MeshProxyPatch
The MeshProxyPatch
provides configuration options for low-level Envoy resources that Kong Mesh policies do not directly expose.
If you need features that aren’t available as a Kong Mesh policy, open a new issue on GitHub so they can be added to the Kong Mesh roadmap.
A MeshProxyPatch
policy can modify:
This policy uses a new policy matching algorithm. Do not combine with Proxy Template.
targetRef
support matrix
targetRef |
Allowed kinds |
---|---|
targetRef.kind |
Mesh , MeshSubset
|
To learn more about the information in this table, see the matching docs.
Configuration
Modifications
MeshProxyPatch
lets you specify modifications in appendModification
block that can add a new resource, patch an existing resource or remove an existing resource.
Each xDS resource modification consists of 3 fields:
-
operation
- operation applied to the generated config (for example:Add
,Remove
,Patch
). -
match
- some operations can be applied on matched resources (for example: remove only resource of given name, patch all outbound resources).
and one of
-
jsonPatches
- list of modifications in JSON Patch notation. -
value
- raw Envoy xDS configuration. Can be partial if operation ispatch
.
Origin
All resources generated by Kong Mesh are marked with the origin
value, so you can match specific resources.
Examples: add new filters but only on inbound listeners, set timeouts on outbound clusters.
Well known origins:
-
inbound
- resources generated for incoming traffic. -
outbound
- resources generated for outgoing traffic. -
transparent
- resources generated for transparent proxy functionality. -
prometheus
- resources generated for Prometheus to scrape when metrics on the Mesh is enabled. -
direct-access
- resources generated for Direct Access functionality. -
gateway
- resources generated for MeshGateway.
The list is not complete, as policy plugins can introduce new resources.
For example MeshTrace plugin can create Cluster
with mesh-trace
origin.
Cluster
Modifications that are applied on Clusters resources.
Available operations:
-
Add
- add a new Cluster or replace existing if the name is the same. -
Remove
- remove a Cluster. -
Patch
- patch a part of Cluster definition.
Available matchers:
-
name
- name of the Cluster. -
origin
- origin of the Cluster.
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-template-1
namespace: kong-mesh-system
spec:
targetRef:
kind: MeshSubset
tags:
app: backend
default:
appendModifications:
- cluster:
operation: Add
value: |
name: test-cluster
connectTimeout: 5s
type: STATIC
- cluster:
operation: Patch
match: # optional: if absent, all clusters will be patched
name: test-cluster # optional: if absent, all clusters regardless of name will be patched
origin: inbound # optional: if absent, all clusters regardless of its origin will be patched
value: | # you can specify only part of cluster definition that will be merged into existing cluster
connectTimeout: 5s
- cluster:
operation: Patch
match: # optional: if absent, all clusters will be patched
name: test-cluster # optional: if absent, all clusters regardless of name will be patched
origin: inbound # optional: if absent, all clusters regardless of its origin will be patched
jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
- op: add
path: /transportSocket/typedConfig/commonTlsContext/tlsParams # remember to always use camelCase
value:
tlsMinimumProtocolVersion: TLSv1_2
- op: add
path: /transportSocket/typedConfig/commonTlsContext/tlsParams/tlsMaximumProtocolVersion
value: TLSv1_2
- op: replace
path: /connectTimeout
value: 77s
- cluster:
operation: Remove
match: # optional: if absent, all clusters will be removed
name: test-cluster # optional: if absent, all clusters regardless of name will be removed
origin: inbound # optional: if absent, all clusters regardless of its origin will be removed
Listener
Modifications that are applied on Listeners resources.
Available operations:
-
Add
- add a new Listener or replace existing if the name is the same. -
Remove
- remove a Listener. -
Patch
- patch a part of Listener definition.
Available matchers:
-
name
- name of the Listener. -
origin
- origin of the Listener. -
tags
- tags of inbound or outbound Listeners. They matchListener.metadata.filterMetadata[io.kuma.tags]
in XDS configuration.
