Careful!
You are browsing documentation for the next version of Kuma. Use this version at your own risk.
kuma-cp configuration reference
Kuma CP configuration
# Environment type. Available values are: "kubernetes" or "universal"
environment: universal # ENV: KUMA_ENVIRONMENT
# Mode in which Kuma CP is running. Available values are: "global", "zone", "standalone" (deprecated, use "zone")
mode: zone # ENV: KUMA_MODE
# Resource Store configuration
store:
# Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory"
type: memory # ENV: KUMA_STORE_TYPE
# Kubernetes Store configuration (used when store.type=kubernetes)
kubernetes:
# Namespace where Control Plane is installed to.
systemNamespace: kuma-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
# Postgres Store configuration (used when store.type=postgres)
postgres:
# Host of the Postgres DB
host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST
# Port of the Postgres DB
port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT
# User of the Postgres DB
user: kuma # ENV: KUMA_STORE_POSTGRES_USER
# Password of the Postgres DB
password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD
# Database name of the Postgres DB
dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME
# Driver to use, one of: pgx, postgres
driverName: pgx # ENV: KUMA_STORE_POSTGRES_DRIVER_NAME
# Connection Timeout to the DB in seconds
connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT
# MaxConnectionIdleTime (applied only when driverName=pgx) is the duration after which an idle connection will be automatically closed by the health check.
maxConnectionIdleTime: "30m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_IDLE_TIME
# MaxConnectionLifetime (applied only when driverName=pgx) is the duration since creation after which a connection will be automatically closed
maxConnectionLifetime: "1h" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME
# MaxConnectionLifetimeJitter (applied only when driverName=pgx) is the duration after maxConnectionLifetime to randomly decide to close a connection.
# This helps prevent all connections from being closed at the exact same time, starving the pool.
maxConnectionLifetimeJitter: "1m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME_JITTER
# HealthCheckInterval (applied only when driverName=pgx) is the duration between checks of the health of idle connections.
healthCheckInterval: "30s" # ENV: KUMA_STORE_POSTGRES_HEALTH_CHECK_INTERVAL
# MinOpenConnections (applied only when driverName=pgx) is the minimum number of open connections to the database
minOpenConnections: 0 # ENV: KUMA_STORE_POSTGRES_MIN_OPEN_CONNECTIONS
# MaxOpenConnections is the maximum number of open connections to the database
# `0` value means number of open connections is unlimited
maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS
# MaxIdleConnections is the maximum number of connections in the idle connection pool
# <0 value means no idle connections and 0 means default max idle connections.
maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS
# MaxListQueryElements defines maximum number of changed elements before requesting full list of elements from the store.
maxListQueryElements: 0 # ENV: KUMA_STORE_POSTGRES_MAX_LIST_QUERY_ELEMENTS
# TLS settings
tls:
# Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
# Path to TLS Certificate of the client. Required when server has METHOD=cert
certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH
# Path to TLS Key of the client. Required when server has METHOD=cert
keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH
# Path to the root certificate. Used in verifyCa and verifyFull modes.
caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH
# ReadReplica is a setting for a DB replica used only for read queries
readReplica:
# Host of the Postgres DB read replica. If not set, read replica is not used.
host: "" # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_HOST
# Port of the Postgres DB read replica
port: 5432 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_PORT
# Ratio in [0-100] range. How many SELECT queries (out of 100) will use read replica.
ratio: 100 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_RATIO
# Cache for read only operations. This cache is local to the instance of the control plane.
cache:
# If true then cache is enabled
enabled: true # ENV: KUMA_STORE_CACHE_ENABLED
# Expiration time for elements in cache.
expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME
# Upsert (get and update) configuration
upsert:
# Base time for exponential backoff on upsert operations when retry is enabled
conflictRetryBaseBackoff: 200ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF
# Max retries on upsert (get and update) operation when retry is enabled
conflictRetryMaxTimes: 10 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES
# Percentage of jitter. For example: if backoff is 20s, and this value 10, the backoff will be between 18s and 22s.
conflictRetryJitterPercent: 30 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_JITTER_PERCENT
# If true, skips validation of resource delete.
# For example you don't have to delete all Dataplane objects before you delete a Mesh
unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE
# Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes
bootstrapServer:
# Parameters of bootstrap configuration
params:
# Address of Envoy Admin
adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS
# Port of Envoy Admin
adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT
# Path to access log file of Envoy Admin
adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH
# Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane
xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST
# Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT
xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT
# Connection timeout to the XDS Server
xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT
# Monitoring Assignment Discovery Service (MADS) server configuration
monitoringAssignmentServer:
# Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS).
port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT
# Which MADS API versions to serve
apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS
# Interval for re-generating monitoring assignments for clients connected to the Control Plane.
assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL
# The default timeout for a single fetch-based discovery request, if not specified
defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT
# Path to TLS certificate file
tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE
# Path to TLS key file
tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES
# Envoy XDS server configuration
xdsServer:
# Interval for re-genarting configuration for Dataplanes connected to the Control Plane
dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL
# Interval for flushing status of Dataplanes connected to the Control Plane
dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL
# Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane
nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF
# A delay between proxy terminating a connection and the CP trying to deregister the proxy.
# It is used only in universal mode when you use direct lifecycle.
# Setting this setting to 0s disables the delay.
# Disabling this may cause race conditions that one instance of CP removes proxy object
# while proxy is connected to another instance of the CP.
dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY
# API Server configuration
apiServer:
# HTTP configuration of the API Server
http:
# If true then API Server will be served on HTTP
enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED
# Network interface on which HTTP API Server will be exposed
interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE
# Port of the API Server
port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT
# HTTPS configuration of the API Server
https:
# If true then API Server will be served on HTTPS
enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED
# Network interface on which HTTPS API Server will be exposed
interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE
# Port of the HTTPS API Server
port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT
# Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty
tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
# Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty
tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE
# Path to the CA certificate which is used to sign client certificates. It is used only for verifying client certificates.
tlsCaFile: "" # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES
# If true, then HTTPS connection will require client cert.
requireClientCert: false # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT
# Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets
auth:
# Directory of authorized client certificates (only validate in HTTPS)
clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR
# Api Server Authentication configuration
authn:
# Type of authentication mechanism (available values: "adminClientCerts", "tokens")
type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE
# Localhost is authenticated as a user admin of group admin
localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN
# Configuration for tokens authentication
tokens:
# If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret
bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
enableIssuer: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_ENABLE_ISSUER
# Token validator configuration
validator:
# If true then Kuma secrets with prefix "user-token-signing-key" are considered as signing keys.
useSecrets: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_VALIDATOR_USE_SECRETS
# List of public keys used to validate the token. Example:
# - kid: 1
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEAq....
