kuma-cp configuration reference
Kuma CP configuration
# Environment type. Available values are: "kubernetes" or "universal"environment: universal # ENV: KUMA_ENVIRONMENT# Mode in which Kuma CP is running. Available values are: "standalone", "global", "zone"mode: standalone # ENV: KUMA_MODE# Resource Store configurationstore: # Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory" type: memory # ENV: KUMA_STORE_TYPE # Kubernetes Store configuration (used when store.type=kubernetes) kubernetes: # Namespace where Control Plane is installed to. systemNamespace: kuma-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE # Postgres Store configuration (used when store.type=postgres) postgres: # Host of the Postgres DB host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST # Port of the Postgres DB port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT # User of the Postgres DB user: kuma # ENV: KUMA_STORE_POSTGRES_USER # Password of the Postgres DB password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD # Database name of the Postgres DB dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME # Driver to use, one of: pgx, postgres driverName: pgx # ENV: KUMA_STORE_POSTGRES_DRIVER_NAME # Connection Timeout to the DB in seconds connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT # MaxConnectionLifetime (applied only when driverName=pgx) is the duration since creation after which a connection will be automatically closed maxConnectionLifetime: "1h" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME # MaxConnectionLifetimeJitter (applied only when driverName=pgx) is the duration after maxConnectionLifetime to randomly decide to close a connection. # This helps prevent all connections from being closed at the exact same time, starving the pool. maxConnectionLifetimeJitter: "1m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME_JITTER # HealthCheckInterval (applied only when driverName=pgx) is the duration between checks of the health of idle connections. healthCheckInterval: "30s" # ENV: KUMA_STORE_POSTGRES_HEALTH_CHECK_INTERVAL # MinOpenConnections (applied only when driverName=pgx) is the minimum number of open connections to the database minOpenConnections: 0 # ENV: KUMA_STORE_POSTGRES_MIN_OPEN_CONNECTIONS # MaxOpenConnections is the maximum number of open connections to the database # `0` value means number of open connections is unlimited maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS # MaxIdleConnections (applied only when driverName=postgres) is the maximum number of connections in the idle connection pool # <0 value means no idle connections and 0 means default max idle connections maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS # MaxListQueryElements defines maximum number of changed elements before requesting full list of elements from the store. maxListQueryElements: 0 # ENV: KUMA_STORE_POSTGRES_MAX_LIST_QUERY_ELEMENTS # TLS settings tls: # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE # Path to TLS Certificate of the client. Required when server has METHOD=cert certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH # Path to TLS Key of the client. Required when server has METHOD=cert keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH # Path to the root certificate. Used in verifyCa and verifyFull modes. caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH # MinReconnectInterval (applied only when driverName=postgres) controls the duration to wait before trying to # re-establish the database connection after connection loss. After each # consecutive failure this interval is doubled, until MaxReconnectInterval # is reached. Successfully completing the connection establishment procedure # resets the interval back to MinReconnectInterval. minReconnectInterval: "10s" # ENV: KUMA_STORE_POSTGRES_MIN_RECONNECT_INTERVAL # MaxReconnectInterval (applied only when driverName=postgres) controls the maximum possible duration to wait before trying # to re-establish the database connection after connection loss. maxReconnectInterval: "60s" # ENV: KUMA_STORE_POSTGRES_MAX_RECONNECT_INTERVAL # ReadReplica is a setting for a DB replica used only for read queries readReplica: # Host of the Postgres DB read replica. If not set, read replica is not used. host: "" # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_HOST # Port of the Postgres DB read replica port: 5432 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_PORT # Ratio in [0-100] range. How many SELECT queries (out of 100) will use read replica. ratio: 100 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_RATIO # Cache for read only operations. This cache is local to the instance of the control plane. cache: # If true then cache is enabled enabled: true # ENV: KUMA_STORE_CACHE_ENABLED # Expiration time for elements in cache. expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME # Upsert (get and update) configuration upsert: # Base time for exponential backoff on upsert operations when retry is enabled conflictRetryBaseBackoff: 200ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF # Max retries on upsert (get and update) operation when retry is enabled conflictRetryMaxTimes: 10 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES # Percentage of jitter. For example: if backoff is 20s, and this value 10, the backoff will be between 18s and 22s. conflictRetryJitterPercent: 30 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_JITTER_PERCENT # If true, skips validation of resource delete. # For example you don't have to delete all Dataplane objects before you delete a Mesh unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE# Configuration of Bootstrap Server, which provides bootstrap config to DataplanesbootstrapServer: # Parameters of bootstrap configuration params: # Address of Envoy Admin adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS # Port of Envoy Admin adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT # Path to access log file of Envoy Admin adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH # Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST # Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT # Connection timeout to the XDS Server xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT# Monitoring Assignment Discovery Service (MADS) server configurationmonitoringAssignmentServer: # Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS). port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT # Which MADS API versions to serve apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS # Interval for re-generating monitoring assignments for clients connected to the Control Plane. assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL # The default timeout for a single fetch-based discovery request, if not specified defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT # Path to TLS certificate file tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE # Path to TLS key file tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES# Envoy XDS server configurationxdsServer: # Interval for re-genarting configuration for Dataplanes connected to the Control Plane dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL # Interval for flushing status of Dataplanes connected to the Control Plane dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL # Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF # A delay between proxy terminating a connection and the CP trying to deregister the proxy. # It is used only in universal mode when you use direct lifecycle. # Setting this setting to 0s disables the delay. # Disabling this may cause race conditions that one instance of CP removes proxy object # while proxy is connected to another instance of the CP. dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY# API Server configurationapiServer: # HTTP configuration of the API Server http: # If true then API Server will be served on HTTP enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED # Network interface on which HTTP API Server will be exposed interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE # Port of the API Server port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT # HTTPS configuration of the API Server https: # If true then API Server will be served on HTTPS enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED # Network interface on which HTTPS API Server will be exposed interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE # Port of the HTTPS API Server port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT # Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE # Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE # Path to the CA certificate which is used to sign client certificates. It is used only for verifying client certificates. tlsCaFile: "" # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES # If true, then HTTPS connection will require client cert. requireClientCert: false # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT # Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets auth: # Directory of authorized client certificates (only validate in HTTPS) clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR # Api Server Authentication configuration authn: # Type of authentication mechanism (available values: "adminClientCerts", "tokens") type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE # Localhost is authenticated as a user admin of group admin localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN # Configuration for tokens authentication tokens: # If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline. enableIssuer: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_ENABLE_ISSUER # Token validator configuration validator: # If true then Kuma secrets with prefix "user-token-signing-key" are considered as signing keys. useSecrets: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_VALIDATOR_USE_SECRETS # List of public keys used to validate the token. Example: # - kid: 1 # key: | # -----BEGIN RSA PUBLIC KEY----- # MIIBCgKCAQEAq.... # -----END RSA PUBLIC KEY----- # - kid: 2 # keyFile: /keys/public.pem publicKeys: [] # If true, then API Server will operate in read only mode (serving GET requests) readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY # Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp corsAllowedDomains: - ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS # Can be used if you use a reverse proxy rootUrl: "" # ENV: KUMA_API_SERVER_ROOT_URL # The path to serve the API from basePath: "/" # ENV: KUMA_API_SERVER_BASE_PATH # configuration specific to the GUI gui: # Whether to serve the gui (if mode=zone this has no effect) enabled: true # ENV: KUMA_API_SERVER_GUI_ENABLED # Can be used if you use a reverse proxy or want to serve the gui from a different path rootUrl: "" # ENV: KUMA_API_SERVER_GUI_ROOT_URL # The path to serve the GUI from basePath: "/gui" # ENV: KUMA_API_SERVER_GUI_BASE_PATH# Environment-specific configurationruntime: # Kubernetes-specific configuration kubernetes: # Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL. controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME # Name of Service Account that is used to run the Control Plane serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME # Taint controller that prevents applications from scheduling until CNI is ready. nodeTaintController: # If true enables the taint controller. enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED # Value of app label on CNI pod that indicates if node can be ready. cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP # Value of CNI namespace. cniNamespace: "kube-system" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE # Admission WebHook Server configuration admissionServer: # Address the Admission WebHook Server should be listening on address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS # Port the Admission WebHook Server should be listening on port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT # Directory with a TLS cert and private key for the Admission WebHook Server. # TLS certificate file must be named `tls.crt`. # TLS key file must be named `tls.key`. certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir # Injector defines configuration of a Kuma Sidecar Injector. injector: # if true runs kuma-cp in CNI compatible mode cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED # list of exceptions for Kuma injection exceptions: # a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value. labels: openshift.io/build.name: "*" openshift.io/deployer-pod-for.name: "*" # VirtualProbesEnabled enables automatic converting HttpGet probes to virtual. Virtual probe # serves on sub-path of insecure port 'virtualProbesPort', # i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED # VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT # CaCertFile is CA certificate which will be used to verify a connection to the control plane. caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE # SidecarContainer defines configuration of the Kuma sidecar container. sidecarContainer: # Image name. image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE # Redirect port for inbound traffic. redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND # Redirect port for inbound traffic. redirectPortInboundV6: 15010 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6 # Redirect port for outbound traffic. redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND # User ID. uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID # Group ID. gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI # Drain time for listeners. drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME # Readiness probe. readinessProbe: # Number of seconds after the container has started before readiness probes are initiated. initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS # Number of seconds after which the probe times out. timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS # Number of seconds after which the probe times out. periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS # Minimum consecutive successes for the probe to be considered successful after having failed. successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD # Minimum consecutive failures for the probe to be considered failed after having succeeded. failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD # Liveness probe. livenessProbe: # Number of seconds after the container has started before liveness probes are initiated. initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS # Number of seconds after which the probe times out. timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS # How often (in seconds) to perform the probe. periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS # Minimum consecutive failures for the probe to be considered failed after having succeeded. failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD # Compute resource requirements. resources: # Minimum amount of compute resources required. requests: # CPU, in cores. (500m = .5 cores) cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY # Maximum amount of compute resources allowed. limits: # CPU, in cores. (500m = .5 cores) cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY # Additional environment variables that can be placed on Kuma DP sidecar envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS # If true, it enables a postStart script that waits until Envoy is ready. # With the current Kubernetes behavior, any other container in the Pod will wait until the script is complete. waitForDataplaneReady: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_WAIT_FOR_DATAPLANE_READY # InitContainer defines configuration of the Kuma init container initContainer: # Image name. image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE # ContainerPatches is an optional list of ContainerPatch names which will be applied # to init and sidecar containers if workload is not annotated with a patch list. containerPatches: [ ] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES # Configuration for a traffic that is intercepted by sidecar sidecarTraffic: # List of inbound ports that will be excluded from interception. # This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod. excludeInboundPorts: [ ] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS # List of outbound ports that will be excluded from interception. # This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod. excludeOutboundPorts: [ ] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS builtinDNS: # Use the built-in DNS enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED # Redirect port for DNS port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT # EBPF defines configuration for the ebpf, when transparent proxy is marked to be # installed using ebpf instead of iptables ebpf: # Install transparent proxy using ebpf enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED # Name of the environmental variable which will include IP address of the pod instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME # Path where BPF file system will be mounted for pinning ebpf programs and maps bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH # Path of mounted cgroup2 cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH # Name of the network interface which should be used to attach to it TC programs # when not specified, we will try to automatically determine it tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE # Path where compiled eBPF programs are placed programsSourcePath: /kuma/ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME # Kubernetes's resources reconciliation concurrency configuration controllersConcurrency: # PodController defines maximum concurrent reconciliations of Pod resources # Default value 10. If set to 0 kube controller-runtime default value of 1 will be used. podController: 10 # ENV: KUMA_RUNTIME_KUBERNETES_CONTROLLERS_CONCURRENCY_POD_CONTROLLER # Kubernetes client configuration clientConfig: # Qps defines maximum requests kubernetes client is allowed to make per second. # Default value 100. If set to 0 kube-client default value of 5 will be used. qps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_QPS # BurstQps defines maximum burst requests kubernetes client is allowed to make per second # Default value 100. If set to 0 kube-client default value of 10 will be used. burstQps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_BURST_QPS leaderElection: # LeaseDuration is the duration that non-leader candidates will # wait to force acquire leadership. This is measured against time of # last observed ack. Default is 15 seconds. leaseDuration: 15s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_LEASE_DURATION # RenewDeadline is the duration that the acting controlplane will retry # refreshing leadership before giving up. Default is 10 seconds. renewDeadline: 10s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_RENEW_DEADLINE # Universal-specific configuration universal: # DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE# Default Kuma entities configurationdefaults: # If true, it skips creating the default Mesh skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION # If true, it skips creating the default tenant resources skipTenantResources: false # ENV: KUMA_DEFAULTS_SKIP_TENANT_RESOURCES# Metrics configurationmetrics: dataplane: # How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT # How long data plane proxy can stay Online without active xDS connection idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT zone: # How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT # How long zone can stay Online without active KDS connection idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT # Compact finished metrics (do not store config and details of KDS exchange). compactFinishedSubscriptions: false # ENV: KUMA_METRICS_ZONE_COMPACT_FINISHED_SUBSCRIPTIONS mesh: # Minimum time between 2 refresh of insights minResyncInterval: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_INTERVAL # time between triggering a full refresh of all the insights fullResyncInterval: 20s # ENV: KUMA_METRICS_MESH_FULL_RESYNC_INTERVAL # the size of the buffer between event creation and processing bufferSize: 1000 # ENV: KUMA_METRICS_MESH_BUFFER_SIZE # the number of workers that process metrics events eventProcessors: 1 # ENV: KUMA_METRICS_MESH_EVENT_PROCESSORS controlPlane: # If true metrics show number of resources in the system should be reported reportResourcesCount: true # ENV: KUMA_METRICS_CONTROL_PLANE_REPORT_RESOURCES_COUNT# Reports configurationreports: # If true then usage stats will be reported enabled: false # ENV: KUMA_REPORTS_ENABLED# General configurationgeneral: # dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL # TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers. tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE # TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers. tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES # WorkDir defines a path to the working directory # Kuma stores in this directory autogenerated entities like certificates. # If empty then the working directory is $HOME/.kuma workDir: "" # ENV: KUMA_GENERAL_WORK_DIR# DNS Server configurationdnsServer: # The domain that the server will resolve the services for domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN # The CIDR range used to allocate CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR # Will create a service "<kuma.io/service>.mesh" dns entry for every service. serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED # The port to use along with the `<kuma.io/service>.mesh` dns entry serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT# Multizone modemultizone: global: kds: # Port of a gRPC server that serves Kuma Discovery Service (KDS). grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT # Interval for refreshing state of the world refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL # Interval for flushing Zone Insights (stats of multi-zone communication) zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL # TlsEnabled turns on TLS for KDS tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED # TlsCertFile defines a path to a file with PEM-encoded TLS cert. tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE # TlsKeyFile defines a path to a file with PEM-encoded TLS key. tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE # TlsMinVersion the minimum version of TLS tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION # TlsMaxVersion the maximum version of TLS tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION # TlsCipherSuites the list of cipher suites tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS. # In practice this means a limit on full list of one resource type. maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE # MsgSendTimeout defines a timeout on sending a single KDS message. # KDS stream between control planes is terminated if the control plane hits this timeout. msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT # Backoff that is executed when the global control plane is sending the response that was previously rejected by zone control plane nackBackoff: 5s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_NACK_BACKOFF # DisableSOTW if true doesn't expose SOTW version of KDS. Default: false disableSOTW: false # ENV: KUMA_MULTIZONE_GLOBAL_KDS_DISABLE_SOTW # Response backoff is a time Global CP waits before sending ACK/NACK. # This is a way to slow down Zone CP from sending resources too often. responseBackoff: 0s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_RESPONSE_BACKOFF zone: # Kuma Zone name used to mark the zone dataplane resources name: "" # ENV: KUMA_MULTIZONE_ZONE_NAME # GlobalAddress URL of Global Kuma CP globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS kds: # Interval for refreshing state of the world refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL # RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it. rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE # If true, TLS connection to the server won't be verified. tlsSkipVerify: false # ENV: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS. # In practice this means a limit on full list of one resource type. maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE # MsgSendTimeout defines a timeout on sending a single KDS message. # KDS stream between control planes is terminated if the control plane hits this timeout. msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT # Backoff that is executed when the zone control plane is sending the response that was previously rejected by global control plane nackBackoff: 5s # ENV: KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF # Response backoff is a time Zone CP waits before sending ACK/NACK. # This is a way to slow down Global CP from sending resources too often. responseBackoff: 0s # ENV: KUMA_MULTIZONE_ZONE_KDS_RESPONSE_BACKOFF# Diagnostics configurationdiagnostics: # Port of Diagnostic Server for checking health and readiness of the Control Plane serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT # If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS # Whether tls is enabled or not tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE # TlsMinVersion the minimum version of TLS tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION # TlsMaxVersion the maximum version of TLS tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION # TlsCipherSuites the list of cipher suites tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.dpServer: # Port of the DP Server port: 5678 # ENV: KUMA_DP_SERVER_PORT # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE # TlsMinVersion the minimum version of TLS tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION # TlsMaxVersion the maximum version of TLS tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION # TlsCipherSuites the list of cipher suites tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES # ReadHeaderTimeout defines the amount of time DP server will be allowed # to read request headers. The connection's read deadline is reset # after reading the headers and the Handler can decide what is considered # too slow for the body. If ReadHeaderTimeout is zero there is no timeout. # The timeout is configurable as in rare cases, when Kuma CP was restarting, # 1s which is explicitly set in other servers was insufficient and DPs # were failing to reconnect (we observed this in Projected Service Account # Tokens e2e tests, which started flaking a lot after introducing explicit # 1s timeout) readHeaderTimeout: 5s # ENV: KUMA_DP_SERVER_READ_HEADER_TIMEOUT # Auth defines an authentication configuration for the DP Server # DEPRECATED: use "authn" section. auth: # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none". # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal. type: "" # ENV: KUMA_DP_SERVER_AUTH_TYPE # Authn defines an authentication configuration for the DP Server authn: # Configuration for data plane proxy authentication. dpProxy: # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none". # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal. type: "" # Configuration of dpToken authentication method dpToken: # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline. enableIssuer: true # DP Token validator configuration. validator: # If true then Kuma secrets with prefix "dataplane-token-signing-key-{mesh}" are considered as signing keys. useSecrets: true # List of public keys used to validate the token. Example: # - kid: 1 # mesh: default # key: | # -----BEGIN RSA PUBLIC KEY----- # MIIBCgKCAQEAq.... # -----END RSA PUBLIC KEY----- # - kid: 2 # mesh: demo # keyFile: /keys/public.pem publicKeys: [] # Configuration for zone proxy authentication. zoneProxy: # Type of authentication. Available values: "serviceAccountToken", "zoneToken", "none". # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "zoneToken" on Universal. type: "" # Configuration for zoneToken authentication method. zoneToken: # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline. enableIssuer: true # Zone Token validator configuration. validator: # If true then Kuma secrets with prefix "zone-token-signing-key" are considered as signing keys. useSecrets: true # List of public keys used to validate the token. Example: # - kid: 1 # key: | # -----BEGIN RSA PUBLIC KEY----- # MIIBCgKCAQEAq.... # -----END RSA PUBLIC KEY----- # - kid: 2 # keyFile: /keys/public.pem publicKeys: [] # If true then Envoy uses Google gRPC instead of Envoy gRPC which lets a proxy reload the auth data (service account token, dp token etc.) stored in the file