Control-Plane configuration

Below is the complete list of control-plane options, each with its default value and the environment variable that overrides it:

  1. # Environment type. Available values are: "kubernetes" or "universal"
  2. environment: universal # ENV: KUMA_ENVIRONMENT
  3. # Mode in which Kuma CP is running. Available values are: "standalone", "global", "zone"
  4. mode: standalone # ENV: KUMA_MODE
  5. # Resource Store configuration
  6. store:
  7. # Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory"
  8. type: memory # ENV: KUMA_STORE_TYPE
  9. # Kubernetes Store configuration (used when store.type=kubernetes)
  10. kubernetes:
  11. # Namespace where Control Plane is installed to.
  12. systemNamespace: kuma-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
  13. # Postgres Store configuration (used when store.type=postgres)
  14. postgres:
  15. # Host of the Postgres DB
  16. host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST
  17. # Port of the Postgres DB
  18. port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT
  19. # User of the Postgres DB
  20. user: kuma # ENV: KUMA_STORE_POSTGRES_USER
  21. # Password of the Postgres DB. The default "kuma" is a placeholder: change it for any non-local deployment, and prefer supplying it through the environment variable (or a mounted secret) rather than committing it in this file.
  22. password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD
  23. # Database name of the Postgres DB
  24. dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME
  25. # Driver to use, one of: pgx, postgres
  26. driverName: pgx # ENV: KUMA_STORE_POSTGRES_DRIVER_NAME
  27. # Connection Timeout to the DB in seconds
  28. connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT
  29. # MaxConnectionLifetime (applied only when driverName=pgx) is the duration since creation after which a connection will be automatically closed
  30. maxConnectionLifetime: "1h" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME
  31. # MaxConnectionLifetimeJitter (applied only when driverName=pgx) is the duration after maxConnectionLifetime to randomly decide to close a connection.
  32. # This helps prevent all connections from being closed at the exact same time, starving the pool.
  33. maxConnectionLifetimeJitter: "1m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME_JITTER
  34. # HealthCheckInterval (applied only when driverName=pgx) is the duration between checks of the health of idle connections.
  35. healthCheckInterval: "30s" # ENV: KUMA_STORE_POSTGRES_HEALTH_CHECK_INTERVAL
  36. # MinOpenConnections (applied only when driverName=pgx) is the minimum number of open connections to the database
  37. minOpenConnections: 0 # ENV: KUMA_STORE_POSTGRES_MIN_OPEN_CONNECTIONS
  38. # MaxOpenConnections is the maximum number of open connections to the database
  39. # `0` value means number of open connections is unlimited
  40. maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS
  41. # MaxIdleConnections (applied only when driverName=postgres) is the maximum number of connections in the idle connection pool
  42. # <0 value means no idle connections and 0 means default max idle connections
  43. maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS
  44. # TLS settings
  45. tls:
  46. # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull". Only "verifyCa" and "verifyFull" authenticate the server (against caPath); "disable" sends credentials in plaintext and "verifyNone" encrypts without checking the server certificate, so use "verifyFull" outside local development.
  47. mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
  48. # Path to TLS Certificate of the client. Required when the Postgres server authenticates clients with the `cert` METHOD (client-certificate authentication, typically configured in pg_hba.conf).
  49. certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH
  50. # Path to TLS Key of the client. Required when the Postgres server authenticates clients with the `cert` METHOD. Keep this file readable only by the control-plane process.
  51. keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH
  52. # Path to the root certificate. Used in verifyCa and verifyFull modes.
  53. caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH
  54. # MinReconnectInterval (applied only when driverName=postgres) controls the duration to wait before trying to
  55. # re-establish the database connection after connection loss. After each
  56. # consecutive failure this interval is doubled, until MaxReconnectInterval
  57. # is reached. Successfully completing the connection establishment procedure
  58. # resets the interval back to MinReconnectInterval.
  59. minReconnectInterval: "10s" # ENV: KUMA_STORE_POSTGRES_MIN_RECONNECT_INTERVAL
  60. # MaxReconnectInterval (applied only when driverName=postgres) controls the maximum possible duration to wait before trying
  61. # to re-establish the database connection after connection loss.