# -----END RSA PUBLIC KEY-----
# - kid: 2
# keyFile: /keys/public.pem
publicKeys: []
# If true, then API Server will operate in read only mode (serving GET requests)
readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY
# Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp
corsAllowedDomains:
- ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS
# Can be used if you use a reverse proxy
rootUrl: "" # ENV: KUMA_API_SERVER_ROOT_URL
# The path to serve the API from
basePath: "/" # ENV: KUMA_API_SERVER_BASE_PATH
# configuration specific to the GUI
gui:
# Whether to serve the gui (if mode=zone this has no effect)
enabled: true # ENV: KUMA_API_SERVER_GUI_ENABLED
# Can be used if you use a reverse proxy or want to serve the gui from a different path
rootUrl: "" # ENV: KUMA_API_SERVER_GUI_ROOT_URL
# The path to serve the GUI from
basePath: "/gui" # ENV: KUMA_API_SERVER_GUI_BASE_PATH
# Environment-specific configuration
runtime:
# Kubernetes-specific configuration
kubernetes:
# Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL.
controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME
# Name of Service Account that is used to run the Control Plane
serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
# Taint controller that prevents applications from scheduling until CNI is ready.
nodeTaintController:
# If true enables the taint controller.
enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED
# Value of app label on CNI pod that indicates if node can be ready.
cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
# Value of CNI namespace.
cniNamespace: "kube-system" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE
# Admission WebHook Server configuration
admissionServer:
# Address the Admission WebHook Server should be listening on
address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS
# Port the Admission WebHook Server should be listening on
port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT
# Directory with a TLS cert and private key for the Admission WebHook Server.
# TLS certificate file must be named `tls.crt`.
# TLS key file must be named `tls.key`.
certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir
# Injector defines configuration of a Kuma Sidecar Injector.
injector:
# if true runs kuma-cp in CNI compatible mode
cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED
# list of exceptions for Kuma injection
exceptions:
# a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value.
labels:
openshift.io/build.name: "*"
openshift.io/deployer-pod-for.name: "*"
# (Deprecated, set ApplicationProbeProxyPort to 0 to disable probe proxying) VirtualProbesEnabled enables automatic converting HttpGet probes to virtual.
# Virtual probe serves on sub-path of insecure port 'virtualProbesPort',
# i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort
virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED
# (Deprecated, use ApplicationProbeProxyPort instead) VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS
virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT
# ApplicationProbeProxyPort is a port for proxying application probes, it is not secured by mTLS. By setting to 0, probe proxying will be disabled.
applicationProbeProxyPort: 9001 # ENV: KUMA_RUNTIME_KUBERNETES_APPLICATION_PROBE_PROXY_PORT
# CaCertFile is CA certificate which will be used to verify a connection to the control plane.
caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
# SidecarContainer defines configuration of the Kuma sidecar container.
sidecarContainer:
# Image name.
image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
# Redirect port for inbound traffic.
redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND
# IP family mode enabled for traffic redirection, can be 'dualstack' or 'ipv4'
ipFamilyMode: dualstack # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IP_FAMILY_MODE
# Redirect port for outbound traffic.
redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND
# User ID.
uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID
# Group ID.
gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI
# Drain time for listeners.
drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME
# Readiness probe.
readinessProbe:
# Number of seconds after the container has started before readiness probes are initiated.
initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS
# Number of seconds after which the probe times out.
timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS
# Number of seconds after which the probe times out.
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS
# Minimum consecutive successes for the probe to be considered successful after having failed.
successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD
# Liveness probe.
livenessProbe:
# Number of seconds after the container has started before liveness probes are initiated.
initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS
# Number of seconds after which the probe times out.
timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS
# How often (in seconds) to perform the probe.
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD
# Startup probe (if sidecar containers feature is enabled).
startupProbe:
# Number of seconds after the container has started before startup probes are initiated.
initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_INITIAL_DELAY_SECONDS
# Number of seconds after which the probe times out.
timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_TIMEOUT_SECONDS
# How often (in seconds) to perform the probe.
periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_PERIOD_SECONDS
# Minimum consecutive failures for the probe to be considered failed after having succeeded.
failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_FAILURE_THRESHOLD
# Compute resource requirements.
resources:
# Minimum amount of compute resources required.
requests:
# CPU, in cores. (500m = .5 cores)
cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU
# Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY
# Maximum amount of compute resources allowed.
limits:
# CPU, in cores. (500m = .5 cores)
cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU
# Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY
# Additional environment variables that can be placed on Kuma DP sidecar
envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS
# If true, it enables a postStart script that waits until Envoy is ready.
# With the current Kubernetes behavior, any other container in the Pod will wait until the script is complete.
waitForDataplaneReady: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_WAIT_FOR_DATAPLANE_READY
# InitContainer defines configuration of the Kuma init container
initContainer:
# Image name.
image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
# ContainerPatches is an optional list of ContainerPatch names which will be applied
# to init and sidecar containers if workload is not annotated with a patch list.
containerPatches: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES
# Configuration for a traffic that is intercepted by sidecar
sidecarTraffic:
# List of inbound ports that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod.
excludeInboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS
# List of outbound ports that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod.
excludeOutboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS
# List of inbound IP addresses that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ips annotation is specified on the Pod.
# IP addresses can be specified with or without CIDR notation, and multiple addresses can be separated by commas.
excludeInboundIPs: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_IPS
# List of outbound IP addresses that will be excluded from interception.
# This setting is applied on every pod unless traffic.kuma.io/exclude-outbound-ips annotation is specified on the Pod.
# IP addresses can be specified with or without CIDR notation, and multiple addresses can be separated by commas.
excludeOutboundIPs: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_IPS
builtinDNS:
# Use the built-in DNS
enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED
# Redirect port for DNS
port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT
# Enable coredns query logging if true
logging: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING
# EBPF defines configuration for the ebpf, when transparent proxy is marked to be
# installed using ebpf instead of iptables
ebpf:
# Install transparent proxy using ebpf
enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
# Name of the environmental variable which will include IP address of the pod
instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME
# Path where BPF file system will be mounted for pinning ebpf programs and maps
bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH
# Path of mounted cgroup2
cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH
# Name of the network interface which should be used to attach to it TC programs
# when not specified, we will try to automatically determine it
tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE
# Path where compiled eBPF programs are placed
programsSourcePath: /tmp/kuma-ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
