diff --git a/app/_mesh_policies/external-services/index.md b/app/_mesh_policies/external-services/index.md
index 6b6e50bcd9..d376d7924d 100644
--- a/app/_mesh_policies/external-services/index.md
+++ b/app/_mesh_policies/external-services/index.md
@@ -14,18 +14,18 @@ icon: policy.svg
{:.warning}
> This policy is deprecated. Use [`MeshExternalService`](/mesh/meshexternalservice/) instead.
-This policy allows services running inside the mesh to consume services that are not part of the mesh. The `ExternalService` resource allows you to declare specific external resources by name within the mesh, instead of implementing the default [passthrough mode](/docs/{{ page.release }}/networking/non-mesh-traffic#outgoing). Passthrough mode allows access to any non-mesh host by specifying its domain name or IP address, without the ability to apply any traffic policies. The `ExternalService` resource enables the same observability, security, and traffic manipulation for external traffic as for services entirely inside the mesh
+This policy allows services running inside the mesh to consume services that are not part of the mesh. The `ExternalService` resource allows you to declare specific external resources by name within the mesh, instead of implementing the default passthrough mode. Passthrough mode allows access to any non-mesh host by specifying its domain name or IP address, without the ability to apply any traffic policies. The `ExternalService` resource enables the same observability, security, and traffic manipulation for external traffic as for services entirely inside the mesh
-When you enable this policy, you should also [disable passthrough mode](/docs/{{ page.release }}/networking/non-mesh-traffic#outgoing) for the mesh and enable the [data plane proxy builtin DNS](/docs/{{ page.release }}/networking/dns) name resolution.
+When you enable this policy, you should also disable passthrough mode for the mesh and enable the [data plane proxy built-in DNS](/mesh/dns/) name resolution.
## Usage
-Simple configuration of external service requires `name` of the resource, `kuma.io/service: service-name`, and `address`. By default, a protocol used for communication is `TCP`. It's possible to change that by configuring `kuma.io/protocol` tag. Apart from that, it's possible to define TLS configuration used for communication with external services. More information about configuration options can be found [here](#available-policy-fields).
+Simple configuration of external service requires `name` of the resource, `kuma.io/service: service-name`, and `address`. By default, a protocol used for communication is `TCP`. It's possible to change that by configuring `kuma.io/protocol` tag. Apart from that, it's possible to define TLS configuration used for communication with external services. For more information, see [available policy fields](#available-policy-fields).
Below is an example of simple HTTPS external service:
-{% tabs %}
-{% tab Kubernetes %}
+{% navtabs "environment" %}
+{% navtab "Kubernetes" %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: ExternalService
@@ -52,9 +52,9 @@ spec:
Then apply the configuration with `kubectl apply -f [..]`.
-{% endtab %}
+{% endnavtab %}
-{% tab Universal %}
+{% navtab "Universal" %}
```yaml
type: ExternalService
mesh: default
@@ -76,9 +76,9 @@ networking:
secret: clientKey
```
-Then apply the configuration with `kumactl apply -f [..]` or with the [HTTP API](/docs/{{ page.release }}/reference/http-api).
+Then apply the configuration with `kumactl apply -f [..]` or with the HTTP API.
-Universal mode is best combined with [transparent proxy](/docs/{{ page.release }}/production/dp-config/transparent-proxying/). For backward compatibility only, you can consume an external service from within the mesh by filling the proper `outbound` section of the relevant data plane resource:
+Universal mode is best combined with [transparent proxy](/mesh/transparent-proxying/). For backward compatibility only, you can consume an external service from within the mesh by filling the proper `outbound` section of the relevant data plane resource:
```yaml
type: Dataplane
@@ -98,15 +98,15 @@ networking:
Then `httpbin.org` is accessible at `127.0.0.1:10000`.
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
-### Accessing the External Service
+### Accessing the external service
-Consuming the defined service from within the mesh for both Kubernetes and Universal deployments (assuming [transparent proxy](/docs/{{ page.release }}/production/dp-config/transparent-proxying/)) can be done:
+Consuming the defined service from within the mesh for both Kubernetes and Universal deployments (assuming [transparent proxy](/mesh/transparent-proxying/)) can be done:
* With the `.mesh` naming of the service `curl httpbin.mesh`. With this approach, specify port 80.
-* With the real name and port, in this case `curl httpbin.org:443`. This approach works only with [the data plane proxy builtin DNS](/docs/{{ page.release }}/networking/dns) name resolution.
+* With the real name and port, in this case `curl httpbin.org:443`. This approach works only with [the data plane proxy builtin DNS](/mesh/dns/) name resolution.
It's possible to define TLS origination and validation at 2 different layers:
* Envoy is responsible for originating and verifying TLS.
@@ -128,7 +128,7 @@ The first approach has an advantage that we can apply HTTP based policies, becau
* `address` the address of the external service. It has to be a valid IP address or a domain name, and must include a port.
* `tls` is the section to configure the TLS originator when consuming the external service:
* `enabled` turns on and off the TLS origination.
- * `allowRenegotiation` turns on and off TLS renegotiation. It's not recommended enabling this for [security reasons](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto).
+ * `allowRenegotiation` turns on and off TLS renegotiation. We don't recommend enabling this for [security reasons](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto).
However, some servers require this setting to fetch client certificate after TLS handshake. TLS renegotiation is not available in TLS v1.3.
* `serverName` overrides the default Server Name Indication. Set this value to empty string to disable SNI.
* `caCert` the CA certificate for the external service TLS verification.
@@ -137,10 +137,10 @@ The first approach has an advantage that we can apply HTTP based policies, becau
As with other services, avoid duplicating service names under `kuma.io/service` with already existing ones. A good practice is to derive the tag value from the domain name or IP of the actual external service.
-### External Services and Locality Aware Load Balancing
+### External services and locality-aware load balancing
There are might be scenarios when a particular external service should be accessible only from the particular zone.
-In order to make it work we should use `kuma.io/zone` tag for external service. When this tag is set and {% if_version lte:2.5.x %}[locality-aware load balancing](/docs/{{ page.release }}/policies/locality-aware){% endif_version %}{% if_version gte:2.6.x %}[locality-aware load balancing](/docs/{{ page.release }}/policies/meshloadbalancingstrategy){% endif_version %} is enabled
+To make it work we should use `kuma.io/zone` tag for external service. When this tag is set and [locality-aware load balancing](/mesh/policies/meshloadbalancingstrategy/) is enabled
then the traffic from the zone will be redirected only to external services associated with the zone using `kuma.io/zone` tag.
Example:
@@ -167,16 +167,15 @@ networking:
address: zone-2.httpbin.org:80
```
-In this example, when {% if_version lte:2.5.x %}[locality-aware load balancing](/docs/{{ page.release }}/policies/locality-aware){% endif_version %}{% if_version gte:2.6.x %}[locality-aware load balancing](/docs/{{ page.release }}/policies/meshloadbalancingstrategy){% endif_version %} is enabled, if the service in the `zone-1` is trying to set connection with
+In this example, when [locality-aware load balancing](/mesh/policies/meshloadbalancingstrategy/) is enabled, if the service in the `zone-1` is trying to set connection with
`httpbin.mesh` it will be redirected to `zone-1.httpbin.org:80`. Whereas the same request from the `zone-2` will be redirected to `zone-2.httpbin.org:80`.
{:.warning}
-> If `ZoneEgress` is enabled, there is a limitation that prevents the behavior described above from working. The control-plane replaces the external service's address in the remote zone with the IP address of `ZoneEgress`. This causes a problem because Envoy does not support a cluster that use both DNS and IP addresses as endpoints definition.
+> If `ZoneEgress` is enabled, there is a limitation that prevents the behavior described above from working. The control plane replaces the external service's address in the remote zone with the IP address of `ZoneEgress`. This causes a problem because Envoy does not support a cluster that use both DNS and IP addresses as endpoints definition.
-
-## Builtin Gateway support
+## Built-in Gateway support
{{site.mesh_product_name}} Gateway fully supports external services.
Note that mesh Dataplanes can be configured with the same `kuma.io/service` tag as an external service resource.
In this scenario, {{site.mesh_product_name}} Gateway will prefer the ExternalService and not route any traffic to the Dataplanes.
-Note that before gateway becomes generally available this behaviour will change to be the same as for any other dataplanes.
+Note that before the gateway becomes generally available, this behavior matches that of any other dataplanes.
diff --git a/app/_mesh_policies/meshaccesslog/index.md b/app/_mesh_policies/meshaccesslog/index.md
index bdfb59f8f9..e6f14bc3a3 100644
--- a/app/_mesh_policies/meshaccesslog/index.md
+++ b/app/_mesh_policies/meshaccesslog/index.md
@@ -15,98 +15,75 @@ related_resources:
url: /mesh/meshopentelemetrybackend/
---
+{:.info}
+> This guide assumes you have already configured your observability tools to work with {{site.mesh_product_name}}.