without proxy restart. enableReloadableTokens: false # ENV: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS # Hds defines a Health Discovery Service configuration hds: # Enabled if true then Envoy will actively check application's ports, but only on Universal. # On Kubernetes this feature disabled for now regardless the flag value enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED # Interval for Envoy to send statuses for HealthChecks interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL # RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL # Check defines a HealthCheck configuration checkDefaults: # Timeout is a time to wait for a health check response. If the timeout is reached the # health check attempt will be considered a failure timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT # Interval between health checks interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL # NoTrafficInterval is a special health check interval that is used when a cluster has # never had traffic routed to it noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL # HealthyThreshold is a number of healthy health checks required before a host is marked healthy healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD # UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD# Intercommunication CP configurationinterCp: # Catalog configuration. Catalog keeps a record of all live CP instances in the zone. catalog: # Indicates an address on which other control planes can communicate with this CP. # If empty then it's autoconfigured by taking the first IP of the nonloopback network interface. instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS # Interval on which CP will send heartbeat to a leader. heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL # Interval on which CP will write all instances to a catalog. writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL # Intercommunication CP server configuration server: # Port of the inter-cp server port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT # TlsMinVersion the minimum version of TLS tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION # TlsMaxVersion the maximum version of TLS tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION # TlsCipherSuites the list of cipher suites tlsCipherSuites: [ ] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES# Access Control configurationaccess: # Type of access strategy (available values: "static") type: static # Configuration of static access strategy static: # AdminResources defines an access to admin resources (Secret/GlobalSecret) adminResources: # List of users that are allowed to access admin resources users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS # List of groups that are allowed to access admin resources groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS # GenerateDPToken defines an access to generating dataplane token generateDpToken: # List of users that are allowed to generate dataplane token users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS # List of groups that are allowed to generate dataplane token groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS # GenerateUserToken defines an access to generating user token generateUserToken: # List of users that are allowed to generate user token users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS # List of groups that are allowed to generate user token groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS # GenerateZoneToken defines an access to generating zone token generateZoneToken: # List of users that are allowed to generate zone token users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS # List of groups that are allowed to generate zone token groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS viewConfigDump: # List of users that are allowed to get envoy config dump users: [ ] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS # List of groups that are allowed to get envoy config dump groups: ["mesh-system:unauthenticated","mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS viewStats: # List of users that are allowed to get envoy stats users: [ ] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS # List of groups that are allowed to get envoy stats groups: ["mesh-system:unauthenticated","mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS viewClusters: # List of users that are allowed to get envoy clusters users: [ ] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS # List of groups that are allowed to get envoy clusters groups: ["mesh-system:unauthenticated","mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS# Configuration of experimental features of Kumaexperimental: # If true, experimental Gateway API is enabled gatewayAPI: false # ENV: KUMA_EXPERIMENTAL_GATEWAY_API # If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap # This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config kubeOutboundsAsVIPs: true # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS # Tag first virtual outbound model is compressed version of default Virtual Outbound model # It is recommended to use tag first model for deployments with more than 2k services # You can enable this flag on existing deployment. In order to downgrade cp with this flag enabled # you need to first disable this flag and redeploy cp, after config is rewritten to default # format you can downgrade your cp useTagFirstVirtualOutboundModel: false # ENV: KUMA_EXPERIMENTAL_USE_TAG_FIRST_VIRTUAL_OUTBOUND_MODEL # If true, KDS will sync using incremental xDS updates kdsDeltaEnabled: true # ENV: KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED # List of prefixes that will be used to filter out tags by keys from ingress' available services section. # This can trim the size of the ZoneIngress object significantly. # The drawback is that you cannot use filtered out tags for traffic routing. # If empty, no filter is applied. ingressTagFilters: [] # ENV: KUMA_EXPERIMENTAL_INGRESS_TAG_FILTERS # KDS event based watchdog settings. It is a more optimal way to generate KDS snapshot config. kdsEventBasedWatchdog: # If true, then experimental event based watchdog to generate KDS snapshot is used. enabled: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_ENABLED # How often we flush changes when experimental event based watchdog is used. flushInterval: 5s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FLUSH_INTERVAL # How often we schedule full KDS resync when experimental event based watchdog is used. fullResyncInterval: 60s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL # If true, then initial full resync is going to be delayed by 0 to FullResyncInterval. delayFullResync: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC # If true then control plane computes reachable services automatically based on MeshTrafficPermission. # Lack of MeshTrafficPermission is treated as Deny the traffic. autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES # KDSSyncNameWithHashSuffix if true then during KDS sync resource name is going to be suffixed with hash. # The hash is computed based on various resource characteristics like mesh, namespace, etc. The feature prevents name # collisions when syncing policies with the same names but different meshes from Global(Universal) to Zone(Kubernetes). # More extensive explanation of the problem and solution can be found in the MADR https://github.com/kumahq/kuma/blob/master/docs/madr/decisions/029-kds-sync-hash-suffix.md KDSSyncNameWithHashSuffix: false # ENV: KUMA_EXPERIMENTAL_KDS_SYNC_NAME_WITH_HASH_SUFFIXproxy: gateway: # Sets the envoy runtime value to limit maximum number of incoming # connections to a builtin gateway data plane proxy globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONStracing: openTelemetry: endpoint: "" # e.g. otel-collector:4317# Configuration of the event bus which is local to one instance of CPeventBus: # BufferSize controls the buffer for every single event listener. # If we go over buffer, additional delay may happen to various operation like insight recomputation or KDS. bufferSize: 100 # ENV: KUMA_EVENT_BUS_BUFFER_SIZE
Helm values.yaml