# IgnoredServiceSelectorLabels defines a list ignored labels in Service selector.
# If Pod matches a Service with ignored labels, but does not match it fully, it gets Ignored inbound.
# It is useful when you change Service selector and expect traffic to be sent immediately.
# An example of this is ArgoCD's BlueGreen deployment and "rollouts-pod-template-hash" selector.
ignoredServiceSelectorLabels: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_IGNORED_SERVICE_SELECTOR_LABELS
# nodeLabelsToCopy defines a list of node labels that should be copied to the Pod.
nodeLabelsToCopy: ["topology.kubernetes.io/zone", "topology.kubernetes.io/region", "kubernetes.io/hostname"] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_NODE_LABELS_TO_COPY
marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME
# Kubernetes's resources reconciliation concurrency configuration
controllersConcurrency:
# PodController defines maximum concurrent reconciliations of Pod resources
# Default value 10. If set to 0 kube controller-runtime default value of 1 will be used.
podController: 10 # ENV: KUMA_RUNTIME_KUBERNETES_CONTROLLERS_CONCURRENCY_POD_CONTROLLER
# Kubernetes client configuration
clientConfig:
# Qps defines maximum requests kubernetes client is allowed to make per second.
# Default value 100. If set to 0 kube-client default value of 5 will be used.
qps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_QPS
# BurstQps defines maximum burst requests kubernetes client is allowed to make per second
# Default value 100. If set to 0 kube-client default value of 10 will be used.
burstQps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_BURST_QPS
leaderElection:
# LeaseDuration is the duration that non-leader candidates will
# wait to force acquire leadership. This is measured against time of
# last observed ack. Default is 15 seconds.
leaseDuration: 15s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_LEASE_DURATION
# RenewDeadline is the duration that the acting controlplane will retry
# refreshing leadership before giving up. Default is 10 seconds.
renewDeadline: 10s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_RENEW_DEADLINE
# SkipMeshOwnerReference is a flag that allows to skip adding Mesh owner reference to resources.
# If this is set to true, deleting a Mesh will not delete resources that belong to that Mesh.
# This can be useful when resources are managed in Argo CD where creation/deletion is managed there.
skipMeshOwnerReference: false # ENV: KUMA_RUNTIME_KUBERNETES_SKIP_MESH_OWNER_REFERENCE
# If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
# The downside is that control plane requires permission to read Secrets in all namespaces.
supportGatewaySecretsInAllNamespaces: false # ENV: KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES
# Universal-specific configuration
universal:
# DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC
dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE
# VIPRefreshInterval defines how often all meshes' VIPs should be recomputed
vipRefreshInterval: 500ms # ENV: KUMA_RUNTIME_UNIVERSAL_VIP_REFRESH_INTERVAL
# Default Kuma entities configuration
defaults:
# If true, it skips creating the default Mesh
skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
# If true, it skips creating the default tenant resources
skipTenantResources: false # ENV: KUMA_DEFAULTS_SKIP_TENANT_RESOURCES
# If true, it creates the default routing (TrafficPermission and TrafficRoute) resources for a new Mesh
createMeshRoutingResources: false # ENV: KUMA_DEFAULTS_CREATE_MESH_ROUTING_RESOURCES
# If true, it skips creating default hostname generators
skipHostnameGenerators: false # ENV: KUMA_DEFAULTS_SKIP_HOSTNAME_GENERATORS
# Metrics configuration
metrics:
dataplane:
# How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited
subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT
# How long data plane proxy can stay Online without active xDS connection
idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT
zone:
# How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited
subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT
# How long zone can stay Online without active KDS connection
idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT
# Compact finished metrics (do not store config and details of KDS exchange).
compactFinishedSubscriptions: false # ENV: KUMA_METRICS_ZONE_COMPACT_FINISHED_SUBSCRIPTIONS
mesh:
# Minimum time between 2 refresh of insights
minResyncInterval: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_INTERVAL
# time between triggering a full refresh of all the insights
fullResyncInterval: 20s # ENV: KUMA_METRICS_MESH_FULL_RESYNC_INTERVAL
# the size of the buffer between event creation and processing
bufferSize: 1000 # ENV: KUMA_METRICS_MESH_BUFFER_SIZE
# the number of workers that process metrics events
eventProcessors: 1 # ENV: KUMA_METRICS_MESH_EVENT_PROCESSORS
controlPlane:
# If true metrics show number of resources in the system should be reported
reportResourcesCount: true # ENV: KUMA_METRICS_CONTROL_PLANE_REPORT_RESOURCES_COUNT
# Reports configuration
reports:
# If true then usage stats will be reported
enabled: false # ENV: KUMA_REPORTS_ENABLED
# General configuration
general:
# dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name
dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL
# TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers.
tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers.
tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES
# WorkDir defines a path to the working directory
# Kuma stores in this directory autogenerated entities like certificates.
# If empty then the working directory is $HOME/.kuma
workDir: "" # ENV: KUMA_GENERAL_WORK_DIR
# ResilientComponentBaseBackoff configures base backoff for restarting resilient components:
# KDS sync, Insight resync, PostgresEventListener, etc.
resilientComponentBaseBackoff: 5s # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_BASE_BACKOFF
# ResilientComponentMaxBackoff configures max backoff for restarting resilient component:
# KDS sync, Insight resync, PostgresEventListener, etc.
resilientComponentMaxBackoff: 1m # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_MAX_BACKOFF
# DNS Server configuration
dnsServer:
# The domain that the server will resolve the services for
domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN
# The CIDR range used to allocate
CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR
# Will create a service "<kuma.io/service>.mesh" dns entry for every service.
serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED
# The port to use along with the `<kuma.io/service>.mesh` dns entry
serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT
# Multizone mode
multizone:
global:
kds:
# Port of a gRPC server that serves Kuma Discovery Service (KDS).
grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT
# Interval for refreshing state of the world
refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
# Interval for flushing Zone Insights (stats of multi-zone communication)
zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
# TlsEnabled turns on TLS for KDS
tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
# TlsCertFile defines a path to a file with PEM-encoded TLS cert.
tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key.
tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES
# MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
# In practice this means a limit on full list of one resource type.
maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE
# MsgSendTimeout defines a timeout on sending a single KDS message.
# KDS stream between control planes is terminated if the control plane hits this timeout.
msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT
# Backoff that is executed when the global control plane is sending the response that was previously rejected by zone control plane
nackBackoff: 5s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_NACK_BACKOFF
# Response backoff is a time Global CP waits before sending ACK/NACK.
# This is a way to slow down Zone CP from sending resources too often.
responseBackoff: 0s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_RESPONSE_BACKOFF
tracing:
# Defines whether tracing is enabled for all gRPC methods
# of GlobalKDSServer and KDSSyncService or completely disabled
enabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TRACING_ENABLED
zone:
# Kuma Zone name used to mark the zone dataplane resources
name: "default" # ENV: KUMA_MULTIZONE_ZONE_NAME
# GlobalAddress URL of Global Kuma CP
globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
kds:
# Interval for refreshing state of the world
refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL
# RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it.
rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
# If true, TLS connection to the server won't be verified.
tlsSkipVerify: false # ENV: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
# MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
# In practice this means a limit on full list of one resource type.
maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE
# MsgSendTimeout defines a timeout on sending a single KDS message.
# KDS stream between control planes is terminated if the control plane hits this timeout.
msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT
# Backoff that is executed when the zone control plane is sending the response that was previously rejected by global control plane
nackBackoff: 5s # ENV: KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF
# Response backoff is a time Zone CP waits before sending ACK/NACK.
# This is a way to slow down Global CP from sending resources too often.
responseBackoff: 0s # ENV: KUMA_MULTIZONE_ZONE_KDS_RESPONSE_BACKOFF
# disableOriginLabelValidation disables validation of the origin label when applying resources on Zone CP
disableOriginLabelValidation: false # ENV: KUMA_MULTIZONE_ZONE_DISABLE_ORIGIN_LABEL_VALIDATION
# IngressUpdateInterval is the interval between the CP updating the list of
# available services on ZoneIngress.
ingressUpdateInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_INGRESS_UPDATE_INTERVAL
# Diagnostics configuration
diagnostics:
# Port of Diagnostic Server for checking health and readiness of the Control Plane
serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT
# If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints
debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS
# Whether tls is enabled or not
tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED
# TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES
# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.
dpServer:
# Port of the DP Server
port: 5678 # ENV: KUMA_DP_SERVER_PORT
# TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE
# TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES
# ReadHeaderTimeout defines the amount of time DP server will be allowed
# to read request headers. The connection's read deadline is reset
# after reading the headers and the Handler can decide what is considered
# too slow for the body. If ReadHeaderTimeout is zero there is no timeout.
# The timeout is configurable as in rare cases, when Kuma CP was restarting,
# 1s which is explicitly set in other servers was insufficient and DPs
# were failing to reconnect (we observed this in Projected Service Account
# Tokens e2e tests, which started flaking a lot after introducing explicit
# 1s timeout)
readHeaderTimeout: 5s # ENV: KUMA_DP_SERVER_READ_HEADER_TIMEOUT
# Authn defines an authentication configuration for the DP Server
authn:
# Configuration for data plane proxy authentication.
dpProxy:
# Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
# If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
type: ""
# Configuration of dpToken authentication method
dpToken:
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
enableIssuer: true
# DP Token validator configuration.
validator:
# If true then Kuma secrets with prefix "dataplane-token-signing-key-{mesh}" are considered as signing keys.
useSecrets: true
# List of public keys used to validate the token. Example:
# - kid: 1
# mesh: default
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEAq....
# -----END RSA PUBLIC KEY-----
# - kid: 2
# mesh: demo
# keyFile: /keys/public.pem
publicKeys: []
# Configuration for zone proxy authentication.
zoneProxy:
# Type of authentication. Available values: "serviceAccountToken", "zoneToken", "none".
# If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "zoneToken" on Universal.
type: ""
# Configuration for zoneToken authentication method.
zoneToken:
# If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
enableIssuer: true
# Zone Token validator configuration.
validator:
# If true then Kuma secrets with prefix "zone-token-signing-key" are considered as signing keys.
useSecrets: true
# List of public keys used to validate the token. Example:
# - kid: 1
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# MIIBCgKCAQEAq....
# -----END RSA PUBLIC KEY-----
# - kid: 2
# keyFile: /keys/public.pem
publicKeys: []
# If true then Envoy uses Google gRPC instead of Envoy gRPC which lets a proxy reload the auth data (service account token, dp token etc.) stored in the file without proxy restart.
enableReloadableTokens: false # ENV: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS
# Hds defines a Health Discovery Service configuration
hds:
# Enabled if true then Envoy will actively check application's ports, but only on Universal.
# On Kubernetes this feature disabled for now regardless the flag value
enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED
# Interval for Envoy to send statuses for HealthChecks
interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL
# RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane
refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL
# Check defines a HealthCheck configuration
checkDefaults:
# Timeout is a time to wait for a health check response. If the timeout is reached the
# health check attempt will be considered a failure
timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT
# Interval between health checks
interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL
# NoTrafficInterval is a special health check interval that is used when a cluster has
# never had traffic routed to it
noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL
# HealthyThreshold is a number of healthy health checks required before a host is marked healthy
healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD
# UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy
unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD
# Intercommunication CP configuration
interCp:
# Catalog configuration. Catalog keeps a record of all live CP instances in the zone.
catalog:
# Indicates an address on which other control planes can communicate with this CP.
# If empty then it's autoconfigured by taking the first IP of the nonloopback network interface.
instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
# Interval on which CP will send heartbeat to a leader.
heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL
# Interval on which CP will write all instances to a catalog.
writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL
# Intercommunication CP server configuration
server:
# Port of the inter-cp server
port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT
# TlsMinVersion the minimum version of TLS
tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION
# TlsMaxVersion the maximum version of TLS
tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION
# TlsCipherSuites the list of cipher suites
tlsCipherSuites: [] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES
# Access Control configuration
access:
# Type of access strategy (available values: "static")
type: static
# Configuration of static access strategy
static:
# AdminResources defines an access to admin resources (Secret/GlobalSecret)
adminResources:
# List of users that are allowed to access admin resources
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS
# List of groups that are allowed to access admin resources
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS
# GenerateDPToken defines an access to generating dataplane token
generateDpToken:
# List of users that are allowed to generate dataplane token
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS
# List of groups that are allowed to generate dataplane token
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS
# GenerateUserToken defines an access to generating user token
generateUserToken:
# List of users that are allowed to generate user token
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS
# List of groups that are allowed to generate user token
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS
# GenerateZoneToken defines an access to generating zone token
generateZoneToken:
# List of users that are allowed to generate zone token
users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS
# List of groups that are allowed to generate zone token
groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS
viewConfigDump:
# List of users that are allowed to get envoy config dump
users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS
# List of groups that are allowed to get envoy config dump
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS
viewStats:
# List of users that are allowed to get envoy stats
users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS
# List of groups that are allowed to get envoy stats
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS
viewClusters:
# List of users that are allowed to get envoy clusters
users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS
# List of groups that are allowed to get envoy clusters
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS
controlPlaneMetadata:
# List of users that are allowed to get control plane metadata
users: [] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_USERS
# List of groups that are allowed to get control plane metadata
groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_GROUPS
# Configuration of experimental features of Kuma
experimental:
# If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap
# This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config
kubeOutboundsAsVIPs: true # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS
# Tag first virtual outbound model is compressed version of default Virtual Outbound model
# It is recommended to use tag first model for deployments with more than 2k services
# You can enable this flag on existing deployment. In order to downgrade cp with this flag enabled
# you need to first disable this flag and redeploy cp, after config is rewritten to default
# format you can downgrade your cp
useTagFirstVirtualOutboundModel: false # ENV: KUMA_EXPERIMENTAL_USE_TAG_FIRST_VIRTUAL_OUTBOUND_MODEL