  62. maxReconnectInterval: "60s" # ENV: KUMA_STORE_POSTGRES_MAX_RECONNECT_INTERVAL
  63. # Cache for read only operations. This cache is local to the instance of the control plane.
  64. cache:
  65. # If true then cache is enabled
  66. enabled: true # ENV: KUMA_STORE_CACHE_ENABLED
  67. # Expiration time for elements in cache.
  68. expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME
  69. # Upsert (get and update) configuration
  70. upsert:
  71. # Base time for exponential backoff on upsert operations when retry is enabled
  72. conflictRetryBaseBackoff: 100ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF
  73. # Max retries on upsert (get and update) operation when retry is enabled
  74. conflictRetryMaxTimes: 5 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES
  75. # If true, skips validation of resource delete.
  76. # For example you don't have to delete all Dataplane objects before you delete a Mesh
  77. unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE
  78. # Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes
  79. bootstrapServer:
  80. # Parameters of bootstrap configuration
  81. params:
  82. # Address of Envoy Admin. Keep this on loopback: the Envoy admin interface has no authentication of its own, so binding it to a non-loopback address exposes it to the network.
  83. adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS
  84. # Port of Envoy Admin
  85. adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT
  86. # Path to access log file of Envoy Admin
  87. adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH
  88. # Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane
  89. xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST
  90. # Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT
  91. xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT
  92. # Connection timeout to the XDS Server
  93. xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT
  94. # Monitoring Assignment Discovery Service (MADS) server configuration
  95. monitoringAssignmentServer:
  96. # Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS).
  97. port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT
  98. # Which MADS API versions to serve
  99. apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS
  100. # Interval for re-generating monitoring assignments for clients connected to the Control Plane.
  101. assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL
  102. # The default timeout for a single fetch-based discovery request, if not specified
  103. defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT
  104. # Path to TLS certificate file
  105. tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE
  106. # Path to TLS key file
  107. tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE
  108. # TlsMinVersion: the minimum TLS version accepted by the MADS server.
  109. tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION
  110. # TlsMaxVersion: the maximum TLS version accepted by the MADS server.
  111. tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION
  112. # TlsCipherSuites: the list of cipher suites the MADS server offers.
  113. tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES
  114. # Envoy XDS server configuration
  115. xdsServer:
  116. # Interval for re-generating configuration for Dataplanes connected to the Control Plane
  117. dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL
  118. # Interval for flushing status of Dataplanes connected to the Control Plane
  119. dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL
  120. # Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane
  121. nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF
  122. # A delay between proxy terminating a connection and the CP trying to deregister the proxy.
  123. # It is used only in universal mode when you use direct lifecycle.
  124. # Setting this setting to 0s disables the delay.
  125. # Disabling this may cause race conditions that one instance of CP removes proxy object
  126. # while proxy is connected to another instance of the CP.
  127. dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY
  128. # API Server configuration
  129. apiServer:
  130. # HTTP configuration of the API Server
  131. http:
  132. # If true then API Server will be served on HTTP. This listener is plaintext and, with the default interface of 0.0.0.0, any token sent to it crosses the network unencrypted; in production bind it to 127.0.0.1 or disable it and use the HTTPS listener.
  133. enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED
  134. # Network interface on which HTTP API Server will be exposed
  135. interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE
  136. # Port of the API Server
  137. port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT
  138. # HTTPS configuration of the API Server
  139. https:
  140. # If true then API Server will be served on HTTPS
  141. enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED
  142. # Network interface on which HTTPS API Server will be exposed
  143. interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE
  144. # Port of the HTTPS API Server
  145. port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT
  146. # Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty
  147. tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
  148. # Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty
  149. tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE
  150. # Path to the CA certificate which is used to sign client certificates. It is used only for verifying client certificates.
  151. tlsCaFile: "" # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE
  152. # TlsMinVersion: the minimum TLS version accepted by the HTTPS API Server.
  153. tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION
  154. # TlsMaxVersion: the maximum TLS version accepted by the HTTPS API Server.
  155. tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION
  156. # TlsCipherSuites: the list of cipher suites the HTTPS API Server offers.