global: image: # -- Default registry for all Kuma Images registry: "docker.io/kumahq" # -- The default tag for all Kuma images, which itself defaults to .Chart.AppVersion tag: # -- Add `imagePullSecrets` to all the service accounts used for Kuma components imagePullSecrets: []# -- Whether to patch the target namespace with the system labelpatchSystemNamespace: trueinstallCrdsOnUpgrade: # -- Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma) enabled: true # -- The `imagePullSecrets` to attach to the Service Account running CRD installation. # This field will be deprecated in a future release, please use .global.imagePullSecrets imagePullSecrets: []# -- Whether to disable all helm hooksnoHelmHooks: false# -- Whether to restart control-plane by calculating a new checksum for the secretrestartOnSecretChange: truecontrolPlane: # -- Environment that control plane is run in, useful when running universal global control plane on k8s environment: "kubernetes" # -- Labels to add to resources in addition to default labels extraLabels: {} # -- Kuma CP log level: one of off,info,debug logLevel: "info" # -- Kuma CP log output path: Defaults to /dev/stdout logOutputPath: "" # -- Kuma CP modes: one of standalone,zone,global mode: "standalone" # -- (string) Kuma CP zone, if running multizone zone: # -- Only used in `zone` mode kdsGlobalAddress: "" # -- Number of replicas of the Kuma CP. Ignored when autoscaling is enabled replicas: 1 # -- Minimum number of seconds for which a newly created pod should be ready for it to be considered available. minReadySeconds: 0 # -- Annotations applied only to the `Deployment` resource deploymentAnnotations: {} # -- Annotations applied only to the `Pod` resource podAnnotations: {} # Horizontal Pod Autoscaling configuration autoscaling: # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster enabled: false # -- The minimum CP pods to allow minReplicas: 2 # -- The max CP pods to scale to maxReplicas: 5 # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used targetCPUUtilizationPercentage: 80 # -- For clusters that do support autoscaling/v2, use metrics metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 80 # -- Node selector for the Kuma Control Plane pods nodeSelector: kubernetes.io/os: linux # -- Tolerations for the Kuma Control Plane pods tolerations: [] podDisruptionBudget: # -- Whether to create a pod disruption budget enabled: false # -- The maximum number of unavailable pods allowed by the budget maxUnavailable: 1 # -- Affinity placement rule for the Kuma Control Plane pods. # This is rendered as a template, so you can reference other helm variables or includes. affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: # These match the selector labels used on the deployment. matchExpressions: - key: app.kubernetes.io/name operator: In values: - '{{ include "kuma.name" . }}' - key: app.kubernetes.io/instance operator: In values: - '{{ .Release.Name }}' - key: app operator: In values: - '{{ include "kuma.name" . }}-control-plane' topologyKey: kubernetes.io/hostname # -- Topology spread constraints rule for the Kuma Control Plane pods. # This is rendered as a template, so you can use variables to generate match labels. topologySpreadConstraints: # -- Failure policy of the mutating webhook implemented by the Kuma Injector component injectorFailurePolicy: Fail service: apiServer: http: # -- Port on which Http api server Service is exposed on Node for service of type NodePort nodePort: 30681 https: # -- Port on which Https api server Service is exposed on Node for service of type NodePort nodePort: 30682 # -- Whether to create a service resource. enabled: true # -- (string) Optionally override of the Kuma Control Plane Service's name name: # -- Service type of the Kuma Control Plane type: ClusterIP # -- Additional annotations to put on the Kuma Control Plane annotations: { } # Kuma API and GUI ingress settings. Useful if you want to expose the # API and GUI of Kuma outside the k8s cluster. ingress: # -- Install K8s Ingress resource that exposes GUI and API enabled: false # -- IngressClass defines which controller will implement the resource ingressClassName: # -- Ingress hostname hostname: # -- Map of ingress annotations. annotations: {} # -- Ingress path. path: / # -- Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) pathType: ImplementationSpecific # -- Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port servicePort: 5681 globalZoneSyncService: # -- Whether to create a k8s service for the global zone sync # service. It will only be created when enabled and deploying the global # control plane. enabled: true # -- Service type of the Global-zone sync type: LoadBalancer # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer loadBalancerIP: # -- Optionally specify allowed source ranges that can access the load balancer loadBalancerSourceRanges: [] # -- Additional annotations to put on the Global Zone Sync Service annotations: { } # -- Port on which Global Zone Sync Service is exposed on Node for service of type NodePort nodePort: 30685 # -- Port on which Global Zone Sync Service is exposed port: 5685 # -- Protocol of the Global Zone Sync service port protocol: grpc defaults: # -- Whether to skip creating the default Mesh skipMeshCreation: false # -- Whether to automountServiceAccountToken for cp. Optionally set to false automountServiceAccountToken: true # -- Optionally override the resource spec resources: requests: cpu: 500m memory: 256Mi limits: memory: 256Mi # -- Pod lifecycle settings (useful for adding a preStop hook, when # using AWS ALB or NLB) lifecycle: {} # -- Number of seconds to wait before force killing the pod. Make sure to # update this if you add a preStop hook. terminationGracePeriodSeconds: 30 # TLS for various servers tls: general: # -- Secret that contains tls.crt, tls.key [and ca.crt when no # controlPlane.tls.general.caSecretName specified] for protecting # Kuma in-cluster communication secretName: "" # -- Secret that contains ca.crt that was used to sign cert for protecting # Kuma in-cluster communication (ca.crt present in this secret # have precedence over the one provided in the controlPlane.tls.general.secretName) caSecretName: "" # -- Base64 encoded CA certificate (the same