---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: (devel)
|
|
creationTimestamp: null
|
|
name: servicepolicies.servicemesh.kubesphere.io
|
|
spec:
|
|
group: servicemesh.kubesphere.io
|
|
names:
|
|
kind: ServicePolicy
|
|
listKind: ServicePolicyList
|
|
plural: servicepolicies
|
|
singular: servicepolicy
|
|
scope: Namespaced
|
|
validation:
|
|
openAPIV3Schema:
|
|
description: ServicePolicy is the Schema for the servicepolicies API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: ServicePolicySpec defines the desired state of ServicePolicy
|
|
properties:
|
|
selector:
|
|
description: Label selector for destination rules.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector requirements.
|
|
The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector that contains
|
|
values, a key, and an operator that relates the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector applies
|
|
to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship to a
|
|
set of values. Valid operators are In, NotIn, Exists and
|
|
DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values. If the operator
|
|
is In or NotIn, the values array must be non-empty. If the
|
|
operator is Exists or DoesNotExist, the values array must
|
|
be empty. This array is replaced during a strategic merge
|
|
patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs. A single
|
|
{key,value} in the matchLabels map is equivalent to an element
|
|
of matchExpressions, whose key field is "key", the operator is
|
|
"In", and the values array contains only "value". The requirements
|
|
are ANDed.
|
|
type: object
|
|
type: object
|
|
template:
|
|
description: Template used to create a destination rule
|
|
properties:
|
|
metadata:
|
|
description: Metadata of the virtual services created from this
|
|
template
|
|
type: object
|
|
spec:
|
|
description: Spec indicates the behavior of a destination rule.
|
|
properties:
|
|
export_to:
|
|
description: "A list of namespaces to which this destination
|
|
rule is exported. The resolution of a destination rule to
|
|
apply to a service occurs in the context of a hierarchy of
|
|
namespaces. Exporting a destination rule allows it to be included
|
|
in the resolution hierarchy for services in other namespaces.
|
|
This feature provides a mechanism for service owners and mesh
|
|
administrators to control the visibility of destination rules
|
|
across namespace boundaries. \n If no namespaces are specified
|
|
then the destination rule is exported to all namespaces by
|
|
default. \n The value \".\" is reserved and defines an export
|
|
to the same namespace that the destination rule is declared
|
|
in. Similarly, the value \"*\" is reserved and defines an
|
|
export to all namespaces. \n NOTE: in the current release,
|
|
the `exportTo` value is restricted to \".\" or \"*\" (i.e.,
|
|
the current namespace or all namespaces)."
|
|
items:
|
|
type: string
|
|
type: array
|
|
host:
|
|
description: "The name of a service from the service registry.
|
|
Service names are looked up from the platform's service registry
|
|
(e.g., Kubernetes services, Consul services, etc.) and from
|
|
the hosts declared by [ServiceEntries](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry).
|
|
Rules defined for services that do not exist in the service
|
|
registry will be ignored. \n *Note for Kubernetes users*:
|
|
When short names are used (e.g. \"reviews\" instead of \"reviews.default.svc.cluster.local\"),
|
|
Istio will interpret the short name based on the namespace
|
|
of the rule, not the service. A rule in the \"default\" namespace
|
|
containing a host \"reviews\" will be interpreted as \"reviews.default.svc.cluster.local\",
|
|
irrespective of the actual namespace associated with the reviews
|
|
service. _To avoid potential misconfigurations, it is recommended
|
|
to always use fully qualified domain names over short names._
|
|
\n Note that the host field applies to both HTTP and TCP services."
|
|
type: string
|
|
subsets:
|
|
description: One or more named sets that represent individual
|
|
versions of a service. Traffic policies can be overridden
|
|
at subset level.
|
|
items:
|
|
description: "A subset of endpoints of a service. Subsets
|
|
can be used for scenarios like A/B testing, or routing to
|
|
a specific version of a service. Refer to [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/#VirtualService)
|
|
documentation for examples of using subsets in these scenarios.
|
|
In addition, traffic policies defined at the service-level
|
|
can be overridden at a subset-level. The following rule
|
|
uses a round robin load balancing policy for all traffic
|
|
going to a subset named testversion that is composed of
|
|
endpoints (e.g., pods) with labels (version:v3). \n ```yaml
|
|
apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule
|
|
metadata: name: bookinfo-ratings spec: host: ratings.prod.svc.cluster.local
|
|
\ trafficPolicy: loadBalancer: simple: LEAST_CONN
|
|
\ subsets: - name: testversion labels: version:
|
|
v3 trafficPolicy: loadBalancer: simple:
|
|
ROUND_ROBIN ``` \n **Note:** Policies specified for subsets
|
|
will not take effect until a route rule explicitly sends
|
|
traffic to this subset. \n One or more labels are typically
|
|
required to identify the subset destination, however, when
|
|
the corresponding DestinationRule represents a host that
|
|
supports multiple SNI hosts (e.g., an egress gateway), a
|
|
subset without labels may be meaningful. In this case a
|
|
traffic policy with [TLSSettings](#TLSSettings) can be used
|
|
to identify a specific SNI host corresponding to the named
|
|
subset."
|
|
properties:
|
|
labels:
|
|
additionalProperties:
|
|
type: string
|
|
description: Labels apply a filter over the endpoints
|
|
of a service in the service registry. See route rules
|
|
for examples of usage.