+> If you haven't, see the [observability docs](/mesh/observability/).
+## `targetRef` support matrix
-{% tip %}
-This guide assumes you have already configured your observability tools to work with Kuma.
-If you haven't, see the [observability docs](/docs/{{ page.release }}/explore/observability).
-{% endtip %}
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`, `MeshExternalService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+ - targetref: "`from[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`, `MeshExternalService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
-## `targetRef` support matrix
-{% if_version gte:2.4.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version gte:2.4.x %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-{% if_version lte:2.5.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | ----------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version gte:2.6.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | ------------------------------------------------ |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with `tags` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% endtab %}
-
-{% if_version gte:2.6.x %}
-{% tab Delegated Gateway %}
-{% if_version gte:2.6.x %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-{% endif_version %}
-{% endtab %}
-{% endif_version %}
-
-{% endtabs %}
-{% endif_version %}
-
-{% if_version lte:2.3.x %}
-
-| `targetRef.kind` | top level | to | from |
-| ------------------- | --------- | --- | ---- |
-| `Mesh` | ✅ | ✅ | ✅ |
-| `MeshSubset` | ✅ | ❌ | ❌ |
-| `MeshService` | ✅ | ✅ | ❌ |
-| `MeshServiceSubset` | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
## Configuration
### Format
-Kuma gives you full control over the format of the access logs.
+{{site.mesh_product_name}} gives you full control over the format of the access logs.
The shape of a single log record is defined by a template string that uses [command operators](https://www.envoyproxy.io/docs/envoy/v1.22.0/configuration/observability/access_log/usage#command-operators) to extract and format data about a `TCP` connection or an `HTTP` request.
@@ -118,19 +95,32 @@ For example:
`%START_TIME%` and `%KUMA_SOURCE_SERVICE%` are examples of available _command operators_.
-All _command operators_ [defined by Envoy](https://www.envoyproxy.io/docs/envoy/v1.22.0/configuration/observability/access_log/usage#command-operators) are supported, along with additional _command operators_ defined by Kuma:
-
-| Command Operator | Description |
-|--------------------------------------|------------------------------------------------------------------|
-| `%KUMA_MESH%` | Name of the mesh in which traffic is flowing. |
-| `%KUMA_SOURCE_SERVICE%` | Name of a `service` that is the `source` of traffic. |
-| `%KUMA_DESTINATION_SERVICE%` | Name of a `service` that is the `destination` of traffic. |
-| `%KUMA_SOURCE_ADDRESS_WITHOUT_PORT%` | Address of a `Dataplane` that is the `source` of traffic. |
-| `%KUMA_TRAFFIC_DIRECTION%` | Direction of the traffic, `INBOUND`, `OUTBOUND`, or `UNSPECIFIED`. |
+All _command operators_ [defined by Envoy](https://www.envoyproxy.io/docs/envoy/v1.22.0/configuration/observability/access_log/usage#command-operators) are supported, along with additional _command operators_ defined by {{site.mesh_product_name}}:
+
+
+{% table %}
+columns:
+ - title: Command Operator
+ key: command_operator
+ - title: Description
+ key: description
+rows:
+ - command_operator: "`%KUMA_MESH%`"
+ description: Name of the mesh in which traffic is flowing.
+ - command_operator: "`%KUMA_SOURCE_SERVICE%`"
+ description: "Name of a `service` that is the `source` of traffic."
+ - command_operator: "`%KUMA_DESTINATION_SERVICE%`"
+ description: "Name of a `service` that is the `destination` of traffic."
+ - command_operator: "`%KUMA_SOURCE_ADDRESS_WITHOUT_PORT%`"
+ description: "Address of a `Dataplane` that is the `source` of traffic."
+ - command_operator: "`%KUMA_TRAFFIC_DIRECTION%`"
+ description: "Direction of the traffic, `INBOUND`, `OUTBOUND`, or `UNSPECIFIED`."
+{% endtable %}
+
All additional access log _command operators_ are valid to use with both `TCP` and `HTTP` traffic.
-Internally, Kuma [determines traffic protocol](/docs/{{ page.release }}/policies/protocol-support-in-kuma) based on the value of `kuma.io/protocol` tag on the `inbound` interface of a `destination` `Dataplane`.
+Internally, {{site.mesh_product_name}} determines traffic protocol based on the value of `kuma.io/protocol` tag on the `inbound` interface of a `destination` `Dataplane`.
There are two types of `format`, `plain` and `json`.
@@ -138,7 +128,7 @@ Plain accepts a string with _command operators_ and produces a string output.
JSON accepts a list of key-value pairs that produces a valid JSON object.
-It is up to the user to decide which format type to use.
+The user decides which format type to use.
Some system will automatically parse JSON logs and allow you to filter and query based on available keys.
If a _command operator_ is specific to `HTTP` traffic, such as `%REQ(X?Y):Z%` or `%RESP(X?Y):Z%`, in the case of TCP traffic it will be replaced by a symbol "`-`" for `plain` and a `null` value for `json`.
@@ -161,19 +151,11 @@ The default format string for `HTTP` traffic is:
Example configuration:
-{% if_version lte:2.2.x %}
-```yaml
-format:
- plain: '[%START_TIME%] %BYTES_RECEIVED%'
-```
-{% endif_version %}
-{% if_version gte:2.3.x %}
```yaml
format:
type: Plain
plain: '[%START_TIME%] %BYTES_RECEIVED%'
```
-{% endif_version %}
Example output:
@@ -185,17 +167,6 @@ Example output:
Example configuration:
-{% if_version lte:2.2.x %}
-```yaml
-format:
- json:
- - key: "start_time"
- value: "%START_TIME%"
- - key: "bytes_received"
- value: "%BYTES_RECEIVED%"
-```
-{% endif_version %}
-{% if_version gte:2.3.x %}
```yaml
format:
type: Json
@@ -205,7 +176,6 @@ format:
- key: "bytes_received"
value: "%BYTES_RECEIVED%"
```
-{% endif_version %}
Example output:
@@ -219,33 +189,6 @@ Example output:
{% details %}
summary: "TCP configuration with default fields:"
content: |
- {% if_version lte:2.2.x %}
- ```yaml
- format:
- json:
- - key: "start_time"
- value: "%START_TIME%"
- - key: "response_flags"
- value: "%RESPONSE_FLAGS%"
- - key: "kuma_mesh"
- value: "%KUMA_MESH%"
- - key: "kuma_source_address_without_port"
- value: "%KUMA_SOURCE_ADDRESS_WITHOUT_PORT%"
- - key: "kuma_source_service"
- value: "%KUMA_SOURCE_SERVICE%"
- - key: "upstream_host"
- value: "%UPSTREAM_HOST%"
- - key: "kuma_destination_service"
- value: "%KUMA_DESTINATION_SERVICE%"
- - key: "duration_ms"
- value: "%DURATION%"
- - key: "bytes_sent"
- value: "%BYTES_SENT%"
- - key: "bytes_received"
- value: "%BYTES_RECEIVED%"
- ```
- {% endif_version %}
- {% if_version gte:2.3.x %}
```yaml
format:
type: Json
@@ -271,57 +214,11 @@ content: |
- key: "bytes_received"
value: "%BYTES_RECEIVED%"
```
- {% endif_version %}
{% enddetails %}
{% details %}
summary: "HTTP configuration with default fields:"
content: |
- {% if_version lte:2.2.x %}
- ```yaml
- format:
- json:
- - key: "start_time"
- value: "%START_TIME%"
- - key: "kuma_mesh"
- value: "%KUMA_MESH%"
- - key: 'method'
- value: '"%REQ(:METHOD)%'
- - key: "path"
- value: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
- - key: 'protocol'
- value: '%PROTOCOL%'
- - key: "response_code"
- value: "%RESPONSE_CODE%"
- - key: "response_flags"
- value: "%RESPONSE_FLAGS%"
- - key: "bytes_received"
- value: "%BYTES_RECEIVED%"
- - key: "bytes_sent"
- value: "%BYTES_SENT%"
- - key: "duration_ms"
- value: "%DURATION%"
- - key: "upstream_service_time"
- value: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
- - key: 'x_forwarded_for'
- value: '"%REQ(X-FORWARDED-FOR)%"'
- - key: 'user_agent'
- value: '"%REQ(USER-AGENT)%"'
- - key: 'request_id'
- value: '"%REQ(X-REQUEST-ID)%"'
- - key: 'authority'
- value: '"%REQ(:AUTHORITY)%"'
- - key: "kuma_source_service"
- value: "%KUMA_SOURCE_SERVICE%"
- - key: "kuma_destination_service"
- value: "%KUMA_DESTINATION_SERVICE%"
- - key: "kuma_source_address_without_port"
- value: "%KUMA_SOURCE_ADDRESS_WITHOUT_PORT%"
- - key: "upstream_host"
- value: "%UPSTREAM_HOST%"
- ```
- {% endif_version %}
- {% if_version gte:2.3.x %}
```yaml
format:
type: Json
@@ -365,10 +262,8 @@ content: |
- key: "upstream_host"
value: "%UPSTREAM_HOST%"
```
- {% endif_version %}
{% enddetails %}
-
### Backends
A backend determines where the logs end up.