as in controlPlane.tls.general.secret#ca.crt) caBundle: "" apiServer: # -- Secret that contains tls.crt, tls.key for protecting Kuma API on HTTPS secretName: "" # -- Secret that contains list of .pem certificates that can access admin endpoints of Kuma API on HTTPS clientCertsSecretName: "" # - if not creating the global control plane, then do nothing # - if secretName is empty and create is false, then do nothing # - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName # - if secretName is empty and create is true, then create a secret with a default name and use it # - if secretName is non-empty and create is true, then create the secret using the provided name kdsGlobalServer: # -- Name of the K8s TLS Secret resource. If you set this and don't set # create=true, you have to create the secret manually. secretName: "" # -- Whether to create the TLS secret in helm. create: false # -- The TLS certificate to offer. cert: "" # -- The TLS key to use. key: "" # - if not creating the zonal control plane, then do nothing # - if secretName is empty and create is false, then do nothing # - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName # - if secretName is empty and create is true, then create a secret with a default name and use it # - if secretName is non-empty and create is true, then create the secret using the provided name kdsZoneClient: # -- Name of the K8s Secret resource that contains ca.crt which was # used to sign the certificate of KDS Global Server. If you set this # and don't set create=true, you have to create the secret manually. secretName: "" # -- Whether to create the TLS secret in helm. create: false # -- CA bundle that was used to sign the certificate of KDS Global Server. cert: "" # -- If true, TLS cert of the server is not verified. skipVerify: false # -- Annotations to add for Control Plane's Service Account serviceAccountAnnotations: { } image: # -- Kuma CP ImagePullPolicy pullPolicy: IfNotPresent # -- Kuma CP image repository repository: "kuma-cp" # -- Kuma CP Image tag. When not specified, the value is copied from global.tag tag: # -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables, # where `Env` is the name of the env variable, # `Secret` is the name of the Secret, # and `Key` is the key of the Secret value to use secrets: # someSecret: # Secret: some-secret # Key: secret_key # Env: SOME_SECRET # -- Additional environment variables that will be passed to the control plane envVars: { } # -- Additional config maps to mount into the control plane, with optional inline values extraConfigMaps: [ ]# - name: extra-config# mountPath: /etc/extra-config# readOnly: true# values:# extra-config-key: |# extra-config-value # -- (object with { name: string, mountPath: string, readOnly: string }) Additional secrets to mount into the control plane, # where `Env` is the name of the env variable, # `Secret` is the name of the Secret, # and `Key` is the key of the Secret value to use extraSecrets: # extraConfig: # name: extra-config # mountPath: /etc/extra-config # readOnly: true webhooks: validator: # -- Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma. additionalRules: "" ownerReference: # -- Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma. additionalRules: "" # -- Specifies if the deployment should be started in hostNetwork mode. hostNetwork: false # -- Define a new server port for the admission controller. Recommended to set in combination with # hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS). admissionServerPort: 5443 # -- Security context at the pod level for control plane. podSecurityContext: runAsNonRoot: true # -- Security context at the container level for control plane. containerSecurityContext: readOnlyRootFilesystem: truecni: # -- Install Kuma with CNI instead of proxy init container enabled: false # -- Install CNI in chained mode chained: false # -- Set the CNI install directory netDir: /etc/cni/multus/net.d # -- Set the CNI bin directory binDir: /var/lib/cni/bin # -- Set the CNI configuration name confName: kuma-cni.conf # -- CNI log level: one of off,info,debug logLevel: info # -- Node Selector for the CNI pods nodeSelector: kubernetes.io/os: linux # -- Tolerations for the CNI pods tolerations: [] # -- Additional pod annotations podAnnotations: { } # -- Set the CNI namespace namespace: kube-system image: # -- CNI image repository repository: "kuma-cni" # -- CNI image tag - defaults to .Chart.AppVersion tag: # -- CNI image pull policy imagePullPolicy: IfNotPresent # -- it's only useful in tests to trigger a possible race condition delayStartupSeconds: 0 # -- use new CNI (experimental) experimental: imageEbpf: # -- CNI experimental eBPF image registry registry: "docker.io/kumahq" # -- CNI experimental eBPF image repository repository: "merbridge" # -- CNI experimental eBPF image tag tag: "0.8.5" resources: requests: cpu: 100m memory: 100Mi limits: memory: 100Mi # -- Security context at the pod level for cni podSecurityContext: {} # -- Security context at the container level for cni containerSecurityContext: readOnlyRootFilesystem: true runAsNonRoot: false runAsUser: 0 runAsGroup: 0dataPlane: image: # -- The Kuma DP image repository repository: "kuma-dp" # -- Kuma DP ImagePullPolicy pullPolicy: IfNotPresent # -- Kuma DP Image Tag. When not specified, the value is copied from global.tag tag: initImage: # -- The Kuma DP init image repository repository: "kuma-init" # -- Kuma DP init image tag When not specified, the value is copied from global.tag tag:ingress: # -- If true, it deploys Ingress for cross cluster communication enabled: false # -- Labels to add to resources, in addition to default labels extraLabels: {} # -- Time for which old listener will still be active as draining drainTime: 30s # -- Number of replicas of the Ingress. Ignored when autoscaling is enabled. replicas: 1 # -- Log level for ingress (available values: off|info|debug) logLevel: info # -- Define the resources to allocate to mesh ingress resources: requests: cpu: 50m memory: 64Mi limits: cpu: 1000m memory: 512Mi # -- Pod lifecycle settings (useful for adding a preStop hook, when # using AWS ALB or NLB) lifecycle: {} # -- Number of seconds to wait before force killing the pod. Make sure to # update this if you add a preStop hook. terminationGracePeriodSeconds: 40 # Horizontal Pod Autoscaling configuration autoscaling: # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster enabled: false # -- The minimum CP pods to allow minReplicas: 2 # -- The max CP pods to scale to maxReplicas: 5 # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used targetCPUUtilizationPercentage: 80 # -- For clusters that do support autoscaling/v2, use metrics metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 80 service: # -- Whether to create a Service resource. enabled: true # -- Service type of the Ingress type: LoadBalancer # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer loadBalancerIP: # -- Additional annotations to put on the Ingress service annotations: { } # -- Port on which Ingress is exposed port: 10001 # -- Port on which service is exposed on Node for service of type NodePort nodePort: # -- Additional pod annotations (deprecated favor `podAnnotations`) annotations: { } # -- Additional pod annotations podAnnotations: { } # -- Node Selector for the Ingress pods nodeSelector: kubernetes.io/os: linux # -- Tolerations for the Ingress pods tolerations: [] podDisruptionBudget: # -- Whether to create a pod disruption budget enabled: false # -- The maximum number of unavailable pods allowed by the budget maxUnavailable: 1 # -- Affinity placement rule for the Kuma Ingress pods # This is rendered as a template, so you can reference other helm variables # or includes. affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: # These match the selector labels used on the deployment. matchExpressions: - key: app.kubernetes.io/name operator: In values: - '{{ include "kuma.name" . }}' - key: app.kubernetes.io/instance operator: In values: - '{{ .Release.Name }}' - key: app operator: In values: - kuma-ingress topologyKey: kubernetes.io/hostname # -- Topology spread constraints rule for the Kuma Mesh Ingress pods. # This is rendered as a template, so you can use variables to generate match labels. topologySpreadConstraints: # -- Security context at the pod level for ingress podSecurityContext: runAsNonRoot: true runAsUser: 5678 runAsGroup: 5678 # -- Security context at the container level for ingress containerSecurityContext: readOnlyRootFilesystem: true # -- Annotations to add for Control Plane's Service Account serviceAccountAnnotations: { } # -- Whether to automountServiceAccountToken for cp. Optionally set to false automountServiceAccountToken: trueegress: # -- If true, it deploys Egress for cross cluster communication enabled: false # -- Labels to add to resources, in addition to the default labels. extraLabels: {} # -- Time for which old listener will still be active as draining drainTime: 30s # -- Number of replicas of the Egress. Ignored when autoscaling is enabled. replicas: 1 # -- Log level for egress (available values: off|info|debug) logLevel: info # Horizontal Pod Autoscaling configuration autoscaling: # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster enabled: false # -- The minimum CP pods to allow minReplicas: 2 # -- The max CP pods to scale to maxReplicas: 5 # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used targetCPUUtilizationPercentage: 80 # -- For clusters that do support autoscaling/v2, use metrics metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 80 resources: requests: cpu: 50m memory: 64Mi limits: cpu: 1000m memory: 512Mi service: # -- Whether to create the service object enabled: true # -- Service type of the Egress type: ClusterIP # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer loadBalancerIP: # -- Additional annotations to put on the Egress service annotations: { } # -- Port on which Egress is exposed port: 10002 # -- Port on which service is exposed on Node for service of type NodePort nodePort: # -- Additional pod annotations (deprecated favor `podAnnotations`) annotations: { } # -- Additional pod annotations podAnnotations: { } # -- Node Selector for the Egress pods nodeSelector: kubernetes.io/os: linux # -- Tolerations for the Egress pods tolerations: [] podDisruptionBudget: # -- Whether to create a pod disruption budget enabled: false # -- The maximum number of unavailable pods allowed by the budget maxUnavailable: 1 # -- Affinity placement rule for the Kuma Egress pods. # This is rendered as a template, so you can reference other helm variables or includes. affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: # These match the selector labels used on the deployment. matchExpressions: - key: app.kubernetes.io/name operator: In values: - '{{ include "kuma.name" . }}' - key: app.kubernetes.io/instance operator: In values: - '{{ .Release.Name }}' - key: app operator: In values: - kuma-egress topologyKey: kubernetes.io/hostname # -- Topology spread constraints rule for the Kuma Egress pods. # This is rendered as a template, so you can use variables to generate match labels. topologySpreadConstraints: # -- Security context at the pod level for egress podSecurityContext: runAsNonRoot: true runAsUser: 5678 runAsGroup: 5678 # -- Security context at the container level for egress containerSecurityContext: readOnlyRootFilesystem: true # -- Annotations to add for Control Plane's Service Account serviceAccountAnnotations: { } # -- Whether to automountServiceAccountToken for cp. Optionally set to false automountServiceAccountToken: truekumactl: image: # -- The kumactl image repository repository: kumactl # -- The kumactl image tag. When not specified, the value is copied from global.tag tag:kubectl: image: # -- The kubectl image registry registry: docker.io # -- The kubectl image repository repository: bitnami/kubectl # -- The kubectl image tag tag: "1.27.5"hooks: # -- Node selector for the HELM hooks nodeSelector: kubernetes.io/os: linux # -- Tolerations for the HELM hooks tolerations: [] # -- Security context at the pod level for crd/webhook/ns podSecurityContext: runAsNonRoot: true # -- Security context at the container level for crd/webhook/ns containerSecurityContext: readOnlyRootFilesystem: true # -- ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs # Changing below values will potentially break ebpf cleanup completely, # so be cautious when doing so. ebpfCleanup: # -- Security context at the pod level for crd/webhook/cleanup-ebpf podSecurityContext: runAsNonRoot: false # -- Security context at the container level for crd/webhook/cleanup-ebpf containerSecurityContext: readOnlyRootFilesystem: falseexperimental: # -- If true, it installs experimental Gateway API support gatewayAPI: false # Configuration for the experimental ebpf mode for transparent proxy ebpf: # -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy enabled: false # -- Name of the environmental variable which will contain the IP address of a pod instanceIPEnvVarName: INSTANCE_IP # -- Path where BPF file system should be mounted bpffsPath: /sys/fs/bpf # -- Host's cgroup2 path cgroupPath: /sys/fs/cgroup # -- Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty tcAttachIface: "" # -- Path where compiled eBPF programs which will be installed can be found programsSourcePath: /kuma/ebpf # -- If false, it uses legacy API for resource synchronization deltaKds: true# Postgres' settings for universal control plane on k8spostgres: # -- Postgres port, password should be provided as a secret reference in "controlPlane.secrets" # with the Env value "KUMA_STORE_POSTGRES_PASSWORD". # Example: # controlPlane: # secrets: # - Secret: postgres-postgresql # Key: postgresql-password # Env: KUMA_STORE_POSTGRES_PASSWORD port: "5432" # TLS settings tls: # -- Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE # -- Whether to disable SNI the postgres `sslsni` option. disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI # -- Secret name that contains the ca.crt caSecretName: # -- Secret name that contains the client tls.crt, tls.key secretName:# @ignored for helm-docsplugins: policies: meshaccesslogs: {} meshcircuitbreakers: {} meshfaultinjections: {} meshhealthchecks: {} meshhttproutes: {} meshloadbalancingstrategies: {} meshproxypatches: {} meshratelimits: {} meshretries: {} meshtcproutes: {} meshtimeouts: {} meshtraces: {} meshtrafficpermissions: {}
我的书签
添加书签
移除书签