|
|
type: object
|
|
name:
|
|
description: Name of the subset. The service name and
|
|
the subset name can be used for traffic splitting in
|
|
a route rule.
|
|
type: string
|
|
traffic_policy:
|
|
description: Traffic policies that apply to this subset.
|
|
Subsets inherit the traffic policies specified at the
|
|
DestinationRule level. Settings specified at the subset
|
|
level will override the corresponding settings specified
|
|
at the DestinationRule level.
|
|
properties:
|
|
connection_pool:
|
|
description: Settings controlling the volume of connections
|
|
to an upstream service
|
|
properties:
|
|
http:
|
|
description: HTTP connection pool settings.
|
|
properties:
|
|
h2_upgrade_policy:
|
|
description: Specify if http1.1 connection
|
|
should be upgraded to http2 for the associated
|
|
destination.
|
|
format: int32
|
|
type: integer
|
|
http1_max_pending_requests:
|
|
description: Maximum number of pending HTTP
|
|
requests to a destination. Default 2^32-1.
|
|
format: int32
|
|
type: integer
|
|
http2_max_requests:
|
|
description: Maximum number of requests to
|
|
a backend. Default 2^32-1.
|
|
format: int32
|
|
type: integer
|
|
idle_timeout:
|
|
description: The idle timeout for upstream
|
|
connection pool connections. The idle timeout
|
|
is defined as the period in which there
|
|
are no active requests. If not set, there
|
|
is no idle timeout. When the idle timeout
|
|
is reached the connection will be closed.
|
|
Note that request based timeouts mean that
|
|
HTTP/2 PINGs will not keep the connection
|
|
alive. Applies to both HTTP1.1 and HTTP2
|
|
connections.
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a second
|
|
at nanosecond resolution of the span
|
|
of time. Durations less than one second
|
|
are represented with a 0 `seconds` field
|
|
and a positive or negative `nanos` field.
|
|
For durations of one second or more,
|
|
a non-zero value for the `nanos` field
|
|
must be of the same sign as the `seconds`
|
|
field. Must be from -999,999,999 to
|
|
+999,999,999 inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the span
|
|
of time. Must be from -315,576,000,000
|
|
to +315,576,000,000 inclusive. Note:
|
|
these bounds are computed from: 60 sec/min
|
|
* 60 min/hr * 24 hr/day * 365.25 days/year
|
|
* 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
max_requests_per_connection:
|
|
description: Maximum number of requests per
|
|
connection to a backend. Setting this parameter
|
|
to 1 disables keep alive. Default 0, meaning
|
|
"unlimited", up to 2^29.
|
|
format: int32
|
|
type: integer
|
|
max_retries:
|
|
description: Maximum number of retries that
|
|
can be outstanding to all hosts in a cluster
|
|
at a given time. Defaults to 2^32-1.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tcp:
|
|
description: Settings common to both HTTP and
|
|
TCP upstream connections.
|
|
properties:
|
|
connect_timeout:
|
|
description: TCP connection timeout.
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a second
|
|
at nanosecond resolution of the span
|
|
of time. Durations less than one second
|
|
are represented with a 0 `seconds` field
|
|
and a positive or negative `nanos` field.
|
|
For durations of one second or more,
|
|
a non-zero value for the `nanos` field
|
|
must be of the same sign as the `seconds`
|
|
field. Must be from -999,999,999 to
|
|
+999,999,999 inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the span
|
|
of time. Must be from -315,576,000,000
|
|
to +315,576,000,000 inclusive. Note:
|
|
these bounds are computed from: 60 sec/min
|
|
* 60 min/hr * 24 hr/day * 365.25 days/year
|
|
* 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
max_connections:
|
|
description: Maximum number of HTTP1 /TCP
|
|
connections to a destination host. Default
|
|
2^32-1.
|
|
format: int32
|
|
type: integer
|
|
tcp_keepalive:
|
|
description: If set then set SO_KEEPALIVE
|
|
on the socket to enable TCP Keepalives.
|
|
properties:
|
|
interval:
|
|
description: The time duration between
|
|
keep-alive probes. Default is to use
|
|
the OS level configuration (unless overridden,
|
|
Linux defaults to 75s.)
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a
|
|
second at nanosecond resolution
|
|
of the span of time. Durations less
|
|
than one second are represented
|
|
with a 0 `seconds` field and a positive
|
|
or negative `nanos` field. For durations
|
|
of one second or more, a non-zero
|
|
value for the `nanos` field must
|
|
be of the same sign as the `seconds`
|
|
field. Must be from -999,999,999
|
|
to +999,999,999 inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the
|
|
span of time. Must be from -315,576,000,000
|
|
to +315,576,000,000 inclusive. Note:
|
|
these bounds are computed from:
|
|
60 sec/min * 60 min/hr * 24 hr/day
|
|
* 365.25 days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
probes:
|
|
description: Maximum number of keepalive
|
|
probes to send without response before
|
|
deciding the connection is dead. Default
|
|
is to use the OS level configuration
|
|
(unless overridden, Linux defaults to
|
|
9.)
|
|
format: int32
|
|
type: integer
|
|
time:
|
|
description: The time duration a connection
|
|
needs to be idle before keep-alive probes
|
|
start being sent. Default is to use
|
|
the OS level configuration (unless overridden,
|
|
Linux defaults to 7200s (ie 2 hours.)
