1
# Environment type. Available values are: "kubernetes" or "universal"
2
environment: universal # ENV: KUMA_ENVIRONMENT
3
# Mode in which Kuma CP is running. Available values are: "global", "zone", "standalone" (deprecated, use "zone")
4
mode: zone # ENV: KUMA_MODE
5
# Resource Store configuration
7
# Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory"
8
type: memory # ENV: KUMA_STORE_TYPE
9
# Kubernetes Store configuration (used when store.type=kubernetes)
11
# Namespace where Control Plane is installed to.
12
systemNamespace: kuma-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
13
# Postgres Store configuration (used when store.type=postgres)
15
# Host of the Postgres DB
16
host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST
17
# Port of the Postgres DB
18
port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT
19
# User of the Postgres DB
20
user: kuma # ENV: KUMA_STORE_POSTGRES_USER
21
# Password of the Postgres DB
22
password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD
23
# Database name of the Postgres DB
24
dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME
25
# Driver to use, one of: pgx, postgres
26
driverName: pgx # ENV: KUMA_STORE_POSTGRES_DRIVER_NAME
27
# Connection Timeout to the DB in seconds
28
connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT
29
# MaxConnectionLifetime (applied only when driverName=pgx) is the duration since creation after which a connection will be automatically closed
30
maxConnectionLifetime: "1h" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME
31
# MaxConnectionLifetimeJitter (applied only when driverName=pgx) is the duration after maxConnectionLifetime to randomly decide to close a connection.
32
# This helps prevent all connections from being closed at the exact same time, starving the pool.
33
maxConnectionLifetimeJitter: "1m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME_JITTER
34
# HealthCheckInterval (applied only when driverName=pgx) is the duration between checks of the health of idle connections.
35
healthCheckInterval: "30s" # ENV: KUMA_STORE_POSTGRES_HEALTH_CHECK_INTERVAL
36
# MinOpenConnections (applied only when driverName=pgx) is the minimum number of open connections to the database
37
minOpenConnections: 0 # ENV: KUMA_STORE_POSTGRES_MIN_OPEN_CONNECTIONS
38
# MaxOpenConnections is the maximum number of open connections to the database
39
# `0` value means number of open connections is unlimited
40
maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS
41
# MaxIdleConnections is the maximum number of connections in the idle connection pool
42
# <0 value means no idle connections and 0 means default max idle connections.
43
# Deprecated: it's only used when driverName=postgres (lib/pq) which is deprecated, use driverName=pgx instead.
44
maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS
45
# MaxListQueryElements defines maximum number of changed elements before requesting full list of elements from the store.