@@ -378,42 +273,24 @@ A backend determines where the logs end up.
A TCP backend streams logs to a server via TCP protocol.
You can configure a TCP backend with an address:
-{% if_version lte:2.2.x %}
-```yaml
-backends:
- - tcp:
- address: 127.0.0.1:5000
-```
-{% endif_version %}
-{% if_version gte:2.3.x %}
```yaml
backends:
- type: Tcp
tcp:
address: 127.0.0.1:5000
```
-{% endif_version %}
#### File
A file backend streams logs to a text file.
You can configure a file backend with a path:
-{% if_version lte:2.2.x %}
-```yaml
-backends:
- - file:
- path: /dev/stdout
-```
-{% endif_version %}
-{% if_version gte:2.3.x %}
```yaml
backends:
- type: File
file:
path: /dev/stdout
```
-{% endif_version %}
#### OpenTelemetry
@@ -421,23 +298,6 @@ An OpenTelemetry (OTEL) backend sends data to an OpenTelemetry server.
You can configure an OpenTelemetry backend with an endpoint, [attributes](https://opentelemetry.io/docs/specs/otel/logs/data-model/#field-attributes) (which contain additional information about the log) and [body](https://opentelemetry.io/docs/specs/otel/logs/data-model/#field-body) (can be a string message, including multi-line, or it can be a structured data).
Attributes and endpoints can use placeholders described in the [format section](#format).
-{% if_version eq:2.2.x %}
-```yaml
-backends:
- - openTelemetry:
- endpoint: otel-collector:4317
- body:
- kvlistValue:
- values:
- - key: "mesh"
- value:
- stringValue: "%KUMA_MESH%"
- attributes:
- - key: "start_time"
- value: "%START_TIME%"
-```
-{% endif_version %}
-{% if_version gte:2.3.x %}
```yaml
backends:
- type: OpenTelemetry
@@ -453,7 +313,6 @@ backends:
- key: "start_time"
value: "%START_TIME%"
```
-{% endif_version %}
### Body
Body is of type [any](https://opentelemetry.io/docs/specs/otel/logs/data-model/#type-any) (defined [here](https://github.com/open-telemetry/opentelemetry-proto/blob/342e1d4c3a1fe43312823ffb53bd38327f263059/opentelemetry/proto/common/v1/common.proto#L28-L40))
@@ -498,4 +357,4 @@ body:
- key: "mesh"
value:
stringValue: "%KUMA_MESH%"
-```
\ No newline at end of file
+```
diff --git a/app/_mesh_policies/meshcircuitbreaker/index.md b/app/_mesh_policies/meshcircuitbreaker/index.md
index fb2b4544b2..250b8a3ea4 100644
--- a/app/_mesh_policies/meshcircuitbreaker/index.md
+++ b/app/_mesh_policies/meshcircuitbreaker/index.md
@@ -9,19 +9,17 @@ type: policy
icon: meshcircuitbreaker.png
---
-This policy will look for errors in the live traffic being exchanged between our data plane proxies. It will mark a data
-proxy as unhealthy if certain conditions are met. The policy will ensure that no additional traffic can reach an
+This policy looks for errors in the live traffic being exchanged between our data plane proxies. It marks a data plane
+proxy as unhealthy if certain conditions are met. The policy ensures that no additional traffic can reach an
unhealthy data plane proxy until it is healthy again.
Circuit breakers - unlike active [MeshHealthChecks](/mesh/policies/meshhealthcheck/) - do not send
additional traffic to our data plane proxies but they rather inspect the existing service traffic. They are also
commonly used to prevent cascading failures.
-
Like a real-world circuit breaker when the circuit is **closed** then traffic between a source and destination data
plane proxy is allowed to freely flow through it. When it is **open** then the traffic is interrupted.
-
The conditions that determine when a circuit breaker is closed or open are being configured on connection limits or
outlier detection basis. For outlier detection to open circuit breaker you can configure what we call _detectors_.
This policy provides 5 different types of detectors, and they are triggered on some deviations in the upstream service
@@ -29,145 +27,72 @@ behavior. All detectors could coexist on the same outbound interface.
Once one of the detectors has been triggered the corresponding data plane proxy is ejected from the set of the load
balancer for a period equal to [baseEjectionTime](#outlier-detection). Every further ejection of the same data plane
-proxy will further extend the [baseEjectionTime](#outlier-detection) multiplied by the number of ejections: for example
-the fourth ejection will be lasting for a period of time of `4 * baseEjectionTime`.
+proxy extends the [baseEjectionTime](#outlier-detection) multiplied by the number of ejections: for example
+the fourth ejection lasts for a period of `4 * baseEjectionTime`.
This policy provides **passive** checks.
-If you want to configure **active** checks, please use the [MeshHealthCheck](/docs/{{ page.release }}/policies/meshhealthcheck)
+If you want to configure **active** checks, please use the [MeshHealthCheck](/mesh/policies/meshhealthcheck/)
policy.
Data plane proxies with **passive** checks won't explicitly send requests to other data plane proxies to determine if
target proxies are healthy or not.
-
## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% navtabs "support matrix" %}
+{% navtabs "support-matrix" %}
{% navtab "Sidecar" %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
{% endnavtab %}
-
-{% navtab "Builtin Gateway" %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`|
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
{% endnavtab %}
{% navtab "Delegated Gateway" %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
{% endnavtab %}
{% endnavtabs %}
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| `targetRef.kind` | top level | to | from |
-| ------------------- | --------- | --- | ---- |
-| `Mesh` | ✅ | ✅ | ✅ |
-| `MeshSubset` | ✅ | ❌ | ❌ |
-| `MeshService` | ✅ | ✅ | ❌ |
-| `MeshServiceSubset` | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-
-## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`|
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endtab %}
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| `targetRef.kind` | top level | to | from |
-| ------------------- | --------- | --- | ---- |
-| `Mesh` | ✅ | ✅ | ✅ |
-| `MeshSubset` | ✅ | ❌ | ❌ |
-| `MeshService` | ✅ | ✅ | ❌ |
-| `MeshServiceSubset` | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
## Configuration
@@ -187,11 +112,10 @@ To learn more about the information in this table, see the [matching docs](/docs
### Outlier detection
-Outlier detection can be configured for [HTTP, TCP or gRPC](/docs/{{ page.release }}/policies/protocol-support-in-kuma) traffic.
+Outlier detection can be configured for HTTP, TCP or gRPC traffic.
-{% warning %}
-For **gRPC** requests, the outlier detection will use the HTTP status mapped from the `grpc-status` response header.
-{% endwarning %}
+{:.warning}
+> For **gRPC** requests, the outlier detection will use the HTTP status mapped from the `grpc-status` response header.
- **`disabled`** - (optional) When set to true, `outlierDetection` configuration won't take any effect.
- **`interval`** - (optional) The time interval between ejection analysis sweeps. This can result in both new ejections
@@ -205,27 +129,23 @@ For **gRPC** requests, the outlier detection will use the HTTP status mapped fro
account: `detectors.localOriginFailures.consecutive`.
- **`detectors`** - Contains configuration for supported outlier detectors. At least one detector needs to be configured
when policy is configured for outlier detection.
-{% if_version gte:2.10.x %}
-- **`healthyPanicThreshold`** - (optional) Allows to configure panic threshold for Envoy cluster. If not specified,
+- {% new_in 2.10 %} **`healthyPanicThreshold`** - (optional) Allows to configure panic threshold for Envoy cluster. If not specified,
the default is 50%. To disable panic mode, set to 0%.
-{% endif_version %}
-
#### Detectors configuration
Configuration for supported outlier detectors. At least one detector needs to be configured when policy is configured for outlier detection.
-{% tabs %}
-{% tab detectors Total Failures %}
+{% navtabs "detectors" %}
+{% navtab "Total Failures" %}
Depending on mode the outlier detection can take into account all or externally originated (transaction) errors only.
-{% tabs %}
-{% tab totalFailures_modes Default Mode %}
+{% navtabs "totalFailures-modes" %}
+{% navtab "Default Mode" %}
-{% tip %}
-Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
-{% endtip %}
+{:.info}
+> Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
This detection type takes into account all generated errors: **locally originated** and **externally originated** (transaction) errors.
@@ -253,23 +173,21 @@ spec:
consecutive: 10
```
-{% endtab %}
+{% endnavtab %}
-{% tab totalFailures_modes Split Mode %}
+{% navtab "Split Mode" %}
-{% tip %}
-Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
-{% endtip %}
+{:.info}
+> Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
This detection type takes into account only externally originated (transaction) errors, ignoring locally originated ones.
