Skip to main content
Version: 1.5.x

Traffic Setting

Traffic Settings allow configuring the behavior of the proxy workloads in a set of namespaces owned by a traffic group. Specifically, it allows configuring the dependencies of proxy workloads on namespaces outside the traffic group as well as reliability settings for outbound calls made by the proxy workloads to other services.

The following example creates a traffic group for the proxy workloads in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany. It then defines a traffic setting for the all workloads in these namespaces, adding a dependency on all the services in the shared db namespace, and forwarding all unknown traffic via the egress gateway in the istio-system namespace.

apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
name: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
namespaceSelector:
names:
- "*/ns1"
- "*/ns2"
- "*/ns3"
configMode: BRIDGED

And the associated traffic settings for the proxy workloads:

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
reachability:
mode: CUSTOM
hosts:
- "ns1/*"
- "ns2/*"
- "ns3/*"
- "db/*"
resilience:
circuitBreakerSensitivity: MEDIUM
egress:
host: istio-system/istio-egressgateway

The following traffic setting confines the reachability of proxy workloads in the traffic group t1 to other namespaces inside the group. The resilience and egress gateway settings will be inherited from the workspace wide traffic setting.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
name: defaults
group: t1
workspace: w1
tenant: mycompany
organization: myorg
spec:
reachability:
mode: GROUP

HTTPRetry

HTTPRetry defines the parameters for retrying API calls to a service.

FieldDescriptionValidation Rule

attempts

int32
REQUIRED
Number of retries for a given request. The interval between retries will be determined automatically (25ms+).

Actual number of retries attempted depends on the httpReqTimeout.

int32 = {
  gte: 1
}

perTryTimeout

google.protobuf.Duration
Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.

retryOn

string
Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. See the retry policies and gRPC retry policies for more details.

string = {
  pattern: ^$|^(5xx|gateway-error|reset|connect-failure|envoy-ratelimited|retriable-4xx|refused-stream|retriable-status-codes|retriable-headers|cancelled|deadline-exceeded|internal|resource-exhausted|unavailable)(,(5xx|gateway-error|reset|connect-failure|envoy-ratelimited|retriable-4xx|refused-stream|retriable-status-codes|retriable-headers|cancelled|deadline-exceeded|internal|resource-exhausted|unavailable))*$
}

KeepAliveSettings

Keep Alive Settings.

FieldDescriptionValidation Rule

tcp

tetrateio.api.tsb.traffic.v2.KeepAliveSettings.TcpKeepAliveSettings
TCP Keep Alive settings associated with the upstream and downstream TCP connections.

TcpKeepAliveSettings

TCP Keep Alive Settings.

FieldDescriptionValidation Rule

downstream

tetrateio.api.tsb.traffic.v2.KeepAliveSettings.TcpKeepAliveSettings.TcpKeepAlive
TCP Keep Alive Settings associated with the downstream (client) connection.

upstream

tetrateio.api.tsb.traffic.v2.KeepAliveSettings.TcpKeepAliveSettings.TcpKeepAlive
TCP Keep Alive Settings associated with the upstream (backend) connection.

TcpKeepAlive

FieldDescriptionValidation Rule

probes

google.protobuf.UInt32Value
The total number of unacknowledged probes to send before deciding the connection is dead. Default is to use the OS level configuration, Linux defaults to 9.

idleTime

google.protobuf.UInt32Value
The number of seconds a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration, Linux defaults to 7200s.

interval

google.protobuf.UInt32Value
The number of seconds between keep-alive probes. Default is to use the OS level configuration, Linux defaults to 75s.

ReachabilitySettings

ReachabilitySettings define the set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy proxy workloads in the data plane.

FieldDescriptionValidation Rule

mode

tetrateio.api.tsb.traffic.v2.ReachabilitySettings.Mode
A short cut for specifying the set of services accessed by the workload.

hosts

List of string
When the mode is CUSTOM, hosts specify the set of services that the sidecar should be able to reach. Must be in the <namespace>/<fqdn> format.