  157. tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES
  158. # If true, then HTTPS connection will require client cert.
  159. requireClientCert: false # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT
  160. # Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets
  161. auth:
  162. # Directory of authorized client certificates (validated only on the HTTPS listener)
  163. clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR
  164. # Api Server Authentication configuration
  165. authn:
  166. # Type of authentication mechanism (available values: "adminClientCerts", "tokens")
  167. type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE
  168. # Requests arriving from localhost are authenticated as user "admin" in group "admin" without presenting a token. If a reverse proxy or sidecar on the same host forwards external requests to the API server, every forwarded request is then treated as admin; set this to false in that setup.
  169. localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN
  170. # Configuration for tokens authentication
  171. tokens:
  172. # If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret. Anyone who can read that secret holds full admin access to the API server, so restrict access to it and consider setting this to false once an admin token has been issued and stored elsewhere.
  173. bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN
  174. # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
  175. enableIssuer: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_ENABLE_ISSUER
  176. # Token validator configuration
  177. validator:
  178. # If true then Kuma secrets with prefix "user-token-signing-key" are considered as signing keys.
  179. useSecrets: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_VALIDATOR_USE_SECRETS
  180. # List of public keys used to validate the token. Example:
  181. # - kid: 1
  182. # key: |
  183. # -----BEGIN RSA PUBLIC KEY-----
  184. # MIIBCgKCAQEAq....
  185. # -----END RSA PUBLIC KEY-----
  186. # - kid: 2
  187. # keyFile: /keys/public.pem
  188. publicKeys: []
  189. # If true, then API Server will operate in read only mode (serving GET requests)
  190. readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY
  191. # Allowed domains for Cross-Origin Resource Sharing. Each value can be either a domain or a regexp. The default ".*" permits every origin; restrict it to the origins that actually host the GUI or call the API when the server is reachable from untrusted browsers.
  192. corsAllowedDomains:
  193. - ".*" # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS
  194. # Can be used if you use a reverse proxy
  195. rootUrl: "" # ENV: KUMA_API_SERVER_ROOT_URL
  196. # The path to serve the API from
  197. basePath: "/" # ENV: KUMA_API_SERVER_BASE_PATH
  198. # configuration specific to the GUI
  199. gui:
  200. # Whether to serve the gui (if mode=zone this has no effect)
  201. enabled: true # ENV: KUMA_API_SERVER_GUI_ENABLED
  202. # Can be used if you use a reverse proxy or want to serve the gui from a different path
  203. rootUrl: "" # ENV: KUMA_API_SERVER_GUI_ROOT_URL
  204. # The path to serve the GUI from
  205. basePath: "/gui" # ENV: KUMA_API_SERVER_GUI_BASE_PATH
  206. # Environment-specific configuration
  207. runtime:
  208. # Kubernetes-specific configuration
  209. kubernetes:
  210. # Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL.
  211. controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME
  212. # Name of Service Account that is used to run the Control Plane
  213. serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
  214. # Taint controller that prevents applications from scheduling until CNI is ready.
  215. nodeTaintController:
  216. # If true enables the taint controller.
  217. enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED
  218. # Value of app label on CNI pod that indicates if node can be ready.
  219. cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
  220. # Admission WebHook Server configuration
  221. admissionServer:
  222. # Address the Admission WebHook Server should be listening on
  223. address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS
  224. # Port the Admission WebHook Server should be listening on
  225. port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT
  226. # Directory with a TLS cert and private key for the Admission WebHook Server.
  227. # TLS certificate file must be named `tls.crt`.
  228. # TLS key file must be named `tls.key`.
  229. certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir
  230. # Injector defines configuration of a Kuma Sidecar Injector.
  231. injector:
  232. # if true runs kuma-cp in CNI compatible mode
  233. cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED
  234. # list of exceptions for Kuma injection
  235. exceptions:
  236. # a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value.