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a
|
|
second at nanosecond resolution
|
|
of the span of time. Durations less
|
|
than one second are represented
|
|
with a 0 `seconds` field and a positive
|
|
or negative `nanos` field. For durations
|
|
of one second or more, a non-zero
|
|
value for the `nanos` field must
|
|
be of the same sign as the `seconds`
|
|
field. Must be from -999,999,999
|
|
to +999,999,999 inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the
|
|
span of time. Must be from -315,576,000,000
|
|
to +315,576,000,000 inclusive. Note:
|
|
these bounds are computed from:
|
|
60 sec/min * 60 min/hr * 24 hr/day
|
|
* 365.25 days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: object
|
|
load_balancer:
|
|
description: Settings controlling the load balancer
|
|
algorithms.
|
|
type: object
|
|
outlier_detection:
|
|
description: Settings controlling eviction of unhealthy
|
|
hosts from the load balancing pool
|
|
properties:
|
|
base_ejection_time:
|
|
description: 'Minimum ejection duration. A host
|
|
will remain ejected for a period equal to the
|
|
product of minimum ejection duration and the
|
|
number of times the host has been ejected. This
|
|
technique allows the system to automatically
|
|
increase the ejection period for unhealthy upstream
|
|
servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
|
|
Default is 30s.'
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a second
|
|
at nanosecond resolution of the span of
|
|
time. Durations less than one second are
|
|
represented with a 0 `seconds` field and
|
|
a positive or negative `nanos` field. For
|
|
durations of one second or more, a non-zero
|
|
value for the `nanos` field must be of the
|
|
same sign as the `seconds` field. Must be
|
|
from -999,999,999 to +999,999,999 inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the span of
|
|
time. Must be from -315,576,000,000 to +315,576,000,000
|
|
inclusive. Note: these bounds are computed
|
|
from: 60 sec/min * 60 min/hr * 24 hr/day
|
|
* 365.25 days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
consecutive_errors:
|
|
description: Number of errors before a host is
|
|
ejected from the connection pool. Defaults to
|
|
5. When the upstream host is accessed over HTTP,
|
|
a 502, 503, or 504 return code qualifies as
|
|
an error. When the upstream host is accessed
|
|
over an opaque TCP connection, connect timeouts
|
|
and connection error/failure events qualify
|
|
as an error.
|
|
format: int32
|
|
type: integer
|
|
interval:
|
|
description: 'Time interval between ejection sweep
|
|
analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
|
|
Default is 10s.'
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a second
|
|
at nanosecond resolution of the span of
|
|
time. Durations less than one second are
|
|
represented with a 0 `seconds` field and
|
|
a positive or negative `nanos` field. For
|
|
durations of one second or more, a non-zero
|
|
value for the `nanos` field must be of the
|
|
same sign as the `seconds` field. Must be
|
|
from -999,999,999 to +999,999,999 inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the span of
|
|
time. Must be from -315,576,000,000 to +315,576,000,000
|
|
inclusive. Note: these bounds are computed
|
|
from: 60 sec/min * 60 min/hr * 24 hr/day
|
|
* 365.25 days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
max_ejection_percent:
|
|
description: Maximum % of hosts in the load balancing
|
|
pool for the upstream service that can be ejected.
|
|
Defaults to 10%.
|
|
format: int32
|
|
type: integer
|
|
min_health_percent:
|
|
description: Outlier detection will be enabled
|
|
as long as the associated load balancing pool
|
|
has at least min_health_percent hosts in healthy
|
|
mode. When the percentage of healthy hosts in
|
|
the load balancing pool drops below this threshold,
|
|
outlier detection will be disabled and the proxy
|
|
will load balance across all hosts in the pool
|
|
(healthy and unhealthy). The threshold can be
|
|
disabled by setting it to 0%. The default is
|
|
0% as it's not typically applicable in k8s environments
|
|
with few pods per service.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
port_level_settings:
|
|
description: Traffic policies specific to individual
|
|
ports. Note that port level settings will override
|
|
the destination-level settings. Traffic settings
|
|
specified at the destination-level will not be inherited
|
|
when overridden by port-level settings, i.e. default
|
|
values will be applied to fields omitted in port-level
|
|
traffic policies.
|
|
items:
|
|
description: Traffic policies that apply to specific
|
|
ports of the service
|
|
properties:
|
|
connection_pool:
|
|
description: Settings controlling the volume
|
|
of connections to an upstream service
|
|
properties:
|
|
http:
|
|
description: HTTP connection pool settings.
|
|
properties:
|
|
h2_upgrade_policy:
|
|
description: Specify if http1.1 connection
|
|
should be upgraded to http2 for the
|
|
associated destination.
|
|
format: int32
|
|
type: integer
|
|
http1_max_pending_requests:
|
|
description: Maximum number of pending
|
|
HTTP requests to a destination. Default
|
|
2^32-1.
|
|
format: int32
|
|
type: integer
|
|
http2_max_requests:
|
|
description: Maximum number of requests
|
|
to a backend. Default 2^32-1.
|
|
format: int32
|
|
type: integer
|
|
idle_timeout:
|
|
description: The idle timeout for upstream
|
|
connection pool connections. The idle
|
|
timeout is defined as the period in
|
|
which there are no active requests.
|
|
If not set, there is no idle timeout.
|
|
When the idle timeout is reached the
|
|
connection will be closed. Note that
|
|
request based timeouts mean that HTTP/2
|
|
PINGs will not keep the connection
|
|
alive. Applies to both HTTP1.1 and
|
|
HTTP2 connections.