# List of prefixes that will be used to filter out tags by keys from ingress' available services section.
# This can trim the size of the ZoneIngress object significantly.
# The drawback is that you cannot use filtered out tags for traffic routing.
# If empty, no filter is applied.
ingressTagFilters: [] # ENV: KUMA_EXPERIMENTAL_INGRESS_TAG_FILTERS
# KDS event based watchdog settings. It is a more optimal way to generate KDS snapshot config.
kdsEventBasedWatchdog:
# If true, then experimental event based watchdog to generate KDS snapshot is used.
enabled: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_ENABLED
# How often we flush changes when experimental event based watchdog is used.
flushInterval: 5s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FLUSH_INTERVAL
# How often we schedule full KDS resync when experimental event based watchdog is used.
fullResyncInterval: 60s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL
# If true, then initial full resync is going to be delayed by 0 to FullResyncInterval.
delayFullResync: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC
# If true then control plane computes reachable services automatically based on MeshTrafficPermission.
# Lack of MeshTrafficPermission is treated as Deny the traffic.
autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
# Enables sidecar containers in Kubernetes if supported by the Kubernetes
# environment.
sidecarContainers: false # ENV: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS
proxy:
gateway:
# Sets the envoy runtime value to limit maximum number of incoming
# connections to a builtin gateway data plane proxy
globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS
tracing:
openTelemetry:
endpoint: "" # e.g. otel-collector:4317
# Configuration of the event bus which is local to one instance of CP
eventBus:
# BufferSize controls the buffer for every single event listener.
# If we go over buffer, additional delay may happen to various operation like insight recomputation or KDS.
bufferSize: 100 # ENV: KUMA_EVENT_BUS_BUFFER_SIZE
policies:
# PluginPoliciesEnabled controls which policy plugins are enabled
pluginPoliciesEnabled: # ENV: KUMA_PLUGIN_POLICIES_ENABLED
- meshaccesslogs
- meshcircuitbreakers
- meshfaultinjections
- meshhealthchecks
- meshhttproutes
- meshloadbalancingstrategies
- meshmetrics
- meshpassthroughs
- meshproxypatches
- meshratelimits
- meshretries
- meshtcproutes
- meshtimeouts
- meshtlses
- meshtraces
- meshtrafficpermissions
coreResources:
status:
# How often we compute status of MeshMultiZoneService
meshMultiZoneServiceInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_MULTI_ZONE_SERVICE_INTERVAL
# How often we compute status of MeshService
meshServiceInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_SERVICE_INTERVAL
enabled: # ENV: KUMA_CORE_RESOURCES_ENABLED
- hostnamegenerators
- meshexternalservices
- meshmultizoneservices
- meshservices
# IP address management configuration
ipam:
# MeshService address management
meshService:
# CIDR for MeshService IPs
cidr: 241.0.0.0/8 # ENV: KUMA_IPAM_MESH_SERVICE_CIDR
meshExternalService:
# CIDR for MeshExternalService IPs
cidr: 242.0.0.0/8 # ENV: KUMA_IPAM_MESH_EXTERNAL_SERVICE_CIDR
meshMultiZoneService:
# CIDR for MeshMultiZoneService IPs
cidr: 243.0.0.0/8 # ENV: KUMA_IPAM_MESH_MULTI_ZONE_SERVICE_CIDR
# Interval on which Kuma will allocate new IPs for MeshServices and MeshExternalServices
allocationInterval: 5s # ENV: KUMA_IPAM_ALLOCATION_INTERVAL
meshService:
# How often we check whether MeshServices need to be generated from Dataplanes
generationInterval: 2s # ENV: KUMA_MESH_SERVICE_GENERATION_INTERVAL
# How long we wait before deleting a MeshService if all Dataplanes are gone
deletionGracePeriod: 1h # ENV: KUMA_MESH_SERVICE_DELETION_GRACE_PERIOD
Helm values.yaml
global:
image:
# -- Default registry for all Kuma Images
registry: "docker.io/kumahq"
# -- The default tag for all Kuma images, which itself defaults to .Chart.AppVersion
tag:
# -- Add `imagePullSecrets` to all the service accounts used for Kuma components
imagePullSecrets: []
# -- Whether to patch the target namespace with the system label
patchSystemNamespace: true
installCrdsOnUpgrade:
# -- Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma)
enabled: true
# -- The `imagePullSecrets` to attach to the Service Account running CRD installation.
# This field will be deprecated in a future release, please use .global.imagePullSecrets
imagePullSecrets: []
# -- Whether to disable all helm hooks
noHelmHooks: false
# -- Whether to restart control-plane by calculating a new checksum for the secret
restartOnSecretChange: true
controlPlane:
# -- Environment that control plane is run in, useful when running universal global control plane on k8s
environment: "kubernetes"
# -- Labels to add to resources in addition to default labels
extraLabels: {}
# -- Kuma CP log level: one of off,info,debug
logLevel: "info"
# -- Kuma CP log output path: Defaults to /dev/stdout
logOutputPath: ""
# -- Kuma CP modes: one of zone,global
mode: "zone"
# -- (string) Kuma CP zone, if running multizone
zone:
# -- Only used in `zone` mode
kdsGlobalAddress: ""
# -- Number of replicas of the Kuma CP. Ignored when autoscaling is enabled
replicas: 1
# -- Minimum number of seconds for which a newly created pod should be ready for it to be considered available.
minReadySeconds: 0
# -- Annotations applied only to the `Deployment` resource
deploymentAnnotations: {}
# -- Annotations applied only to the `Pod` resource
podAnnotations: {}
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
enabled: false
# -- The minimum CP pods to allow
minReplicas: 2
# -- The max CP pods to scale to
maxReplicas: 5
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
# -- Node selector for the Kuma Control Plane pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the Kuma Control Plane pods
tolerations: []
podDisruptionBudget:
# -- Whether to create a pod disruption budget
enabled: false
# -- The maximum number of unavailable pods allowed by the budget
maxUnavailable: 1
# -- Affinity placement rule for the Kuma Control Plane pods.
# This is rendered as a template, so you can reference other helm variables or includes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