-[**HTTP**](/docs/{{ page.release }}/policies/protocol-support-in-kuma)
+**HTTP**
If an upstream host is an HTTP-server, only 5xx types of error are taken into account (see Consecutive Gateway Failure for exceptions).
-{% warning %}
-Properly formatted responses, even when they carry an operational error (like index not found, access denied) are not taken into account.
-{% endwarning %}
+{:.warning}
+> Properly formatted responses, even when they carry an operational error (like index not found, access denied) are not taken into account.
**Configuration**
@@ -295,22 +213,21 @@ spec:
consecutive: 10
```
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
-{% endtab %}
-{% tab detectors Gateway Failures %}
+{% endnavtab %}
+{% navtab "Gateway Failures" %}
Depending on mode the outlier detection can take into account gateway failures with locally originated failures (default mode) or gateway failures only (split mode).
-{% tabs %}
-{% tab gatewayFailures_modes Default Mode %}
+{% navtabs "gatewayFailures-modes" %}
+{% navtab "Default Mode" %}
-{% tip %}
-Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
-{% endtip %}
+{:.info}
+> Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
-This detection type takes into account a subset of **5xx** errors, called "gateway errors" (**502**, **503** or **504** status code) and local origin failures, such as **timeout**, **TCP reset** etc.
+This detection type takes into account a subset of **5xx** errors, called "gateway errors" (**502**, **503** or **504** status code) and local origin failures, such as **timeout**, **TCP reset** and so on
**Configuration**
@@ -336,19 +253,17 @@ spec:
consecutive: 10
```
-{% endtab %}
+{% endnavtab %}
-{% tab gatewayFailures_modes Split Mode %}
+{% navtab "Split Mode" %}
-{% tip %}
-Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
-{% endtip %}
+{:.info}
+> Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
This detection type takes into account a subset of **5xx** errors, called "gateway errors" (**502**, **503** or **504** status code).
-{% warning %}
-This detector is supported only for HTTP traffic.
-{% endwarning %}
+{:.warning}
+> This detector is supported only for HTTP traffic.
**Configuration**
@@ -375,26 +290,24 @@ spec:
consecutive: 10
```
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
-{% endtab %}
-{% tab detectors Locally Originated Failures %}
+{% endnavtab %}
+{% navtab "Locally Originated Failures" %}
-{% warning %}
-This detection is supported only in Split Mode
-{% endwarning %}
+{:.warning}
+> This detection is supported only in Split Mode
This detection takes into account only locally originated errors (timeout, reset, etc).
-If Envoy repeatedly cannot connect to an upstream host or communication with the upstream host is repeatedly interrupted, it will be ejected. Various locally originated problems are detected: timeout, TCP reset, ICMP errors, etc.
+If Envoy repeatedly cannot connect to an upstream host or communication with the upstream host is repeatedly interrupted, it will be ejected. Various locally originated problems are detected: timeout, TCP reset, ICMP errors, and so on
-{% tabs %}
-{% tab localOriginFailures_modes Split Mode %}
+{% navtabs "localOriginFailures-modes" %}
+{% navtab "Split Mode" %}
-{% tip %}
-Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
-{% endtip %}
+{:.info}
+> Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
**Configuration**
@@ -419,44 +332,42 @@ spec:
localOriginFailures:
consecutive: 10
```
-{% endtab %}
-{% tab localOriginFailures_modes Default Mode %}
+{% endnavtab %}
+{% navtab "Default Mode" %}
This detection is not supported in the Default Mode
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
-{% endtab %}
-{% tab detectors Success Rate %}
+{% endnavtab %}
+{% navtab "Success Rate" %}
Success Rate based outlier detection aggregates success rate data from every host in an Envoy Cluster. Then at given intervals ejects hosts based on statistical outlier detection.
-Success Rate outlier detection will not be calculated for a host if its request volume over the aggregation interval is less than the value of `successRate.requestVolume`
+Success Rate outlier detection is not calculated for a host if its request volume over the aggregation interval is less than the value of `successRate.requestVolume`
value.
-Moreover, detection will not be performed for a cluster if the number of hosts with the minimum required request volume in an interval is less than the `successRate.minimumHosts` value.
+Moreover, detection is not performed for a cluster if the number of hosts with the minimum required request volume in an interval is less than the `successRate.minimumHosts` value.
-{% tabs %}
-{% tab successRate_modes Default Mode %}
+{% navtabs "successRate-modes" %}
+{% navtab "Default Mode" %}
-{% tip %}
-Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
-{% endtip %}
+{:.info}
+> Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
This detection type takes into account all types of errors: locally and externally originated.
-{% endtab %}
-{% tab successRate_modes Split Mode %}
+{% endnavtab %}
+{% navtab "Split Mode" %}
-{% tip %}
-Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
-{% endtip %}
+{:.info}
+> Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
Locally originated errors and externally originated (transaction) errors are counted and treated separately.
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
**Configuration**
@@ -486,41 +397,39 @@ spec:
standardDeviationFactor: "1.9"
```
-{% endtab %}
-{% tab detectors Failure Percentage %}
+{% endnavtab %}
+{% navtab "Failure Percentage" %}
Failure Percentage based outlier detection functions similarly to success rate detection, in that it relies on success rate data from each host in an Envoy Cluster. However, rather than compare those values to the mean success rate of the Cluster as a whole, they are compared to a flat user-configured threshold. This threshold is configured via the [`failurePercentageThreshold`](#outlier-detection) field.
The other configuration fields for failure percentage based detection are similar to the fields for success rate detection. As with success rate detection, detection will not be performed for a host if its request volume over the aggregation interval is less than the `failurePercentage.requestVolume` value.
-Detection also will not be performed for an Envoy Cluster if the number of hosts with the minimum required request volume in an interval is less than the `failurePercentage.minimumHosts` value.
+Detection is also not performed for an Envoy Cluster if the number of hosts with the minimum required request volume in an interval is less than the `failurePercentage.minimumHosts` value.
-{% tabs %}
-{% tab failurePercentage_modes Default Mode %}
+{% navtabs "failurePercentage-modes" %}
+{% navtab "Default Mode" %}
-{% tip %}
-Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
-{% endtip %}
+{:.info}
+> Default mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is not set or equal `false`
This detection type takes into account all types of errors: locally and externally originated.
-{% endtab %}
-{% tab failurePercentage_modes Split Mode %}
+{% endnavtab %}
+{% navtab "Split Mode" %}
-{% tip %}
-Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
-{% endtip %}
+{:.info}
+> Split Mode is when [`splitExternalAndLocalErrors`](#outlier-detection) is equal `true`
Locally originated errors and externally originated (transaction) errors are counted and treated separately.
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
**Configuration**
-- **`failurePercentage.requestVolume`** - The minimum number of hosts in an Envoy Cluster in order to perform failure percentage-based ejection. If the total number of hosts in the Cluster is less than this value, failure percentage-based ejection will not be performed.
-- **`failurePercentage.minimumHosts`** - The minimum number of total requests that must be collected in one interval (as defined by the interval duration above) to perform failure percentage-based ejection for this host. If the volume is lower than this setting, failure percentage-based ejection will not be performed for this host.
-- **`failurePercentage.threshold`** - The failure percentage to use when determining failure percentage-based outlier detection. If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+- **`failurePercentage.requestVolume`** - The minimum number of hosts in an Envoy Cluster to perform failure percentage-based ejection. If the total number of hosts in the Cluster is less than this value, failure percentage-based ejection is not performed.
+- **`failurePercentage.minimumHosts`** - The minimum number of total requests that must be collected in one interval (as defined by the interval duration above) to perform failure percentage-based ejection for this host. If the volume is lower than this setting, failure percentage-based ejection is not performed for this host.
+- **`failurePercentage.threshold`** - The failure percentage to use when determining failure percentage-based outlier detection. If the failure percentage of a given host is greater than or equal to this value, it is ejected.
**Example**
@@ -544,8 +453,8 @@ spec:
threshold: 85
```
-{% endtab %}
+{% endnavtab %}
-{% endtabs %}
+{% endnavtabs %}
diff --git a/app/_mesh_policies/meshfaultinjection/index.md b/app/_mesh_policies/meshfaultinjection/index.md
index 48cc0e3913..5ac47ee4eb 100644
--- a/app/_mesh_policies/meshfaultinjection/index.md
+++ b/app/_mesh_policies/meshfaultinjection/index.md
@@ -9,93 +9,59 @@ type: policy
icon: meshfaultinjection.png
---
-
-{% warning %}
-This policy uses a new policy matching algorithm.
-Do **not** combine with the now deprecated [FaultInjection](/docs/{{ page.release }}/policies/fault-injection).
-{% endwarning %}
+{:.warning}
+> This policy uses a new policy matching algorithm.
+> Do **not** combine with the now deprecated FaultInjection policy.