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of
|
|
a second at nanosecond resolution
|
|
of the span of time. Durations
|
|
less than one second are represented
|
|
with a 0 `seconds` field and a
|
|
positive or negative `nanos` field.
|
|
For durations of one second or
|
|
more, a non-zero value for the
|
|
`nanos` field must be of the same
|
|
sign as the `seconds` field. Must
|
|
be from -999,999,999 to +999,999,999
|
|
inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of
|
|
the span of time. Must be from
|
|
-315,576,000,000 to +315,576,000,000
|
|
inclusive. Note: these bounds
|
|
are computed from: 60 sec/min
|
|
* 60 min/hr * 24 hr/day * 365.25
|
|
days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
max_requests_per_connection:
|
|
description: Maximum number of requests
|
|
per connection to a backend. Setting
|
|
this parameter to 1 disables keep
|
|
alive. Default 0, meaning "unlimited",
|
|
up to 2^29.
|
|
format: int32
|
|
type: integer
|
|
max_retries:
|
|
description: Maximum number of retries
|
|
that can be outstanding to all hosts
|
|
in a cluster at a given time. Defaults
|
|
to 2^32-1.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tcp:
|
|
description: Settings common to both HTTP
|
|
and TCP upstream connections.
|
|
properties:
|
|
connect_timeout:
|
|
description: TCP connection timeout.
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of
|
|
a second at nanosecond resolution
|
|
of the span of time. Durations
|
|
less than one second are represented
|
|
with a 0 `seconds` field and a
|
|
positive or negative `nanos` field.
|
|
For durations of one second or
|
|
more, a non-zero value for the
|
|
`nanos` field must be of the same
|
|
sign as the `seconds` field. Must
|
|
be from -999,999,999 to +999,999,999
|
|
inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of
|
|
the span of time. Must be from
|
|
-315,576,000,000 to +315,576,000,000
|
|
inclusive. Note: these bounds
|
|
are computed from: 60 sec/min
|
|
* 60 min/hr * 24 hr/day * 365.25
|
|
days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
max_connections:
|
|
description: Maximum number of HTTP1
|
|
/TCP connections to a destination
|
|
host. Default 2^32-1.
|
|
format: int32
|
|
type: integer
|
|
tcp_keepalive:
|
|
description: If set then set SO_KEEPALIVE
|
|
on the socket to enable TCP Keepalives.
|
|
properties:
|
|
interval:
|
|
description: The time duration between
|
|
keep-alive probes. Default is
|
|
to use the OS level configuration
|
|
(unless overridden, Linux defaults
|
|
to 75s.)
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions
|
|
of a second at nanosecond
|
|
resolution of the span of
|
|
time. Durations less than
|
|
one second are represented
|
|
with a 0 `seconds` field and
|
|
a positive or negative `nanos`
|
|
field. For durations of one
|
|
second or more, a non-zero
|
|
value for the `nanos` field
|
|
must be of the same sign as
|
|
the `seconds` field. Must
|
|
be from -999,999,999 to +999,999,999
|
|
inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds
|
|
of the span of time. Must
|
|
be from -315,576,000,000 to
|
|
+315,576,000,000 inclusive.
|
|
Note: these bounds are computed
|
|
from: 60 sec/min * 60 min/hr
|
|
* 24 hr/day * 365.25 days/year
|
|
* 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
probes:
|
|
description: Maximum number of keepalive
|
|
probes to send without response
|
|
before deciding the connection
|
|
is dead. Default is to use the
|
|
OS level configuration (unless
|
|
overridden, Linux defaults to
|
|
9.)
|
|
format: int32
|
|
type: integer
|
|
time:
|
|
description: The time duration a
|
|
connection needs to be idle before
|
|
keep-alive probes start being
|
|
sent. Default is to use the OS
|
|
level configuration (unless overridden,
|
|
Linux defaults to 7200s (ie 2
|
|
hours.)
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions
|
|
of a second at nanosecond
|
|
resolution of the span of
|
|
time. Durations less than
|
|
one second are represented
|
|
with a 0 `seconds` field and
|
|
a positive or negative `nanos`
|
|
field. For durations of one
|
|
second or more, a non-zero
|
|
value for the `nanos` field
|
|
must be of the same sign as
|
|
the `seconds` field. Must
|
|
be from -999,999,999 to +999,999,999
|
|
inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds
|
|
of the span of time. Must
|
|
be from -315,576,000,000 to
|
|
+315,576,000,000 inclusive.
|
|
Note: these bounds are computed
|
|
from: 60 sec/min * 60 min/hr
|
|
* 24 hr/day * 365.25 days/year
|
|
* 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
type: object
|
|
type: object
|
|
load_balancer:
|
|
description: Settings controlling the load balancer
|
|
algorithms.
|
|
type: object
|
|
outlier_detection:
|
|
description: Settings controlling eviction of
|
|
unhealthy hosts from the load balancing pool
|
|
properties:
|
|
base_ejection_time:
|
|
description: 'Minimum ejection duration.
|
|
A host will remain ejected for a period
|
|
equal to the product of minimum ejection
|
|
duration and the number of times the host
|
|
has been ejected. This technique allows
|
|
the system to automatically increase the
|
|
ejection period for unhealthy upstream
|
|
servers. format: 1h/1m/1s/1ms. MUST BE
|
|
>=1ms. Default is 30s.'