# These match the selector labels used on the deployment.
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app
operator: In
values:
- '{{ include "kuma.name" . }}-control-plane'
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Control Plane pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Failure policy of the mutating webhook implemented by the Kuma Injector component
injectorFailurePolicy: Fail
service:
apiServer:
http:
# -- Port on which Http api server Service is exposed on Node for service of type NodePort
nodePort: 30681
https:
# -- Port on which Https api server Service is exposed on Node for service of type NodePort
nodePort: 30682
# -- Whether to create a service resource.
enabled: true
# -- (string) Optionally override of the Kuma Control Plane Service's name
name:
# -- Service type of the Kuma Control Plane
type: ClusterIP
# -- Annotations to put on the Kuma Control Plane
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "5680"
# Kuma API and GUI ingress settings. Useful if you want to expose the
# API and GUI of Kuma outside the k8s cluster.
ingress:
# -- Install K8s Ingress resource that exposes GUI and API
enabled: false
# -- IngressClass defines which controller will implement the resource
ingressClassName:
# -- Ingress hostname
hostname:
# -- Map of ingress annotations.
annotations: {}
# -- Ingress path.
path: /
# -- Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# -- Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port
servicePort: 5681
globalZoneSyncService:
# -- Whether to create a k8s service for the global zone sync
# service. It will only be created when enabled and deploying the global
# control plane.
enabled: true
# -- Service type of the Global-zone sync
type: LoadBalancer
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
loadBalancerIP:
# -- Optionally specify allowed source ranges that can access the load balancer
loadBalancerSourceRanges: []
# -- Additional annotations to put on the Global Zone Sync Service
annotations: { }
# -- Port on which Global Zone Sync Service is exposed on Node for service of type NodePort
nodePort: 30685
# -- Port on which Global Zone Sync Service is exposed
port: 5685
# -- Protocol of the Global Zone Sync service port
protocol: grpc
defaults:
# -- Whether to skip creating the default Mesh
skipMeshCreation: false
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
# -- Optionally override the resource spec
resources:
requests:
cpu: 500m
memory: 256Mi
limits:
memory: 256Mi
# -- Pod lifecycle settings (useful for adding a preStop hook, when
# using AWS ALB or NLB)
lifecycle: {}
# -- Number of seconds to wait before force killing the pod. Make sure to
# update this if you add a preStop hook.
terminationGracePeriodSeconds: 30
# TLS for various servers
tls:
general:
# -- Secret that contains tls.crt, tls.key [and ca.crt when no
# controlPlane.tls.general.caSecretName specified] for protecting
# Kuma in-cluster communication
secretName: ""
# -- Secret that contains ca.crt that was used to sign cert for protecting
# Kuma in-cluster communication (ca.crt present in this secret
# have precedence over the one provided in the controlPlane.tls.general.secretName)
caSecretName: ""
# -- Base64 encoded CA certificate (the same as in controlPlane.tls.general.secret#ca.crt)
caBundle: ""
apiServer:
# -- Secret that contains tls.crt, tls.key for protecting Kuma API on HTTPS
secretName: ""
# -- Secret that contains list of .pem certificates that can access admin endpoints of Kuma API on HTTPS
clientCertsSecretName: ""
# - if not creating the global control plane, then do nothing
# - if secretName is empty and create is false, then do nothing
# - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName
# - if secretName is empty and create is true, then create a secret with a default name and use it
# - if secretName is non-empty and create is true, then create the secret using the provided name
kdsGlobalServer:
# -- Name of the K8s TLS Secret resource. If you set this and don't set
# create=true, you have to create the secret manually.
secretName: ""
# -- Whether to create the TLS secret in helm.
create: false
# -- The TLS certificate to offer.
cert: ""
# -- The TLS key to use.
key: ""
# - if not creating the zonal control plane, then do nothing
# - if secretName is empty and create is false, then do nothing
# - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName
# - if secretName is empty and create is true, then create a secret with a default name and use it
# - if secretName is non-empty and create is true, then create the secret using the provided name
kdsZoneClient:
# -- Name of the K8s Secret resource that contains ca.crt which was
# used to sign the certificate of KDS Global Server. If you set this
# and don't set create=true, you have to create the secret manually.
secretName: ""
# -- Whether to create the TLS secret in helm.
create: false
# -- CA bundle that was used to sign the certificate of KDS Global Server.
cert: ""
# -- If true, TLS cert of the server is not verified.
skipVerify: false
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
image:
# -- Kuma CP ImagePullPolicy
pullPolicy: IfNotPresent
# -- Kuma CP image repository
repository: "kuma-cp"
# -- Kuma CP Image tag. When not specified, the value is copied from global.tag
tag:
# -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables,
# where `Env` is the name of the env variable,
# `Secret` is the name of the Secret,
# and `Key` is the key of the Secret value to use
secrets:
# someSecret:
# Secret: some-secret
# Key: secret_key
# Env: SOME_SECRET
# -- Additional environment variables that will be passed to the control plane
envVars: { }
# -- Additional environment variables that will be passed to the control plane. Can be used with Kubernetes downward API
envVarEntries:
# - name: MY_NODE_NAME
# valueFrom:
# fieldRef:
# fieldPath: spec.nodeName
# -- Additional config maps to mount into the control plane, with optional inline values
extraConfigMaps: [ ]
# - name: extra-config
# mountPath: /etc/extra-config
# readOnly: true
# values:
# extra-config-key: |
# extra-config-value
# -- (object with { name: string, mountPath: string, readOnly: string }) Additional secrets to mount into the control plane,
# where `Env` is the name of the env variable,
# `Secret` is the name of the Secret,
# and `Key` is the key of the Secret value to use
extraSecrets:
# extraConfig:
# name: extra-config
# mountPath: /etc/extra-config
# readOnly: true
webhooks:
validator:
# -- Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma.
additionalRules: ""
ownerReference:
# -- Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma.
additionalRules: ""
# -- Specifies if the deployment should be started in hostNetwork mode.
hostNetwork: false
# -- Define a new server port for the admission controller. Recommended to set in combination with
# hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS).
admissionServerPort: 5443
# -- Security context at the pod level for control plane.
podSecurityContext:
runAsNonRoot: true
# -- Security context at the container level for control plane.
containerSecurityContext:
readOnlyRootFilesystem: true
# -- If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
# The downside is that control plane requires permission to read Secrets in all namespaces.
supportGatewaySecretsInAllNamespaces: false
# -- DNS configuration for the control-plane pod.
# This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
dns:
# -- Defines how DNS resolution is configured for that Pod.
policy: ""
# -- Optional dns configuration, required when policy is 'None'
config:
# -- A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified.
nameservers: []
# -- A list of DNS search domains for hostname lookup in the Pod.
searches: []
cni:
# -- Install Kuma with CNI instead of proxy init container
enabled: false
# -- Install CNI in chained mode
chained: false
# -- Set the CNI install directory
netDir: /etc/cni/multus/net.d
# -- Set the CNI bin directory
binDir: /var/lib/cni/bin
# -- Set the CNI configuration name
confName: kuma-cni.conf
# -- CNI log level: one of off,info,debug
logLevel: info
# -- Node Selector for the CNI pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the CNI pods
tolerations: []
# -- Additional pod annotations
podAnnotations: { }
# -- Set the CNI namespace
namespace: kube-system
image:
# -- CNI image repository
repository: "kuma-cni"
# -- CNI image tag - defaults to .Chart.AppVersion
tag:
# -- CNI image pull policy
imagePullPolicy: IfNotPresent
# -- it's only useful in tests to trigger a possible race condition
delayStartupSeconds: 0
# -- use new CNI (experimental)
experimental:
imageEbpf:
# -- CNI experimental eBPF image registry
registry: "docker.io/kumahq"
# -- CNI experimental eBPF image repository
repository: "merbridge"
# -- CNI experimental eBPF image tag
tag: "0.8.5"
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
memory: 100Mi
# -- Security context at the pod level for cni
podSecurityContext: {}
# -- Security context at the container level for cni
containerSecurityContext:
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
dataPlane:
# -- If true, then turn on CoreDNS query logging
dnsLogging: false
image:
# -- The Kuma DP image repository
repository: "kuma-dp"
# -- Kuma DP ImagePullPolicy
pullPolicy: IfNotPresent
# -- Kuma DP Image Tag. When not specified, the value is copied from global.tag
tag:
initImage:
# -- The Kuma DP init image repository
repository: "kuma-init"
# -- Kuma DP init image tag When not specified, the value is copied from global.tag
tag:
ingress:
# -- If true, it deploys Ingress for cross cluster communication
enabled: false
# -- Labels to add to resources, in addition to default labels
extraLabels: {}
# -- Time for which old listener will still be active as draining
drainTime: 30s
# -- Number of replicas of the Ingress. Ignored when autoscaling is enabled.
replicas: 1
# -- Log level for ingress (available values: off|info|debug)
logLevel: info
# -- Define the resources to allocate to mesh ingress
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 1000m
memory: 512Mi
# -- Pod lifecycle settings (useful for adding a preStop hook, when
# using AWS ALB or NLB)
lifecycle: {}
# -- Number of seconds to wait before force killing the pod. Make sure to
# update this if you add a preStop hook.
terminationGracePeriodSeconds: 40
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
enabled: false
# -- The minimum CP pods to allow
minReplicas: 2
# -- The max CP pods to scale to
maxReplicas: 5
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
service:
# -- Whether to create a Service resource.
enabled: true
# -- Service type of the Ingress
type: LoadBalancer
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
loadBalancerIP:
# -- Additional annotations to put on the Ingress service
annotations: { }
# -- Port on which Ingress is exposed
port: 10001
# -- Port on which service is exposed on Node for service of type NodePort
nodePort:
# -- Additional pod annotations (deprecated favor `podAnnotations`)
annotations: { }
# -- Additional pod annotations
podAnnotations: { }
# -- Node Selector for the Ingress pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the Ingress pods
tolerations: []
podDisruptionBudget:
# -- Whether to create a pod disruption budget
enabled: false
# -- The maximum number of unavailable pods allowed by the budget
maxUnavailable: 1
# -- Affinity placement rule for the Kuma Ingress pods
# This is rendered as a template, so you can reference other helm variables
# or includes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
# These match the selector labels used on the deployment.
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app
operator: In
values:
- kuma-ingress
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Mesh Ingress pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Security context at the pod level for ingress
podSecurityContext:
runAsNonRoot: true
runAsUser: 5678
runAsGroup: 5678
# -- Security context at the container level for ingress
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
# -- DNS configuration for the ingress pod.
# This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
dns:
# -- Defines how DNS resolution is configured for that Pod.
policy: ""
# -- Optional dns configuration, required when policy is 'None'
config:
# -- A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified.
nameservers: []
# -- A list of DNS search domains for hostname lookup in the Pod.
searches: []
egress:
# -- If true, it deploys Egress for cross cluster communication
enabled: false
# -- Labels to add to resources, in addition to the default labels.
extraLabels: {}
# -- Time for which old listener will still be active as draining
drainTime: 30s
# -- Number of replicas of the Egress. Ignored when autoscaling is enabled.
replicas: 1
# -- Log level for egress (available values: off|info|debug)
logLevel: info
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
enabled: false
# -- The minimum CP pods to allow
minReplicas: 2
# -- The max CP pods to scale to
maxReplicas: 5
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 1000m
memory: 512Mi
service:
# -- Whether to create the service object
enabled: true
# -- Service type of the Egress
type: ClusterIP
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
loadBalancerIP:
# -- Additional annotations to put on the Egress service
annotations: { }
# -- Port on which Egress is exposed
port: 10002
# -- Port on which service is exposed on Node for service of type NodePort
nodePort:
# -- Additional pod annotations (deprecated favor `podAnnotations`)
annotations: { }
# -- Additional pod annotations
podAnnotations: { }
# -- Node Selector for the Egress pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the Egress pods
tolerations: []
podDisruptionBudget:
# -- Whether to create a pod disruption budget
enabled: false
# -- The maximum number of unavailable pods allowed by the budget
maxUnavailable: 1
# -- Affinity placement rule for the Kuma Egress pods.
# This is rendered as a template, so you can reference other helm variables or includes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
# These match the selector labels used on the deployment.
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app
operator: In
values:
- kuma-egress
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Egress pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Security context at the pod level for egress
podSecurityContext:
