Policy API Reference
1 - Policy v1alpha1 API Reference
Packages:
policy.flomesh.io/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
AccessCert
AccessCert is the type used to represent an AccessCert policy.
Field | Description |
---|---|
metadata Kubernetes meta/v1.ObjectMeta | (Optional) Object’s metadata. Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec AccessCertSpec | (Optional) Spec is the AccessCert specification. |
status AccessCertStatus | (Optional) Status is the status of the AccessCert configuration. |
AccessCertSpec
(Appears on: AccessCert)
AccessCertSpec is the type used to represent the AccessCert policy specification.
Field | Description |
---|---|
subjectAltNames []string | SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate. |
secret Kubernetes core/v1.SecretReference | Secret defines the secret in which the certificate is stored. |
AccessCertStatus
(Appears on: AccessCert)
AccessCertStatus is the type used to represent the status of an AccessCert resource.
Field | Description |
---|---|
currentStatus string | (Optional) CurrentStatus defines the current status of an AccessCert resource. |
reason string | (Optional) Reason defines the reason for the current status of an AccessCert resource. |
AccessControl
AccessControl is the type used to represent an AccessControl policy. An AccessControl policy authorizes one or more backends to accept ingress traffic from one or more sources.
Field | Description |
---|---|
metadata Kubernetes meta/v1.ObjectMeta | (Optional) Object’s metadata. Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec AccessControlSpec | (Optional) Spec is the AccessControl policy specification. |
status AccessControlStatus | (Optional) Status is the status of the AccessControl configuration. |
AccessControlBackendSpec
(Appears on: AccessControlSpec)
AccessControlBackendSpec is the type used to represent a Backend specified in the AccessControl policy specification.
Field | Description |
---|---|
name string | Name defines the name of the backend. |
port PortSpec | Port defines the specification for the backend’s port. |
tls TLSSpec | (Optional) TLS defines the specification for the backend’s TLS configuration. |
AccessControlSourceSpec
(Appears on: AccessControlSpec)
AccessControlSourceSpec is the type used to represent the Source in the list of Sources specified in an AccessControl policy specification.
Field | Description |
---|---|
kind string | Kind defines the kind of the source in the AccessControl policy. Must be one of: Service, AuthenticatedPrincipal, IPRange. |
name string | Name defines the name of the source for the given Kind. |
namespace string | (Optional) Namespace defines the namespace for the given source. |
AccessControlSpec
(Appears on: AccessControl)
AccessControlSpec is the type used to represent the AccessControl policy specification.
Field | Description |
---|---|
backends []AccessControlBackendSpec | (Optional) Backends defines the list of backends the AccessControl policy applies to. |
sources []AccessControlSourceSpec | Sources defines the list of sources the AccessControl policy applies to. |
matches []Kubernetes core/v1.TypedLocalObjectReference | (Optional) Matches defines the list of object references the AccessControl policy should match on. |
AccessControlStatus
(Appears on: AccessControl)
AccessControlStatus is the type used to represent the status of an AccessControl resource.
Field | Description |
---|---|
currentStatus string | (Optional) CurrentStatus defines the current status of an AccessControl resource. |
reason string | (Optional) Reason defines the reason for the current status of an AccessControl resource. |
BackendSpec
(Appears on: IngressBackendSpec)
BackendSpec is the type used to represent a Backend specified in the IngressBackend policy specification.
Field | Description |
---|---|
name string | Name defines the name of the backend. |
port PortSpec | Port defines the specification for the backend’s port. |
tls TLSSpec | (Optional) TLS defines the specification for the backend’s TLS configuration. |
ConnectionSettingsSpec
(Appears on: UpstreamTrafficSettingSpec)
ConnectionSettingsSpec defines the connection settings for an upstream host.
Field | Description |
---|---|
tcp TCPConnectionSettings | (Optional) TCP specifies the TCP level connection settings. Applies to both TCP and HTTP connections. |
http HTTPConnectionSettings | (Optional) HTTP specifies the HTTP level connection settings. |
Egress
Egress is the type used to represent an Egress traffic policy. An Egress policy allows applications to access endpoints external to the service mesh or cluster based on the specified rules in the policy.
Field | Description |
---|---|
metadata Kubernetes meta/v1.ObjectMeta | (Optional) Object’s metadata. Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec EgressSpec | (Optional) Spec is the Egress policy specification. |
EgressBindingSubject
(Appears on: EgressPolicyGatewayRule)
EgressBindingSubject is a Kubernetes object which should be allowed egress.
Field | Description |
---|---|
name string | |
namespace string | |
EgressGateway
EgressGateway is the type used to represent an Egress Gateway policy.
Field | Description |
---|---|
metadata Kubernetes meta/v1.ObjectMeta | (Optional) Object’s metadata. Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec EgressGatewaySpec | (Optional) Spec is the EgressGateway policy specification. |
EgressGatewaySpec
(Appears on: EgressGateway)
EgressGatewaySpec is the type used to represent the Egress Gateway specification.
Field | Description |
---|---|
global []GatewayBindingSubject | (Optional) GlobalEgressGateways defines the list of global egress gateways. |
EgressPolicyGatewayRule
EgressPolicyGatewayRule is the type used to represent the rule of Egress Gateway specification based egress policies.
Field | Description |
---|---|
egressPolicies []EgressBindingSubject | |
egressGateways []GatewayBindingSubject | |
EgressSourceCertSpec
(Appears on: EgressSourceMTLSSpec)
EgressSourceCertSpec is the type to represent the certificate specification for an egress source.
Field | Description |
---|---|
sn int | SerialNumber defines the serial number of the certificate. |
subjectAltNames []string | SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate. |
expiration string | Expiration defines the expiration of the certificate. |
secret Kubernetes core/v1.SecretReference | Secret defines the secret in which the certificate is stored. |
EgressSourceMTLSSpec
(Appears on: EgressSourceSpec)
EgressSourceMTLSSpec is the type to represent the mTLS specification for an egress source.
Field | Description |
---|---|
issuer string | |
cert EgressSourceCertSpec | |
EgressSourceSpec
(Appears on: EgressSpec)
EgressSourceSpec is the type used to represent the Source in the list of Sources specified in an Egress policy specification.
Field | Description |
---|---|
kind string | Kind defines the kind for the source in the Egress policy, ex. ServiceAccount. |
name string | Name defines the name of the source for the given Kind. |
namespace string | Namespace defines the namespace for the given source. |
mtls EgressSourceMTLSSpec | (Optional) MTLS defines the certificate specification for the egress source. |
EgressSpec
(Appears on: Egress)
EgressSpec is the type used to represent the Egress policy specification.
Field | Description |
---|---|
sources []EgressSourceSpec | Sources defines the list of sources the Egress policy applies to. |
hosts []string | (Optional) Hosts defines the list of external hosts the Egress policy will allow access to. |
ipAddresses []string | (Optional) IPAddresses defines the list of external IP address ranges the Egress policy applies to. The destination IP address of the traffic is matched against the list of IPAddresses specified as CIDR ranges. |
ports []PortSpec | Ports defines the list of ports the Egress policy applies to. The destination port of the traffic is matched against the list of Ports specified. |
matches []Kubernetes core/v1.TypedLocalObjectReference | (Optional) Matches defines the list of object references the Egress policy should match on. |
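An Egress policy assembled from the fields above, added here as an illustration and not taken from the reference or the project's own samples; the source identity, hostname, CIDR range and protocol strings are constructed values (the Kind value ServiceAccount is the example the reference itself gives).

```yaml
# Added example (constructed values): allow workloads running as the "curl"
# ServiceAccount in namespace "curl" to reach one external host on port 443
# and one external CIDR range on port 5432. Anything not listed here is still
# denied by the mesh's default egress posture.
apiVersion: policy.flomesh.io/v1alpha1
kind: Egress
metadata:
  name: allow-external-api
  namespace: curl
spec:
  sources:
    # EgressSourceSpec: kind/name/namespace identify the allowed source.
    - kind: ServiceAccount
      name: curl
      namespace: curl
  hosts:
    # Matched against the destination host; keep this list explicit rather
    # than wildcarded so a compromised pod cannot reach arbitrary endpoints.
    - api.example.com
  ipAddresses:
    # Matched against the destination IP as a CIDR range (constructed, TEST-NET-3).
    - 203.0.113.0/24
  ports:
    # PortSpec: destination port plus the protocol served on it.
    # Protocol strings ("https", "tcp") are assumed values, not taken from the reference.
    - number: 443
      protocol: https
    - number: 5432
      protocol: tcp
```

Because hosts, ipAddresses and ports are all matched against the destination, the tightest policy lists only the host-and-port pairs the source actually needs and uses separate Egress objects per source rather than one broad allow list.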
GatewayBindingSubject
(Appears on: EgressGatewaySpec, EgressPolicyGatewayRule)
GatewayBindingSubject is a Kubernetes object which egress traffic should be allowed to be forwarded to.
Field | Description |
---|---|
service string | |
namespace string | |
weight int | |
HTTPCircuitBreaking
(Appears on: HTTPConnectionSettings)
HTTPCircuitBreaking defines the HTTP Circuit Breaking settings for an upstream host.
Field | Description |
---|---|
statTimeWindow Kubernetes meta/v1.Duration | StatTimeWindow specifies the statistical time window over which circuit breaking is evaluated. |
minRequestAmount uint32 | MinRequestAmount specifies the minimum number of requests (within an active statistical time window) that can trigger circuit breaking. |
degradedTimeWindow Kubernetes meta/v1.Duration | DegradedTimeWindow specifies the recovery timeout (in seconds) once the circuit breaker opens. |
slowTimeThreshold Kubernetes meta/v1.Duration | SlowTimeThreshold specifies the response time beyond which a request is counted as slow. |
slowAmountThreshold uint32 | SlowAmountThreshold specifies the number of slow requests that triggers circuit breaking. |
slowRatioThreshold float32 | SlowRatioThreshold specifies the ratio of slow requests that triggers circuit breaking. |
errorAmountThreshold uint32 | ErrorAmountThreshold specifies the number of error requests that triggers circuit breaking. |
errorRatioThreshold float32 | ErrorRatioThreshold specifies the ratio of error requests that triggers circuit breaking. |
degradedStatusCode int32 | DegradedStatusCode specifies the HTTP status code returned while the circuit breaker is open (degraded). |
degradedResponseContent string | DegradedResponseContent specifies the HTTP response content returned while the circuit breaker is open (degraded). |
HTTPConnectionSettings
(Appears on: ConnectionSettingsSpec)
HTTPConnectionSettings defines the HTTP connection settings for an upstream host.
Field | Description |
---|---|
maxRequests uint32 | (Optional) MaxRequests specifies the maximum number of parallel requests allowed to the upstream host. Defaults to 4294967295 (2^32 - 1) if not specified. |
maxRequestsPerConnection uint32 | (Optional) MaxRequestsPerConnection specifies the maximum number of requests per connection allowed to the upstream host. Defaults to unlimited if not specified. |
maxPendingRequests uint32 | (Optional) MaxPendingRequests specifies the maximum number of pending HTTP requests allowed to the upstream host. For HTTP/2 connections, if |
maxRetries uint32 | (Optional) MaxRetries specifies the maximum number of parallel retries allowed to the upstream host. Defaults to 4294967295 (2^32 - 1) if not specified. |
circuitBreaking HTTPCircuitBreaking | CircuitBreaking specifies the HTTP connection circuit breaking setting. |
HTTPHeaderValue
(Appears on: HTTPLocalRateLimitSpec)
HTTPHeaderValue defines an HTTP header name/value pair
Field | Description |
---|---|
name string | Name defines the name of the HTTP header. |
value string | Value defines the value of the header corresponding to the name key. |
HTTPLocalRateLimitSpec
(Appears on: HTTPPerRouteRateLimitSpec, LocalRateLimitSpec)
HTTPLocalRateLimitSpec defines the local rate limiting specification for the upstream host at the HTTP level.
Field | Description |
---|---|
requests uint32 | Requests defines the number of requests allowed per unit of time before rate limiting occurs. |
unit string | Unit defines the period of time within which requests over the limit will be rate limited. Valid values are “second”, “minute” and “hour”. |
burst uint32 | (Optional) Burst defines the number of requests above the baseline rate that are allowed in a short period of time. |
responseStatusCode uint32 | (Optional) ResponseStatusCode defines the HTTP status code to use for responses to rate limited requests. Code must be in the 400-599 (inclusive) error range. If not specified, a default of 429 (Too Many Requests) is used. |
responseHeadersToAdd []HTTPHeaderValue | (Optional) ResponseHeadersToAdd defines the list of HTTP headers that should be added to each response for requests that have been rate limited. |
HTTPPerRouteRateLimitSpec
(Appears on: HTTPRouteSpec)
HTTPPerRouteRateLimitSpec defines the rate limiting specification per HTTP route.
Field | Description |
---|---|
local HTTPLocalRateLimitSpec | Local defines the local rate limiting specification applied per HTTP route. |
HTTPRouteSpec
(Appears on: UpstreamTrafficSettingSpec)
HTTPRouteSpec defines the settings corresponding to an HTTP route.
Field | Description |
---|---|
path string | Path defines the HTTP path. |
rateLimit HTTPPerRouteRateLimitSpec | RateLimit defines the HTTP rate limiting specification for the specified HTTP route. |
IngressBackend
IngressBackend is the type used to represent an Ingress backend policy. An Ingress backend policy authorizes one or more backends to accept ingress traffic from one or more sources.
Field | Description |
---|---|
metadata Kubernetes meta/v1.ObjectMeta | (Optional) Object’s metadata. Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec IngressBackendSpec | (Optional) Spec is the IngressBackend policy specification. |
status IngressBackendStatus | (Optional) Status is the status of the IngressBackend configuration. |
IngressBackendSpec
(Appears on: IngressBackend)
IngressBackendSpec is the type used to represent the IngressBackend policy specification.
Field | Description |
---|---|
backends []BackendSpec | Backends defines the list of backends the IngressBackend policy applies to. |
sources []IngressSourceSpec | Sources defines the list of sources the IngressBackend policy applies to. |
matches []Kubernetes core/v1.TypedLocalObjectReference | (Optional) Matches defines the list of object references the IngressBackend policy should match on. |
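An IngressBackend policy, and the AccessControl policy described earlier on this page which shares the same backends/sources shape, written out from the field tables; this is an added illustration, not a sample from the reference or the project. Backend and source names, namespaces, the port number, the SNI hostname and the CIDR are constructed, and the convention that an IPRange source carries its CIDR in the name field is an assumption.

```yaml
# Added example (constructed values): authorize the "httpbin" backend to accept
# ingress traffic only from the ingress controller Service. Without a policy
# like this, ingress traffic to the backend is not authorized by the mesh.
apiVersion: policy.flomesh.io/v1alpha1
kind: IngressBackend
metadata:
  name: httpbin-ingress
  namespace: httpbin
spec:
  backends:
    - name: httpbin
      port:
        number: 14001
        protocol: https   # protocol string assumed, not taken from the reference
      tls:
        # Keep client certificate validation on: setting this to true makes the
        # backend accept any client that can reach the port over TLS.
        skipClientCertValidation: false
        # SNI hostnames the backend allows the client to request.
        sniHosts:
          - httpbin.example.com
  sources:
    # Source kinds per IngressSourceSpec: Service, AuthenticatedPrincipal, IPRange.
    - kind: Service
      name: ingress-nginx-controller
      namespace: ingress-nginx
---
# Same shape for AccessControl: here the backend may also be reached directly
# from a fixed address range (assumed: the CIDR goes in the name field).
apiVersion: policy.flomesh.io/v1alpha1
kind: AccessControl
metadata:
  name: httpbin-from-vpn
  namespace: httpbin
spec:
  backends:
    - name: httpbin
      port:
        number: 14001
        protocol: http
  sources:
    - kind: IPRange
      name: 10.20.0.0/16   # constructed range
```

Review the sources list as an allow list: every entry extends who may reach the backend, and an IPRange source grants access to any workload in that range rather than to an authenticated identity.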
IngressBackendStatus
(Appears on: IngressBackend)
IngressBackendStatus is the type used to represent the status of an IngressBackend resource.
Field | Description |
---|---|
currentStatus string | (Optional) CurrentStatus defines the current status of an IngressBackend resource. |
reason string | (Optional) Reason defines the reason for the current status of an IngressBackend resource. |
IngressSourceSpec
(Appears on: IngressBackendSpec)
IngressSourceSpec is the type used to represent the Source in the list of Sources specified in an IngressBackend policy specification.
Field | Description |
---|---|
kind string | Kind defines the kind of the source in the IngressBackend policy. Must be one of: Service, AuthenticatedPrincipal, IPRange. |
name string | Name defines the name of the source for the given Kind. |
namespace string | (Optional) Namespace defines the namespace for the given source. |
LocalRateLimitSpec
(Appears on: RateLimitSpec)
LocalRateLimitSpec defines the local rate limiting specification for the upstream host.
Field | Description |
---|---|
tcp TCPLocalRateLimitSpec | (Optional) TCP defines the local rate limiting specification at the network level. This is a token bucket rate limiter where each connection consumes a single token. If the token is available, the connection will be allowed. If no tokens are available, the connection will be immediately closed. |
http HTTPLocalRateLimitSpec | HTTP defines the local rate limiting specification for HTTP traffic. This is a token bucket rate limiter where each request consumes a single token. If the token is available, the request will be allowed. If no tokens are available, the request will receive the configured rate limit status. |
PortSpec
(Appears on: AccessControlBackendSpec, BackendSpec, EgressSpec)
PortSpec is the type used to represent the Port in the list of Ports specified in an Egress policy specification.
Field | Description |
---|---|
number int | Number defines the port number. |
protocol string | Protocol defines the protocol served by the port. |
RateLimitSpec
(Appears on: UpstreamTrafficSettingSpec)
RateLimitSpec defines the rate limiting specification for the upstream host.
Field | Description |
---|---|
local LocalRateLimitSpec | (Optional) Local specifies the local rate limiting specification for the upstream host. Local rate limiting is enforced directly by the upstream host without any involvement of a global rate limiting service. This is applied as a token bucket rate limiter. |
Retry
Retry is the type used to represent a Retry policy. A Retry policy authorizes retries to failed attempts for outbound traffic from one service source to one or more destination services.
Field | Description |
---|---|
metadata Kubernetes meta/v1.ObjectMeta | (Optional) Object’s metadata. Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec RetrySpec | (Optional) Spec is the Retry policy specification. |
RetryPolicySpec
(Appears on: RetrySpec)
RetryPolicySpec is the type used to represent the retry policy specified in the Retry policy specification.
Field | Description |
---|---|
retryOn string | RetryOn defines the policies to retry on, delimited by comma. |
perTryTimeout Kubernetes meta/v1.Duration | (Optional) PerTryTimeout defines the time allowed for a retry before it’s considered a failed attempt. |
numRetries uint32 | (Optional) NumRetries defines the max number of retries to attempt. |
retryBackoffBaseInterval Kubernetes meta/v1.Duration | (Optional) RetryBackoffBaseInterval defines the base interval for exponential retry backoff. |
RetrySpec
(Appears on: Retry)
RetrySpec is the type used to represent the Retry policy specification.
Field | Description |
---|---|
source RetrySrcDstSpec | Source defines the source the Retry policy applies to. |
destinations []RetrySrcDstSpec | Destinations defines the list of destinations the Retry policy applies to. |
retryPolicy RetryPolicySpec | RetryPolicy defines the retry policy the Retry policy applies. |
RetrySrcDstSpec
(Appears on: RetrySpec)
RetrySrcDstSpec is the type used to represent the Destination in the list of Destinations and the Source specified in the Retry policy specification.
Field | Description |
---|---|
kind string | Kind defines the kind for the Src/Dst in the Retry policy. |
name string | Name defines the name of the Src/Dst for the given Kind. |
namespace string | Namespace defines the namespace for the given Src/Dst. |
TCPConnectionSettings
(Appears on: ConnectionSettingsSpec)
TCPConnectionSettings defines the TCP connection settings for an upstream host.
Field | Description |
---|---|
maxConnections uint32 | (Optional) MaxConnections specifies the maximum number of TCP connections allowed to the upstream host. Defaults to 4294967295 (2^32 - 1) if not specified. |
connectTimeout Kubernetes meta/v1.Duration | (Optional) ConnectTimeout specifies the TCP connection timeout. Defaults to 5s if not specified. |
TCPLocalRateLimitSpec
(Appears on: LocalRateLimitSpec)
TCPLocalRateLimitSpec defines the local rate limiting specification for the upstream host at the TCP level.
Field | Description |
---|---|
connections uint32 | Connections defines the number of connections allowed per unit of time before rate limiting occurs. |
unit string | Unit defines the period of time within which connections over the limit will be rate limited. Valid values are “second”, “minute” and “hour”. |
burst uint32 | (Optional) Burst defines the number of connections above the baseline rate that are allowed in a short period of time. |
TLSSpec
(Appears on: AccessControlBackendSpec, BackendSpec)
TLSSpec is the type used to represent the backend’s TLS configuration.
Field | Description |
---|---|
skipClientCertValidation bool | SkipClientCertValidation defines whether the backend should skip validating the certificate presented by the client. |
sniHosts []string | (Optional) SNIHosts defines the SNI hostnames that the backend allows the client to connect to. |
UpstreamTrafficSetting
UpstreamTrafficSetting defines the settings applicable to traffic destined to an upstream host.
Field | Description |
---|---|
metadata Kubernetes meta/v1.ObjectMeta | (Optional) Object’s metadata. Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec UpstreamTrafficSettingSpec | (Optional) Spec is the UpstreamTrafficSetting policy specification. |
status UpstreamTrafficSettingStatus | (Optional) Status is the status of the UpstreamTrafficSetting resource. |
UpstreamTrafficSettingSpec
(Appears on: UpstreamTrafficSetting)
UpstreamTrafficSettingSpec defines the upstream traffic setting specification.
Field | Description |
---|---|
host string | Host the upstream traffic is directed to. Must either be an FQDN corresponding to the upstream service or the name of the upstream service. If only the service name is specified, the FQDN is derived from the service name and the namespace of the UpstreamTrafficSetting rule. |
connectionSettings ConnectionSettingsSpec | (Optional) ConnectionSettings specifies the connection settings for traffic directed to the upstream host. |
rateLimit RateLimitSpec | (Optional) RateLimit specifies the rate limit settings for the traffic directed to the upstream host. If HTTP rate limiting is specified, the rate limiting is applied at the VirtualHost level applicable to all routes within the VirtualHost. |
httpRoutes []HTTPRouteSpec | (Optional) HTTPRoutes defines the list of HTTP routes settings for the upstream host. Settings are applied at a per route level. |
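An UpstreamTrafficSetting that exercises the connection settings, circuit breaking, local rate limiting and per-route rate limiting types defined on this page; it is an added illustration, not a sample from the reference or the project. The service name, namespace, route path and every numeric threshold are constructed values chosen to show the relationships between the fields.

```yaml
# Added example (constructed values): bound what one upstream will absorb.
# Connection limits cap concurrency, the circuit breaker sheds load when the
# upstream degrades, and the token-bucket rate limiters throttle callers.
apiVersion: policy.flomesh.io/v1alpha1
kind: UpstreamTrafficSetting
metadata:
  name: httpbin-limits
  namespace: httpbin
spec:
  # Service name only: the FQDN is derived from this name plus the
  # namespace of this UpstreamTrafficSetting object.
  host: httpbin
  connectionSettings:
    tcp:
      maxConnections: 100   # default would be 4294967295
      connectTimeout: 2s    # default would be 5s
    http:
      maxRequests: 200
      maxPendingRequests: 50
      maxRequestsPerConnection: 100
      maxRetries: 3
      circuitBreaking:
        # Evaluate over 30s windows, but only once 20 requests were seen in a window.
        statTimeWindow: 30s
        minRequestAmount: 20
        # Open the breaker when 5 requests (or 50% of them) take longer than 2s,
        # or when 5 requests (or 20% of them) return errors.
        slowTimeThreshold: 2s
        slowAmountThreshold: 5
        slowRatioThreshold: 0.5
        errorAmountThreshold: 5
        errorRatioThreshold: 0.2
        # While open, answer locally for 60s instead of forwarding.
        degradedTimeWindow: 60s
        degradedStatusCode: 503
        degradedResponseContent: "upstream temporarily degraded"
  rateLimit:
    local:
      # One token per connection; with no token left the connection is closed.
      tcp:
        connections: 100
        unit: second
        burst: 20
      # One token per request; with no token left the status below is returned.
      # This HTTP limit applies to every route on the virtual host.
      http:
        requests: 50
        unit: second
        burst: 10
        responseStatusCode: 429   # must be within 400-599
        responseHeadersToAdd:
          - name: x-rate-limited
            value: "true"
  httpRoutes:
    # A stricter per-route limit for an endpoint worth protecting from guessing.
    - path: /login
      rateLimit:
        local:
          requests: 5
          unit: minute
          burst: 2
          responseStatusCode: 429
```

When tuning, set minRequestAmount high enough that a handful of failed requests during low traffic cannot trip the breaker, and keep the per-route limit below the virtual-host limit, otherwise the host-level bucket empties first and the route setting never takes effect.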
UpstreamTrafficSettingStatus
(Appears on: UpstreamTrafficSetting)
UpstreamTrafficSettingStatus defines the status of an UpstreamTrafficSetting resource.
Field | Description |
---|---|
currentStatus string | (Optional) CurrentStatus defines the current status of an UpstreamTrafficSetting resource. |
reason string | (Optional) Reason defines the reason for the current status of an UpstreamTrafficSetting resource. |
Generated with gen-crd-api-reference-docs on git commit 8abe9ab.