  237. labels:
  238. openshift.io/build.name: "*"
  239. openshift.io/deployer-pod-for.name: "*"
  240. # VirtualProbesEnabled enables automatic conversion of HttpGet probes to virtual probes. A virtual probe
  241. # serves on sub-path of insecure port 'virtualProbesPort',
  242. # i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort
  243. virtualProbesEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED
  244. # VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS
  245. virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT
  246. # CaCertFile is CA certificate which will be used to verify a connection to the control plane.
  247. caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
  248. # SidecarContainer defines configuration of the Kuma sidecar container.
  249. sidecarContainer:
  250. # Image name. The default "latest" tag is mutable: pin a specific version (or an image digest) in production so that sidecar upgrades are deliberate and reproducible.
  251. image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
  252. # Redirect port for inbound traffic.
  253. redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND
  254. # Redirect port for inbound IPv6 traffic.
  255. redirectPortInboundV6: 15010 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6
  256. # Redirect port for outbound traffic.
  257. redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND
  258. # User ID.
  259. uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID
  260. # Group ID.
  261. gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI
  262. # Drain time for listeners.
  263. drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME
  264. # Readiness probe.
  265. readinessProbe:
  266. # Number of seconds after the container has started before readiness probes are initiated.
  267. initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS
  268. # Number of seconds after which the probe times out.
  269. timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS
  270. # How often (in seconds) to perform the probe.
  271. periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS
  272. # Minimum consecutive successes for the probe to be considered successful after having failed.
  273. successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD
  274. # Minimum consecutive failures for the probe to be considered failed after having succeeded.
  275. failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD
  276. # Liveness probe.
  277. livenessProbe:
  278. # Number of seconds after the container has started before liveness probes are initiated.
  279. initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS
  280. # Number of seconds after which the probe times out.
  281. timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS
  282. # How often (in seconds) to perform the probe.
  283. periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS
  284. # Minimum consecutive failures for the probe to be considered failed after having succeeded.
  285. failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD
  286. # Compute resource requirements.
  287. resources:
  288. # Minimum amount of compute resources required.
  289. requests:
  290. # CPU, in cores. (500m = .5 cores)
  291. cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU
  292. # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
  293. memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY
  294. # Maximum amount of compute resources allowed.
  295. limits:
  296. # CPU, in cores. (500m = .5 cores)
  297. cpu: 1000m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU
  298. # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
  299. memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY
  300. # Additional environment variables that can be placed on Kuma DP sidecar
  301. envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS
  302. # InitContainer defines configuration of the Kuma init container
  303. initContainer:
  304. # Image name. The default "latest" tag is mutable: pin a specific version (or an image digest) in production, as for the sidecar image.
  305. image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
  306. # ContainerPatches is an optional list of ContainerPatch names which will be applied
  307. # to init and sidecar containers if workload is not annotated with a patch list.
  308. containerPatches: [ ] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES
  309. # Configuration for a traffic that is intercepted by sidecar
  310. sidecarTraffic:
  311. # List of inbound ports that will be excluded from interception.
  312. # This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod.
  313. excludeInboundPorts: [ ] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS
  314. # List of outbound ports that will be excluded from interception.
  315. # This setting is applied on every pod unless traffic.kuma.io/exclude-outbound-ports annotation is specified on Pod.
  316. excludeOutboundPorts: [ ] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS
  317. builtinDNS:
  318. # Use the built-in DNS
  319. enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED
  320. # Redirect port for DNS
  321. port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT
  322. transparentProxyV1: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_V1
  323. # EBPF defines configuration for the ebpf, when transparent proxy is marked to be
  324. # installed using ebpf instead of iptables
  325. ebpf:
  326. # Install transparent proxy using ebpf
  327. enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
  328. # Name of the environmental variable which will include IP address of the pod
  329. instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME
  330. # Path where BPF file system will be mounted for pinning ebpf programs and maps
  331. bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH
  332. # Path of mounted cgroup2
  333. cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH
  334. # Name of the network interface which should be used to attach to it TC programs
  335. # when not specified, we will try to automatically determine it
  336. tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE
  337. # Path where compiled eBPF programs are placed
  338. programsSourcePath: /kuma/ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
  339. marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME
  340. # Universal-specific configuration
  341. universal:
  342. # DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC
  343. dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE
  344. # Default Kuma entities configuration
  345. defaults:
  346. # If true, it skips creating the default Mesh
  347. skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
  348. # Metrics configuration
  349. metrics:
  350. dataplane:
  351. # How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited
  352. subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT
  353. # How long data plane proxy can stay Online without active xDS connection
  354. idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT
  355. zone:
  356. # How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited
  357. subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT
  358. # How long zone can stay Online without active KDS connection
  359. idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT
  360. mesh:
  361. # Min time that should pass between MeshInsight resync
  362. minResyncTimeout: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_TIMEOUT
  363. # Max time that MeshInsight could spend without resync
  364. maxResyncTimeout: 20s # ENV: KUMA_METRICS_MESH_MAX_RESYNC_TIMEOUT
  365. # Reports configuration
  366. reports:
  367. # If true then usage stats will be reported
  368. enabled: false # ENV: KUMA_REPORTS_ENABLED
  369. # General configuration
  370. general:
  371. # dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name
  372. dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL
  373. # TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers.