runAsNonRoot: true
runAsUser: 5678
runAsGroup: 5678
# -- Security context at the container level for egress
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
# -- DNS configuration for the egress pod.
# This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
dns:
# -- Defines how DNS resolution is configured for that Pod.
policy: ""
# -- Optional dns configuration, required when policy is 'None'
config:
# -- A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified.
nameservers: []
# -- A list of DNS search domains for hostname lookup in the Pod.
searches: []
kumactl:
image:
# -- The kumactl image repository
repository: kumactl
# -- The kumactl image tag. When not specified, the value is copied from global.tag
tag:
kubectl:
image:
# -- The kubectl image registry
registry: docker.io
# -- The kubectl image repository
repository: bitnami/kubectl
# -- The kubectl image tag
tag: "1.31.4"
hooks:
# -- Node selector for the HELM hooks
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the HELM hooks
tolerations: []
# -- Security context at the pod level for crd/webhook/ns
podSecurityContext:
runAsNonRoot: true
# -- Security context at the container level for crd/webhook/ns
containerSecurityContext:
readOnlyRootFilesystem: true
# -- ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs
# Changing below values will potentially break ebpf cleanup completely,
# so be cautious when doing so.
ebpfCleanup:
# -- Security context at the pod level for crd/webhook/cleanup-ebpf
podSecurityContext:
runAsNonRoot: false
# -- Security context at the container level for crd/webhook/cleanup-ebpf
containerSecurityContext:
readOnlyRootFilesystem: false
transparentProxy:
configMap:
# -- If true, enables the use of a ConfigMap to manage transparent proxy configuration
# instead of directly configuring it within the Kuma system
enabled: false
# -- The name of the ConfigMap used to store the transparent proxy configuration
name: kuma-transparent-proxy-config
config:
# -- The username or UID of the user that will run kuma-dp. If not provided, the system will
# use the default UID ("5678") or the default username ("kuma-dp")
kumaDPUser: "5678"
# -- The IP family mode used for configuring traffic redirection in the transparent proxy
# Supports "dualstack" (for both IPv4 and IPv6) and "ipv4" modes
ipFamilyMode: dualstack
redirect:
dns:
# -- Enables DNS redirection in the transparent proxy
enabled: true
# -- Redirect all DNS queries
captureAll: true
# -- The port on which the DNS server listens
port: 15053
# -- Path to the system's resolv.conf file
resolvConfigPath: /etc/resolv.conf
# -- Disables conntrack zone splitting, which can prevent potential DNS issues
skipConntrackZoneSplit: false
inbound:
# -- Enables inbound traffic redirection
enabled: true
# -- Port used for redirecting inbound traffic
port: 15006
# -- List of ports to exclude from inbound traffic redirection
excludePorts: []
# -- List of IP addresses to exclude from inbound traffic redirection for specific ports
excludePortsForIPs: []
# -- List of UIDs to exclude from inbound traffic redirection for specific ports
excludePortsForUIDs: []
# -- List of ports to include in inbound traffic redirection
includePorts: []
# -- Inserts the redirection rule at the beginning of the chain instead of appending it
insertRedirectInsteadOfAppend: false
outbound:
# -- Enables outbound traffic redirection
enabled: true
# -- Port used for redirecting outbound traffic
port: 15001
# -- List of ports to exclude from outbound traffic redirection
excludePorts: []
# -- List of IP addresses to exclude from outbound traffic redirection for specific ports
excludePortsForIPs: []
# -- List of UIDs to exclude from outbound traffic redirection for specific ports
excludePortsForUIDs: []
# -- List of ports to include in outbound traffic redirection
includePorts: []
# -- Inserts the redirection rule at the beginning of the chain instead of appending it
insertRedirectInsteadOfAppend: false
vnet:
# -- Specifies virtual networks using the format interfaceName:CIDR
# Allows matching traffic on specific network interfaces
# Examples:
# - "docker0:172.17.0.0/16"
# - "br+:172.18.0.0/16" (matches any interface starting with "br")
# - "iface:::1/64" (for IPv6)
networks: []
ebpf:
# -- Enables eBPF support for handling traffic redirection in the transparent proxy
enabled: false
# -- The path of the BPF filesystem
bpffsPath: /run/kuma/bpf
# -- The path of cgroup2
cgroupPath: /sys/fs/cgroup
# -- The name of the environment variable containing the IP address of the instance (pod/vm)
# where transparent proxy will be installed
instanceIPEnvVarName: ""
# -- Path where compiled eBPF programs and other necessary files for eBPF mode can be found
programsSourcePath: /tmp/kuma-ebpf
# -- The network interface for TC eBPF programs to bind to. If not provided, it will be
# automatically determined
tcAttachIface: ""
retry:
# -- The maximum number of retry attempts for operations
maxRetries: 4
# -- The time duration to wait between retry attempts
sleepBetweenRetries: 2s
iptablesExecutables:
# -- Custom path for the iptables executable (IPv4)
iptables: ""
# -- Custom path for the iptables-save executable (IPv4)
iptables-save: ""
# -- Custom path for the iptables-restore executable (IPv4)
iptables-restore: ""
# -- Custom path for the ip6tables executable (IPv6)
ip6tables: ""
# -- Custom path for the ip6tables-save executable (IPv6)
ip6tables-save: ""
# -- Custom path for the ip6tables-restore executable (IPv6)
ip6tables-restore: ""
log:
# -- Enables logging of iptables rules for diagnostics and monitoring
enabled: false
comments:
# -- Disables comments in the generated iptables rules
disabled: false
# -- Time in seconds to wait for acquiring the xtables lock before failing
# Value 0 means wait indefinitely
wait: 5
# -- Time interval between retries to acquire the xtables lock in seconds
waitInterval: 0
# -- Drops invalid packets to avoid connection resets in high-throughput scenarios
dropInvalidPackets: false
# -- Enables firewalld support to store iptables rules
storeFirewalld: false
# -- Enables verbose mode with longer argument/flag names and additional comments
verbose: false
experimental:
# Configuration for the experimental ebpf mode for transparent proxy
ebpf:
# -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy
enabled: false
# -- Name of the environmental variable which will contain the IP address of a pod
instanceIPEnvVarName: INSTANCE_IP
# -- Path where BPF file system should be mounted
bpffsPath: /sys/fs/bpf
# -- Host's cgroup2 path
cgroupPath: /sys/fs/cgroup
# -- Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty
tcAttachIface: ""
# -- Path where compiled eBPF programs which will be installed can be found
programsSourcePath: /tmp/kuma-ebpf
# -- If true, enable native Kubernetes sidecars. This requires at least
# Kubernetes v1.29
sidecarContainers: false
# Postgres' settings for universal control plane on k8s
postgres:
# -- Postgres port, password should be provided as a secret reference in "controlPlane.secrets"
# with the Env value "KUMA_STORE_POSTGRES_PASSWORD".
# Example:
# controlPlane:
# secrets:
# - Secret: postgres-postgresql
# Key: postgresql-password
# Env: KUMA_STORE_POSTGRES_PASSWORD
port: "5432"
# TLS settings
tls:
# -- Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
# -- Whether to disable SNI the postgres `sslsni` option.
disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI
# -- Secret name that contains the ca.crt
caSecretName:
# -- Secret name that contains the client tls.crt, tls.key
secretName:
# @ignored for helm-docs
plugins:
resources:
hostnamegenerators: true
meshexternalservices: true
meshmultizoneservices: true
meshservices: true
policies:
meshaccesslogs: true
meshcircuitbreakers: true
meshfaultinjections: true
meshhealthchecks: true
meshhttproutes: true
meshloadbalancingstrategies: true
meshmetrics: true
meshpassthroughs: true
meshproxypatches: true
meshratelimits: true
meshretries: true
meshtcproutes: true
meshtimeouts: true
meshtlses: true
meshtraces: true
meshtrafficpermissions: true