Profile
The configuration profiles feature is in an alpha state; we will be making breaking changes to its API in release 1.12. Please contact Tetrate if you have any questions or concerns.
A Profile is a predefined configuration template that can be defined at the Organization, Tenant, and Workspace levels, and then attached to Organizations, Tenants, Workspaces and Groups. Profiles are intended for traffic-related settings and security policies that map to the resource itself, not for security policies (e.g. authorization policies) related to relationships between resources. They contain Default configurations, which can be overridden, and Mandates configurations, which cannot.
The following example creates a Profile named myprofile that enforces mutual TLS authenticated connections across the whole tetrate organization and sets the default circuit breaking sensitivity to MEDIUM. It also configures the TCP KeepAlive as 300 seconds for all inbound connections to all the proxies in the tetrate organization.
```yaml
apiVersion: profile.tsb.tetrate.io/v2
kind: Profile
metadata:
  name: myprofile
  organization: tetrate
spec:
  displayName: "mTLS enforcement and default circuit breaking"
  mandates:
    authenticationSettings:
      trafficMode: "REQUIRED"
  defaults:
    trafficSettings:
      inbound:
        resilience:
          connectionPool:
            tcp:
              keepAlive:
                idleTime: 300s
      outbound:
        upstreamTrafficSettings:
        - hosts:
          - '*'
          settings:
            resilience:
              circuitBreakerSensitivity: MEDIUM
```
Profile
A Profile object can be created at Organization, Tenant, and Workspace levels. Once created, a profile can be attached at its own level or down the hierarchy at Organization, Tenant, Workspace and Group levels. Once attached, all the configurations provided in the profile that are compatible with the attachment point will be applied; the others will be ignored.
Field | Description | Validation Rule |
---|---|---|
deletionProtectionEnabled | bool | – |
defaults | tetrateio.api.tsb.profile.v2.ProfileConfig | – |
mandates | tetrateio.api.tsb.profile.v2.ProfileConfig | – |
ProfileConfig
ProfileConfig holds the configuration objects that can be used as defaults or mandates.
Field | Description | Validation Rule |
---|---|---|
authenticationSettings | tetrateio.api.tsb.security.v2.AuthenticationSettings | – |
wafSettings | tetrateio.api.tsb.security.v2.WAFSettings | – |
wasmExtensions | List of tetrateio.api.tsb.types.v2.WasmExtensionAttachment | – |
unsetFields | List of string | repeated = { |
traffic | tetrateio.api.tsb.profile.v2.TrafficSettings | – |
AuthenticationSettings
Configuration for connection authentication parameters. This allows the enforcement of mutual TLS connections to upstream services that do not have a sidecar. This ensures that gateways or mesh workloads do not communicate in plain text with services outside the mesh.
Field | Description | Validation Rule |
---|---|---|
trafficMode | tetrateio.api.tsb.profile.v2.AuthenticationSettings.AuthenticationMode | – |
ClientTLSSettings
Configure TLS parameters for the client
Field | Description | Validation Rule |
---|---|---|
mode | tetrateio.api.tsb.profile.v2.TLSMode | – |
files | tetrateio.api.tsb.profile.v2.TLSFileSource oneof _tls_key_source | – |
secretName | string oneof _tls_key_source | – |
subjectAltNames | List of string | – |
DownstreamResilienceSettings
DownstreamResilienceSettings control the reliability knobs in Envoy when accepting inbound connections.
Field | Description | Validation Rule |
---|---|---|
connectionPool | tetrateio.api.tsb.profile.v2.DownstreamResilienceSettings.ConnectionPoolSettings | – |
meshTimeout | tetrateio.api.tsb.profile.v2.DownstreamResilienceSettings.MeshTimeout | – |
ConnectionPoolSettings
Connection pool settings for downstream connections.
Field | Description | Validation Rule |
---|---|---|
tcp | tetrateio.api.tsb.profile.v2.DownstreamResilienceSettings.ConnectionPoolSettings.TCP | – |
TCP
TCP Settings for inbound requests.
Field | Description | Validation Rule |
---|---|---|
keepAlive | tetrateio.api.tsb.profile.v2.TcpKeepAlive | – |
MeshTimeout
Connection and Stream timeout settings for the mesh. These apply to the inbound connections at the Sidecars and Gateways.
Field | Description | Validation Rule |
---|---|---|
maxConnectionDuration | google.protobuf.Duration | – |
maxStreamDuration | google.protobuf.Duration | – |
maxDownstreamConnectionDuration | google.protobuf.Duration | – |
proxyType | tetrateio.api.tsb.profile.v2.ProxyType | enum = { |
ExternalRateLimitServiceSettings
Configuration for rate limiting using an external rate limit server. The rate limit server must expose Envoy's Rate Limit Service gRPC API.
If the rate limit service is called, and the response for any of the descriptors is over limit, a 429 response is returned. The rate limit filter also sets the x-envoy-ratelimited header.
If there is an error in calling the rate limit service, or the rate limit service returns an error, and failure_mode_deny is set to true, a 500 response is returned.
Field | Description | Validation Rule |
---|---|---|
domain | string | string = { |
failClosed | bool oneof __fail_closed | – |
rateLimitServerUri | string | string = { |
rules | List of tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings.RateLimitRule | repeated = { |
timeout | google.protobuf.Duration | – |
tls | tetrateio.api.tsb.profile.v2.ClientTLSSettings | – |
RateLimitDimension
RateLimitDimension is a set of conditions to match HTTP requests. Once the conditions are satisfied, corresponding descriptors (sets of keys and values) are emitted and sent to the external rate limit server. The server is expected to make a rate limit decision based on these descriptors. See the Envoy RateLimit descriptor documentation for more information on descriptors.
Field | Description | Validation Rule |
---|---|---|
sourceCluster | tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings.RateLimitDimension.SourceCluster oneof _dimension_specifier | – |
destinationCluster | tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings.RateLimitDimension.DestinationCluster oneof _dimension_specifier | – |
remoteAddress | tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings.RateLimitDimension.RemoteAddress oneof _dimension_specifier | – |
requestHeaders | tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings.RateLimitDimension.RequestHeaders oneof _dimension_specifier | – |
headerValueMatch | tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings.RateLimitDimension.HeaderValueMatch oneof _dimension_specifier | – |
DestinationCluster
Emit descriptor entry - a key-value pair of the form ("destination_cluster", "\<routed target cluster\>") where destination_cluster is the destination envoy cluster to which traffic is bound.
HeaderValueMatch
Emit descriptor entry - a key-value pair of the form ("header_match", "\<descriptor_value\>"), where descriptor_value is a user specified value corresponding to a header match event.
Field | Description | Validation Rule |
---|---|---|
headers | map<string, tetrateio.api.tsb.profile.v2.StringMatch> | map = { |
descriptorValue | string | string = { |
dontMatch | bool oneof __dont_match | – |
RemoteAddress
Emit descriptor entry - a key-value pair of the form ("remote_address", "\<trusted address from x-forwarded-for\>")
RequestHeaders
Emit descriptor entry - a key-value pair of the form ("\<descriptor_key\>", "\<header_value_queried_from_header\>") where descriptor_key is a user specified key to emit when the HTTP header is seen.
Field | Description | Validation Rule |
---|---|---|
headerName | string | string = { |
descriptorKey | string | string = { |
SourceCluster
Emit descriptor entry - a key-value pair of the form ("source_cluster", "\<local service cluster\>") where source_cluster is the source envoy cluster (corresponding to the --service-cluster flag value set by Istio).
RateLimitRule
Field | Description | Validation Rule |
---|---|---|
dimensions | List of tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings.RateLimitDimension | repeated = { |
FailoverSettings
Failover settings for all proxies connecting to a host exposed in this workspace/organization based on the settings definition scope. Note that this is a server side setting.
Field | Description | Validation Rule |
---|---|---|
topologyChoice | tetrateio.api.tsb.profile.v2.FailoverSettings.TopologyChoice | enum = { |
failoverPriority | List of string For getting the labels to be populated on the endpoints generated by the TSB for multicluster and eastwest scenario, you will need to label the kubernetes service of your gateway or east-west exposed service using a label with prefix Example of failoverPriority using these labels: Another way to label the endpoints for eastwest scenario is to create a ServiceRoute object for the service and specify the labels in the ServiceRoute object. If there is any pod with such label present in the remote cluster, the endpoints for it will have these labels and thus it could be used in failoverPriority API. For example: Suppose if one of your clusters has service reviews only with version v1 and a second cluster with reviews only with version v2, Then use the below serviceroute object to populate service labels to the endpoints dynamically: Example of failoverPriority using these labels: | repeated = { |
regionalFailover | List of tetrateio.api.tsb.profile.v2.RegionalFailover Explicitly specify the region traffic will land on when endpoints in the local region become unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect. | – |
HTTPRetry
HTTPRetry defines the parameters for retrying API calls to a service.
Field | Description | Validation Rule |
---|---|---|
attempts | int32 oneof __attempts Actual number of retries attempted depends on the httpReqTimeout. google.protobuf.Int32Value attempts = 1 [(validate.rules).int32.gte = 0, (google.api.field_behavior) = REQUIRED]; The above field is defined as optional to allow users to specify 0 attempts (zero value) when using it from config profiles. | int32 = { |
perTryTimeout | google.protobuf.Duration | – |
retryOn | string | string = { |
InboundTrafficSetting
Configuration for inbound traffic.
Field | Description | Validation Rule |
---|---|---|
rateLimiting | tetrateio.api.tsb.profile.v2.RateLimiting | – |
resilience | tetrateio.api.tsb.profile.v2.DownstreamResilienceSettings | – |
failoverSettings | tetrateio.api.tsb.profile.v2.FailoverSettings | – |
LoadBalancerSettings
Defines Load Balancing policies to be applied on the client requests.
Field | Description | Validation Rule |
---|---|---|
simple | tetrateio.api.tsb.profile.v2.LoadBalancerSettings.SimpleLB oneof _lb_policy | enum = { |
consistentHash | tetrateio.api.tsb.profile.v2.LoadBalancerSettings.ConsistentHashLB oneof _lb_policy | – |
ConsistentHashLB
Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties. The affinity to a particular destination host may be lost when one or more hosts are added/removed from the destination service.
Note: consistent hashing is less reliable at maintaining affinity than common "sticky sessions" implementations, which often encode a specific destination in a cookie, ensuring affinity is maintained as long as the backend remains. With consistent hash, the guarantees are weaker; any host addition or removal can break affinity for 1/backends requests.
Warning: consistent hashing depends on each proxy having a consistent view of endpoints. This is not the case when locality load balancing is enabled. Locality load balancing and consistent hash will only work together when all proxies are in the same locality, or a high level load balancer handles locality affinity.
Field | Description | Validation Rule |
---|---|---|
httpHeaderName | string oneof _hash_key | – |
httpCookie | tetrateio.api.tsb.profile.v2.LoadBalancerSettings.ConsistentHashLB.HTTPCookie oneof _hash_key | – |
useSourceIp | bool oneof _hash_key | – |
httpQueryParameterName | string oneof _hash_key | – |
ringHash | tetrateio.api.tsb.profile.v2.LoadBalancerSettings.ConsistentHashLB.RingHash oneof _hash_algorithm | – |
maglev | tetrateio.api.tsb.profile.v2.LoadBalancerSettings.ConsistentHashLB.MagLev oneof _hash_algorithm | – |
HTTPCookie
Describes a HTTP cookie that will be used as the hash key for the Consistent Hash load balancer. If the cookie is not present, it will be generated.
Field | Description | Validation Rule |
---|---|---|
name | string | string = { |
path | string | – |
ttl | google.protobuf.Duration | duration = { |
MagLev
Implements consistent hashing to upstream hosts. It can be used as a drop-in replacement for RingHash. It has higher speed than RingHash with faster hash table lookups. Please refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev
Field | Description | Validation Rule |
---|---|---|
tableSize | uint32 | uint32 = { |
RingHash
Implements consistent hashing to upstream hosts. Each upstream host is mapped onto a circle (ring) by hashing its address; each request is then routed using some hash property of the request. Please refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash
Field | Description | Validation Rule |
---|---|---|
minimumRingSize | uint32 | – |
OutboundTrafficSetting
Field | Description | Validation Rule |
---|---|---|
reachability | tetrateio.api.tsb.profile.v2.ReachabilitySettings | – |
egress | tetrateio.api.tsb.profile.v2.OutboundTrafficSetting.EgressGateway | – |
upstreamTrafficSettings | List of tetrateio.api.tsb.profile.v2.UpstreamTrafficSettings | – |
EgressGateway
EgressGateway specifies the gateway where traffic external to the mesh will be redirected.
Field | Description | Validation Rule |
---|---|---|
host | string | string = { |
RateLimitSettings
Configuration for rate limiting HTTP/gRPC requests. This has a list of rate limit rules that can be configured. With each rule a list of dimensions can be defined. A request counts towards the limit if all of the dimensions match the attributes of the request. When the matched requests exceed the limit, a 429 response is returned.
Field | Description | Validation Rule |
---|---|---|
rules | List of tetrateio.api.tsb.profile.v2.RateLimitSettings.RateLimitRule | repeated = { |
failClosed | bool oneof __fail_closed | – |
timeout | google.protobuf.Duration | – |
RateLimitDimension
RateLimitDimension is a condition to match HTTP requests that should be rate limited.
Field | Description | Validation Rule |
---|---|---|
remoteAddress | tetrateio.api.tsb.profile.v2.RateLimitSettings.RateLimitDimension.RemoteAddress oneof _dimension_specifier | – |
header | tetrateio.api.tsb.profile.v2.RateLimitSettings.RateLimitDimension.Header oneof _dimension_specifier | – |
Header
RateLimit based on certain headers
Field | Description | Validation Rule |
---|---|---|
name | string | string = { |
value | tetrateio.api.tsb.profile.v2.StringMatch | – |
dontMatch | bool oneof __dont_match | – |
RemoteAddress
RateLimit based on the client's remote address, extracted from the trusted X-Forwarded-For header.
Field | Description | Validation Rule |
---|---|---|
value | string | string = { |
RateLimitRule
RateLimitRule is the block to define each internal ratelimit configuration.
Field | Description | Validation Rule |
---|---|---|
dimensions | List of tetrateio.api.tsb.profile.v2.RateLimitSettings.RateLimitDimension | repeated = { |
limit | tetrateio.api.tsb.profile.v2.RateLimitSettings.RateLimitValue | message = { |
RateLimitValue
RateLimitValue specifies the values that will be used to determine the rate limit.
Field | Description | Validation Rule |
---|---|---|
requestsPerUnit | uint32 oneof __requests_per_unit | – |
unit | tetrateio.api.tsb.profile.v2.RateLimitSettings.RateLimitValue.Unit | enum = { |
RateLimiting
Configuration for rate limiting. HTTP/gRPC requests can be rate limited based on a variety of attributes in the request such as headers (including cookies), URL path/prefixes, client remote address etc.
Field | Description | Validation Rule |
---|---|---|
settings | tetrateio.api.tsb.profile.v2.RateLimitSettings oneof _ratelimit_specifier | – |
externalService | tetrateio.api.tsb.profile.v2.ExternalRateLimitServiceSettings oneof _ratelimit_specifier | – |
ReachabilitySettings
ReachabilitySettings define the set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption of both the Istio control plane and the individual Envoy proxy workloads in the data plane.
Field | Description | Validation Rule |
---|---|---|
mode | tetrateio.api.tsb.profile.v2.ReachabilitySettings.Mode | – |
hosts | List of string | – |
RegionalFailover
Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.
Field | Description | Validation Rule |
---|---|---|
from | string | – |
to | string | – |
StringMatch
Describes how to match a given string in HTTP headers. Match is case-sensitive.
Field | Description | Validation Rule |
---|---|---|
exact | – | |
prefix | – | |
regex | string oneof _match_type | – |
TLSFileSource
TLSFileSource is used to load the keys and certificates from files accessible to the workload
Field | Description | Validation Rule |
---|---|---|
clientCertificate | string oneof __client_certificate | – |
privateKey | string oneof __private_key | – |
caCertificates | string oneof __ca_certificates | – |
TcpKeepAlive
Field | Description | Validation Rule |
---|---|---|
probes | google.protobuf.UInt32Value | – |
idleTime | google.protobuf.UInt32Value | – |
interval | google.protobuf.UInt32Value | – |
TrafficSettings
Traffic settings is used to configure inbound and outbound traffic of proxy workloads belonging to traffic groups or workspaces via profiles. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.
Field | Description | Validation Rule |
---|---|---|
inbound | tetrateio.api.tsb.profile.v2.InboundTrafficSetting | – |
outbound | tetrateio.api.tsb.profile.v2.OutboundTrafficSetting | – |
UpstreamResilienceSettings
UpstreamResilienceSettings controls the reliability knobs for client connections to the upstream hosts.
Field | Description | Validation Rule |
---|---|---|
connectionPool | tetrateio.api.tsb.profile.v2.UpstreamResilienceSettings.ConnectionPoolSettings | – |
circuitBreakerSensitivity | tetrateio.api.tsb.profile.v2.UpstreamResilienceSettings.Sensitivity | enum = { |
outlierDetection | tetrateio.api.tsb.profile.v2.UpstreamResilienceSettings.OutlierDetection | – |
ConnectionPoolSettings
Connection pool settings for the upstream host.
Field | Description | Validation Rule |
---|---|---|
http | tetrateio.api.tsb.profile.v2.UpstreamResilienceSettings.ConnectionPoolSettings.HTTP | – |
tcp | tetrateio.api.tsb.profile.v2.UpstreamResilienceSettings.ConnectionPoolSettings.TCP | – |
HTTP
HTTP Settings for outbound requests.
Field | Description | Validation Rule |
---|---|---|
requestTimeout | google.protobuf.Duration | – |
retries | tetrateio.api.tsb.profile.v2.HTTPRetry | – |
maxRequests | uint32 oneof __max_requests | – |
maxRequestsPerConnection | uint32 oneof __max_requests_per_connection | – |
TCP
TCP Settings for outbound requests.
Field | Description | Validation Rule |
---|---|---|
keepAlive | tetrateio.api.tsb.profile.v2.TcpKeepAlive | – |
maxConnections | uint32 oneof __max_connections | – |
connectTimeout | google.protobuf.Duration | duration = { |
OutlierDetection
Outlier detection settings for the upstream host.
Field | Description | Validation Rule |
---|---|---|
consecutiveGatewayFailure | google.protobuf.UInt32Value | – |
enforcingConsecutiveGatewayFailure | google.protobuf.UInt32Value | uint32 = { |
consecutive5xx | google.protobuf.UInt32Value | – |
enforcingConsecutive5xx | google.protobuf.UInt32Value | uint32 = { |
splitExternalLocalOriginErrors | bool oneof __split_external_local_origin_errors | – |
consecutiveLocalOriginFailure | The number of consecutive locally originated failures before ejection occurs. Defaults to 5. Parameter takes effect only when splitExternalLocalOriginErrors is set to true. | – |
enforcingConsecutiveLocalOriginFailure | google.protobuf.UInt32Value | uint32 = { |
interval | google.protobuf.Duration | duration = { |
baseEjectionTime | google.protobuf.Duration | duration = { |
maxEjectionTime | google.protobuf.Duration | duration = { |
maxEjectionPercent | google.protobuf.UInt32Value | uint32 = { |
UpstreamTrafficSettings
Traffic settings for the clients that are downstreams to the defined upstream hosts.
Field | Description | Validation Rule |
---|---|---|
hosts | List of string | repeated = { |
settings | tetrateio.api.tsb.profile.v2.UpstreamTrafficSettings.Settings | – |
Settings
Traffic settings to be applied to the clients of the upstream hosts.
Field | Description | Validation Rule |
---|---|---|
resilience | tetrateio.api.tsb.profile.v2.UpstreamResilienceSettings | – |
loadBalancer | tetrateio.api.tsb.profile.v2.LoadBalancerSettings | – |
authentication | tetrateio.api.tsb.profile.v2.AuthenticationSettings | – |
AuthenticationMode
AuthenticationMode configures whether to initiate only mutual TLS connections or to allow plaintext traffic as well.
Field | Number | Description |
---|---|---|
UNSET | 0 | Default is UNSET. |
OPTIONAL | 1 | Accept both plaintext and mTLS authenticated connections. |
REQUIRED | 2 | Always initiate mutual TLS authenticated connections, and fail if the upstream does not support it. |
TopologyChoice
TopologyChoice specifies the topology preference for traffic priority.
Field | Number | Description |
---|---|---|
NONE | 0 | Inherit from parent if possible. Otherwise treated as |
CLUSTER | 1 | Prefer traffic to stay in the cluster as much as possible. |
LOCALITY | 2 | Prefer traffic to stay in the region/zone/subzone as much as possible irrespective of the cluster. |
SimpleLB
Standard load balancing algorithms that require no tuning.
Field | Number | Description |
---|---|---|
UNSPECIFIED | 0 | No load balancing algorithm has been specified by the user. An appropriate default will be used. |
RANDOM | 2 | The random load balancer selects a random healthy host. The random load balancer generally performs better than round robin if no health checking policy is configured. |
PASSTHROUGH | 3 | This option will forward the connection to the original IP address requested by the caller without doing any form of load balancing. This option must be used with care. It is meant for advanced use cases. Refer to Original Destination load balancer in Envoy for further details. |
ROUND_ROBIN | 4 | A basic round robin load balancing policy. This is generally unsafe for many scenarios (e.g. when endpoint weighting is used) as it can overburden endpoints. In general, prefer to use LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN. |
LEAST_REQUEST | 5 | The least request load balancer spreads load across endpoints, favoring endpoints with the least outstanding requests. This is generally safer and outperforms ROUND_ROBIN in nearly all cases. Prefer to use LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN. |
ProxyType
ProxyType defines the type of a proxy within the service mesh.
This enum is used to apply configurations based on the type of the proxy.
Field | Number | Description |
---|---|---|
ANY | 0 | ANY is the default proxy type that represents both sidecar, and gateway proxies. Use this value to apply configurations to both sidecars and gateways. |
SIDECAR | 1 | SIDECAR represents a sidecar proxy that runs alongside an application. Use this value to apply configurations only to the sidecars. |
GATEWAY | 2 | GATEWAY represents a gateway proxy that runs standalone and acts as an entry/exit point into/out of the service mesh. Use this value to apply configurations only to the gateways. |
Unit
Units of time.
Field | Number | Description |
---|---|---|
UNKNOWN | 0 | |
SECOND | 1 | |
MINUTE | 2 | |
HOUR | 3 | |
DAY | 4 | |
Mode
A shortcut for defining the common reachability patterns.
Field | Number | Description |
---|---|---|
UNSET | 0 | Inherit from parent if possible. Otherwise treated as |
NAMESPACE | 1 | The workload may talk to any service in its own namespace. |
GROUP | 2 | The workload may talk to any service in the traffic group. |
WORKSPACE | 3 | The workload may talk to any service in the workspace. |
CLUSTER | 4 | The workload may talk to any service in the cluster. |
CUSTOM | 5 | The workload may talk to services defined explicitly. |
TLSMode
Describes how authentication is performed as part of establishing TLS connection
Field | Number | Description |
---|---|---|
DISABLED | 0 | TLS is not used and communication is in plaintext. |
SIMPLE | 1 | Only the server is authenticated. |
MUTUAL | 2 | Both peers in the communication must present their certificate for TLS authentication. |
Sensitivity
Available sensitivity levels for the circuit breaker.
Field | Number | Description |
---|---|---|
UNSET | 0 | Default values will be used. |
LOW | 1 | Tolerate up to 20 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool. |
MEDIUM | 2 | Tolerate up to 10 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool. |
HIGH | 3 | Tolerate up to 5 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool. |
CUSTOM | 4 | When selected, the outlier detection settings must be specified in the resilience.outlierDetection field. If that field is set but the mode is not CUSTOM, those settings will be ignored. |
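
The checks below are an added example, not part of the TSB documentation or Tetrate's code: a small Python reviewer that walks a Profile spec and flags settings this page describes as overridable, plaintext, or ignored. The sample spec, the `audit_profile` and `_get` names and the finding texts are constructed for illustration, and treating an unset `failClosed` as a finding is this example's assumption.

```python
# Constructed sample Profile spec (not from the TSB docs). It uses only fields
# documented on this page and is deliberately loose so that every check fires.
SAMPLE_SPEC = {
    "defaults": {
        "authenticationSettings": {"trafficMode": "REQUIRED"},
        "trafficSettings": {
            "inbound": {"rateLimiting": {"externalService": {
                "tls": {"mode": "DISABLED"},
            }}},
            "outbound": {"upstreamTrafficSettings": [{
                "hosts": ["*"],
                "settings": {
                    "authentication": {"trafficMode": "OPTIONAL"},
                    "loadBalancer": {"simple": "PASSTHROUGH"},
                    "resilience": {
                        "circuitBreakerSensitivity": "MEDIUM",
                        "outlierDetection": {"consecutive5xx": 3},
                    },
                },
            }]},
        },
    },
    "mandates": {},
}


def _get(node, *path):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def audit_profile(spec):
    """Return (location, message) findings for a Profile spec given as a dict."""
    findings = []
    # Only mandates cannot be overridden; a default of REQUIRED can be.
    if _get(spec, "mandates", "authenticationSettings", "trafficMode") != "REQUIRED":
        default = _get(spec, "defaults", "authenticationSettings", "trafficMode")
        why = ("REQUIRED is only a default and can be overridden"
               if default == "REQUIRED" else "trafficMode is not REQUIRED")
        findings.append(("mandates.authenticationSettings", "mTLS not mandated: " + why))
    for section in ("defaults", "mandates"):
        cfg = spec.get(section) or {}
        # The page's example uses `trafficSettings`; its ProfileConfig table lists `traffic`.
        traffic = cfg.get("trafficSettings") or cfg.get("traffic") or {}
        limits = _get(traffic, "inbound", "rateLimiting") or {}
        for kind in ("settings", "externalService"):
            # Assumption: without failClosed, rate limiter errors let requests through.
            if kind in limits and (limits[kind] or {}).get("failClosed") is not True:
                findings.append((f"{section}.rateLimiting.{kind}", "failClosed is not true"))
        if _get(limits, "externalService", "tls", "mode") == "DISABLED":
            findings.append((f"{section}.rateLimiting.externalService.tls",
                             "TLSMode DISABLED: plaintext to the rate limit server"))
        for i, upstream in enumerate(_get(traffic, "outbound", "upstreamTrafficSettings") or []):
            where = f"{section}.upstreamTrafficSettings[{i}]"
            settings = upstream.get("settings") or {}
            if _get(settings, "authentication", "trafficMode") == "OPTIONAL":
                findings.append((where, "OPTIONAL accepts plaintext as well as mTLS"))
            if _get(settings, "loadBalancer", "simple") == "PASSTHROUGH":
                findings.append((where, "PASSTHROUGH skips load balancing; use with care"))
            resilience = settings.get("resilience") or {}
            sensitivity = resilience.get("circuitBreakerSensitivity")
            outlier = resilience.get("outlierDetection")
            if outlier is not None and sensitivity != "CUSTOM":
                findings.append((where, "outlierDetection is ignored unless sensitivity is CUSTOM"))
            if sensitivity == "CUSTOM" and outlier is None:
                findings.append((where, "CUSTOM sensitivity needs resilience.outlierDetection"))
    return findings


if __name__ == "__main__":
    for location, message in audit_profile(SAMPLE_SPEC):
        print(f"{location}: {message}")
```

Run against the `spec` of the example Profile at the top of this page, the function returns no findings, because mTLS sits under mandates and MEDIUM sensitivity is used without custom outlier detection.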