Kong Mesh
2.1.x (latest)

Timeout

Timeout is an outbound policy. The data plane proxies whose configuration is modified are those selected by the sources matcher.

This policy enables Kong Mesh to set timeouts on the outbound connections depending on the protocol.

Usage

Specify the proxy to configure with the sources selector, and the outbound connections from the proxy with the destinations selector.

The policy lets you configure timeouts for HTTP, GRPC, and TCP protocols. For more information, see Protocol support in Kong Mesh.

Configuration

Timeouts applied when communicating with services of any protocol:

Field: connectTimeout
Description: time to establish a connection
Default value: 10s
Envoy conf: Cluster

Timeouts applied when communicating with TCP services:

Field: tcp.idleTimeout
Description: period in which there are no bytes sent or received on either the upstream or downstream connection
Default value: disabled
Envoy conf: TCPProxy

Timeouts applied when communicating with HTTP, HTTP2 or GRPC services:

Field: http.requestTimeout
Description: time between the point at which the entire downstream request (i.e. end-of-stream) has been processed and the point at which the upstream response has been completely processed
Default value: disabled
Envoy conf: Route

Field: http.idleTimeout
Description: time at which a downstream or upstream connection will be terminated if there are no active streams
Default value: disabled
Envoy conf: HTTPConnectionManager and Cluster

Field: http.streamIdleTimeout
Description: amount of time that the connection manager will allow a stream to exist with no upstream or downstream activity
Default value: disabled
Envoy conf: HTTPConnectionManager

Field: http.maxStreamDuration
Description: maximum time that a stream’s lifetime will span
Default value: disabled
Envoy conf: Cluster

Default general-purpose Timeout policy

By default, Kong Mesh creates the following Timeout policy:

Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Timeout
mesh: default
metadata:
  name: timeout-all-default
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: '*'
  conf:
    connectTimeout: 5s # all protocols
    tcp: # tcp, kafka
      idleTimeout: 1h
    http: # http, http2, grpc
      requestTimeout: 15s
      idleTimeout: 1h
      streamIdleTimeout: 30m
      maxStreamDuration: 0s

Universal:

type: Timeout
mesh: default
name: timeout-all-default
sources:
  - match:
      kuma.io/service: '*'
destinations:
  - match:
      kuma.io/service: '*'
conf:
  connectTimeout: 5s # all protocols
  tcp: # tcp, kafka
    idleTimeout: 1h
  http: # http, http2, grpc
    requestTimeout: 15s
    idleTimeout: 1h
    streamIdleTimeout: 30m
    maxStreamDuration: 0s

The default Timeout policy works fine in most cases. However, if your application uses GRPC streaming, make sure to set http.requestTimeout to 0s.
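An added example (not from the Kong Mesh docs): a small audit that lists which timeouts a Timeout policy's conf leaves disabled. It assumes omitted fields take the "Default value" listed in the Configuration section and that 0s means disabled, as in the ProxyTemplate comments on this page; the duration syntax handled and the GRPC_STREAMING_CONF sample are constructed for illustration.

```python
import re

# Behaviour when a field is omitted, taken from the Configuration section:
# connectTimeout falls back to 10s, every other field is disabled (None).
FIELD_DEFAULTS = {
    "connectTimeout": "10s",
    "tcp.idleTimeout": None,
    "http.requestTimeout": None,
    "http.idleTimeout": None,
    "http.streamIdleTimeout": None,
    "http.maxStreamDuration": None,
}
UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}

def to_seconds(value):
    """Parse '<number><unit>' durations such as 5s, 30m, 1h (assumed syntax)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return float(m.group(1)) * UNITS[m.group(2)]

def effective_timeouts(conf):
    """Return {field: seconds or None}; None means no timeout is enforced."""
    result = {}
    for field, default in FIELD_DEFAULTS.items():
        node = conf
        for key in field.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        raw = default if node is None else node
        seconds = to_seconds(raw) if raw is not None else None
        # 0s is treated as "disabled", as in the page's ProxyTemplate comments.
        result[field] = seconds if seconds else None
    return result

def unbounded_fields(conf):
    """List the fields for which the policy enforces no timeout at all."""
    return sorted(f for f, s in effective_timeouts(conf).items() if s is None)

# conf of timeout-all-default, copied from the page.
DEFAULT_CONF = {
    "connectTimeout": "5s",
    "tcp": {"idleTimeout": "1h"},
    "http": {"requestTimeout": "15s", "idleTimeout": "1h",
             "streamIdleTimeout": "30m", "maxStreamDuration": "0s"},
}
# Constructed override for a GRPC streaming service: only requestTimeout is set.
GRPC_STREAMING_CONF = {"http": {"requestTimeout": "0s"}}
```

Under these assumptions, an override that sets only http.requestTimeout: 0s also leaves the idle and stream timeouts disabled, so restate the values you want to keep in the override policy.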

Matching

Timeout is an Outbound Connection Policy. The only supported value for destinations.match is kuma.io/service.

Builtin Gateway support

Timeouts are connection policies and are supported by configuring the timeout parameters on the target Envoy cluster. Request timeouts are configured on the Envoy routes and may select a different Timeout policy when a route backend forwards to more than one distinct service.

Mesh configures an idle timeout on the HTTPConnectionManager, but doesn’t consistently use the Timeout policy values for this, so the semantics are ambiguous. There’s no policy that configures the idle timeout for downstream connections to the Gateway.

Inbound timeouts

Currently, there is no policy to set inbound timeouts. Timeouts on the inbound side have constant values:

connectTimeout: 10s 
tcp:
  idleTimeout: 2h
http:
  requestTimeout: 0s
  idleTimeout: 2h
  streamIdleTimeout: 1h
  maxStreamDuration: 0s

If you still need to change inbound timeouts you can use a ProxyTemplate:

Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: ProxyTemplate
mesh: default
metadata:
  name: custom-template-1
spec:
  selectors:
    - match:
        kuma.io/service: '*'
  conf:
    imports:
      - default-proxy
    modifications:
      - networkFilter:
          operation: patch
          match:
            name: envoy.filters.network.http_connection_manager
            origin: inbound
          value: |
            name: envoy.filters.network.http_connection_manager
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              streamIdleTimeout: 0s # disable http.streamIdleTimeout
              common_http_protocol_options:
                idle_timeout: 0s # disable http.idleTimeout

Universal:

type: ProxyTemplate
mesh: default
name: custom-template-1
selectors:
  - match:
      kuma.io/service: "*"
conf:
  imports:
    - default-proxy
  modifications:
    - networkFilter:
        operation: patch
        match:
          name: envoy.filters.network.http_connection_manager
          origin: inbound
        value: |
          name: envoy.filters.network.http_connection_manager
          typedConfig:
            '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            streamIdleTimeout: 0s # disable http.streamIdleTimeout
            common_http_protocol_options:
              idle_timeout: 0s # disable http.idleTimeout

Disabling streamIdleTimeout and idleTimeout is not recommended, since it has a high likelihood of yielding connection leaks.

Non-mesh traffic

When passthrough mode is activated, any non-mesh traffic passes through Envoy without the Timeout policies being applied. Read more about Non-mesh traffic.