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-template-1
namespace: kong-mesh-system
spec:
targetRef:
kind: MeshSubset
tags:
app: backend
default:
appendModifications:
- listener:
operation: Add
value: |
name: test-listener
address:
socketAddress:
address: 192.168.0.1
portValue: 8080
- listener:
operation: Patch
match: # optional: if absent, all listeners will be patched
name: test-listener # optional: if absent, all listeners regardless of name will be patched
origin: inbound # optional: if absent, all listeners regardless of its origin will be patched
tags: # optional: if absent, all listeners are matched
kuma.io/service: backend
value: | # you can specify only part of listener definition that will be merged into existing listener
continueOnListenerFiltersTimeout: true
- listener:
operation: Patch
match: # optional: if absent, all listeners will be patched
name: test-listener # optional: if absent, all listeners regardless of name will be patched
origin: inbound # optional: if absent, all listeners regardless of its origin will be patched
tags: # optional: if absent, all listeners are matched
kuma.io/service: backend
jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
- op: add
path: /continueOnListenerFiltersTimeout
value: true
- listener:
operation: Remove
match: # optional: if absent, all listeners will be removed
name: test-listener # optional: if absent, all listeners regardless of name will be removed
origin: inbound # optional: if absent, all listeners regardless of its origin will be removed
Network Filter
Modifications that are applied on Network Filters that are part of Listeners resource. Modifications are applied on all Filter Chains in the Listener.
Available operations:
-
AddFirst
- add a new filter as a first filter in Filter Chain. -
AddLast
- add a new filter as a last filter in Filter Chain. -
AddAfter
- add a new filter after other filter in Filter Chain that is matched usingmatch
section. -
AddBefore
- add a new filter before other filter in Filter Chain that is matched usingmatch
section. -
Patch
- patch a matched filter in Filter Chain. -
Remove
- remove a filter in Filter Chain.
Available matchers:
-
name
- name of the Network Filter. -
listenerName
- name of the Listener. -
listenerTags
- tags of inbound or outbound Listeners. They matchListener.metadata.filterMetadata[io.kuma.tags]
in XDS configuration. -
origin
- origin of the Listener.
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-template-1
namespace: kong-mesh-system
spec:
targetRef:
kind: MeshSubset
tags:
app: backend
default:
appendModifications:
- networkFilter:
operation: AddFirst
match: # optional: if absent, filter will be added to all listeners
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.network.local_ratelimit
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
statPrefix: rateLimit
tokenBucket:
fillInterval: 1s
- networkFilter:
operation: AddLast
match: # optional: if absent, filter will be added to all listeners
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.network.local_ratelimit
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
statPrefix: rateLimit
tokenBucket:
fillInterval: 1s
- networkFilter:
operation: AddBefore
match:
name: envoy.filters.network.tcp_proxy # a new filter (Local RateLimit) will be added before existing (TcpProxy). If there is no TcpProxy filter, Local RateLimit won't be added.
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.network.local_ratelimit
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
statPrefix: rateLimit
tokenBucket:
fillInterval: 1s
- networkFilter:
operation: AddAfter
match:
name: envoy.filters.network.tcp_proxy # a new filter (Local RateLimit) will be added after existing (TcpProxy). If there is no TcpProxy filter, Local RateLimit won't be added.
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.network.local_ratelimit
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
statPrefix: rateLimit
tokenBucket:
fillInterval: 1s
- networkFilter:
operation: Patch
match:
name: envoy.filters.network.tcp_proxy
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
value: | # you can specify only part of filter definition that will be merged into existing filter
name: envoy.filters.network.tcp_proxy
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
idleTimeout: 10s
- networkFilter:
operation: Patch
match:
name: envoy.filters.network.tcp_proxy
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
- op: replace
path: /idleTimeout
value: 10s
- networkFilter:
operation: Remove
match: # optional: if absent, all filters from all listeners will be removed
name: envoy.filters.network.tcp_proxy # optional: if absent, all filters regardless of name will be removed
listenerName: inbound:127.0.0.0:80 # optional: if absent, all filters regardless of the listener name will be removed
listenerTags: # optional: if absent, all filters regardless of the listener tags will be removed
kuma.io/service: backend
origin: inbound # optional: if absent, all filters regardless of its origin will be removed
HTTP Filter
Modifications that are applied on HTTP Filters that are part of Listeners resource. Modifications that Kong Mesh applies on all HTTP Connection Managers in the Listener.
HTTP Filter modifications can only be applied on services configured as HTTP.
Available operations:
-
AddFirst
- add a new filter as a first filter in HTTP Connection Manager. -
AddLast
- add a new filter as a last filter in HTTP Connection Manager. -
AddAfter
- add a new filter after other filter in HTTP Connection Manager that is matched usingmatch
section. -
AddBefore
- add a new filter before other filter in HTTP Connection Manager that is matched usingmatch
section. -
Patch
- patch a matched filter in HTTP Connection Manager. -
Remove
- remove a filter in HTTP Connection Manager.
Available matchers:
-
name
- name of the HTTP Filter. -
listenerName
- name of the Listener. -
listenerTags
- tags of inbound or outbound Listeners. They matchListener.metadata.filterMetadata[io.kuma.tags]
in XDS configuration. -
origin
- origin of the Listener.
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-template-1
namespace: kong-mesh-system
spec:
targetRef:
kind: MeshSubset
tags:
app: backend
default:
appendModifications:
- httpFilter:
operation: AddFirst
match: # optional: if absent, filter will be added to all HTTP Connection Managers
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.http.gzip
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
memoryLevel: 9
- httpFilter:
operation: AddLast
match: # optional: if absent, filter will be added to all HTTP Connection Managers
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.http.gzip
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
memoryLevel: 9
- httpFilter:
operation: AddBefore
match:
name: envoy.filters.http.router # a new filter (Gzip) will be added before existing (Router). If there is no Router filter, Gzip won't be added.
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.http.gzip
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
memoryLevel: 9
- httpFilter:
operation: AddAfter
match:
name: envoy.filters.http.router # a new filter (Gzip) will be added after existing (Router). If there is no Router filter, Gzip won't be added.
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be added to all listeners regardless of name
listenerTags: # optional: if absent, filter will be added to all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be added to all listeners regardless of its origin
value: |
name: envoy.filters.http.gzip
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.gzip.v3.Gzip
memoryLevel: 9
- httpFilter:
operation: Patch
match:
name: envoy.filters.http.router
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
value: | # you can specify only part of filter definition that will be merged into existing filter
name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
dynamicStats: false
- httpFilter:
operation: Patch
match:
name: envoy.filters.http.router
listenerName: inbound:127.0.0.0:80 # optional: if absent, filter will be patched within all listeners regardless of name
listenerTags: # optional: if absent, filter will be patched within all listeners regardless of listener tags
kuma.io/service: backend
origin: inbound # optional: if absent, filter will be patched within all listeners regardless of its origin
jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
- op: replace
path: /dynamicStats
value: false
- httpFilter:
operation: Remove
match: # optional: if absent, all filters from all listeners will be removed
name: envoy.filters.http.gzip # optional: if absent, all filters regardless of name will be removed
listenerName: inbound:127.0.0.0:80 # optional: if absent, all filters regardless of the listener name will be removed
listenerTags: # optional: if absent, all filters regardless of the listener tags will be removed
kuma.io/service: backend
origin: inbound # optional: if absent, all filters regardless of its origin will be removed
VirtualHost
Modifications that are applied on VirtualHost resources.
VirtualHost modifications can only be applied on services configured as HTTP.
Available operations:
-
Add
- add a new VirtualHost. -
Remove
- remove a VirtualHost. -
Patch
- patch a part of VirtualHost definition.
Available matchers:
-
name
- name of the VirtualHost. -
origin
- origin of the VirtualHost. -
routeConfigurationName
- name of the RouteConfiguration.
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-template-1
namespace: kong-mesh-system
spec:
targetRef:
kind: MeshSubset
tags:
app: backend
default:
appendModifications:
- virtualHost:
operation: Add
value: |
name: backend
domains:
- "*"
routes:
- match:
prefix: /
route:
cluster: backend
- virtualHost:
operation: Patch
match: # optional: if absent, all listeners will be patched
name: backend # optional: if absent, all virtual hosts regardless of name will be patched
origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be patched
routeConfigurationName: outbound:backend # optional: if absent, all virtual hosts in all route configurations will be patched
value: | # you can specify only part of virtual host definition that will be merged into existing virtual host
retryPolicy:
retryOn: 5xx
numRetries: 3
- virtualHost:
operation: Patch
match: # optional: if absent, all listeners will be patched
name: backend # optional: if absent, all virtual hosts regardless of name will be patched
origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be patched
routeConfigurationName: outbound:backend # optional: if absent, all virtual hosts in all route configurations will be patched
jsonPatches: # optional and mutually exclusive with "value": list of modifications in JSON Patch notation
- op: add
path: /retryPolicy
value:
retryOn: 5xx
numRetries: 3
- virtualHost:
operation: Remove
match: # optional: if absent, all virtual hosts will be removed
name: test-listener # optional: if absent, all virtual hsots regardless of name will be removed
origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be removed
Merging
All modifications from appendModification
list are always merged.
For example, if there is a policy with targetRef.kind: Mesh
and second policy with targetRef.kind: MeshService
that matches a data plane proxy,
all modifications from both policies will be applied.
JSONPatch
If you use JSONPatch, remember to always use camelCase instead of snake_case in path
parameter even though you see snake_case in Envoy Config Dump.
Examples
Timeout adjustment for MeshGateway
Example how to change streamIdleTimeout
for MeshGateway
:
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-template-1
namespace: kong-mesh-system
spec:
targetRef:
kind: MeshGateway
name: gateway
default:
appendModifications:
- networkFilter:
operation: Patch
match:
name: envoy.filters.network.http_connection_manager
origin: gateway # you can also specify the name of the listener
jsonPatches:
- op: replace
path: /streamIdleTimeout
value: 15s
lua filter
Here is and example of lua filter that adds the new x-header: test
header to all outgoing HTTP requests to service offers
.
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
metadata:
name: custom-template-1
namespace: kong-mesh-system
spec:
targetRef:
kind: MeshService
name: mesh-gateway_gateways_svc
default:
appendModifications:
- httpFilter:
operation: AddBefore
match:
name: envoy.filters.http.router
origin: outbound
listenerTags:
kuma.io/service: offers
value: |
name: envoy.filters.http.lua
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
inline_code: |
function envoy_on_request(request_handle)
request_handle:headers():add("x-header", "test")
end
All policy options
Spec is the specification of the Kuma MeshProxyPatch resource.
Type: object
Properties
- default
required
- Default is a configuration specific to the group of destinationsreferenced in 'targetRef'.
- Type:
object
- Properties
- appendModifications
required
- AppendModifications is a list of modifications applied on the selected proxy.
- Type:
array
- Items
- Type:
object
- Properties
- cluster
- Cluster is a modification of Envoy's Cluster resource.
- Type:
object
- Properties
- jsonPatches
- JsonPatches specifies list of jsonpatches to apply to on Envoy's Clusterresource
- Type:
array
- Items
- JsonPatchBlock is one json patch operation block.
- Type:
object
- Properties
- from
- From is a jsonpatch from string, used by move and copy operations.
- Type:
string
- op
required
- Op is a jsonpatch operation string.
- Type:
string
- The value is restricted to the following:
- "add"
- "remove"
- "replace"
- "move"
- "copy"
- path
required
- Path is a jsonpatch path string.
- Type:
string
- value
- Value must be a valid json value used by replace and add operations.
- from
- match
- Match is a set of conditions that have to be matched for modification operation to happen.
- Type:
object
- Properties
- name
- Name of the cluster to match.
- Type:
string
- origin
- Origin is the name of the component or plugin that generated the resource.Here is the list of well-known origins:inbound - resources generated for handling incoming traffic.outbound - resources generated for handling outgoing traffic.transparent - resources generated for transparent proxy functionality.prometheus - resources generated when Prometheus metrics are enabled.direct-access - resources generated for Direct Access functionality.ingress - resources generated for Zone Ingress.egress - resources generated for Zone Egress.gateway - resources generated for MeshGateway.The list is not complete, because policy plugins can introduce new resources.For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
- Type:
string
- name
- operation
required
- Operation to execute on matched cluster.
- Type:
string
- The value is restricted to the following:
- "Add"
- "Remove"
- "Patch"
- value
- Value of xDS resource in YAML format to add or patch.
- Type:
string
- jsonPatches
- httpFilter
- HTTPFilter is a modification of Envoy HTTP Filteravailable in HTTP Connection Manager in a Listener resource.
- Type:
object
- Properties
- jsonPatches
- JsonPatches specifies list of jsonpatches to apply to on Envoy'sHTTP Filter available in HTTP Connection Manager in a Listener resource.
- Type:
array
- Items
- JsonPatchBlock is one json patch operation block.
- Type:
object
- Properties
- from
- From is a jsonpatch from string, used by move and copy operations.
- Type:
string
- op
required
- Op is a jsonpatch operation string.
- Type:
string
- The value is restricted to the following:
- "add"
- "remove"
- "replace"
- "move"
- "copy"
- path
required
- Path is a jsonpatch path string.
- Type:
string
- value
- Value must be a valid json value used by replace and add operations.
- from
- match
- Match is a set of conditions that have to be matched for modification operation to happen.
- Type:
object
- Properties
- listenerName
- Name of the listener to match.
- Type:
string
- listenerTags
- Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags]
- Type:
object
- This schema accepts additional properties.
- Properties
- name
- Name of the HTTP filter. For example "envoy.filters.http.localratelimit"_
- Type:
string
- origin
- Origin is the name of the component or plugin that generated the resource.Here is the list of well-known origins:inbound - resources generated for handling incoming traffic.outbound - resources generated for handling outgoing traffic.transparent - resources generated for transparent proxy functionality.prometheus - resources generated when Prometheus metrics are enabled.direct-access - resources generated for Direct Access functionality.ingress - resources generated for Zone Ingress.egress - resources generated for Zone Egress.gateway - resources generated for MeshGateway.The list is not complete, because policy plugins can introduce new resources.For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
- Type:
string
- listenerName
- operation
required
- Operation to execute on matched listener.
- Type:
string
- The value is restricted to the following:
- "Remove"
- "Patch"
- "AddFirst"
- "AddBefore"
- "AddAfter"
- "AddLast"
- value
- Value of xDS resource in YAML format to add or patch.
- Type:
string
- jsonPatches
- listener
- Listener is a modification of Envoy's Listener resource.
- Type:
object
- Properties
- jsonPatches
- JsonPatches specifies list of jsonpatches to apply to on Envoy's Listenerresource
- Type:
array
- Items
- JsonPatchBlock is one json patch operation block.
- Type:
object
- Properties
- from
- From is a jsonpatch from string, used by move and copy operations.
- Type:
string
- op
required
- Op is a jsonpatch operation string.
- Type:
string
- The value is restricted to the following:
- "add"
- "remove"
- "replace"
- "move"
- "copy"
- path
required
- Path is a jsonpatch path string.
- Type:
string
- value
- Value must be a valid json value used by replace and add operations.
- from
- match
- Match is a set of conditions that have to be matched for modification operation to happen.
- Type:
object
- Properties
- name
- Name of the listener to match.
- Type:
string
- origin
- Origin is the name of the component or plugin that generated the resource.Here is the list of well-known origins:inbound - resources generated for handling incoming traffic.outbound - resources generated for handling outgoing traffic.transparent - resources generated for transparent proxy functionality.prometheus - resources generated when Prometheus metrics are enabled.direct-access - resources generated for Direct Access functionality.ingress - resources generated for Zone Ingress.egress - resources generated for Zone Egress.gateway - resources generated for MeshGateway.The list is not complete, because policy plugins can introduce new resources.For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
- Type:
string
- tags
- Tags available in Listener#Metadata#FilterMetadata[io.kuma.tags]
- Type:
object
- This schema accepts additional properties.
- Properties
- name
- operation
required
- Operation to execute on matched listener.
- Type:
string
- The value is restricted to the following:
- "Add"
- "Remove"
- "Patch"
- value
- Value of xDS resource in YAML format to add or patch.
- Type:
string
- jsonPatches
- networkFilter
- NetworkFilter is a modification of Envoy Listener's filter.
- Type:
object
- Properties
- jsonPatches
- JsonPatches specifies list of jsonpatches to apply to on Envoy Listener'sfilter.
- Type:
array
- Items
- JsonPatchBlock is one json patch operation block.
- Type:
object
- Properties
- from
- From is a jsonpatch from string, used by move and copy operations.
- Type:
string
- op
required
- Op is a jsonpatch operation string.
- Type:
string
- The value is restricted to the following:
- "add"
- "remove"
- "replace"
- "move"
- "copy"
- path
required
- Path is a jsonpatch path string.
- Type:
string
- value
- Value must be a valid json value used by replace and add operations.
- from
- match
- Match is a set of conditions that have to be matched for modification operation to happen.
- Type:
object
- Properties
- listenerName
- Name of the listener to match.
- Type:
string
- listenerTags
- Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags]
- Type:
object
- This schema accepts additional properties.
- Properties
- name
- Name of the network filter. For example "envoy.filters.network.ratelimit"
- Type:
string
- origin
- Origin is the name of the component or plugin that generated the resource.Here is the list of well-known origins:inbound - resources generated for handling incoming traffic.outbound - resources generated for handling outgoing traffic.transparent - resources generated for transparent proxy functionality.prometheus - resources generated when Prometheus metrics are enabled.direct-access - resources generated for Direct Access functionality.ingress - resources generated for Zone Ingress.egress - resources generated for Zone Egress.gateway - resources generated for MeshGateway.The list is not complete, because policy plugins can introduce new resources.For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
- Type:
string
- listenerName
- operation
required
- Operation to execute on matched listener.
- Type:
string
- The value is restricted to the following:
- "Remove"
- "Patch"
- "AddFirst"
- "AddBefore"
- "AddAfter"
- "AddLast"
- value
- Value of xDS resource in YAML format to add or patch.
- Type:
string
- jsonPatches
- virtualHost
- VirtualHost is a modification of Envoy's VirtualHostreferenced in HTTP Connection Manager in a Listener resource.
- Type:
object
- Properties
- jsonPatches
- JsonPatches specifies list of jsonpatches to apply to on Envoy'sVirtualHost resource
- Type:
array
- Items
- JsonPatchBlock is one json patch operation block.
- Type:
object
- Properties
- from
- From is a jsonpatch from string, used by move and copy operations.
- Type:
string
- op
required
- Op is a jsonpatch operation string.
- Type:
string
- The value is restricted to the following:
- "add"
- "remove"
- "replace"
- "move"
- "copy"
- path
required
- Path is a jsonpatch path string.
- Type:
string
- value
- Value must be a valid json value used by replace and add operations.
- from
- match
required
- Match is a set of conditions that have to be matched for modification operation to happen.
- Type:
object
- Properties
- name
- Name of the VirtualHost to match.
- Type:
string
- origin
- Origin is the name of the component or plugin that generated the resource.Here is the list of well-known origins:inbound - resources generated for handling incoming traffic.outbound - resources generated for handling outgoing traffic.transparent - resources generated for transparent proxy functionality.prometheus - resources generated when Prometheus metrics are enabled.direct-access - resources generated for Direct Access functionality.ingress - resources generated for Zone Ingress.egress - resources generated for Zone Egress.gateway - resources generated for MeshGateway.The list is not complete, because policy plugins can introduce new resources.For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
- Type:
string
- routeConfigurationName
- Name of the RouteConfiguration resource to match.
- Type:
string
- name
- operation
required
- Operation to execute on matched listener.
- Type:
string
- The value is restricted to the following:
- "Add"
- "Remove"
- "Patch"
- value
- Value of xDS resource in YAML format to add or patch.
- Type:
string
- jsonPatches
- cluster
- appendModifications
- targetRef
- TargetRef is a reference to the resource the policy takes an effect on.The resource could be either a real store object or virtual resourcedefined inplace.
- Type:
object
- Properties
- kind
- Kind of the referenced resource
- Type:
string
- The value is restricted to the following:
- "Mesh"
- "MeshSubset"
- "MeshGateway"
- "MeshService"
- "MeshExternalService"
- "MeshMultiZoneService"
- "MeshServiceSubset"
- "MeshHTTPRoute"
- labels
- Labels are used to select group of MeshServices that match labels. Either Labels orName and Namespace can be used.
- Type:
object
- This schema accepts additional properties.
- Properties
- mesh
- Mesh is reserved for future use to identify cross mesh resources.
- Type:
string
- name
- Name of the referenced resource. Can only be used with kinds:
MeshService
,MeshServiceSubset
andMeshGatewayRoute
- Type:
string
- Name of the referenced resource. Can only be used with kinds:
- namespace
- Namespace specifies the namespace of target resource. If empty only resources in policy namespacewill be targeted.
- Type:
string
- proxyTypes
- ProxyTypes specifies the data plane types that are subject to the policy. When not specified,all data plane types are targeted by the policy.
- Type:
array
- Item Count: ≥ 1
- Items
- Type:
string
- The value is restricted to the following:
- "Sidecar"
- "Gateway"
- sectionName
- SectionName is used to target specific section of resource.For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
- Type:
string
- tags
- Tags used to select a subset of proxies by tags. Can only be used with kinds
MeshSubset
andMeshServiceSubset
- Type:
object
- This schema accepts additional properties.
- Properties
- Tags used to select a subset of proxies by tags. Can only be used with kinds
- kind
Generated with json-schema-md-doc