  374. tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE
  375. # TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers.
  376. tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE
  377. # TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
  378. tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION
  379. # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
  380. tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION
  381. # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
  382. tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES
  383. # WorkDir defines a path to the working directory
  384. # Kuma stores in this directory autogenerated entities like certificates.
  385. # If empty then the working directory is $HOME/.kuma
  386. workDir: "" # ENV: KUMA_GENERAL_WORK_DIR
  387. # DNS Server configuration
  388. dnsServer:
  389. # The domain that the server will resolve the services for
  390. domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN
  391. # The CIDR range from which virtual IPs (VIPs) for mesh services are allocated
  392. CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR
  393. # Will create a service "<kuma.io/service>.mesh" dns entry for every service.
  394. serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED
  395. # The port to use along with the `<kuma.io/service>.mesh` dns entry
  396. serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT
  397. # Multizone mode
  398. multizone:
  399. global:
  400. kds:
  401. # Port of a gRPC server that serves Kuma Discovery Service (KDS).
  402. grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT
  403. # Interval for refreshing state of the world
  404. refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
  405. # Interval for flushing Zone Insights (stats of multi-zone communication)
  406. zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
  407. # TlsEnabled turns on TLS for KDS
  408. tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
  409. # TlsCertFile defines a path to a file with PEM-encoded TLS cert.
  410. tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
  411. # TlsKeyFile defines a path to a file with PEM-encoded TLS key.
  412. tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
  413. # TlsMinVersion the minimum version of TLS
  414. tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION
  415. # TlsMaxVersion the maximum version of TLS
  416. tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION
  417. # TlsCipherSuites the list of cipher suites
  418. tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES
  419. # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
  420. # In practice this means a limit on full list of one resource type.
  421. maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE
  422. # MsgSendTimeout defines a timeout on sending a single KDS message.
  423. # KDS stream between control planes is terminated if the control plane hits this timeout.
  424. msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT
  425. # Backoff that is executed when the global control plane is sending the response that was previously rejected by zone control plane
  426. nackBackoff: 5s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_NACK_BACKOFF
  427. zone:
  428. # Kuma Zone name used to mark the zone dataplane resources
  429. name: "" # ENV: KUMA_MULTIZONE_ZONE_NAME
  430. # GlobalAddress URL of Global Kuma CP
  431. globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
  432. kds:
  433. # Interval for refreshing state of the world
  434. refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL
  435. # RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it.
  436. rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
  437. # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
  438. # In practice this means a limit on full list of one resource type.
  439. maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE
  440. # MsgSendTimeout defines a timeout on sending a single KDS message.
  441. # KDS stream between control planes is terminated if the control plane hits this timeout.
  442. msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT
  443. # Backoff that is executed when the zone control plane is sending the response that was previously rejected by global control plane
  444. nackBackoff: 5s # ENV: KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF
  445. # Diagnostics configuration
  446. diagnostics:
  447. # Port of Diagnostic Server for checking health and readiness of the Control Plane
  448. serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT
  449. # If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints. These expose heap, goroutine and CPU profiles of the control plane and carry no authentication of their own; keep them disabled in production or restrict network access to the diagnostics port.