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a second
|
|
at nanosecond resolution of the span
|
|
of time. Durations less than one second
|
|
are represented with a 0 `seconds`
|
|
field and a positive or negative `nanos`
|
|
field. For durations of one second
|
|
or more, a non-zero value for the
|
|
`nanos` field must be of the same
|
|
sign as the `seconds` field. Must
|
|
be from -999,999,999 to +999,999,999
|
|
inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the
|
|
span of time. Must be from -315,576,000,000
|
|
to +315,576,000,000 inclusive. Note:
|
|
these bounds are computed from: 60
|
|
sec/min * 60 min/hr * 24 hr/day *
|
|
365.25 days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
consecutive_errors:
|
|
description: Number of errors before a host
|
|
is ejected from the connection pool. Defaults
|
|
to 5. When the upstream host is accessed
|
|
over HTTP, a 502, 503, or 504 return code
|
|
qualifies as an error. When the upstream
|
|
host is accessed over an opaque TCP connection,
|
|
connect timeouts and connection error/failure
|
|
events qualify as an error.
|
|
format: int32
|
|
type: integer
|
|
interval:
|
|
description: 'Time interval between ejection
|
|
sweep analysis. format: 1h/1m/1s/1ms.
|
|
MUST BE >=1ms. Default is 10s.'
|
|
properties:
|
|
nanos:
|
|
description: Signed fractions of a second
|
|
at nanosecond resolution of the span
|
|
of time. Durations less than one second
|
|
are represented with a 0 `seconds`
|
|
field and a positive or negative `nanos`
|
|
field. For durations of one second
|
|
or more, a non-zero value for the
|
|
`nanos` field must be of the same
|
|
sign as the `seconds` field. Must
|
|
be from -999,999,999 to +999,999,999
|
|
inclusive.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: 'Signed seconds of the
|
|
span of time. Must be from -315,576,000,000
|
|
to +315,576,000,000 inclusive. Note:
|
|
these bounds are computed from: 60
|
|
sec/min * 60 min/hr * 24 hr/day *
|
|
365.25 days/year * 10000 years'
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
max_ejection_percent:
|
|
description: Maximum % of hosts in the load
|
|
balancing pool for the upstream service
|
|
that can be ejected. Defaults to 10%.
|
|
format: int32
|
|
type: integer
|
|
min_health_percent:
|
|
description: Outlier detection will be enabled
|
|
as long as the associated load balancing
|
|
pool has at least min_health_percent hosts
|
|
in healthy mode. When the percentage of
|
|
healthy hosts in the load balancing pool
|
|
drops below this threshold, outlier detection
|
|
will be disabled and the proxy will load
|
|
balance across all hosts in the pool (healthy
|
|
and unhealthy). The threshold can be disabled
|
|
by setting it to 0%. The default is 0%
|
|
as it's not typically applicable in k8s
|
|
environments with few pods per service.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
port:
|
|
description: Specifies the number of a port
|
|
on the destination service on which this policy
|
|
is being applied.
|
|
properties:
|
|
number:
|
|
description: Valid port number
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tls:
|
|
description: TLS related settings for connections
|
|
to the upstream service.
|
|
properties:
|
|
ca_certificates:
|
|
description: 'OPTIONAL: The path to the
|
|
file containing certificate authority
|
|
certificates to use in verifying a presented
|
|
server certificate. If omitted, the proxy
|
|
will not verify the server''s certificate.
|
|
Should be empty if mode is `ISTIO_MUTUAL`.'
|
|
type: string
|
|
client_certificate:
|
|
description: REQUIRED if mode is `MUTUAL`.
|
|
The path to the file holding the client-side
|
|
TLS certificate to use. Should be empty
|
|
if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
mode:
|
|
description: Indicates whether connections
|
|
to this port should be secured using TLS.
|
|
The value of this field determines how
|
|
TLS is enforced.
|
|
format: int32
|
|
type: integer
|
|
private_key:
|
|
description: REQUIRED if mode is `MUTUAL`.
|
|
The path to the file holding the client's
|
|
private key. Should be empty if mode is
`ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the
server during TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to
verify the subject identity in the certificate.
If specified, the proxy will verify that
the server certificate's subject alt name
matches one of the specified values. If
specified, this list overrides the value
of subject_alt_names from the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections
to the upstream service.
properties:
ca_certificates:
description: 'OPTIONAL: The path to the file containing
certificate authority certificates to use in
verifying a presented server certificate. If
omitted, the proxy will not verify the server''s
certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
type: string
client_certificate:
description: REQUIRED if mode is `MUTUAL`. The
path to the file holding the client-side TLS
certificate to use. Should be empty if mode
is `ISTIO_MUTUAL`.
type: string
mode:
description: Indicates whether connections to
this port should be secured using TLS. The value
of this field determines how TLS is enforced.
format: int32
type: integer
private_key:
description: REQUIRED if mode is `MUTUAL`. The
path to the file holding the client's private
key. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the server
during TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to verify
the subject identity in the certificate. If
specified, the proxy will verify that the server
certificate's subject alt name matches one of
the specified values. If specified, this list
overrides the value of subject_alt_names from
the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: object
type: array
traffic_policy:
description: Traffic policies to apply (load balancing policy,
connection pool sizes, outlier detection).
properties:
connection_pool:
description: Settings controlling the volume of connections
to an upstream service
properties:
http:
description: HTTP connection pool settings.
properties:
h2_upgrade_policy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
format: int32
type: integer
http1_max_pending_requests:
description: Maximum number of pending HTTP requests
to a destination. Default 2^32-1.
format: int32
type: integer
http2_max_requests:
description: Maximum number of requests to a backend.
