# Environment type. Available values are: "kubernetes" or "universal"
environment: universal # ENV: KUMA_ENVIRONMENT
# Mode in which Kuma CP is running. Available values are: "global", "zone", "standalone" (deprecated, use "zone")
mode: zone # ENV: KUMA_MODE
# Resource Store configuration
store:
# Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory"
type: memory # ENV: KUMA_STORE_TYPE
# Kubernetes Store configuration (used when store.type=kubernetes)
kubernetes:
# Namespace where Control Plane is installed to.
systemNamespace: kong-mesh-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
# Postgres Store configuration (used when store.type=postgres)
postgres:
# Host of the Postgres DB
host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST
# Port of the Postgres DB
port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT
# User of the Postgres DB
user: kuma # ENV: KUMA_STORE_POSTGRES_USER
# Password of the Postgres DB
password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD
# Database name of the Postgres DB
dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME
# Driver to use, one of: pgx, postgres
driverName: pgx # ENV: KUMA_STORE_POSTGRES_DRIVER_NAME
# Connection Timeout to the DB in seconds
connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT
# MaxConnectionIdleTime (applied only when driverName=pgx) is the duration after which an idle connection will be automatically closed by the health check.
maxConnectionIdleTime: "30m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_IDLE_TIME
# MaxConnectionLifetime (applied only when driverName=pgx) is the duration since creation after which a connection will be automatically closed
maxConnectionLifetime: "1h" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME
# MaxConnectionLifetimeJitter (applied only when driverName=pgx) is the duration after maxConnectionLifetime to randomly decide to close a connection.
# This helps prevent all connections from being closed at the exact same time, starving the pool.
maxConnectionLifetimeJitter: "1m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME_JITTER
# HealthCheckInterval (applied only when driverName=pgx) is the duration between checks of the health of idle connections.
healthCheckInterval: "30s" # ENV: KUMA_STORE_POSTGRES_HEALTH_CHECK_INTERVAL
# MinOpenConnections (applied only when driverName=pgx) is the minimum number of open connections to the database
minOpenConnections: 0 # ENV: KUMA_STORE_POSTGRES_MIN_OPEN_CONNECTIONS
# MaxOpenConnections is the maximum number of open connections to the database
# `0` value means number of open connections is unlimited
maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS
# MaxIdleConnections is the maximum number of connections in the idle connection pool
# <0 value means no idle connections and 0 means default max idle connections.
maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS
# MaxListQueryElements defines maximum number of changed elements before requesting full list of elements from the store.
maxListQueryElements: 0 # ENV: KUMA_STORE_POSTGRES_MAX_LIST_QUERY_ELEMENTS
# TLS settings
tls:
# Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
# Path to TLS Certificate of the client. Required when server has METHOD=cert
certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH
# Path to TLS Key of the client. Required when server has METHOD=cert
keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH
# Path to the root certificate. Used in verifyCa and verifyFull modes.
caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH
# ReadReplica is a setting for a DB replica used only for read queries
readReplica:
# Host of the Postgres DB read replica. If not set, read replica is not used.
host: "" # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_HOST
# Port of the Postgres DB read replica
port: 5432 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_PORT
# Ratio in [0-100] range. How many SELECT queries (out of 100) will use read replica.
ratio: 100 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_RATIO
# Cache for read only operations. This cache is local to the instance of the control plane.
cache:
# If true then cache is enabled
enabled: true # ENV: KUMA_STORE_CACHE_ENABLED
# Expiration time for elements in cache.
expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME
# Upsert (get and update) configuration
upsert:
# Base time for exponential backoff on upsert operations when retry is enabled
conflictRetryBaseBackoff: 200ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF
# Max retries on upsert (get and update) operation when retry is enabled
conflictRetryMaxTimes: 10 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES
# Percentage of jitter. For example: if backoff is 20s, and this value 10, the backoff will be between 18s and 22s.
conflictRetryJitterPercent: 30 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_JITTER_PERCENT
# If true, skips validation of resource delete.
# For example you don't have to delete all Dataplane objects before you delete a Mesh
unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE
# Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes
bootstrapServer:
# Parameters of bootstrap configuration
params:
# Address of Envoy Admin
adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS
# Port of Envoy Admin
adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT
# Path to access log file of Envoy Admin
adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH
# Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane
xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST
# Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT
xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT
# Connection timeout to the XDS Server
xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT
# Monitoring Assignment Discovery Service (MADS) server configuration
monitoringAssignmentServer:
# Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS).
port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT
# Which MADS API versions to serve
apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS
# Interval for re-generating monitoring assignments for clients connected to the Control Plane.
assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL
# The default timeout for a single fetch-based discovery request, if not specified
defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT
# Path to TLS certificate file
tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE
# Path to TLS key file
tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES
# Envoy XDS server configuration
xdsServer:
# Interval for re-genarting configuration for Dataplanes connected to the Control Plane
dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL
# Interval for flushing status of Dataplanes connected to the Control Plane
dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL
# Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane
nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF
# A delay between proxy terminating a connection and the CP trying to deregister the proxy.
# It is used only in universal mode when you use direct lifecycle.
# Setting this setting to 0s disables the delay.
# Disabling this may cause race conditions that one instance of CP removes proxy object
# while proxy is connected to another instance of the CP.
dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY
# API Server configuration
apiServer:
# HTTP configuration of the API Server
http:
# If true then API Server will be served on HTTP
enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED
# Network interface on which HTTP API Server will be exposed
interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE
# Port of the API Server
port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT
# HTTPS configuration of the API Server
https:
# If true then API Server will be served on HTTPS
enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED
# Network interface on which HTTPS API Server will be exposed
interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE
# Port of the HTTPS API Server
port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT
# Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty
tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
# Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty
tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE
# Path to the CA certificate which is used to sign client certificates. It is used only for verifying client certificates.
tlsCaFile: "" # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES
# If true, then HTTPS connection will require client cert.
requireClientCert: false # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT
# Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets
auth:
# Directory of authorized client certificates (only validate in HTTPS)
clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR
# Api Server Authentication configuration
authn:
# Type of authentication mechanism (available values: "adminClientCerts", "tokens")
type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE
# Localhost is authenticated as a user admin of group admin
localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN
# Configuration for tokens authentication
tokens:
# If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret
bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
enableIssuer: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_ENABLE_ISSUER
# Token validator configuration
validator:
# If true then Kuma secrets with prefix "user-token-signing-key" are considered as signing keys.
useSecrets: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_VALIDATOR_USE_SECRETS
# List of public keys used to validate the token. Example:
# - kid: 1
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEAq....
# -----END RSA PUBLIC KEY-----
# - kid: 2
# keyFile: /keys/public.pem
publicKeys: []
# If true, then API Server will operate in read only mode (serving GET requests)
readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY
# Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp
corsAllowedDomains:
- ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS
# Can be used if you use a reverse proxy
rootUrl: "" # ENV: KUMA_API_SERVER_ROOT_URL
# The path to serve the API from
basePath: "/" # ENV: KUMA_API_SERVER_BASE_PATH
# configuration specific to the GUI
gui:
# Whether to serve the gui (if mode=zone this has no effect)
enabled: true # ENV: KUMA_API_SERVER_GUI_ENABLED
# Can be used if you use a reverse proxy or want to serve the gui from a different path
rootUrl: "" # ENV: KUMA_API_SERVER_GUI_ROOT_URL
# The path to serve the GUI from
basePath: "/gui" # ENV: KUMA_API_SERVER_GUI_BASE_PATH
# Environment-specific configuration
runtime:
# Kubernetes-specific configuration
kubernetes:
# Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL.
controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME
# Name of Service Account that is used to run the Control Plane
serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
# Taint controller that prevents applications from scheduling until CNI is ready.
nodeTaintController:
# If true enables the taint controller.
enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED
# Value of app label on CNI pod that indicates if node can be ready.
cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
# Value of CNI namespace.
cniNamespace: "kube-system" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE
# Admission WebHook Server configuration
admissionServer:
# Address the Admission WebHook Server should be listening on
address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS
# Port the Admission WebHook Server should be listening on
port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT
# Directory with a TLS cert and private key for the Admission WebHook Server.
# TLS certificate file must be named `tls.crt`.
# TLS key file must be named `tls.key`.
certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir
# Injector defines configuration of a Kuma Sidecar Injector.
injector:
# if true runs kuma-cp in CNI compatible mode
cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED
# list of exceptions for Kuma injection
exceptions:
# a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value.
labels:
openshift.io/build.name: "*"
openshift.io/deployer-pod-for.name: "*"
# (Deprecated, set ApplicationProbeProxyPort to 0 to disable probe proxying) VirtualProbesEnabled enables automatic converting HttpGet probes to virtual.
# Virtual probe serves on sub-path of insecure port 'virtualProbesPort',
# i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort
virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED
# (Deprecated, use ApplicationProbeProxyPort instead) VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS
virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT
# ApplicationProbeProxyPort is a port for proxying application probes, it is not secured by mTLS. By setting to 0, probe proxying will be disabled.
applicationProbeProxyPort: 9001 # ENV: KUMA_RUNTIME_KUBERNETES_APPLICATION_PROBE_PROXY_PORT
# CaCertFile is CA certificate which will be used to verify a connection to the control plane.
caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
# SidecarContainer defines configuration of the Kuma sidecar container.
sidecarContainer:
# Image name.
image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
# Redirect port for inbound traffic.
redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND
# IP family mode enabled for traffic redirection, can be 'dualstack' or 'ipv4'
ipFamilyMode: dualstack # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IP_FAMILY_MODE
# Redirect port for outbound traffic.
redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND
# User ID.
uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID
# Group ID.
gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI
# Drain time for listeners.
drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME
# Readiness probe.
readinessProbe:
# Number of seconds after the container has started before readiness probes are initiated.
initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS
# Number of seconds after which the probe times out.
timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS
# Number of seconds after which the probe times out.
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS
# Minimum consecutive successes for the probe to be considered successful after having failed.
successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD
# Liveness probe.
livenessProbe:
# Number of seconds after the container has started before liveness probes are initiated.
initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS
# Number of seconds after which the probe times out.
timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS
# How often (in seconds) to perform the probe.
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD
# Startup probe (if sidecar containers feature is enabled).
startupProbe:
# Number of seconds after the container has started before startup probes are initiated.
initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_INITIAL_DELAY_SECONDS
# Number of seconds after which the probe times out.
timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_TIMEOUT_SECONDS
# How often (in seconds) to perform the probe.
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_PERIOD_SECONDS
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_FAILURE_THRESHOLD
# Compute resource requirements.
resources:
# Minimum amount of compute resources required.
requests:
# CPU, in cores. (500m = .5 cores)
cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU
# Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY
# Maximum amount of compute resources allowed.
limits:
# CPU, in cores. (500m = .5 cores)
cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU
# Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY
# Additional environment variables that can be placed on Kuma DP sidecar
envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS
# If true, it enables a postStart script that waits until Envoy is ready.
# With the current Kubernetes behavior, any other container in the Pod will wait until the script is complete.
waitForDataplaneReady: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_WAIT_FOR_DATAPLANE_READY
# InitContainer defines configuration of the Kuma init container
initContainer:
# Image name.
image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
# ContainerPatches is an optional list of ContainerPatch names which will be applied
# to init and sidecar containers if workload is not annotated with a patch list.
containerPatches: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES
# Configuration for a traffic that is intercepted by sidecar
sidecarTraffic:
# List of inbound ports that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod.
excludeInboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS
# List of outbound ports that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod.
excludeOutboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS
# List of inbound IP addresses that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ips annotation is specified on the Pod.
# IP addresses can be specified with or without CIDR notation, and multiple addresses can be separated by commas.
excludeInboundIPs: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_IPS
# List of outbound IP addresses that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-outbound-ips annotation is specified on the Pod.
# IP addresses can be specified with or without CIDR notation, and multiple addresses can be separated by commas.
excludeOutboundIPs: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_IPS
builtinDNS:
# Use the built-in DNS
enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED
# Redirect port for DNS
port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT
# Enable coredns query logging if true
logging: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING
# EBPF defines configuration for the ebpf, when transparent proxy is marked to be
# installed using ebpf instead of iptables
ebpf:
# Install transparent proxy using ebpf
enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
# Name of the environmental variable which will include IP address of the pod
instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME
# Path where BPF file system will be mounted for pinning ebpf programs and maps
bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH
# Path of mounted cgroup2
cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH
# Name of the network interface which should be used to attach to it TC programs
# when not specified, we will try to automatically determine it
tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE
# Path where compiled eBPF programs are placed
programsSourcePath: /tmp/kuma-ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
# IgnoredServiceSelectorLabels defines a list ignored labels in Service selector.
# If Pod matches a Service with ignored labels, but does not match it fully, it gets Ignored inbound.
# It is useful when you change Service selector and expect traffic to be sent immediately.
# An example of this is ArgoCD's BlueGreen deployment and "rollouts-pod-template-hash" selector.
ignoredServiceSelectorLabels: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_IGNORED_SERVICE_SELECTOR_LABELS
# nodeLabelsToCopy defines a list of node labels that should be copied to the Pod.
nodeLabelsToCopy: ["topology.kubernetes.io/zone", "topology.kubernetes.io/region", "kubernetes.io/hostname"] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_NODE_LABELS_TO_COPY
marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME
# Kubernetes's resources reconciliation concurrency configuration
controllersConcurrency:
# PodController defines maximum concurrent reconciliations of Pod resources
# Default value 10. If set to 0 kube controller-runtime default value of 1 will be used.
podController: 10 # ENV: KUMA_RUNTIME_KUBERNETES_CONTROLLERS_CONCURRENCY_POD_CONTROLLER
# Kubernetes client configuration
clientConfig:
# Qps defines maximum requests kubernetes client is allowed to make per second.
# Default value 100. If set to 0 kube-client default value of 5 will be used.
qps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_QPS
# BurstQps defines maximum burst requests kubernetes client is allowed to make per second
# Default value 100. If set to 0 kube-client default value of 10 will be used.
burstQps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_BURST_QPS
leaderElection:
# LeaseDuration is the duration that non-leader candidates will
# wait to force acquire leadership. This is measured against time of
# last observed ack. Default is 15 seconds.
leaseDuration: 15s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_LEASE_DURATION
# RenewDeadline is the duration that the acting controlplane will retry
# refreshing leadership before giving up. Default is 10 seconds.
renewDeadline: 10s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_RENEW_DEADLINE
# SkipMeshOwnerReference is a flag that allows to skip adding Mesh owner reference to resources.
# If this is set to true, deleting a Mesh will not delete resources that belong to that Mesh.
# This can be useful when resources are managed in Argo CD where creation/deletion is managed there.
skipMeshOwnerReference: false # ENV: KUMA_RUNTIME_KUBERNETES_SKIP_MESH_OWNER_REFERENCE
# If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
# The downside is that control plane requires permission to read Secrets in all namespaces.
supportGatewaySecretsInAllNamespaces: false # ENV: KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES
# Universal-specific configuration
universal:
# DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC
dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE
# ZoneResourceCleanupAge defines how long ZoneIngress and ZoneEgress should be offline to be cleaned up by GC
zoneResourceCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_ZONE_RESOURCE_CLEANUP_AGE
# VIPRefreshInterval defines how often all meshes' VIPs should be recomputed
vipRefreshInterval: 500ms # ENV: KUMA_RUNTIME_UNIVERSAL_VIP_REFRESH_INTERVAL
# Default Kuma entities configuration
defaults:
# If true, it skips creating the default Mesh
skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
# If true, it skips creating the default tenant resources
skipTenantResources: false # ENV: KUMA_DEFAULTS_SKIP_TENANT_RESOURCES
# If true, it creates the default routing (TrafficPermission and TrafficRoute) resources for a new Mesh
createMeshRoutingResources: false # ENV: KUMA_DEFAULTS_CREATE_MESH_ROUTING_RESOURCES
# If true, it skips creating default hostname generators
skipHostnameGenerators: false # ENV: KUMA_DEFAULTS_SKIP_HOSTNAME_GENERATORS
# Metrics configuration
metrics:
dataplane:
# How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited
subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT
# How long data plane proxy can stay Online without active xDS connection
idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT
zone:
# How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited
subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT
# How long zone can stay Online without active KDS connection
idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT
# Compact finished metrics (do not store config and details of KDS exchange).
compactFinishedSubscriptions: false # ENV: KUMA_METRICS_ZONE_COMPACT_FINISHED_SUBSCRIPTIONS
mesh:
# Minimum time between 2 refresh of insights
minResyncInterval: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_INTERVAL
# time between triggering a full refresh of all the insights
fullResyncInterval: 20s # ENV: KUMA_METRICS_MESH_FULL_RESYNC_INTERVAL
# the size of the buffer between event creation and processing
bufferSize: 1000 # ENV: KUMA_METRICS_MESH_BUFFER_SIZE
# the number of workers that process metrics events
eventProcessors: 1 # ENV: KUMA_METRICS_MESH_EVENT_PROCESSORS
controlPlane:
# If true metrics show number of resources in the system should be reported
reportResourcesCount: true # ENV: KUMA_METRICS_CONTROL_PLANE_REPORT_RESOURCES_COUNT
# Reports configuration
reports:
# If true then usage stats will be reported
enabled: false # ENV: KUMA_REPORTS_ENABLED
# General configuration
general:
# dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name
dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL
# TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers.
tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers.
tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES
# WorkDir defines a path to the working directory
# Kuma stores in this directory autogenerated entities like certificates.
# If empty then the working directory is $HOME/.kuma
workDir: "" # ENV: KUMA_GENERAL_WORK_DIR
# ResilientComponentBaseBackoff configures base backoff for restarting resilient components:
# KDS sync, Insight resync, PostgresEventListener, etc.
resilientComponentBaseBackoff: 5s # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_BASE_BACKOFF
# ResilientComponentMaxBackoff configures max backoff for restarting resilient component:
# KDS sync, Insight resync, PostgresEventListener, etc.
resilientComponentMaxBackoff: 1m # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_MAX_BACKOFF
# DNS Server configuration
dnsServer:
# The domain that the server will resolve the services for
domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN
# The CIDR range used to allocate
CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR
# Will create a service "<kuma.io/service>.mesh" dns entry for every service.
serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED
# The port to use along with the `<kuma.io/service>.mesh` dns entry
serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT
# Multizone mode
multizone:
global:
kds:
# Port of a gRPC server that serves Kuma Discovery Service (KDS).
grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT
# Interval for refreshing state of the world
refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
# Interval for flushing Zone Insights (stats of multi-zone communication)
zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
# TlsEnabled turns on TLS for KDS
tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
# TlsCertFile defines a path to a file with PEM-encoded TLS cert.
tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key.
tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES
# MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
# In practice this means a limit on full list of one resource type.
maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE
# MsgSendTimeout defines a timeout on sending a single KDS message.
# KDS stream between control planes is terminated if the control plane hits this timeout.
msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT
# Backoff that is executed when the global control plane is sending the response that was previously rejected by zone control plane
nackBackoff: 5s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_NACK_BACKOFF
# Response backoff is a time Global CP waits before sending ACK/NACK.
# This is a way to slow down Zone CP from sending resources too often.
responseBackoff: 0s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_RESPONSE_BACKOFF
tracing:
# Defines whether tracing is enabled for all gRPC methods
# of GlobalKDSServer and KDSSyncService or completely disabled
enabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TRACING_ENABLED
zone:
# Kuma Zone name used to mark the zone dataplane resources
name: "default" # ENV: KUMA_MULTIZONE_ZONE_NAME
# GlobalAddress URL of Global Kuma CP
globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
kds:
# Interval for refreshing state of the world
refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL
# RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it.
rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
# If true, TLS connection to the server won't be verified.
tlsSkipVerify: false # ENV: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
# MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
# In practice this means a limit on full list of one resource type.
maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE
# MsgSendTimeout defines a timeout on sending a single KDS message.
# KDS stream between control planes is terminated if the control plane hits this timeout.
msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT
# Backoff that is executed when the zone control plane is sending the response that was previously rejected by global control plane
nackBackoff: 5s # ENV: KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF
# Response backoff is a time Zone CP waits before sending ACK/NACK.
# This is a way to slow down Global CP from sending resources too often.
responseBackoff: 0s # ENV: KUMA_MULTIZONE_ZONE_KDS_RESPONSE_BACKOFF
# disableOriginLabelValidation disables validation of the origin label when applying resources on Zone CP
disableOriginLabelValidation: false # ENV: KUMA_MULTIZONE_ZONE_DISABLE_ORIGIN_LABEL_VALIDATION
# IngressUpdateInterval is the interval between the CP updating the list of
# available services on ZoneIngress.
ingressUpdateInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_INGRESS_UPDATE_INTERVAL
# Diagnostics configuration
diagnostics:
# Port of Diagnostic Server for checking health and readiness of the Control Plane
serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT
# If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints
debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS
# Whether tls is enabled or not
tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED
# TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES
# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.
dpServer:
# Port of the DP Server
port: 5678 # ENV: KUMA_DP_SERVER_PORT
# TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES
# ReadHeaderTimeout defines the amount of time DP server will be allowed
# to read request headers. The connection's read deadline is reset
# after reading the headers and the Handler can decide what is considered
# too slow for the body. If ReadHeaderTimeout is zero there is no timeout.
# The timeout is configurable as in rare cases, when Kuma CP was restarting,
# 1s which is explicitly set in other servers was insufficient and DPs
# were failing to reconnect (we observed this in Projected Service Account
# Tokens e2e tests, which started flaking a lot after introducing explicit
# 1s timeout)
readHeaderTimeout: 5s # ENV: KUMA_DP_SERVER_READ_HEADER_TIMEOUT
# Authn defines an authentication configuration for the DP Server
authn:
# Configuration for data plane proxy authentication.
dpProxy:
# Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
# If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
type: ""
# Configuration of dpToken authentication method
dpToken:
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
enableIssuer: true
# DP Token validator configuration.
validator:
# If true then Kuma secrets with prefix "dataplane-token-signing-key-{mesh}" are considered as signing keys.
useSecrets: true
# List of public keys used to validate the token. Example:
# - kid: 1
# mesh: default
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEAq....
# -----END RSA PUBLIC KEY-----
# - kid: 2
# mesh: demo
# keyFile: /keys/public.pem
publicKeys: []
# Configuration for zone proxy authentication.
zoneProxy:
# Type of authentication. Available values: "serviceAccountToken", "zoneToken", "none".
# If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "zoneToken" on Universal.
type: ""
# Configuration for zoneToken authentication method.
zoneToken:
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
enableIssuer: true
# Zone Token validator configuration.
validator:
# If true then Kuma secrets with prefix "zone-token-signing-key" are considered as signing keys.
useSecrets: true
# List of public keys used to validate the token. Example:
# - kid: 1
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEAq....
# -----END RSA PUBLIC KEY-----
# - kid: 2
# keyFile: /keys/public.pem
publicKeys: []
# If true then Envoy uses Google gRPC instead of Envoy gRPC which lets a proxy reload the auth data (service account token, dp token etc.) stored in the file without proxy restart.
enableReloadableTokens: false # ENV: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS
# Hds defines a Health Discovery Service configuration
hds:
# Enabled if true then Envoy will actively check application's ports, but only on Universal.
# On Kubernetes this feature disabled for now regardless the flag value
enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED
# Interval for Envoy to send statuses for HealthChecks
interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL
# RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane
refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL
# Check defines a HealthCheck configuration
checkDefaults:
# Timeout is a time to wait for a health check response. If the timeout is reached the
# health check attempt will be considered a failure
timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT
# Interval between health checks
interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL
# NoTrafficInterval is a special health check interval that is used when a cluster has
# never had traffic routed to it
noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL
# HealthyThreshold is a number of healthy health checks required before a host is marked healthy
healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD
# UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy
unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD
# Intercommunication CP configuration
interCp:
# Catalog configuration. Catalog keeps a record of all live CP instances in the zone.
catalog:
# Indicates an address on which other control planes can communicate with this CP.
# If empty then it's autoconfigured by taking the first IP of the nonloopback network interface.
instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
# Interval on which CP will send heartbeat to a leader.
heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL
# Interval on which CP will write all instances to a catalog.
writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL
# Intercommunication CP server configuration
server:
# Port of the inter-cp server
port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES
# Access Control configuration
access:
# Type of access strategy (available values: "static", "rbac")
type: rbac
# Configuration of static access strategy
static:
# AdminResources defines an access to admin resources (Secret/GlobalSecret)
adminResources:
# List of users that are allowed to access admin resources
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS
# List of groups that are allowed to access admin resources
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS
# GenerateDPToken defines an access to generating dataplane token
generateDpToken:
# List of users that are allowed to generate dataplane token
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS
# List of groups that are allowed to generate dataplane token
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS
# GenerateUserToken defines an access to generating user token
generateUserToken:
# List of users that are allowed to generate user token
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS
# List of groups that are allowed to generate user token
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS
# GenerateZoneToken defines an access to generating zone token
generateZoneToken:
# List of users that are allowed to generate zone token
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS
# List of groups that are allowed to generate zone token
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS
viewConfigDump:
# List of users that are allowed to get envoy config dump
users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS
# List of groups that are allowed to get envoy config dump
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS
viewStats:
# List of users that are allowed to get envoy stats
users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS
# List of groups that are allowed to get envoy stats
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS
viewClusters:
# List of users that are allowed to get envoy clusters
users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS
# List of groups that are allowed to get envoy clusters
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS
controlPlaneMetadata:
# List of users that are allowed to get control plane metadata
users: [] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_USERS
# List of groups that are allowed to get control plane metadata
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_GROUPS
# Configuration of experimental features of Kuma
experimental:
# If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap
# This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config
kubeOutboundsAsVIPs: true # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS
# Tag first virtual outbound model is compressed version of default Virtual Outbound model
# It is recommended to use tag first model for deployments with more than 2k services
# You can enable this flag on existing deployment. In order to downgrade cp with this flag enabled
# you need to first disable this flag and redeploy cp, after config is rewritten to default
# format you can downgrade your cp
useTagFirstVirtualOutboundModel: false # ENV: KUMA_EXPERIMENTAL_USE_TAG_FIRST_VIRTUAL_OUTBOUND_MODEL
# List of prefixes that will be used to filter out tags by keys from ingress' available services section.
# This can trim the size of the ZoneIngress object significantly.
# The drawback is that you cannot use filtered out tags for traffic routing.
# If empty, no filter is applied.
ingressTagFilters: [] # ENV: KUMA_EXPERIMENTAL_INGRESS_TAG_FILTERS
# KDS event based watchdog settings. It is a more optimal way to generate KDS snapshot config.
kdsEventBasedWatchdog:
# If true, then experimental event based watchdog to generate KDS snapshot is used.
enabled: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_ENABLED
# How often we flush changes when experimental event based watchdog is used.
flushInterval: 5s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FLUSH_INTERVAL
# How often we schedule full KDS resync when experimental event based watchdog is used.
fullResyncInterval: 60s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL
# If true, then initial full resync is going to be delayed by 0 to FullResyncInterval.
delayFullResync: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC
# If true then control plane computes reachable services automatically based on MeshTrafficPermission.
# Lack of MeshTrafficPermission is treated as Deny the traffic.
autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
# Enables sidecar containers in Kubernetes if supported by the Kubernetes
# environment.
sidecarContainers: false # ENV: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS
proxy:
gateway:
# Sets the envoy runtime value to limit maximum number of incoming
# connections to a builtin gateway data plane proxy
globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS
tracing:
openTelemetry:
endpoint: "" # e.g. otel-collector:4317
# Configuration of the event bus which is local to one instance of CP
eventBus:
# BufferSize controls the buffer for every single event listener.
# If we go over buffer, additional delay may happen to various operation like insight recomputation or KDS.
bufferSize: 100 # ENV: KUMA_EVENT_BUS_BUFFER_SIZE
policies:
# PluginPoliciesEnabled controls which policy plugins are enabled
pluginPoliciesEnabled: # ENV: KUMA_PLUGIN_POLICIES_ENABLED
- meshaccesslogs
- meshcircuitbreakers
- meshfaultinjections
- meshglobalratelimits
- meshhealthchecks
- meshhttproutes
- meshloadbalancingstrategies
- meshmetrics
- meshopas
- meshpassthroughs
- meshproxypatches
- meshratelimits
- meshretries
- meshtcproutes
- meshtimeouts
- meshtlses
- meshtraces
- meshtrafficpermissions
coreResources:
status:
# How often we compute status of MeshMultiZoneService
meshMultiZoneServiceInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_MULTI_ZONE_SERVICE_INTERVAL
# How often we compute status of MeshService
meshServiceInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_SERVICE_INTERVAL
enabled: # ENV: KUMA_CORE_RESOURCES_ENABLED
- hostnamegenerators
- meshexternalservices
- meshmultizoneservices
- meshservices
# IP address management configuration
ipam:
# MeshService address management
meshService:
# CIDR for MeshService IPs
cidr: 241.0.0.0/8 # ENV: KUMA_IPAM_MESH_SERVICE_CIDR
meshExternalService:
# CIDR for MeshExternalService IPs
cidr: 242.0.0.0/8 # ENV: KUMA_IPAM_MESH_EXTERNAL_SERVICE_CIDR
meshMultiZoneService:
# CIDR for MeshMultiZoneService IPs
cidr: 243.0.0.0/8 # ENV: KUMA_IPAM_MESH_MULTI_ZONE_SERVICE_CIDR
# Interval on which Kuma will allocate new IPs for MeshServices and MeshExternalServices
allocationInterval: 5s # ENV: KUMA_IPAM_ALLOCATION_INTERVAL
# Contains a list of CIDRs which are considered internal and trusted, Envoy attaches internal only headers to requests from these clients when forwarding HTTP requests
knownInternalCIDRs: # ENV: KUMA_IPAM_KNOWN_INTERNAL_CIDRS
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12
- fc00::/7
- fd00::/8
- 127.0.0.1/32
- ::1/128
meshService:
# How often we check whether MeshServices need to be generated from Dataplanes
generationInterval: 2s # ENV: KUMA_MESH_SERVICE_GENERATION_INTERVAL
# How long we wait before deleting a MeshService if all Dataplanes are gone
deletionGracePeriod: 1h # ENV: KUMA_MESH_SERVICE_DELETION_GRACE_PERIOD
kmesh:
# License of Kong Mesh
license:
# Inline string of the Kong Mesh license
# inline: "" # ENV: KMESH_LICENSE_INLINE
# Path to a file with the Kong Mesh license
path: "" # ENV: KMESH_LICENSE_PATH
opa:
# Interval for re-generating OPA configuration for Dataplanes connected to the Control Plane
configurationRefreshInterval: 1s # ENV: KMESH_OPA_CONFIGURATION_REFRESH_INTERVAL
# Backoff that is executed when Control Plane is sending the response that was previously rejected by OPA
nackBackoff: 5s # ENV: KMESH_OPA_CONFIGURATION_NACK_BACKOFF
multizone:
global:
kds:
auth:
# The way how Global Control Plane authenticates the Zone Control Planes. Available values ("none", "cpToken")
type: none # KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE
zone:
kds:
auth:
# Control Plane Token provided as a string
cpTokenInline: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE
# Control Plane Token provided as a file
cpTokenPath: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH
konnect:
cpId: "" # KMESH_MULTIZONE_ZONE_KONNECT_CP_ID
access:
static:
generateCpToken:
# List of users that are allowed to generate control plane token
users: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_USERS
# List of groups that are allowed to generate control plane token
groups: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_GROUPS
rbac:
# LogActions defines actions that will be logged when RBAC is resolved. Allowed values: "allowed", "denied"
logActions: ["allowed", "denied"] # ENV: KMESH_ACCESS_RBAC_LOG_ACTIONS
# DefaultAdminRoleGroups defines a list of groups to be added to the default admin role
defaultAdminRoleGroups: ["mesh-system:authenticated", "mesh-system:unauthenticated"] # ENV: KMESH_ACCESS_RBAC_DEFAULT_ADMIN_ROLE_GROUPS
# DefaultAdminRoleUsers defines a list of users to be added to the default list of admins.
defaultAdminRoleUsers: [] # ENV: KMESH_ACCESS_RBAC_DEFAULT_ADMIN_ROLE_USERS
# SkipAdminRoleCreation set whether skip creating the default admin role
skipAdminRoleCreation: false # ENV: KMESH_ACCESS_RBAC_SKIP_ADMIN_ROLE_CREATION
# Configuration for recording all the actions in the system.
audit:
# Types that are skipped by default when `types` list in AccessAudit resource is empty
skipDefaultTypes: ["DataplaneInsight", "ZoneIngressInsight", "ZoneEgressInsight", "ZoneInsight", "ServiceInsight", "MeshInsight"]
# List of backends for auditing. If empty, no audit is recorded.
backends: []
# - # type of logging backend. Available values: "file"
# type: file
# # Settings of a file backend used when the type is set to "file"
# file:
# # Path to the file that will be filled with logs
# path: /tmp/access.logs
# rotation:
# # If true, rotation is enabled.
# # Example: if we set path to /tmp/kuma.log then after the file is rotated we will have /tmp/kuma-2021-06-07T09-15-18.265.log
# enabled: true
# # Maximum number of the old log files to retain
# maxRetainedFiles: 10
# # Maximum size in megabytes of a log file before it gets rotated
# maxSizeMb: 100
# # Maximum number of days to retain old log files based on the timestamp encoded in their filename
# maxAgeDays: 30
globalRateLimit:
# Interval for re-generating global rate limit configuration for ratelimit service connected to the Control Plane
configurationRefreshInterval: 1s # ENV: KMESH_GLOBAL_RATE_LIMIT_CONFIGURATION_REFRESH_INTERVAL
# Service account name of rate limit service which will be used in
# authentication process of communication between rate limit service and
# control plane.
# The value can take two forms:
# - "system:serviceaccount:[namespace]:[service_account_name]" (example:
# system:serviceaccount:kong-mesh-system:default)
# - "[service_account_name]" - in this form, the namespace of the service
# account will be implicitly assumed as the same as control plane's system
# namespace (example: default)
serviceAccountName: system:serviceaccount:kong-mesh-system:default # ENV: KMESH_GLOBAL_RATE_LIMIT_CONFIGURATION_SERVICE_ACCOUNT_NAME
ca:
vault:
# Interval for checking whether any referenced Vault tokens have changed.
# A value of 0 disables the check.
# This check is necessary to detect updates to a Vault token stored in a secret.
# Keep this interval shorter than the value of the Vault token's TTL.
# The default is 30s, which works well for tokens with a TTL longer than 60s.
# If the token TTL is shorter than 60s, you may need to decrease this value.
# When only tokens with `inline` or `inlineString` are set, you can disable this.
tokenChangeCheckInterval: 30s # ENV: KMESH_CA_VAULT_TOKEN_CHANGE_CHECK_INTERVAL
awsIAM:
# AuthorizedAccountIDs is a list of accounts that are authorized
# to authenticate with this CP. This is optional if
# RolesToAssumeForAccounts is set.
authorizedAccountIds: []
# RolesToAssumeForAccounts is a map of AWS account IDs to role names
# that the CP should use to verify dataplane identity in cross-account
# setups.
rolesToAssumeForAccounts: {}
limits:
# Default limits configuration
default:
# Maximum number of Dataplane resources that a user can create. Set to 0 to disable the limit.
dataplanes: 0 # ENV: KMESH_LIMITS_DEFAULT_DATAPLANES
# Maximum number of policy resources that a user can create. Set to 0 to disable the limit.
policies: 0 # ENV: KMESH_LIMITS_DEFAULT_POLICIES
# Maximum number of Zone control plane resources that a user can create. Set to 0 to disable the limit.
zones: 0 # ENV: KMESH_LIMITS_DEFAULT_ZONES
kuma-cp configuration reference
Uses:
Kong Mesh
Related Documentation
Kuma CP configuration
Helm values.yaml
kuma:
nameOverride: kong-mesh
# The default registry and tag to use for all Kuma images
global:
image:
registry: "docker.io/kong"
tag:
controlPlane:
secrets: # {Env: "KMESH_LICENSE_INLINE", Secret: "kong-mesh-license", Key: "license"}
image:
repository: "kuma-cp"
webhooks:
validator:
additionalRules: |
- apiGroups:
- kuma.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- opapolicies
- accessaudits
- accessroles
- accessrolebindings
ownerReference:
additionalRules: |
- apiGroups:
- kuma.io
apiVersions:
- v1alpha1
operations:
- CREATE
resources:
- opapolicies
konnect:
# -- Control Plane Id of the control-plane in Mesh Konnect
cpId: ""
defaults:
adminRoleGroups:
- mesh-system:authenticated
- mesh-system:unauthenticated
- system:authenticated
- system:unauthenticated
plugins:
policies:
meshglobalratelimits: true
meshopas: true
ratelimit:
# -- Whether Ratelimit Service should be deployed
enabled: false
# -- Ratelimit service docker image
image:
# -- Ratelimit Service ImagePullPolicy
pullPolicy: IfNotPresent
# -- Ratelimit Service image registry
registry: "envoyproxy"
# -- Ratelimit Service image repository
repository: "ratelimit"
# -- Ratelimit Service image tag
tag: "542a6047"
# -- Log level of ratelimit service. Available values are: "INFO", "DEBUG"
logLevel: INFO
# -- Whether debug port should be exposed
exposeDebugPort: false
redis:
# -- Redis address. Need to be specified for ratelimit service to start
address:
# -- Redis port. Need to be specified for ratelimit service to start
port:
# -- Additional environment variables that will be passed to the ratelimit service
envVars: {}
service:
# -- Service type of the Ratelimit Service
type: ClusterIP
# -- Additional annotations to put on the Ratelimit service
annotations: { }
# -- Port on which Ratelimit Service is exposed
port: 10003
# -- Port on which service is exposed on Node for service of type NodePort
nodePort:
# -- Additional pod annotations (deprecated favor `podAnnotations`)
annotations: { }
# -- Additional pod annotations
podAnnotations: { }
# -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables,
# where `Env` is the name of the env variable,
# `Secret` is the name of the Secret,
# and `Key` is the key of the Secret value to use
secrets: # {Env: "REDIS_AUTH", Secret: "ratelimit-redis-auth", Key: "redis-pass"}
# someSecret:
# Secret: some-secret
# Key: secret_key
# Env: SOME_SECRET
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
enabled: false
# -- The minimum CP pods to allow
minReplicas: 1
# -- The max CP pods to scale to
maxReplicas: 5
# -- For clusters that don't support autoscaling/v2beta, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2beta, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
# -- Number of replicas of the Ratelimit Service. Ignored when autoscaling is enabled
replicas: 1
# -- Optionally override the resource spec
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 512Mi
# -- Labels to add to resources in addition to default labels
extraLabels: { }
# -- Security context at the pod level for ratelimit service
podSecurityContext:
runAsNonRoot: true
runAsUser: 5678
runAsGroup: 5678
# -- Security context at the container level for ratelimit service
containerSecurityContext:
readOnlyRootFilesystem: true
# -- This configuration is global and accessible in the Kong Mesh and Kuma chart which is included as submodule
global:
ratelimit:
serverTls:
# -- Whether Ratelimit Service should use TLS for protecting communication with DPP
enabled: false
# -- Secret that contains tls.crt, tls.key and ca.crt for protecting
# Ratelimit service with DPP communication. Should be specified if you don't
# want to use autogenerated one
secretName: ""
# -- Base64 encoded CA certificate (the same as in global.ratelimit.serverTls.secret#ca.crt)
caBundle: ""