  450. debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS
  451. # Whether tls is enabled or not
  452. tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED
  453. # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
  454. tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE
  455. # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
  456. tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE
  457. # TlsMinVersion the minimum version of TLS
  458. tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION
  459. # TlsMaxVersion the maximum version of TLS
  460. tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION
  461. # TlsCipherSuites the list of cipher suites
  462. tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES
  463. # Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.
  464. dpServer:
  465. # Port of the DP Server
  466. port: 5678 # ENV: KUMA_DP_SERVER_PORT
  467. # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
  468. tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE
  469. # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
  470. tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE
  471. # TlsMinVersion the minimum version of TLS
  472. tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION
  473. # TlsMaxVersion the maximum version of TLS
  474. tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION
  475. # TlsCipherSuites the list of cipher suites
  476. tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES
  477. # ReadHeaderTimeout defines the amount of time the DP server is allowed
  478. # to read request headers. The connection's read deadline is reset
  479. # after the headers are read, and the Handler can decide what is considered
  480. # too slow for the body. If ReadHeaderTimeout is zero there is no timeout.
  481. # The timeout is configurable because, in rare cases when Kuma CP was restarting,
  482. # the 1s timeout explicitly set in the other servers was insufficient and DPs
  483. # failed to reconnect (this was observed in the Projected Service Account
  484. # Tokens e2e tests, which started flaking a lot after the explicit
  485. # 1s timeout was introduced).
  486. readHeaderTimeout: 5s # ENV: KUMA_DP_SERVER_READ_HEADER_TIMEOUT
  487. # Auth defines an authentication configuration for the DP Server
  488. # DEPRECATED: use "authn" section.
  489. auth:
  490. # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
  491. # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
  492. type: "" # ENV: KUMA_DP_SERVER_AUTH_TYPE
  493. # Authn defines an authentication configuration for the DP Server
  494. authn:
  495. # Configuration for data plane proxy authentication.
  496. dpProxy:
  497. # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
  498. # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
  499. type: ""
  500. # Configuration of dpToken authentication method
  501. dpToken:
  502. # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
  503. enableIssuer: true
  504. # DP Token validator configuration.
  505. validator:
  506. # If true then Kuma secrets with prefix "dataplane-token-signing-key-{mesh}" are considered as signing keys.
  507. useSecrets: true
  508. # List of public keys used to validate the token. Example:
  509. # - kid: 1
  510. # mesh: default
  511. # key: |
  512. # -----BEGIN RSA PUBLIC KEY-----
  513. # MIIBCgKCAQEAq....
  514. # -----END RSA PUBLIC KEY-----
  515. # - kid: 2
  516. # mesh: demo
  517. # keyFile: /keys/public.pem
  518. publicKeys: []
  519. # Configuration for zone proxy authentication.
  520. zoneProxy:
  521. # Type of authentication. Available values: "serviceAccountToken", "zoneToken", "none".
  522. # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "zoneToken" on Universal.
  523. type: ""
  524. # Configuration for zoneToken authentication method.
  525. zoneToken:
  526. # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
  527. enableIssuer: true
  528. # Zone Token validator configuration.
  529. validator:
  530. # If true then Kuma secrets with prefix "zone-token-signing-key" are considered as signing keys.
  531. useSecrets: true
  532. # List of public keys used to validate the token. Example:
  533. # - kid: 1
  534. # key: |
  535. # -----BEGIN RSA PUBLIC KEY-----
  536. # MIIBCgKCAQEAq....
  537. # -----END RSA PUBLIC KEY-----
  538. # - kid: 2
  539. # keyFile: /keys/public.pem
  540. publicKeys: []
  541. # If true then Envoy uses Google gRPC instead of Envoy gRPC, which lets a proxy reload the auth data (service account token, dp token etc.) stored in the file without a proxy restart.
  542. enableReloadableTokens: false # ENV: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS
  543. # Hds defines a Health Discovery Service configuration
  544. hds:
  545. # Enabled: if true, Envoy will actively check the application's ports, but only on Universal.
  546. # On Kubernetes this feature is disabled for now regardless of the flag value.