## `targetRef` support matrix
-{% if_version gte:2.7.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshServiceSubset` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`|
-| `to[].targetRef.kind` | `Mesh` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-
-`MeshFaultInjection` isn't supported on delegated gateways.
-
-{% endtab %}
-{% endtabs %}
-
-{% endif_version %}
-
-{% if_version eq:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`|
-| `to[].targetRef.kind` | `Mesh` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`from[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`, `MeshServiceSubset`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
`MeshFaultInjection` isn't supported on delegated gateways.
-{% endtab %}
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| `targetRef.kind` | top level | to | from |
-| ------------------- | --------- | --- | ---- |
-| `Mesh` | ✅ | ❌ | ✅ |
-| `MeshSubset` | ✅ | ❌ | ✅ |
-| `MeshService` | ✅ | ❌ | ✅ |
-| `MeshServiceSubset` | ✅ | ❌ | ✅ |
+{% endnavtab %}
+{% endnavtabs %}
-{% endif_version %}
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
## Configuration
-`MeshFaultInjection` allows configuring a list of HTTP faults. They execute in the same order as they were defined.
+`MeshFaultInjection` lets you configure a list of HTTP faults. They execute in the same order as they were defined.
```yaml
default:
@@ -135,14 +101,14 @@ That means that for 70% of requests, it returns 500 and for 50% of the 30% that
Abort defines a configuration of not delivering requests to destination service and replacing the responses from destination data plane by
predefined status code.
-- `httpStatus` - HTTP status code which will be returned to source side, has to be in [100 - 599] range
+- `httpStatus` - HTTP status code returned to the source side, in the [100 - 599] range
- `percentage` - a percentage of requests on which abort will be injected, has to be in [0.0 - 100.0] range. If the value is a double number, put it in quotes.
### Delay
Delay defines a configuration of delaying a response from a destination.
-- `value` - the duration during which the response will be delayed
+- `value` - the duration during which the response is delayed
- `percentage` - a percentage of requests on which abort will be injected, has to be in [0.0 - 100.0] range. If the value is a double number, put it in quotes.
### ResponseBandwidth limit
diff --git a/app/_mesh_policies/meshglobalratelimit/index.md b/app/_mesh_policies/meshglobalratelimit/index.md
index 5e394a08e5..c0cf4de08c 100644
--- a/app/_mesh_policies/meshglobalratelimit/index.md
+++ b/app/_mesh_policies/meshglobalratelimit/index.md
@@ -62,12 +62,12 @@ limits, deny response is returned.
Besides the basic service configuration that is provided on startup, the ratelimit service needs a limits configuration. Limits configuration
is loaded dynamically from the control plane. Ratelimit service uses xDS protocol for this, which is the same protocol that the data plane proxy
-uses for communicating with the control plane. The control plane will periodically compute any new limits configuration and send it to ratelimit service.
+uses for communicating with the control plane. The control plane periodically computes any new limits configuration and sends it to the ratelimit service.
### Rate limiting algorithm
The ratelimit service uses a fixed window algorithm. It allocates a new counter for each time unit. Let's assume that we have configured limits to
-10 requests per minute. At the beginning of each minute, ratelimit service will create a new counter.
+10 requests per minute. At the beginning of each minute, ratelimit service creates a new counter.
@@ -95,8 +95,8 @@ When it comes to multi-zone deployments, you should deploy the ratelimit service
> Figure 3: Diagram of multi-zone ratelimit setup with Redis per zone.
-The first option is to deploy Redis in every zone. In this setup, limits will be applied per zone. Since each zone will have its own counters cache,
-requests will be faster, and it will be easier to distribute your system geographically.
+The first option is to deploy Redis in every zone. In this setup, limits apply per zone. Since each zone has its own counters cache,
+requests are faster, and it will be easier to distribute your system geographically.
@@ -114,36 +114,41 @@ TODO: document how to generate and use zone token on universal.-->
## TargetRef support matrix
-{% if_version gte:2.7.x %}
-{% tabs %}
-{% tab Sidecar %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | ------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway` |
-| `to[].targetRef.kind` | `Mesh` |
-{% endtab %}
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | Top level | To | From |
-| ----------------- | --------- | --- | ---- |
-| Mesh | ✅ | ❌ | ✅ |
-| MeshSubset | ❌ | ❌ | ❌ |
-| MeshService | ✅ | ❌ | ❌ |
-| MeshServiceSubset | ❌ | ❌ | ❌ |
-| MeshGatewayRoute | ❌ | ❌ | ❌ |
-
-{% endif_version %}
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`, `MeshService`"
+ - targetref: "`from[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+{% endnavtabs %}
## Configuration
@@ -348,11 +353,11 @@ spec:
### Combining MeshRateLimit with MeshGlobalRateLimit
You can combine MeshRateLimit and MeshGlobalRateLimit policies. By doing this, you can specify a local limit that is more strict than the global rate limit.
-When the local rate limit is reached, the data plane proxy will stop sending requests to ratelimit service.
+When the local rate limit is reached, the data plane proxy stops sending requests to the ratelimit service.
This could lower network traffic between the data plane proxy and the ratelimit service. Also, it can protect your ratelimit service from a DDoS "attack" by your services.
Moreover, this could be used to more evenly distribute traffic to the ratelimit service and mitigate the problem of depleting whole limit at the beginning of the counter window.
-This is described in the [previous section](/mesh/policies/meshglobalratelimit/#rate-limiting-algorithm).
+This is described in the previous section.
{% navtabs "meshglobalratelimit-example" %}
{% navtab "Kubernetes" %}
@@ -362,7 +367,7 @@ apiVersion: kuma.io/v1alpha1
kind: MeshRateLimit
metadata:
name: demo-local-rate-limit
- namespace: kuma-system
+ namespace: kong-mesh-system
spec:
targetRef:
kind: MeshService
@@ -441,8 +446,6 @@ spec:
{{site.mesh_product_name}} is using the Envoy Rate Limit service reference implementation. You can read the [source code and documentation](https://github.com/envoyproxy/ratelimit) from the Envoy Proxy GitHub repository.
-
-
## Ratelimit service
{{site.mesh_product_name}} is using the Envoy Rate Limit service reference implementation. You can read the [source code and documentation](https://github.com/envoyproxy/ratelimit) from the Envoy Proxy GitHub repository.
@@ -469,7 +472,7 @@ The descriptor key will always be `kuma.io/service`, and the descriptor value wi
Therefore, we can deduct that this configuration will apply to `demo-app_kuma-demo_svc_5000` service in the `default`
mesh. For the second part of the configuration, we have information about the request limit and unit to which
this limit will be applied. Shadow mode specifies if request should be limited after reaching the configured limit. If `shadow_mode` is set
-to `true`, the ratelimit service will not deny requests to your service, it will only update the ratelimit service metrics.
+to `true`, the ratelimit service does not deny requests to your service, it only updates the ratelimit service metrics.
### Performance improvements
@@ -486,7 +489,7 @@ You should refer to [ratelimit service documentation](https://github.com/envoypr
### Example
-The following example shows how to deploy and test a sample `MeshGlobalRateLimit` policy on Kubernetes, using the kuma-demo application.
+The following example shows how to deploy and test a sample `MeshGlobalRateLimit` policy on Kubernetes, using the kong-mesh-demo application.
1. First, we need to deploy Redis in our Kubernetes cluster:
@@ -560,7 +563,7 @@ The following example shows how to deploy and test a sample `MeshGlobalRateLimit
2. We are all set up. Now you can try making few requests to the external IP of your gateway and you will see an error after reaching limits. You can find the IP with command:
```bash
- kubectl -n kuma-demo get service demo-app-gateway
+ kubectl -n kong-mesh-demo get service demo-app-gateway
```
You can configure more with this demo, such as changing limits or trying out other examples from this documentation.
diff --git a/app/_mesh_policies/meshhealthcheck/index.md b/app/_mesh_policies/meshhealthcheck/index.md
index 1012284b55..60662e135f 100644
--- a/app/_mesh_policies/meshhealthcheck/index.md
+++ b/app/_mesh_policies/meshhealthcheck/index.md
@@ -9,12 +9,9 @@ type: policy
icon: meshhealthcheck.png
---
-
-
-{% warning %}
-This policy uses new policy matching algorithm.
-Do **not** combine with the deprecated HealthCheck policy.
-{% endwarning %}
+{:.warning}
+> This policy uses new policy matching algorithm.
+> Do **not** combine with the deprecated HealthCheck policy.
This policy enables {{site.mesh_product_name}} to keep track of the health of every data plane proxy,
with the goal of minimizing the number of failed requests in case a data plane proxy is temporarily unhealthy.
@@ -27,72 +24,67 @@ When an unhealthy proxy returns to a healthy state,
This policy provides **active** checks.
If you want to configure **passive** checks,
-please use the [MeshCircuitBreaker](/docs/{{ page.release }}/policies/meshcircuitbreaker) policy.
+please use the [MeshCircuitBreaker](/mesh/policies/meshcircuitbreaker/) policy.
Data plane proxies with **active** checks will explicitly send requests to other data plane proxies to determine if target proxies are healthy or not.
This mode generates extra traffic to other proxies and services as described in the policy configuration.
## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`|
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endtab %}
-
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | top level | to | from |
-| ----------------- | --------- | --- | ---- |
-| Mesh | ✅ | ✅ | ❌ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ✅ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
+
+
## Configuration
@@ -100,11 +92,10 @@ The `MeshHealthCheck` policy supports both L4/TCP and L7/HTTP/gRPC checks.
### Protocol selection
-The health check protocol is selected by picking the most [specific protocol](/docs/{{ page.release }}/policies/protocol-support-in-kuma)
+The health check protocol is selected by picking the most specific protocol
and falls back to more general protocol when specified protocol has `disabled=true` in policy definition.
See [protocol fallback example](#protocol-fallback).
-
## Common configuration
- **`interval`** - (optional) interval between consecutive health checks, if not specified then equal to `1m`
@@ -117,14 +108,12 @@ See [protocol fallback example](#protocol-fallback).
- **`intervalJitterPercent`** - (optional) if specified, during every interval Envoy will add `intervalJitter` *
`intervalJitterPercent` / 100 to the wait time. If `intervalJitter` and
`intervalJitterPercent` are both set, both of them will be used to increase the wait time.
-{% if_version lte:2.9.x %}
-- **`healthyPanicThreshold`** - (optional) allows to configure panic threshold for Envoy clusters. If not specified,
- the default is 50%. To disable panic mode, set to 0%.
-{% endif_version %}
-{% if_version gte:2.10.x %}
- **`healthyPanicThreshold`** - (optional) allows to configure panic threshold for Envoy clusters. If not specified,
- the default is 50%. To disable panic mode, set to 0%. ⚠️This is deprecated from version 2.10.x and has been moved to [MeshCircuitBreaker](/docs/{{ page.release }}/policies/meshcircuitbreaker).⚠️
-{% endif_version %}
+ the default is 50%. To disable panic mode, set to 0%.
+
+ {:.warning}
+ > This is deprecated from version 2.10.x and has been moved to [MeshCircuitBreaker](/mesh/policies/meshcircuitbreaker/).
+
- **`failTrafficOnPanic`** - (optional) if set to true, Envoy will not consider any hosts when the cluster is in
'panic mode'. Instead, the cluster will fail all requests as if all hosts are unhealthy.
This can help avoid potentially overwhelming a failing service.
@@ -176,13 +165,13 @@ HTTP health checks are executed using HTTP2
- when checking the response, “fuzzy” matching is performed such that
each block must be found, and in the order specified, but not
necessarily contiguous;
- - if **`receive`** section won't be provided or will be empty, checks
- will be performed as "connect only" and will be marked as successful
- when TCP connection will be successfully established.
+ - if the **`receive`** section is not provided or is empty, checks
+ are performed as "connect only" and are marked as successful
+ when a TCP connection is established.
### gRPC
- **`disabled`** - (optional) - if true gRPC health check is disabled
- **`serviceName`** - (optional) - service name parameter which will be sent to gRPC service
- **`authority`** - (optional) - value of the :authority header in the gRPC health check request,
- by default name of the cluster this health check is associated with
\ No newline at end of file
+ by default name of the cluster this health check is associated with
diff --git a/app/_mesh_policies/meshhttproute/index.md b/app/_mesh_policies/meshhttproute/index.md
index 0c3d9804d5..db2e775bd7 100644
--- a/app/_mesh_policies/meshhttproute/index.md
+++ b/app/_mesh_policies/meshhttproute/index.md
@@ -9,72 +9,66 @@ type: policy
icon: meshhttproute.png
---
-
The `MeshHTTPRoute` policy allows altering and redirecting HTTP requests
depending on where the request is coming from and where it's going to.
## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`|
-| `to[].targetRef.kind` | `Mesh` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% endtab %}
-
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | top level | to | from |
-| ----------------- | --------- | --- | ---- |
-| Mesh | ✅ | ❌ | ❌ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ✅ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-If you don't understand this table you should read [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
+
+
## Configuration
@@ -92,14 +86,13 @@ spec:
backendRefs: [...]
```
-{% tip %}
-Remember to tag your `Service` ports with `appProtocol: http` to use
-them in a `MeshHTTPRoute`!
-{% endtip %}
+{:.info}
+> Remember to tag your `Service` ports with `appProtocol: http` to use
+> them in a `MeshHTTPRoute`!
### Gateways
-In order to route HTTP traffic for a MeshGateway, you need to target the
+To route HTTP traffic for a MeshGateway, you need to target the
MeshGateway in `spec.targetRef` and set `spec.to[].targetRef.kind: Mesh`.
### Interactions with `MeshTCPRoute`
@@ -110,17 +103,17 @@ MeshGateway in `spec.targetRef` and set `spec.to[].targetRef.kind: Mesh`.
`MeshHTTPRoute` takes priority over [`TrafficRoute`](../traffic-route) when a proxy is targeted by both policies.
-All legacy policies like `Retry`, `TrafficLog`, `Timeout` etc. only match on routes defined by `TrafficRoute`.
-All new recommended policies like `MeshRetry`, `MeshAccessLog`, `MeshTimeout` etc. match on routes defined by `MeshHTTPRoute` and `TrafficRoute`.
+All legacy policies like `Retry`, `TrafficLog`, `Timeout` and so on only match on routes defined by `TrafficRoute`.
+All new recommended policies like `MeshRetry`, `MeshAccessLog`, `MeshTimeout` and so on match on routes defined by `MeshHTTPRoute` and `TrafficRoute`.
-If you don't use legacy policies, it's recommended to remove any existing `TrafficRoute`.
-Otherwise, it's recommended to migrate to new policies and then removing `TrafficRoute`.
+If you don't use legacy policies, we recommend removing any existing `TrafficRoute`.
+Otherwise, we recommend migrating to new policies and then removing `TrafficRoute`.
## Merging
When several `MeshHTTPRoute` policies target the same data plane proxy they're merged.
Similar to the new policies the merging order is determined by
-[the top level targetRef](/docs/{{ page.release }}/policies/introduction).
+[the top level targetRef](/mesh/policies-introduction/).
The difference is in `spec.to[].rules`.
{{site.mesh_product_name}} treats `rules` as a key-value map
where `matches` is a key and `default` is a value. For example MeshHTTPRoute policies:
@@ -180,7 +173,7 @@ rules:
### Matches
- **`path`** - (optional) - HTTP path to match the request on
- - **`type`** - one of `Exact`, {% if_version gte:2.3.x %}`PathPrefix`{% endif_version %}{% if_version lte:2.2.x %}`Prefix`{% endif_version %}, `RegularExpression`
+ - **`type`** - one of `Exact`, `PathPrefix`, `RegularExpression`
- **`value`** - actual value that's going to be matched depending on the `type`
- **`method`** - (optional) - HTTP2 method, available values are
`CONNECT`, `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, `PUT`, `TRACE`
@@ -231,7 +224,7 @@ rules:
### Backends
-- **`kind`** - one of `MeshService`, `MeshServiceSubset`{% if_version gte:2.9.x %}, `MeshExtenalService`{% endif_version %}
+- **`kind`** - one of `MeshService`, `MeshServiceSubset`, `MeshExternalService`
- **`name`** - service name
- **`tags`** - service tags, must be specified if the `kind` is `MeshServiceSubset`
- **`weight`** - when a request matches the route, the choice of an upstream cluster
diff --git a/app/_mesh_policies/meshidentity/index.md b/app/_mesh_policies/meshidentity/index.md
index c3e8274779..542c308dc0 100644
--- a/app/_mesh_policies/meshidentity/index.md
+++ b/app/_mesh_policies/meshidentity/index.md
@@ -125,6 +125,7 @@ The policy whose name comes first in alphabetical order takes precedence.
The following table contains examples of the selector field with different scopes:
+
{% table %}
columns:
- title: Description
@@ -156,6 +157,7 @@ rows:
selector: {}
```
{% endtable %}
+
### SPIFFE ID
@@ -241,7 +243,6 @@ spec:
{% endraw %}
-
### Provider
The `provider` field defines how identity certificates are issued.
diff --git a/app/_mesh_policies/meshloadbalancingstrategy/index.md b/app/_mesh_policies/meshloadbalancingstrategy/index.md
index 57623ae24d..2d009c811e 100644
--- a/app/_mesh_policies/meshloadbalancingstrategy/index.md
+++ b/app/_mesh_policies/meshloadbalancingstrategy/index.md
@@ -10,88 +10,73 @@ icon: policy.svg
---
This policy enables {{site.mesh_product_name}} to configure the load balancing strategy for traffic between services in the mesh.
-When using this policy, the [localityAwareLoadBalancing](/docs/{{ page.release }}/policies/locality-aware) flag is ignored.
+When using this policy, the `localityAwareLoadBalancing` flag is ignored.
## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshMultiZoneService` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshMultiZoneService` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`|
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endtab %}
-
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | top level | to | from |
-| ----------------- | --------- | --- | ---- |
-| Mesh | ✅ | ✅ | ❌ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ✅ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`, `MeshMultiZoneService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
-## Configuration
-
-{% if_version lte:2.4.x %}
-### LocalityAwareness
-Locality-aware load balancing is enabled by default unlike its predecessor [localityAwareLoadBalancing](/docs/{{ page.release }}/policies/locality-aware).
-- **`disabled`** – (optional) allows to disable locality-aware load balancing. When disabled requests are distributed
-across all endpoints regardless of locality.
+## Configuration
-{% endif_version %}
-{% if_version gte:2.5.x %}
### LocalityAwareness
Locality-aware load balancing provides robust and straightforward method for balancing traffic within and across zones. This not only allows you to route traffic across zones when the local zone service is unhealthy but also enables you to define traffic prioritization within the local zone and set cross-zone fallback priorities.
-#### Default behaviour
-Locality-aware load balancing is enabled by default, unlike its predecessor [localityAwareLoadBalancing](/docs/{{ page.release }}/policies/locality-aware). Requests are distributed across all endpoints within the local zone first unless there are not enough healthy endpoints.
+#### Default behavior
+Locality-aware load balancing is enabled by default, unlike its predecessor `localityAwareLoadBalancing`. Requests are distributed across all endpoints within the local zone first unless there are not enough healthy endpoints.
#### Disabling locality aware routing
If you do so, all endpoints regardless of their zone will be treated equally. To do this do:
@@ -101,10 +86,9 @@ localityAwareness:
disabled: true
```
-#### Configuring LocalityAware Load Balancing for traffic within the same zone
-{% warning %}
-If `crossZone` and/or `localZone` is defined, they take precedence over `disabled` and apply more specific configuration.
-{% endwarning %}
+#### Configuring LocalityAware load balancing for traffic within the same zone
+{:.warning}
+> If `crossZone` and/or `localZone` is defined, they take precedence over `disabled` and apply more specific configuration.
Local zone routing allows you to define traffic routing rules within a local zone, prioritizing data planes based on tags and their associated weights. This enables you to allocate specific traffic percentages to data planes with particular tags within the local zone. If there are no healthy endpoints within the highest priority group, the next priority group takes precedence. Locality awareness within the local zone relies on tags within inbounds, so it's crucial to ensure that the tags used in the policy are defined for the service (Dataplane object on Universal, PodTemplate labels on Kubernetes).
@@ -113,13 +97,12 @@ Local zone routing allows you to define traffic routing rules within a local zon
- **`key`** - defines tag for which affinity is configured. The tag needs to be configured on the inbound of the service. In case of Kubernetes, pod needs to have a label. On Universal user needs to define it on the inbound of the service. If the tag is absent this entry is skipped.
- **`weight`** - (optional) weight of the tag used for load balancing. The bigger the weight the higher number of requests is routed to dataplanes with specific tag. By default we will adjust them so that 90% traffic goes to first tag, 9% to next, and 1% to third and so on.
-#### Configuring LocalityAware Load Balancing for traffic across zones
-{% warning %}
-Remember that cross-zone traffic requires [mTLS to be enabled](/docs/{{ page.release }}/policies/mutual-tls).
-{% endwarning %}
+#### Configuring LocalityAware load balancing for traffic across zones
+{:.warning}
+> Remember that cross-zone traffic requires [mTLS to be enabled](/mesh/policies/mutual-tls/).
Advanced locality-aware load balancing provides a powerful means of defining how your service should behave when there is no instances of your service available or they are in a degraded state in your local zone. With this feature, you have the flexibility to configure the fallback behavior of your service, specifying the order in which it should attempt fallback options and defining different behaviors for instances located in various zones.
-- **`crossZone`** - (optional) allows to define behaviour when there is no healthy instances of the service. When not defined, cross zone traffic is disabled.
+- **`crossZone`** - (optional) allows to define behavior when there is no healthy instances of the service. When not defined, cross zone traffic is disabled.
- **`failover`** - defines a list of load balancing rules in order of priority. If a zone is not specified explicitly by name or implicitly using the type `Any`/`AnyExcept` it is excluded from receiving traffic. By default, the last rule is always `None` which means, that there is no traffic to other zones after specified rules.
- **`from`** - (optional) defines the list of zones to which the rule applies. If not specified, rule is applied to all zones.
- **`zones`** - list of zone names.
@@ -130,18 +113,15 @@ Advanced locality-aware load balancing provides a powerful means of defining how
- **`AnyExcept`** - traffic will be load balanced to every available zone except those specified in zones list.
- **`None`** - traffic will not be load balanced to any zone.
- **`zones`** - list of zone names
- - **`failoverThreshold.percentage`** - (optional) defines the percentage of live destination data plane proxies below which load balancing to the next priority starts. .e.g: If you have this set to 70 and you have 10 data plane proxies it will start load balancing to the next priority when the number of healthy destinations falls under 7. The value to be in (0.0 - 100.0] range (Default 50). If the value is a double number, put it in quotes.
+ - **`failoverThreshold.percentage`** - (optional) defines the percentage of live destination data plane proxies below which load balancing to the next priority starts. For example, If you have this set to 70 and you have 10 data plane proxies it will start load balancing to the next priority when the number of healthy destinations falls under 7. The value to be in (0.0 - 100.0] range (Default 50). If the value is a double number, put it in quotes.
#### Zone Egress support
Using Zone Egress Proxy in multi-zone deployment poses certain limitations for this feature. When configuring `MeshLoadbalancingStrategy` with Zone Egress you can only use `Mesh` as a top level targetRef. This is because we don't differentiate requests that come to Zone Egress from different clients, yet.
-Moreover, Zone Egress is a simple proxy that uses long-lived L4 connection with each Zone Ingresses. Consequently, when a new `MeshLoadbalancingStrategy` with locality awareness is configured, connections won’t be refreshed, and locality awareness will apply only to new connections.
-
-Another thing you need to be aware of is how outbound traffic behaves when you use the `MeshCircuitBreaker`'s outlier detection to keep track of healthy endpoints. Normally, you would use `MeshCircuitBreaker` to act on failures and trigger traffic redirect to the next priority level if the number of healthy endpoints fall below `crossZone.failoverThreshold`. When you have a single instance of Zone Egress, all remote zones will be behind a single endpoint. Since `MeshCircuitBreaker` is configured on Data Plane Proxy, when one of the zones start responding with errors it will mark the whole Zone Egress as not healthy and won’t send traffic there even though there could be multiple zones with live endpoints. This will be changed in the future with overall improvements to the Zone Egress proxy.
-
+Moreover, Zone Egress is a simple proxy that uses long-lived L4 connection with each Zone Ingresses. Consequently, when a new `MeshLoadbalancingStrategy` with locality awareness is configured, connections are not refreshed, and locality awareness applies only to new connections.
-{% endif_version %}
+Another thing you need to be aware of is how outbound traffic behaves when you use the `MeshCircuitBreaker`'s outlier detection to keep track of healthy endpoints. Normally, you would use `MeshCircuitBreaker` to act on failures and trigger traffic redirect to the next priority level if the number of healthy endpoints fall below `crossZone.failoverThreshold`. When you have a single instance of Zone Egress, all remote zones will be behind a single endpoint. Since `MeshCircuitBreaker` is configured on data plane proxy, when one of the zones start responding with errors it marks the whole Zone Egress as not healthy and does not send traffic there, even if there are multiple zones with live endpoints. This is a known limitation that will be addressed with future Zone Egress proxy improvements.
### LoadBalancer
@@ -230,4 +210,4 @@ must be prime number limited to 5000011. If it is not specified, the default is
no data associated with the key, or the stored object is not `Envoy::Hashable`, no hash will be produced.
This way, we allow only one in-flight request on a TCP connection. Consequently, the client will open more TCP connections, leading to fairer load balancing.
-The downside is that we now have to establish and maintain more TCP connections. Keep this in mind as you adjust the value to suit your needs.