- ./* indicates all services in the namespace where the sidecar resides.

- ns1/* indicates all services in the ns1 namespace.

- ns1/svc1.com indicates svc1.com service in ns1 namespace.

- */svc1.com indicates svc1.com service in any namespace.

Mode

A short cut for defining the common reachability patterns

NameNumberDescription

UNSET

0

Inherit from parent if possible. Otherwise treated as CLUSTER.

NAMESPACE

1

The workload may talk to any service in its own namespace.

GROUP

2

The workload may talk to any service in the traffic group.

WORKSPACE

3

The workload may talk to any service in the workspace.

CLUSTER

4

The workload may talk to any service in the cluster.

CUSTOM

5

The workload may talk to services defined explicitly.

ResilienceSettings

ResilienceSettings control the reliability knobs in Envoy when making outbound connections from a gateway or proxy workload.

FieldDescriptionValidation Rule

httpRequestTimeout

google.protobuf.Duration
Timeout for HTTP requests. Disabled if not set.

httpRetries

tetrateio.api.tsb.traffic.v2.HTTPRetry
Retry policy for HTTP requests. Disabled if not set.

tcpKeepalive

google.protobuf.BoolValue
Deprecated. This field will be removed in upcoming releases. Please use the keep_alive field instead. If enabled, sets SO_KEEPALIVE on the socket to enable TCP keepalive.

keepAlive

tetrateio.api.tsb.traffic.v2.KeepAliveSettings
Keep Alive Settings.

circuitBreakerSensitivity

tetrateio.api.tsb.traffic.v2.ResilienceSettings.Sensitivity
Circuit breakers in Envoy are applied per endpoint in a load balancing pool. By default, circuit breakers are disabled. If set, the sensitivity level determines the maximum number of consecutive failures that Envoy will tolerate before ejecting an endpoint from the load balancing pool.

Sensitivity

Available sensitivity levels for the circuit breaker.

NameNumberDescription

UNSET

0

Default values will be used.

LOW

1

Tolerate up to 20 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.

MEDIUM

2

Tolerate up to 10 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.

HIGH

3

Tolerate up to 5 consecutive 5xx or connection failures from an endpoint before ejecting it temporarily from the load balancing pool.

TrafficSetting

A traffic setting applies configuration to a set of proxy workloads in a traffic group or a workspace. When applied to a traffic group, missing fields will inherit values from the workspace-wide setting if any.

FieldDescriptionValidation Rule

reachability

tetrateio.api.tsb.traffic.v2.ReachabilitySettings
The set of services and hosts accessed by a workload (and hence its sidecar) in the mesh. Defining the set of services accessed by a workload (i.e. its dependencies) in advance reduces the memory and CPU consumption both the Istio control plane and the individual Envoy proxy workloads in the data plane.

resilience

tetrateio.api.tsb.traffic.v2.ResilienceSettings
Resilience settings such as timeouts, retries, etc., affecting outbound traffic from proxy workloads.

egress

tetrateio.api.tsb.traffic.v2.TrafficSetting.EgressGateway
Specifies the details of the egress proxy to which unknown traffic should be forwarded to from the proxy workload. If not specified, the proxy workload will send the unknown traffic directly to the IP requested by the application.

rateLimiting

tetrateio.api.tsb.gateway.v2.RateLimiting
Configuration for rate limiting requests. These settings are only applied to sidecar proxies in the traffic group. Use the rateLimiting field in the Tier1Gateway and the Ingressgateway API to configure ratelimiting at the ingressgateway proxies.

EgressGateway

EgressGateway specifies the gateway where traffic external to the mesh will be redirected.

FieldDescriptionValidation Rule

host

string
REQUIRED
Specifies the egress gateway hostname. Must be in <namespace>/<fqdn> format.

string = {
  pattern: ^[^/]+/[^/]+$
}

port

int32
Deprecated. This field is ignored and will be removed in upcoming releases. Specifies the port on the host to connect to.