  547. enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED
  548. # Interval for Envoy to send statuses for HealthChecks
  549. interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL
  550. # RefreshInterval is the interval for regenerating configuration for Dataplanes connected to the Control Plane
  551. refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL
  552. # CheckDefaults defines the default HealthCheck configuration
  553. checkDefaults:
  554. # Timeout is a time to wait for a health check response. If the timeout is reached the
  555. # health check attempt will be considered a failure
  556. timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT
  557. # Interval between health checks
  558. interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL
  559. # NoTrafficInterval is a special health check interval that is used when a cluster has
  560. # never had traffic routed to it
  561. noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL
  562. # HealthyThreshold is a number of healthy health checks required before a host is marked healthy
  563. healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD
  564. # UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy
  565. unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD
  566. # Intercommunication CP configuration
  567. interCp:
  568. # Catalog configuration. Catalog keeps a record of all live CP instances in the zone.
  569. catalog:
  570. # Indicates an address on which other control planes can communicate with this CP.
  571. # If empty then it's autoconfigured by taking the first IP of the nonloopback network interface.
  572. instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
  573. # Interval at which this CP sends a heartbeat to the leader.
  574. heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL
  575. # Interval at which the CP writes all instances to the catalog.
  576. writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL
  577. # Intercommunication CP server configuration
  578. server:
  579. # Port of the inter-cp server
  580. port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT
  581. # TlsMinVersion is the minimum TLS version accepted by the inter-cp server
  582. tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION
  583. # TlsMaxVersion is the maximum TLS version accepted by the inter-cp server
  584. tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION
  585. # TlsCipherSuites is the list of allowed cipher suites
  586. tlsCipherSuites: [ ] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES
  587. # Access Control configuration
  588. access:
  589. # Type of access strategy (available values: "static")
  590. type: static
  591. # Configuration of static access strategy
  592. static:
  593. # AdminResources defines access to admin resources (Secret/GlobalSecret)
  594. adminResources:
  595. # List of users that are allowed to access admin resources
  596. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS
  597. # List of groups that are allowed to access admin resources
  598. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS
  599. # GenerateDPToken defines access to generating dataplane tokens
  600. generateDpToken:
  601. # List of users that are allowed to generate dataplane token
  602. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS
  603. # List of groups that are allowed to generate dataplane token
  604. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS
  605. # GenerateUserToken defines access to generating user tokens
  606. generateUserToken:
  607. # List of users that are allowed to generate user token
  608. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS
  609. # List of groups that are allowed to generate user token
  610. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS
  611. # GenerateZoneToken defines access to generating zone tokens
  612. generateZoneToken:
  613. # List of users that are allowed to generate zone token
  614. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS
  615. # List of groups that are allowed to generate zone token
  616. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS
  617. viewConfigDump:
  618. # List of users that are allowed to get envoy config dump
  619. users: [ ] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS
  620. # List of groups that are allowed to get envoy config dump
  621. groups: ["mesh-system:unauthenticated","mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS
  622. viewStats:
  623. # List of users that are allowed to get envoy stats
  624. users: [ ] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS
  625. # List of groups that are allowed to get envoy stats
  626. groups: ["mesh-system:unauthenticated","mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS
  627. viewClusters:
  628. # List of users that are allowed to get envoy clusters
  629. users: [ ] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS
  630. # List of groups that are allowed to get envoy clusters
  631. groups: ["mesh-system:unauthenticated","mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS
  632. # Configuration of experimental features of Kuma
  633. experimental:
  634. # If true, experimental Gateway API is enabled
  635. gatewayAPI: false # ENV: KUMA_EXPERIMENTAL_GATEWAY_API
  636. # If true, instead of embedding kubernetes outbounds into the Dataplane object, they are persisted next to VIPs in a ConfigMap.
  637. # This can improve performance, but it should be enabled only after all instances have been migrated to a version that supports this config.
  638. kubeOutboundsAsVIPs: true # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS
  639. proxy:
  640. gateway:
  641. # Sets the envoy runtime value to limit maximum number of incoming
  642. # connections to a builtin gateway data plane proxy
  643. globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS