.

Name | Type | Description | Required
name | string | Name of the header to match on. | true
dontMatch | boolean | If set to true, the condition will be met when the header value does not match. | false
value | object | Value of the header to match on if matching on a specific value. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].header.value

Value of the header to match on if matching on a specific value.

Name | Type | Description | Required
exact | string | Exact string match. | false
prefix | string | Prefix-based match. | false
regex | string | ECMAScript-style regex-based match. | false

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].dimensions[index].remoteAddress

Rate limit on the remote address of the client.

Name | Type | Description | Required
value | string | Rate limit on a specific remote address. | true

OrganizationSetting.spec.defaultTrafficSetting.rateLimiting.settings.rules[index].limit

The rate limit value that will be configured for the above rules.

Name | Type | Description | Required
requestsPerUnit | integer | Specifies the value of the rate limit. | true
unit | enum | Specifies the unit of time for the rate limit. Enum: UNKNOWN, SECOND, MINUTE, HOUR, DAY | true

OrganizationSetting.spec.defaultTrafficSetting.reachability

The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh.

Name | Type | Description | Required
hosts | []string | When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach. | false
mode | enum | A shortcut for specifying the set of services accessed by the workload. Enum: UNSET, NAMESPACE, GROUP, WORKSPACE, CLUSTER, CUSTOM | false

OrganizationSetting.spec.defaultTrafficSetting.resilience

Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

Name | Type | Description | Required
circuitBreakerSensitivity | enum | This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.circuitBreakerSensitivity. Enum: UNSET, LOW, MEDIUM, HIGH | false
httpRequestTimeout | string | This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.requestTimeout. | false
httpRetries | object | This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries. | false
keepAlive | object | Keep Alive Settings. | false
tcpKeepalive | boolean | Deprecated. | false

OrganizationSetting.spec.defaultTrafficSetting.resilience.httpRetries

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.http.retries.

Name | Type | Description | Required
attempts | integer | Number of retries for a given request. Format: int32 | true
perTryTimeout | string | Timeout per retry attempt for a given request. | false
retryOn | string | Specifies the conditions under which retry takes place. | false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive

Keep Alive Settings.

Name | Type | Description | Required
tcp | object | TCP Keep Alive settings associated with the upstream and downstream TCP connections. | false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp

TCP Keep Alive settings associated with the upstream and downstream TCP connections.

Name | Type | Description | Required
downstream | object | TCP Keep Alive settings associated with the downstream (client) connection. | false
upstream | object | This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive. | false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.downstream

TCP Keep Alive settings associated with the downstream (client) connection.

Name | Type | Description | Required
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false
interval | integer | The number of seconds between keep-alive probes. | false
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false

OrganizationSetting.spec.defaultTrafficSetting.resilience.keepAlive.tcp.upstream

This field is DEPRECATED in favor of upstreamTrafficSettings.resilience.connectionPool.tcp.keepAlive.

Name | Type | Description | Required
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false
interval | integer | The number of seconds between keep-alive probes. | false
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index]

Name | Type | Description | Required
hosts | []string | List of hosts for which the settings will be created. | false
settings | object | A single setting to be applied to all the clients connecting to the upstream hosts. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings

A single setting to be applied to all the clients connecting to the upstream hosts.

Name | Type | Description | Required
authentication | object | Configuration for connection authentication parameters. | false
loadBalancer | object | Load balancing settings for the clients. | false
resilience | object | Resilience settings for the clients. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.authentication

Configuration for connection authentication parameters.

Name | Type | Description | Required
trafficMode | enum | If set to REQUIRED, client sidecars under this configuration will be configured to initiate mTLS connections using mesh-generated client certificates to services that do not have a sidecar injected. Enum: UNSET, OPTIONAL, REQUIRED | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer

Load balancing settings for the clients.

Name | Type | Description | Required
consistentHash | object | Use consistent hash load balancing which can provide soft session affinity. | false
simple | enum | Use standard load balancing algorithms that require no tuning. Enum: UNSPECIFIED, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash

Use consistent hash load balancing which can provide soft session affinity.

Name | Type | Description | Required
httpCookie | object | Hash based on HTTP cookie. | false
httpHeaderName | string | Hash based on a specific HTTP header. | false
httpQueryParameterName | string | Hash based on a specific HTTP query parameter. | false
maglev | object | The Maglev load balancer implements consistent hashing to backend hosts. | false
ringHash | object | The ring/modulo hash load balancer implements consistent hashing to backend hosts. | false
useSourceIp | boolean | Hash based on the source IP address. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.httpCookie

Hash based on HTTP cookie.

Name | Type | Description | Required
name | string | Name of the cookie. | true
ttl | string | Lifetime of the cookie. | true
path | string | Path to set for the cookie. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.maglev

The Maglev load balancer implements consistent hashing to backend hosts.

Name | Type | Description | Required
tableSize | integer | The table size for Maglev hashing. | true

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.loadBalancer.consistentHash.ringHash

The ring/modulo hash load balancer implements consistent hashing to backend hosts.

Name | Type | Description | Required
minimumRingSize | integer | The minimum number of virtual nodes to use for the hash ring. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience

Resilience settings for the clients.

Name | Type | Description | Required
circuitBreakerSensitivity | enum | Circuit breakers in Envoy are applied per endpoint in a load balancing pool. Enum: UNSET, LOW, MEDIUM, HIGH | false
connectionPool | object | Configures tolerance and other settings for TCP/HTTP connections to the service. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool

Configures tolerance and other settings for TCP/HTTP connections to the service.

Name | Type | Description | Required
http | object | | false
tcp | object | | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.http

Name | Type | Description | Required
maxRequests | integer | Maximum number of active requests to the service. | false
maxRequestsPerConnection | integer | Maximum number of requests per connection to the service. | false
requestTimeout | string | Timeout for HTTP requests. | false
retries | object | Retry policy for HTTP requests. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.http.retries

Retry policy for HTTP requests.

Name | Type | Description | Required
attempts | integer | Number of retries for a given request. Format: int32 | true
perTryTimeout | string | Timeout per retry attempt for a given request. | false
retryOn | string | Specifies the conditions under which retry takes place. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp

Name | Type | Description | Required
connectTimeout | string | TCP connection timeout. | false
keepAlive | object | Keep Alive settings. | false
maxConnections | integer | Maximum number of HTTP1/TCP connections to the service. | false

OrganizationSetting.spec.defaultTrafficSetting.upstreamTrafficSettings[index].settings.resilience.connectionPool.tcp.keepAlive

Keep Alive Settings.

Name | Type | Description | Required
idleTime | integer | The number of seconds a connection needs to be idle before keep-alive probes start being sent. | false
interval | integer | The number of seconds between keep-alive probes. | false
probes | integer | The total number of unacknowledged probes to send before deciding the connection is dead. | false

OrganizationSetting.spec.failoverSettings

Failover settings for all proxies connecting to a host exposed in this organization.

Name | Type | Description | Required
failoverPriority | []string | FailoverPriority specifies the failover priority for traffic. | false
regionalFailover | []object | Locality routing settings for all gateways in the Workspace/Organization for which this is defined. | false
topologyChoice | enum | TopologyChoice specifies the topology preference for traffic priority. Enum: NONE, CLUSTER, LOCALITY | false

OrganizationSetting.spec.failoverSettings.regionalFailover[index]

Name | Type | Description | Required
from | string | Originating region. | false
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false

OrganizationSetting.spec.networkSettings

Reachability between clusters on various networks.

Name | Type | Description | Required
networkReachability | map[string]string | Reachability between clusters on various networks. | false

OrganizationSetting.spec.regionalFailover[index]

Name | Type | Description | Required
from | string | Originating region. | false
to | string | Destination region the traffic will fail over to when endpoints in the 'from' region become unhealthy. | false