46
maxListQueryElements: 0 # ENV: KUMA_STORE_POSTGRES_MAX_LIST_QUERY_ELEMENTS
49
# Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
50
mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
51
# Path to TLS Certificate of the client. Required when server has METHOD=cert
52
certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH
53
# Path to TLS Key of the client. Required when server has METHOD=cert
54
keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH
55
# Path to the root certificate. Used in verifyCa and verifyFull modes.
56
caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH
57
# MinReconnectInterval controls the duration to wait before trying to
58
# re-establish the database connection after connection loss. After each
59
# consecutive failure this interval is doubled, until MaxReconnectInterval
60
# is reached. Successfully completing the connection establishment procedure
61
# resets the interval back to MinReconnectInterval.
62
# Deprecated: it's only used when driverName=postgres (lib/pq) which is deprecated, use driverName=pgx instead.
63
minReconnectInterval: "10s" # ENV: KUMA_STORE_POSTGRES_MIN_RECONNECT_INTERVAL
64
# MaxReconnectInterval controls the maximum possible duration to wait before trying
65
# to re-establish the database connection after connection loss.
66
# Deprecated: it's only used when driverName=postgres (lib/pq) which is deprecated, use driverName=pgx instead.
67
maxReconnectInterval: "60s" # ENV: KUMA_STORE_POSTGRES_MAX_RECONNECT_INTERVAL
68
# ReadReplica is a setting for a DB replica used only for read queries
70
# Host of the Postgres DB read replica. If not set, read replica is not used.
71
host: "" # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_HOST
72
# Port of the Postgres DB read replica
73
port: 5432 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_PORT
74
# Ratio in [0-100] range. How many SELECT queries (out of 100) will use read replica.
75
ratio: 100 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_RATIO
76
# Cache for read only operations. This cache is local to the instance of the control plane.
78
# If true then cache is enabled
79
enabled: true # ENV: KUMA_STORE_CACHE_ENABLED
80
# Expiration time for elements in cache.
81
expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME
82
# Upsert (get and update) configuration
84
# Base time for exponential backoff on upsert operations when retry is enabled
85
conflictRetryBaseBackoff: 200ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF
86
# Max retries on upsert (get and update) operation when retry is enabled
87
conflictRetryMaxTimes: 10 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES
88
# Percentage of jitter. For example: if backoff is 20s, and this value 10, the backoff will be between 18s and 22s.
89
conflictRetryJitterPercent: 30 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_JITTER_PERCENT
90
# If true, skips validation of resource delete.
91
# For example you don't have to delete all Dataplane objects before you delete a Mesh
92
unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE
93
# Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes
95
# Parameters of bootstrap configuration
97
# Address of Envoy Admin
98
adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS
100
adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT
101
# Path to access log file of Envoy Admin
102
adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH
103
# Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane
104
xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST
105
# Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT
106
xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT
107
# Connection timeout to the XDS Server
108
xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT
109
# Monitoring Assignment Discovery Service (MADS) server configuration
110
monitoringAssignmentServer:
111
# Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS).
112
port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT
113
# Which MADS API versions to serve
114
apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS
115
# Interval for re-generating monitoring assignments for clients connected to the Control Plane.
116
assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL
117
# The default timeout for a single fetch-based discovery request, if not specified
118
defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT
119
# Path to TLS certificate file
120
tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE
121
# Path to TLS key file
122
tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE
123
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
124
tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION
125
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
126
tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION
127
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
128
tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES
129
# Envoy XDS server configuration
131
# Interval for re-genarting configuration for Dataplanes connected to the Control Plane
132
dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL
133
# Interval for flushing status of Dataplanes connected to the Control Plane
134
dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL
135
# Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane
136
nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF
137
# A delay between proxy terminating a connection and the CP trying to deregister the proxy.
138
# It is used only in universal mode when you use direct lifecycle.
139
# Setting this setting to 0s disables the delay.
140
# Disabling this may cause race conditions that one instance of CP removes proxy object
141
# while proxy is connected to another instance of the CP.
142
dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY
143
# API Server configuration
145
# HTTP configuration of the API Server
147
# If true then API Server will be served on HTTP
148
enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED
149
# Network interface on which HTTP API Server will be exposed
150
interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE
151
# Port of the API Server
152
port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT
153
# HTTPS configuration of the API Server
155
# If true then API Server will be served on HTTPS
156
enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED
157
# Network interface on which HTTPS API Server will be exposed
158
interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE
159
# Port of the HTTPS API Server
160
port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT
161
# Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty
162
tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
163
# Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty
164
tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE
165
# Path to the CA certificate which is used to sign client certificates. It is used only for verifying client certificates.
166
tlsCaFile: "" # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE
167
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
168
tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION
169
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
170
tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION
171
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
172
tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES
173
# If true, then HTTPS connection will require client cert.
174
requireClientCert: false # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT
175
# Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets
177
# Directory of authorized client certificates (only validate in HTTPS)
178
clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR
179
# Api Server Authentication configuration
181
# Type of authentication mechanism (available values: "adminClientCerts", "tokens")
182
type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE
183
# Localhost is authenticated as a user admin of group admin
184
localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN
185
# Configuration for tokens authentication
187
# If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret
188
bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN
189
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
190
enableIssuer: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_ENABLE_ISSUER
191
# Token validator configuration
193
# If true then Kuma secrets with prefix "user-token-signing-key" are considered as signing keys.
194
useSecrets: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_VALIDATOR_USE_SECRETS
195
# List of public keys used to validate the token. Example:
198
# -----BEGIN RSA PUBLIC KEY-----
200
# -----END RSA PUBLIC KEY-----
202
# keyFile: /keys/public.pem
204
# If true, then API Server will operate in read only mode (serving GET requests)
205
readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY
206
# Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp
208
- ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS
209
# Can be used if you use a reverse proxy
210
rootUrl: "" # ENV: KUMA_API_SERVER_ROOT_URL
211
# The path to serve the API from
212
basePath: "/" # ENV: KUMA_API_SERVER_BASE_PATH
213
# configuration specific to the GUI
215
# Whether to serve the gui (if mode=zone this has no effect)
216
enabled: true # ENV: KUMA_API_SERVER_GUI_ENABLED
217
# Can be used if you use a reverse proxy or want to serve the gui from a different path
218
rootUrl: "" # ENV: KUMA_API_SERVER_GUI_ROOT_URL
219
# The path to serve the GUI from
220
basePath: "/gui" # ENV: KUMA_API_SERVER_GUI_BASE_PATH
221
# Environment-specific configuration
223
# Kubernetes-specific configuration
225
# Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL.
226
controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME
227
# Name of Service Account that is used to run the Control Plane
228
serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
229
# Taint controller that prevents applications from scheduling until CNI is ready.
231
# If true enables the taint controller.
232
enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED
233
# Value of app label on CNI pod that indicates if node can be ready.
234
cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
235
# Value of CNI namespace.
236
cniNamespace: "kube-system" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE
237
# Admission WebHook Server configuration
239
# Address the Admission WebHook Server should be listening on
240
address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS
241
# Port the Admission WebHook Server should be listening on
242
port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT
243
# Directory with a TLS cert and private key for the Admission WebHook Server.
244
# TLS certificate file must be named `tls.crt`.
245
# TLS key file must be named `tls.key`.
246
certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir
247
# Injector defines configuration of a Kuma Sidecar Injector.
249
# if true runs kuma-cp in CNI compatible mode
250
cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED
251
# list of exceptions for Kuma injection
253
# a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value.
255
openshift.io/build.name: "*"
256
openshift.io/deployer-pod-for.name: "*"
257
# VirtualProbesEnabled enables automatic converting HttpGet probes to virtual. Virtual probe
258
# serves on sub-path of insecure port 'virtualProbesPort',
259
# i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort
260
virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED
261
# VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS
262
virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT
263
# CaCertFile is CA certificate which will be used to verify a connection to the control plane.
264
caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
265
# SidecarContainer defines configuration of the Kuma sidecar container.
268
image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
269
# Redirect port for inbound traffic.
270
redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND
271
# Redirect port for inbound traffic.
272
redirectPortInboundV6: 15010 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6
273
# Redirect port for outbound traffic.
274
redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND
276
uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID
278
gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI
279
# Drain time for listeners.
280
drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME
283
# Number of seconds after the container has started before readiness probes are initiated.
284
initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS
285
# Number of seconds after which the probe times out.
286
timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS
287
# Number of seconds after which the probe times out.
288
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS
289
# Minimum consecutive successes for the probe to be considered successful after having failed.
290
successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD
291
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
292
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD
295
# Number of seconds after the container has started before liveness probes are initiated.
296
initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS
297
# Number of seconds after which the probe times out.
298
timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS
299
# How often (in seconds) to perform the probe.
300
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS
301
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
302
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD
303
# Compute resource requirements.
305
# Minimum amount of compute resources required.
307
# CPU, in cores. (500m = .5 cores)
308
cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU
309
# Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
310
memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY
311
# Maximum amount of compute resources allowed.
313
# CPU, in cores. (500m = .5 cores)
314
cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU
315
# Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
316
memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY
317
# Additional environment variables that can be placed on Kuma DP sidecar
318
envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS
319
# If true, it enables a postStart script that waits until Envoy is ready.
320
# With the current Kubernetes behavior, any other container in the Pod will wait until the script is complete.
321
waitForDataplaneReady: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_WAIT_FOR_DATAPLANE_READY
322
# InitContainer defines configuration of the Kuma init container
325
image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
326
# ContainerPatches is an optional list of ContainerPatch names which will be applied
327
# to init and sidecar containers if workload is not annotated with a patch list.
328
containerPatches: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES
329
# Configuration for a traffic that is intercepted by sidecar
331
# List of inbound ports that will be excluded from interception.
332
# This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod.
333
excludeInboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS
334
# List of outbound ports that will be excluded from interception.
335
# This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod.
336
excludeOutboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS
338
# Use the built-in DNS
339
enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED
340
# Redirect port for DNS
341
port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT
342
# Enable coredns query logging if true
343
logging: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING
344
# EBPF defines configuration for the ebpf, when transparent proxy is marked to be
345
# installed using ebpf instead of iptables
347
# Install transparent proxy using ebpf
348
enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
349
# Name of the environmental variable which will include IP address of the pod
350
instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME
351
# Path where BPF file system will be mounted for pinning ebpf programs and maps
352
bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH
353
# Path of mounted cgroup2
354
cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH
355
# Name of the network interface which should be used to attach to it TC programs
356
# when not specified, we will try to automatically determine it
357
tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE
358
# Path where compiled eBPF programs are placed
359
programsSourcePath: /kuma/ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
360
# IgnoredServiceSelectorLabels defines a list ignored labels in Service selector.
361
# If Pod matches a Service with ignored labels, but does not match it fully, it gets Ignored inbound.
362
# It is useful when you change Service selector and expect traffic to be sent immediately.
363
# An example of this is ArgoCD's BlueGreen deployment and "rollouts-pod-template-hash" selector.
364
ignoredServiceSelectorLabels: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_IGNORED_SERVICE_SELECTOR_LABELS
365
marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME
366
# Kubernetes's resources reconciliation concurrency configuration
367
controllersConcurrency:
368
# PodController defines maximum concurrent reconciliations of Pod resources
369
# Default value 10. If set to 0 kube controller-runtime default value of 1 will be used.
370
podController: 10 # ENV: KUMA_RUNTIME_KUBERNETES_CONTROLLERS_CONCURRENCY_POD_CONTROLLER
371
# Kubernetes client configuration
373
# Qps defines maximum requests kubernetes client is allowed to make per second.
374
# Default value 100. If set to 0 kube-client default value of 5 will be used.
375
qps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_QPS
376
# BurstQps defines maximum burst requests kubernetes client is allowed to make per second
377
# Default value 100. If set to 0 kube-client default value of 10 will be used.
378
burstQps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_BURST_QPS
380
# LeaseDuration is the duration that non-leader candidates will
381
# wait to force acquire leadership. This is measured against time of
382
# last observed ack. Default is 15 seconds.
383
leaseDuration: 15s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_LEASE_DURATION
384
# RenewDeadline is the duration that the acting controlplane will retry
385
# refreshing leadership before giving up. Default is 10 seconds.
386
renewDeadline: 10s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_RENEW_DEADLINE
387
# Universal-specific configuration
389
# DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC
390
dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE
391
# VIPRefreshInterval defines how often all meshes' VIPs should be recomputed
392
vipRefreshInterval: 500ms # ENV: KUMA_RUNTIME_UNIVERSAL_VIP_REFRESH_INTERVAL
393
# Default Kuma entities configuration
395
# If true, it skips creating the default Mesh
396
skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
397
# If true, it skips creating the default tenant resources
398
skipTenantResources: false # ENV: KUMA_DEFAULTS_SKIP_TENANT_RESOURCES
399
# If true, it creates the default routing (TrafficPermisson and TrafficRoute) resources for a new Mesh
400
createMeshRoutingResources: false # ENV: KUMA_DEFAULTS_CREATE_MESH_ROUTING_RESOURCES
401
# Metrics configuration
404
# How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited
405
subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT
406
# How long data plane proxy can stay Online without active xDS connection
407
idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT
409
# How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited
410
subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT
411
# How long zone can stay Online without active KDS connection
412
idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT
413
# Compact finished metrics (do not store config and details of KDS exchange).
414
compactFinishedSubscriptions: false # ENV: KUMA_METRICS_ZONE_COMPACT_FINISHED_SUBSCRIPTIONS
416
# Minimum time between 2 refresh of insights
417
minResyncInterval: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_INTERVAL
418
# time between triggering a full refresh of all the insights
419
fullResyncInterval: 20s # ENV: KUMA_METRICS_MESH_FULL_RESYNC_INTERVAL
420
# the size of the buffer between event creation and processing
421
bufferSize: 1000 # ENV: KUMA_METRICS_MESH_BUFFER_SIZE
422
# the number of workers that process metrics events
423
eventProcessors: 1 # ENV: KUMA_METRICS_MESH_EVENT_PROCESSORS
425
# If true metrics show number of resources in the system should be reported
426
reportResourcesCount: true # ENV: KUMA_METRICS_CONTROL_PLANE_REPORT_RESOURCES_COUNT
427
# Reports configuration
429
# If true then usage stats will be reported
430
enabled: false # ENV: KUMA_REPORTS_ENABLED
431
# General configuration
433
# dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name
434
dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL
435
# TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers.
436
tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE
437
# TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers.
438
tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE
439
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
440
tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION
441
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
442
tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION
443
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
444
tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES
445
# WorkDir defines a path to the working directory
446
# Kuma stores in this directory autogenerated entities like certificates.
447
# If empty then the working directory is $HOME/.kuma
448
workDir: "" # ENV: KUMA_GENERAL_WORK_DIR
449
# DNS Server configuration
451
# The domain that the server will resolve the services for
452
domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN
453
# The CIDR range used to allocate
454
CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR
455
# Will create a service "<kuma.io/service>.mesh" dns entry for every service.
456
serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED
457
# The port to use along with the `<kuma.io/service>.mesh` dns entry
458
serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT
463
# Port of a gRPC server that serves Kuma Discovery Service (KDS).
464
grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT
465
# Interval for refreshing state of the world
466
refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
467
# Interval for flushing Zone Insights (stats of multi-zone communication)
468
zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
469
# TlsEnabled turns on TLS for KDS
470
tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
471
# TlsCertFile defines a path to a file with PEM-encoded TLS cert.
472
tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
473
# TlsKeyFile defines a path to a file with PEM-encoded TLS key.
474
tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
475
# TlsMinVersion the minimum version of TLS
476
tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION
477
# TlsMaxVersion the maximum version of TLS
478
tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION
479
# TlsCipherSuites the list of cipher suites
480
tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES
481
# MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
482
# In practice this means a limit on full list of one resource type.
483
maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE
484
# MsgSendTimeout defines a timeout on sending a single KDS message.
485
# KDS stream between control planes is terminated if the control plane hits this timeout.
486
msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT
487
# Backoff that is executed when the global control plane is sending the response that was previously rejected by zone control plane
488
nackBackoff: 5s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_NACK_BACKOFF
489
# DisableSOTW if true doesn't expose SOTW version of KDS. Default: false
490
disableSOTW: false # ENV: KUMA_MULTIZONE_GLOBAL_KDS_DISABLE_SOTW
491
# Response backoff is a time Global CP waits before sending ACK/NACK.
492
# This is a way to slow down Zone CP from sending resources too often.
493
responseBackoff: 0s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_RESPONSE_BACKOFF
495
# Kuma Zone name used to mark the zone dataplane resources
496
name: "default" # ENV: KUMA_MULTIZONE_ZONE_NAME
497
# GlobalAddress URL of Global Kuma CP
498
globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
500
# Interval for refreshing state of the world
501
refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL
502
# RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it.
503
rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
504
# If true, TLS connection to the server won't be verified.
505
tlsSkipVerify: false # ENV: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
506
# MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
507
# In practice this means a limit on full list of one resource type.
508
maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE
509
# MsgSendTimeout defines a timeout on sending a single KDS message.
510
# KDS stream between control planes is terminated if the control plane hits this timeout.
511
msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT
512
# Backoff that is executed when the zone control plane is sending the response that was previously rejected by global control plane
513
nackBackoff: 5s # ENV: KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF
514
# Response backoff is a time Zone CP waits before sending ACK/NACK.
515
# This is a way to slow down Global CP from sending resources too often.
516
responseBackoff: 0s # ENV: KUMA_MULTIZONE_ZONE_KDS_RESPONSE_BACKOFF
517
# disableOriginLabelValidation disables validation of the origin label when applying resources on Zone CP
518
disableOriginLabelValidation: false # ENV: KUMA_MULTIZONE_ZONE_DISABLE_ORIGIN_LABEL_VALIDATION
519
# Diagnostics configuration
521
# Port of Diagnostic Server for checking health and readiness of the Control Plane
522
serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT
523
# If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints
524
debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS
525
# Whether tls is enabled or not
526
tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED
527
# TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
528
tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE
529
# TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
530
tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE
531
# TlsMinVersion the minimum version of TLS
532
tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION
533
# TlsMaxVersion the maximum version of TLS
534
tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION
535
# TlsCipherSuites the list of cipher suites
536
tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES
537
# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.