Default 2^32-1.
format: int32
type: integer
idle_timeout:
description: The idle timeout for upstream connection
pool connections. The idle timeout is defined
as the period in which there are no active requests.
If not set, there is no idle timeout. When the
idle timeout is reached the connection will be
closed. Note that request based timeouts mean
that HTTP/2 PINGs will not keep the connection
alive. Applies to both HTTP1.1 and HTTP2 connections.
properties:
nanos:
description: Signed fractions of a second at
nanosecond resolution of the span of time.
Durations less than one second are represented
with a 0 `seconds` field and a positive or
negative `nanos` field. For durations of one
second or more, a non-zero value for the `nanos`
field must be of the same sign as the `seconds`
field. Must be from -999,999,999 to +999,999,999
inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of
time. Must be from -315,576,000,000 to +315,576,000,000
inclusive. Note: these bounds are computed
from: 60 sec/min * 60 min/hr * 24 hr/day *
365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_requests_per_connection:
description: Maximum number of requests per connection
to a backend. Setting this parameter to 1 disables
keep alive. Default 0, meaning "unlimited", up
to 2^29.
format: int32
type: integer
max_retries:
description: Maximum number of retries that can
be outstanding to all hosts in a cluster at a
given time. Defaults to 2^32-1.
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream
connections.
properties:
connect_timeout:
description: TCP connection timeout.
properties:
nanos:
description: Signed fractions of a second at
nanosecond resolution of the span of time.
Durations less than one second are represented
with a 0 `seconds` field and a positive or
negative `nanos` field. For durations of one
second or more, a non-zero value for the `nanos`
field must be of the same sign as the `seconds`
field. Must be from -999,999,999 to +999,999,999
inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of
time. Must be from -315,576,000,000 to +315,576,000,000
inclusive. Note: these bounds are computed
from: 60 sec/min * 60 min/hr * 24 hr/day *
365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_connections:
description: Maximum number of HTTP1 /TCP connections
to a destination host. Default 2^32-1.
format: int32
type: integer
tcp_keepalive:
description: If set then set SO_KEEPALIVE on the
socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes. Default is to use the OS level configuration
(unless overridden, Linux defaults to 75s.)
properties:
nanos:
description: Signed fractions of a second
at nanosecond resolution of the span of
time. Durations less than one second are
represented with a 0 `seconds` field and
a positive or negative `nanos` field.
For durations of one second or more, a
non-zero value for the `nanos` field must
be of the same sign as the `seconds` field.
Must be from -999,999,999 to +999,999,999
inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span
of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these
bounds are computed from: 60 sec/min *
60 min/hr * 24 hr/day * 365.25 days/year
* 10000 years'
format: int64
type: integer
type: object
probes:
description: Maximum number of keepalive probes
to send without response before deciding the
connection is dead. Default is to use the
OS level configuration (unless overridden,
Linux defaults to 9.)
format: int32
type: integer
time:
description: The time duration a connection
needs to be idle before keep-alive probes
start being sent. Default is to use the OS
level configuration (unless overridden, Linux
defaults to 7200s (i.e. 2 hours).
properties:
nanos:
description: Signed fractions of a second
at nanosecond resolution of the span of
time. Durations less than one second are
represented with a 0 `seconds` field and
a positive or negative `nanos` field.
For durations of one second or more, a
non-zero value for the `nanos` field must
be of the same sign as the `seconds` field.
Must be from -999,999,999 to +999,999,999
inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span
of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note: these
bounds are computed from: 60 sec/min *
60 min/hr * 24 hr/day * 365.25 days/year
* 10000 years'
format: int64
type: integer
type: object
type: object
type: object
type: object
load_balancer:
description: Settings controlling the load balancer algorithms.
type: object
outlier_detection:
description: Settings controlling eviction of unhealthy
hosts from the load balancing pool
properties:
base_ejection_time:
description: 'Minimum ejection duration. A host will
remain ejected for a period equal to the product of
minimum ejection duration and the number of times
the host has been ejected. This technique allows the
system to automatically increase the ejection period
for unhealthy upstream servers. format: 1h/1m/1s/1ms.
MUST BE >=1ms. Default is 30s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond
resolution of the span of time. Durations less
than one second are represented with a 0 `seconds`
field and a positive or negative `nanos` field.
For durations of one second or more, a non-zero
value for the `nanos` field must be of the same
sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time.
Must be from -315,576,000,000 to +315,576,000,000
inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year
* 10000 years'
format: int64
type: integer
type: object
consecutive_errors:
description: Number of errors before a host is ejected
from the connection pool. Defaults to 5. When the
upstream host is accessed over HTTP, a 502, 503, or
504 return code qualifies as an error. When the upstream
host is accessed over an opaque TCP connection, connect
timeouts and connection error/failure events qualify
as an error.
format: int32
type: integer
interval:
description: 'Time interval between ejection sweep analysis.
format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond
resolution of the span of time. Durations less
than one second are represented with a 0 `seconds`
field and a positive or negative `nanos` field.
For durations of one second or more, a non-zero
value for the `nanos` field must be of the same
sign as the `seconds` field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time.
Must be from -315,576,000,000 to +315,576,000,000
inclusive. Note: these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year
* 10000 years'
format: int64
type: integer
type: object
max_ejection_percent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
Defaults to 10%.
format: int32
type: integer
min_health_percent:
description: Outlier detection will be enabled as long
as the associated load balancing pool has at least
min_health_percent hosts in healthy mode. When the
percentage of healthy hosts in the load balancing
pool drops below this threshold, outlier detection
will be disabled and the proxy will load balance across
all hosts in the pool (healthy and unhealthy). The
threshold can be disabled by setting it to 0%. The
default is 0% as it's not typically applicable in
k8s environments with few pods per service.
format: int32
type: integer
type: object
port_level_settings:
description: Traffic policies specific to individual ports.
Note that port level settings will override the destination-level
settings. Traffic settings specified at the destination-level
will not be inherited when overridden by port-level settings,
i.e. default values will be applied to fields omitted
in port-level traffic policies.
items:
description: Traffic policies that apply to specific ports
of the service
properties:
connection_pool:
description: Settings controlling the volume of connections
to an upstream service
properties:
http:
description: HTTP connection pool settings.
properties:
h2_upgrade_policy:
description: Specify if http1.1 connection
should be upgraded to http2 for the associated
destination.
format: int32
type: integer
http1_max_pending_requests:
description: Maximum number of pending HTTP
requests to a destination. Default 2^32-1.
format: int32
type: integer
http2_max_requests:
description: Maximum number of requests to
a backend. Default 2^32-1.
format: int32
type: integer
idle_timeout:
description: The idle timeout for upstream
connection pool connections. The idle timeout
is defined as the period in which there
are no active requests. If not set, there
is no idle timeout. When the idle timeout
is reached the connection will be closed.
Note that request based timeouts mean that
HTTP/2 PINGs will not keep the connection
alive. Applies to both HTTP1.1 and HTTP2
connections.
properties:
nanos:
description: Signed fractions of a second
at nanosecond resolution of the span
of time. Durations less than one second
are represented with a 0 `seconds` field
and a positive or negative `nanos` field.
For durations of one second or more,
a non-zero value for the `nanos` field
must be of the same sign as the `seconds`
field. Must be from -999,999,999 to
+999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span
of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note:
these bounds are computed from: 60 sec/min
* 60 min/hr * 24 hr/day * 365.25 days/year
* 10000 years'
format: int64
type: integer
type: object
max_requests_per_connection:
description: Maximum number of requests per
connection to a backend. Setting this parameter
to 1 disables keep alive. Default 0, meaning
"unlimited", up to 2^29.
format: int32
type: integer
max_retries:
description: Maximum number of retries that
can be outstanding to all hosts in a cluster
at a given time. Defaults to 2^32-1.
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and
TCP upstream connections.
properties:
connect_timeout:
description: TCP connection timeout.
properties:
nanos:
description: Signed fractions of a second
at nanosecond resolution of the span
of time. Durations less than one second
are represented with a 0 `seconds` field
and a positive or negative `nanos` field.
For durations of one second or more,
a non-zero value for the `nanos` field
must be of the same sign as the `seconds`
field. Must be from -999,999,999 to
+999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span
of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note:
these bounds are computed from: 60 sec/min
* 60 min/hr * 24 hr/day * 365.25 days/year
* 10000 years'
format: int64
type: integer
type: object
max_connections:
description: Maximum number of HTTP1 /TCP
connections to a destination host. Default
2^32-1.
format: int32
type: integer
tcp_keepalive:
description: If set then set SO_KEEPALIVE
on the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between
keep-alive probes. Default is to use
the OS level configuration (unless overridden,
Linux defaults to 75s.)
properties:
nanos:
description: Signed fractions of a
second at nanosecond resolution
of the span of time. Durations less
than one second are represented
with a 0 `seconds` field and a positive
or negative `nanos` field. For durations
of one second or more, a non-zero
value for the `nanos` field must
be of the same sign as the `seconds`
field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the
span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note:
these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day
* 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
probes:
description: Maximum number of keepalive
probes to send without response before
deciding the connection is dead. Default
is to use the OS level configuration
(unless overridden, Linux defaults to
9.)
format: int32
type: integer
time:
description: The time duration a connection
needs to be idle before keep-alive probes
start being sent. Default is to use
the OS level configuration (unless overridden,
Linux defaults to 7200s (i.e. 2 hours).
properties:
nanos:
description: Signed fractions of a
second at nanosecond resolution
of the span of time. Durations less
than one second are represented
with a 0 `seconds` field and a positive
or negative `nanos` field. For durations
of one second or more, a non-zero
value for the `nanos` field must
be of the same sign as the `seconds`
field. Must be from -999,999,999
to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the
span of time. Must be from -315,576,000,000
to +315,576,000,000 inclusive. Note:
these bounds are computed from:
60 sec/min * 60 min/hr * 24 hr/day
* 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
type: object
type: object
type: object
load_balancer:
description: Settings controlling the load balancer
algorithms.
type: object
outlier_detection:
description: Settings controlling eviction of unhealthy
hosts from the load balancing pool
properties:
base_ejection_time:
description: 'Minimum ejection duration. A host
will remain ejected for a period equal to the
product of minimum ejection duration and the
number of times the host has been ejected. This
technique allows the system to automatically
increase the ejection period for unhealthy upstream
servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
Default is 30s.'
properties:
nanos:
description: Signed fractions of a second
at nanosecond resolution of the span of
time. Durations less than one second are
represented with a 0 `seconds` field and
a positive or negative `nanos` field. For
durations of one second or more, a non-zero
value for the `nanos` field must be of the
same sign as the `seconds` field. Must be
from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of
time. Must be from -315,576,000,000 to +315,576,000,000
inclusive. Note: these bounds are computed
from: 60 sec/min * 60 min/hr * 24 hr/day
* 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
consecutive_errors:
description: Number of errors before a host is
ejected from the connection pool. Defaults to
5. When the upstream host is accessed over HTTP,
a 502, 503, or 504 return code qualifies as
an error. When the upstream host is accessed
over an opaque TCP connection, connect timeouts
and connection error/failure events qualify
as an error.
format: int32
type: integer
interval:
description: 'Time interval between ejection sweep
analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
Default is 10s.'
properties:
nanos:
description: Signed fractions of a second
at nanosecond resolution of the span of
time. Durations less than one second are
represented with a 0 `seconds` field and
a positive or negative `nanos` field. For
durations of one second or more, a non-zero
value for the `nanos` field must be of the
same sign as the `seconds` field. Must be
from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of
time. Must be from -315,576,000,000 to +315,576,000,000
inclusive. Note: these bounds are computed
from: 60 sec/min * 60 min/hr * 24 hr/day
* 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_ejection_percent:
description: Maximum % of hosts in the load balancing
pool for the upstream service that can be ejected.
Defaults to 10%.
format: int32
type: integer
min_health_percent:
description: Outlier detection will be enabled
as long as the associated load balancing pool
has at least min_health_percent hosts in healthy
mode. When the percentage of healthy hosts in
the load balancing pool drops below this threshold,
outlier detection will be disabled and the proxy
will load balance across all hosts in the pool
(healthy and unhealthy). The threshold can be
disabled by setting it to 0%. The default is
0% as it's not typically applicable in k8s environments
with few pods per service.
format: int32
type: integer
type: object
port:
description: Specifies the number of a port on the
destination service on which this policy is being
applied.
properties:
number:
description: Valid port number
format: int32
type: integer
type: object
tls:
description: TLS related settings for connections
to the upstream service.
properties:
ca_certificates:
description: 'OPTIONAL: The path to the file containing
certificate authority certificates to use in
verifying a presented server certificate. If
omitted, the proxy will not verify the server''s
certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
type: string
client_certificate:
description: REQUIRED if mode is `MUTUAL`. The
path to the file holding the client-side TLS
certificate to use. Should be empty if mode
is `ISTIO_MUTUAL`.
type: string
mode:
description: Indicates whether connections to
this port should be secured using TLS. The value
of this field determines how TLS is enforced.
format: int32
type: integer
private_key:
description: REQUIRED if mode is `MUTUAL`. The
path to the file holding the client's private
key. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the server
during TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to verify
the subject identity in the certificate. If
specified, the proxy will verify that the server
certificate's subject alt name matches one of
the specified values. If specified, this list
overrides the value of subject_alt_names from
the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the
upstream service.
properties:
ca_certificates:
description: 'OPTIONAL: The path to the file containing
certificate authority certificates to use in verifying
a presented server certificate. If omitted, the proxy
will not verify the server''s certificate. Should
be empty if mode is `ISTIO_MUTUAL`.'
type: string
client_certificate:
description: REQUIRED if mode is `MUTUAL`. The path
to the file holding the client-side TLS certificate
to use. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
mode:
description: Indicates whether connections to this port
should be secured using TLS. The value of this field
determines how TLS is enforced.
format: int32
type: integer
private_key:
description: REQUIRED if mode is `MUTUAL`. The path
to the file holding the client's private key. Should
be empty if mode is `ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the server during
TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to verify the
subject identity in the certificate. If specified,
the proxy will verify that the server certificate's
subject alt name matches one of the specified values.
If specified, this list overrides the value of subject_alt_names
from the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: object
type: object
type: object
status:
description: ServicePolicyStatus defines the observed state of ServicePolicy
properties:
completionTime:
description: Represents time when the strategy was completed. It is
represented in RFC3339 form and is in UTC.
format: date-time
type: string
conditions:
description: The latest available observations of an object's current
state.
items:
description: StrategyCondition describes current state of a strategy.
properties:
lastProbeTime:
description: Last time the condition was checked.
format: date-time
type: string
lastTransitionTime:
description: Last time the condition transitioned from one status to
another
format: date-time
type: string
message:
description: Human readable message indicating details about last
transition.
type: string
reason:
description: reason for the condition's last transition
type: string
status:
description: Status of the condition, one of True, False, Unknown
type: string
type:
description: Type of strategy condition, Complete or Failed.
type: string
type: object
type: array
startTime:
description: Represents time when the strategy was acknowledged by the
controller. It is represented in RFC3339 form and is in UTC.
format: date-time
type: string
type: object
type: object
version: v1alpha2
versions:
- name: v1alpha2
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []