You are browsing documentation for a version of Kuma that is not the latest release.
MeshCircuitBreaker
This policy uses new policy matching algorithm.
Do not combine with CircuitBreaker.
This policy will look for errors in the live traffic being exchanged between our data plane proxies. It will mark a data
proxy as unhealthy if certain conditions are met. The policy will ensure that no additional traffic can reach an
unhealthy data plane proxy until it is healthy again.
Circuit breakers - unlike active MeshHealthChecks - do not send
additional traffic to our data plane proxies but they rather inspect the existing service traffic. They are also
commonly used to prevent cascading failures.
Like a real-world circuit breaker when the circuit is closed then traffic between a source and destination data
plane proxy is allowed to freely flow through it. When it is open then the traffic is interrupted.
The conditions that determine when a circuit breaker is closed or open are being configured on connection limits or
outlier detection basis. For outlier detection to open circuit breaker you can configure what we call detectors.
This policy provides 5 different types of detectors, and they are triggered on some deviations in the upstream service
behavior. All detectors could coexist on the same outbound interface.
Once one of the detectors has been triggered the corresponding data plane proxy is ejected from the set of the load
balancer for a period equal to baseEjectionTime. Every further ejection of the same data plane
proxy will further extend the baseEjectionTime multiplied by the number of ejections: for example
the fourth ejection will be lasting for a period of time of 4 * baseEjectionTime.
This policy provides passive checks.
If you want to configure active checks, please utilize the MeshHealthCheck
policy.
Data plane proxies with passive checks won’t explicitly send requests to other data plane proxies to determine if
target proxies are healthy or not.
To learn more about the information in this table, see the matching docs.
Configuration
Connection limits
maxConnections - (optional) The maximum number of connections allowed to be made to the upstream Envoy Cluster.
If not specified then equal to 1024.
maxConnectionPools - (optional) The maximum number of connection pools per Envoy Cluster that are concurrently
supported at once. Set this for Envoy Clusters which create a large number of connection pools. If not specified, the
default is unlimited.
maxPendingRequests - (optional) The maximum number of pending requests that are allowed to the upstream Envoy
Cluster. This limit is applied as a connection limit for non-HTTP traffic. If not specified then equal to 1024.
maxRetries - (optional) The maximum number of parallel retries that will be allowed to the upstream Envoy
Cluster. If not specified then equal to 3.
maxRequests - (optional) The maximum number of parallel requests that are allowed to be made to the upstream
Envoy Cluster. This limit does not apply to non-HTTP traffic. If not specified then equal to 1024.
For gRPC requests, the outlier detection will use the HTTP status mapped from the grpc-status response header.
disabled - (optional) When set to true, outlierDetection configuration won’t take any effect.
interval - (optional) The time interval between ejection analysis sweeps. This can result in both new ejections
and hosts being returned to service.
baseEjectionTime - (optional) The base time that a host is ejected for. The real time is equal to the base time
multiplied by the number of times the host has been ejected.
maxEjectionPercent - (optional) The maximum % of an upstream Envoy Clusters that can be ejected due to outlier
detection. Defaults to 10% but will eject at least one host regardless of the value.
splitExternalAndLocalErrors - (optional) Determines whether to distinguish local origin failures from external
errors. If set to true the following configuration parameters are taken into
account: detectors.localOriginFailures.consecutive.
detectors - Contains configuration for supported outlier detectors. At least one detector needs to be configured
when policy is configured for outlier detection.
healthyPanicThreshold - (optional) Allows to configure panic threshold for Envoy cluster. If not specified,
the default is 50%. To disable panic mode, set to 0%. The panic threshold is a percentage that determines when Envoy enters panic mode
due to too few healthy hosts in an upstream cluster’s priority level. If the percentage of healthy hosts falls below the threshold (for example 50%),
Envoy ignores the unhealthy status and sends traffic to all hosts in that priority level (by default). If the threshold is set to 0,
panic mode is disabled for that priority, and if all hosts are unhealthy, Envoy fails to select a host, returning a ‘503 - no healthy upstream’ error.
Detectors configuration
Configuration for supported outlier detectors. At least one detector needs to be configured when policy is configured for outlier detection.
This detection type takes into account all generated errors: locally originated and externally originated (transaction) errors.
Total failures
totalFailures.consecutive - The number of consecutive server-side error responses
(for HTTP traffic, 5xx responses; for TCP traffic, connection failures; etc.) before a consecutive total failure ejection occurs.
If an upstream host is an HTTP-server, only 5xx types of error are taken into account (see Consecutive Gateway Failure for exceptions).
Properly formatted responses, even when they carry an operational error (like index not found, access denied) are not taken into account.
Total failures (split mode)
totalFailures.consecutive - The number of consecutive server-side error responses (for HTTP traffic, 5xx responses) before a consecutive total failure ejection occurs.
Depending on mode the outlier detection can take into account gateway failures with locally originated failures (default mode) or gateway failures only (split mode).
This detection type takes into account a subset of 5xx errors, called “gateway errors” (502, 503 or 504 status code) and local origin failures, such as timeout, TCP reset etc.
Gateway failures
gatewayFailures.consecutive - The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive
gateway failure ejection occurs.
This detection type takes into account a subset of 5xx errors, called “gateway errors” (502, 503 or 504 status code).
This detector is supported only for HTTP traffic.
Gateway failures (split mode)
gatewayFailures.consecutive - The number of consecutive gateway failures (502, 503, 504 status codes) before a consecutive
gateway failure ejection occurs.
This detection takes into account only locally originated errors (timeout, reset, etc).
If Envoy repeatedly cannot connect to an upstream host or communication with the upstream host is repeatedly interrupted, it will be ejected. Various locally originated problems are detected: timeout, TCP reset, ICMP errors, etc.
This detection is not supported in the Default Mode
Success Rate based outlier detection aggregates success rate data from every host in an Envoy Cluster. Then at given intervals ejects hosts based on statistical outlier detection.
Success Rate outlier detection will not be calculated for a host if its request volume over the aggregation interval is less than the value of successRate.requestVolume
value.
Moreover, detection will not be performed for a cluster if the number of hosts with the minimum required request volume in an interval is less than the successRate.minimumHosts value.
Locally originated errors and externally originated (transaction) errors are counted and treated separately.
Success rate
successRate.minimumHosts - The number of hosts in an Envoy Cluster that must have enough request volume to detect success rate outliers. If the number of hosts is less than this setting, outlier detection via success rate statistics is not performed for any host in the Cluster.
successRate.requestVolume - The minimum number of total requests that must be collected in one interval (as defined by the interval duration configured in outlierDetection section) to include this host in success rate based outlier detection. If the volume is lower than this setting, outlier detection via success rate statistics is not performed for that host.
successRate.standardDeviationFactor - This factor is used to determine the ejection threshold for success rate outlier ejection. The ejection threshold is the difference between the mean success rate, and the product of this factor and the standard deviation of the mean success rate: mean - (standard_deviation *success_rate_standard_deviation_factor). Either int or decimal represented as string.
Failure Percentage based outlier detection functions similarly to success rate detection, in that it relies on success rate data from each host in an Envoy Cluster. However, rather than compare those values to the mean success rate of the Cluster as a whole, they are compared to a flat user-configured threshold. This threshold is configured via the failurePercentageThreshold field.
The other configuration fields for failure percentage based detection are similar to the fields for success rate detection. As with success rate detection, detection will not be performed for a host if its request volume over the aggregation interval is less than the failurePercentage.requestVolume value.
Detection also will not be performed for an Envoy Cluster if the number of hosts with the minimum required request volume in an interval is less than the failurePercentage.minimumHosts value.
Locally originated errors and externally originated (transaction) errors are counted and treated separately.
Failure percentage
failurePercentage.requestVolume - The minimum number of hosts in an Envoy Cluster in order to perform failure percentage-based ejection. If the total number of hosts in the Cluster is less than this value, failure percentage-based ejection will not be performed.
failurePercentage.minimumHosts - The minimum number of total requests that must be collected in one interval (as defined by the interval duration above) to perform failure percentage-based ejection for this host. If the volume is lower than this setting, failure percentage-based ejection will not be performed for this host.
failurePercentage.threshold - The failure percentage to use when determining failure percentage-based outlier detection. If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