539
# Port of the DP Server
540
port: 5678 # ENV: KUMA_DP_SERVER_PORT
541
# TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
542
tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE
543
# TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
544
tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE
545
# TlsMinVersion the minimum version of TLS
546
tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION
547
# TlsMaxVersion the maximum version of TLS
548
tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION
549
# TlsCipherSuites the list of cipher suites
550
tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES
551
# ReadHeaderTimeout defines the amount of time DP server will be allowed
552
# to read request headers. The connection's read deadline is reset
553
# after reading the headers and the Handler can decide what is considered
554
# too slow for the body. If ReadHeaderTimeout is zero there is no timeout.
555
# The timeout is configurable as in rare cases, when Kuma CP was restarting,
556
# 1s which is explicitly set in other servers was insufficient and DPs
557
# were failing to reconnect (we observed this in Projected Service Account
558
# Tokens e2e tests, which started flaking a lot after introducing explicit
560
readHeaderTimeout: 5s # ENV: KUMA_DP_SERVER_READ_HEADER_TIMEOUT
561
# Auth defines an authentication configuration for the DP Server
562
# DEPRECATED: use "authn" section.
564
# Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
565
# If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
566
type: "" # ENV: KUMA_DP_SERVER_AUTH_TYPE
567
# Authn defines an authentication configuration for the DP Server
569
# Configuration for data plane proxy authentication.
571
# Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
572
# If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
574
# Configuration of dpToken authentication method
576
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
578
# DP Token validator configuration.
580
# If true then Kuma secrets with prefix "dataplane-token-signing-key-{mesh}" are considered as signing keys.
582
# List of public keys used to validate the token. Example:
586
# -----BEGIN RSA PUBLIC KEY-----
588
# -----END RSA PUBLIC KEY-----
591
# keyFile: /keys/public.pem
593
# Configuration for zone proxy authentication.
595
# Type of authentication. Available values: "serviceAccountToken", "zoneToken", "none".
596
# If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "zoneToken" on Universal.
598
# Configuration for zoneToken authentication method.
600
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
602
# Zone Token validator configuration.
604
# If true then Kuma secrets with prefix "zone-token-signing-key" are considered as signing keys.
606
# List of public keys used to validate the token. Example:
609
# -----BEGIN RSA PUBLIC KEY-----
611
# -----END RSA PUBLIC KEY-----
613
# keyFile: /keys/public.pem
615
# If true then Envoy uses Google gRPC instead of Envoy gRPC which lets a proxy reload the auth data (service account token, dp token etc.) stored in the file without proxy restart.
616
enableReloadableTokens: false # ENV: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS
617
# Hds defines a Health Discovery Service configuration
619
# Enabled if true then Envoy will actively check application's ports, but only on Universal.
620
# On Kubernetes this feature disabled for now regardless the flag value
621
enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED
622
# Interval for Envoy to send statuses for HealthChecks
623
interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL
624
# RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane
625
refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL
626
# Check defines a HealthCheck configuration
628
# Timeout is a time to wait for a health check response. If the timeout is reached the
629
# health check attempt will be considered a failure
630
timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT
631
# Interval between health checks
632
interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL
633
# NoTrafficInterval is a special health check interval that is used when a cluster has
634
# never had traffic routed to it
635
noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL
636
# HealthyThreshold is a number of healthy health checks required before a host is marked healthy
637
healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD
638
# UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy
639
unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD
640
# Intercommunication CP configuration
642
# Catalog configuration. Catalog keeps a record of all live CP instances in the zone.
644
# Indicates an address on which other control planes can communicate with this CP.
645
# If empty then it's autoconfigured by taking the first IP of the nonloopback network interface.
646
instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
647
# Interval on which CP will send heartbeat to a leader.
648
heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL
649
# Interval on which CP will write all instances to a catalog.
650
writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL
651
# Intercommunication CP server configuration
653
# Port of the inter-cp server
654
port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT
655
# TlsMinVersion the minimum version of TLS
656
tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION
657
# TlsMaxVersion the maximum version of TLS
658
tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION
659
# TlsCipherSuites the list of cipher suites
660
tlsCipherSuites: [] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES
661
# Access Control configuration
663
# Type of access strategy (available values: "static")
665
# Configuration of static access strategy
667
# AdminResources defines an access to admin resources (Secret/GlobalSecret)
669
# List of users that are allowed to access admin resources
670
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS
671
# List of groups that are allowed to access admin resources
672
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS
673
# GenerateDPToken defines an access to generating dataplane token
675
# List of users that are allowed to generate dataplane token
676
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS
677
# List of groups that are allowed to generate dataplane token
678
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS
679
# GenerateUserToken defines an access to generating user token
681
# List of users that are allowed to generate user token
682
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS
683
# List of groups that are allowed to generate user token
684
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS
685
# GenerateZoneToken defines an access to generating zone token
687
# List of users that are allowed to generate zone token
688
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS
689
# List of groups that are allowed to generate zone token
690
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS
692
# List of users that are allowed to get envoy config dump
693
users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS
694
# List of groups that are allowed to get envoy config dump
695
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS
697
# List of users that are allowed to get envoy stats
698
users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS
699
# List of groups that are allowed to get envoy stats
700
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS
702
# List of users that are allowed to get envoy clusters
703
users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS
704
# List of groups that are allowed to get envoy clusters
705
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS
706
# Configuration of experimental features of Kuma
708
# If true, experimental Gateway API is enabled
709
gatewayAPI: false # ENV: KUMA_EXPERIMENTAL_GATEWAY_API
710
# If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap
711
# This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config
712
kubeOutboundsAsVIPs: true # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS
713
# Tag first virtual outbound model is compressed version of default Virtual Outbound model
714
# It is recommended to use tag first model for deployments with more than 2k services
715
# You can enable this flag on existing deployment. In order to downgrade cp with this flag enabled
716
# you need to first disable this flag and redeploy cp, after config is rewritten to default
717
# format you can downgrade your cp
718
useTagFirstVirtualOutboundModel: false # ENV: KUMA_EXPERIMENTAL_USE_TAG_FIRST_VIRTUAL_OUTBOUND_MODEL
719
# If true, KDS will sync using incremental xDS updates
720
kdsDeltaEnabled: true # ENV: KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED
721
# List of prefixes that will be used to filter out tags by keys from ingress' available services section.
722
# This can trim the size of the ZoneIngress object significantly.
723
# The drawback is that you cannot use filtered out tags for traffic routing.
724
# If empty, no filter is applied.
725
ingressTagFilters: [] # ENV: KUMA_EXPERIMENTAL_INGRESS_TAG_FILTERS
726
# KDS event based watchdog settings. It is a more optimal way to generate KDS snapshot config.
727
kdsEventBasedWatchdog:
728
# If true, then experimental event based watchdog to generate KDS snapshot is used.
729
enabled: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_ENABLED
730
# How often we flush changes when experimental event based watchdog is used.
731
flushInterval: 5s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FLUSH_INTERVAL
732
# How often we schedule full KDS resync when experimental event based watchdog is used.
733
fullResyncInterval: 60s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL
734
# If true, then initial full resync is going to be delayed by 0 to FullResyncInterval.
735
delayFullResync: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC
736
# If true then control plane computes reachable services automatically based on MeshTrafficPermission.
737
# Lack of MeshTrafficPermission is treated as Deny the traffic.
738
autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
739
# Enables sidecar containers in Kubernetes if supported by the Kubernetes
741
sidecarContainers: false # ENV: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS
744
# Sets the envoy runtime value to limit maximum number of incoming
745
# connections to a builtin gateway data plane proxy
746
globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS
749
endpoint: "" # e.g. otel-collector:4317
750
# Configuration of the event bus which is local to one instance of CP
752
# BufferSize controls the buffer for every single event listener.
753
# If we go over buffer, additional delay may happen to various operation like insight recomputation or KDS.
754
bufferSize: 100 # ENV: KUMA_EVENT_BUS_BUFFER_SIZE
756
# PluginPoliciesEnabled controls which policy plugins are enabled
757
pluginPoliciesEnabled: # ENV: KUMA_PLUGIN_POLICIES_ENABLED
759
- meshcircuitbreakers
760
- meshfaultinjections
763
- meshloadbalancingstrategies
771
- meshtrafficpermissions