\ No newline at end of file
+The downside is that we now have to establish and maintain more TCP connections. Keep this in mind as you adjust the value to suit your needs.
diff --git a/app/_mesh_policies/meshmetric/examples/default.yaml b/app/_mesh_policies/meshmetric/examples/default.yaml
index 0886a9c112..939f62f67a 100644
--- a/app/_mesh_policies/meshmetric/examples/default.yaml
+++ b/app/_mesh_policies/meshmetric/examples/default.yaml
@@ -3,6 +3,9 @@ description: "A default `MeshMetric` policy for the `default` mesh"
weight: 900
+min_version:
+ mesh: '2.10'
+
namespace: kuma-demo
config:
type: MeshMetric
@@ -16,4 +19,9 @@ config:
default:
applications:
- path: "/metrics/prometheus"
- port: 8888
\ No newline at end of file
+ port: 8888
+ backends:
+ - type: Prometheus
+ prometheus:
+ port: 5670
+ path: /metrics
\ No newline at end of file
diff --git a/app/_mesh_policies/meshmetric/index.md b/app/_mesh_policies/meshmetric/index.md
index 1765acd3ea..f97908aa4c 100644
--- a/app/_mesh_policies/meshmetric/index.md
+++ b/app/_mesh_policies/meshmetric/index.md
@@ -27,112 +27,97 @@ For example, you might need to override the default metrics port if it's already
* Each proxy can expose its metrics in [Prometheus format](https://prometheus.io/docs/instrumenting/exposition_formats/#text-based-format).
* {{site.mesh_product_name}} exposes an API called the monitoring assignment service (MADS) which exposes proxies configured by `MeshMetric`.
-{% if_version gte:2.7.x %}
Moreover, {{site.mesh_product_name}} provides integration with OpenTelemetry:
-{% endif_version %}
-
-{% if_version lte:2.6.x %}
-Moreover, {{site.mesh_product_name}} provides experimental integration with OpenTelemetry:
-{% endif_version %}
* Each proxy can publish its metrics to [OpenTelemetry collector](https://opentelemetry.io/docs/collector/).
To collect metrics from {{site.mesh_product_name}}, you need to expose metrics from proxies and applications.
-{% tip %}
-In the rest of this page we assume you have already configured your observability tools to work with {{site.mesh_product_name}}.
-If you haven't already read the [observability docs](/docs/{{ page.release }}/explore/observability).
-{% endtip %}
+{:.info}
+> In the rest of this page we assume you have already configured your observability tools to work with {{site.mesh_product_name}}.
+> If you haven't already read the [observability docs](/mesh/observability/).
## TargetRef support matrix
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-{% endif_version %}
-{% endtab %}
-
-{% endtabs %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
+
+
## Configuration
There are three main sections of the configuration: `sidecar`, `applications`, `backends`.
The first two define how to scrape parts of the mesh (sidecar and underlying applications), the third one defines what to do with the data (in case of Prometheus instructs to scrape specific address, in case of OpenTelemetry defines where to push data).
-{% tip %}
-In contrast to [Traffic Metrics](/docs/{{ page.release }}/policies/traffic-metrics) all configuration is dynamic and no restarts of the Data Plane Proxies are needed.
-You can define configuration refresh interval by using `KUMA_DATAPLANE_RUNTIME_DYNAMIC_CONFIGURATION_REFRESH_INTERVAL` env var or `{{site.set_flag_values_prefix}}dataplaneRuntime.dynamicConfiguration.refreshInterval` Helm value.
-{% endtip %}
+{:.info}
+> In contrast to Traffic Metrics, all configuration is dynamic and no restarts of the data plane proxies are needed.
+> You can define configuration refresh interval by using `KUMA_DATAPLANE_RUNTIME_DYNAMIC_CONFIGURATION_REFRESH_INTERVAL` env var or `{{site.set_flag_values_prefix}}dataplaneRuntime.dynamicConfiguration.refreshInterval` Helm value.
### Sidecar
{% if site.mesh_product_name != "Kuma" %}
-{% if_version lte:2.6.x %}
-{% warning %}
-If you're using Mesh Manager the field `regex` is no longer available.
-You need to use version 2.7.x or above and migrate to `profiles.exclude`.
-{% endwarning %}
-{% endif_version %}
{% endif %}
This part of the configuration applies to the data plane proxy scraping.
In case you don't want to retrieve all Envoy's metrics, it's possible to filter them.
-{% if_version gte:2.7.x %}
Below are different methods of filtering.
The order of the operations is as follows:
1. Unused metrics
2. Profiles
3. Exclude
4. Include
-{% endif_version %}
-
-{% if_version lte:2.6.x %}
-#### Regex
-
-You are able to specify [`regex`](https://www.envoyproxy.io/docs/envoy/latest/operations/admin#get--stats?filter=regex) which causes the metrics endpoint to return only matching metrics.
-{% endif_version %}
#### Unused metrics
By default, metrics that were not updated won't be published.
You can set the `includeUnused` flag that returns all metrics from Envoy.
-{% if_version gte:2.7.x %}
#### Profiles
Profiles are predefined sets of metrics with manual `include` and `exclude` functionality.
@@ -146,47 +131,17 @@ Today only 3 profiles are available: `All`, `Basic` and `None`.
`None` profile removes all metrics
- `exclude` - after profiles are applied you can manually exclude metrics on top of profile filtering.
- `include` - after exclude is applied you can manually include metrics.
-{% endif_version %}
#### Examples
-{% if_version lte:2.6.x %}
-##### Include unused metrics and filter them by regex
-
-{% policy_yaml %}
-```yaml
-type: MeshMetric
-mesh: default
-name: metrics-default
-spec:
- targetRef:
- kind: Mesh
- default:
- sidecar:
- regex: http2_act.*
- includeUnused: true
- backends:
- - type: Prometheus
- prometheus:
- port: 5670
- path: /metrics
-```
-{% endpolicy_yaml %}
-
-{% endif_version %}
-
-{% if_version gte:2.7.x %}
##### Include unused metrics of only Basic profile with manual exclude and include
-{% if_version lte:2.8.x %}
-{% policy_yaml %}
+{% policy_yaml namespace=kong-mesh-demo %}
```yaml
type: MeshMetric
mesh: default
name: metrics-default
spec:
- targetRef:
- kind: Mesh
default:
sidecar:
includeUnused: true
@@ -206,66 +161,10 @@ spec:
path: /metrics
```
{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version gte:2.9.x %}
-{% policy_yaml namespace=kuma-demo %}
-```yaml
-type: MeshMetric
-mesh: default
-name: metrics-default
-spec:
- default:
- sidecar:
- includeUnused: true
- profiles:
- appendProfiles:
- - name: Basic
- exclude:
- - type: Regex
- match: "envoy_cluster_external_upstream_rq_.*"
- include:
- - type: Exact
- match: "envoy_cluster_default_total_match_count"
- backends:
- - type: Prometheus
- prometheus:
- port: 5670
- path: /metrics
-```
-{% endpolicy_yaml %}
-{% endif_version %}
##### Include only manually defined metrics
-{% if_version lte:2.8.x %}
-{% policy_yaml %}
-```yaml
-type: MeshMetric
-mesh: default
-name: metrics-default
-spec:
- targetRef:
- kind: Mesh
- default:
- sidecar:
- profiles:
- appendProfiles:
- - name: None
- include:
- - type: Regex
- match: "envoy_cluster_external_upstream_rq_.*"
- backends:
- - type: Prometheus
- prometheus:
- port: 5670
- path: /metrics
-```
-{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version gte:2.9.x %}
-{% policy_yaml namespace=kuma-demo %}
+{% policy_yaml namespace=kong-mesh-demo %}
```yaml
type: MeshMetric
mesh: default
@@ -286,19 +185,15 @@ spec:
path: /metrics
```
{% endpolicy_yaml %}
-{% endif_version %}
##### Exclude all metrics apart from one manually added
-{% if_version lte:2.8.x %}
-{% policy_yaml %}
+{% policy_yaml namespace=kong-mesh-demo %}
```yaml
type: MeshMetric
mesh: default
name: metrics-default
spec:
- targetRef:
- kind: Mesh
default:
sidecar:
profiles:
@@ -314,41 +209,11 @@ spec:
path: /metrics
```
{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version gte:2.9.x %}
-{% policy_yaml namespace=kuma-demo %}
-```yaml
-type: MeshMetric
-mesh: default
-name: metrics-default
-spec:
- default:
- sidecar:
- profiles:
- appendProfiles:
- - name: None
- include:
- - type: Regex
- match: "envoy_cluster_external_upstream_rq_.*"
- backends:
- - type: Prometheus
- prometheus:
- port: 5670
- path: /metrics
-```
-{% endpolicy_yaml %}
-{% endif_version %}
-
-{% endif_version %}
### Applications
-{% if_version gte:2.7.x %}
-{% warning %}
-Metrics exposed by the application need to be in Prometheus format for the Dataplane Proxy to be able to parse and expose them to either Prometheus or OpenTelemetry backend.
-{% endwarning %}
-{% endif_version %}
+{:.warning}
+> Metrics exposed by the application need to be in Prometheus format for the Dataplane Proxy to be able to parse and expose them to either Prometheus or OpenTelemetry backend.
In addition to exposing metrics from the data plane proxies, you might want to expose metrics from applications running next to the proxies.
{{site.mesh_product_name}} allows scraping Prometheus metrics from the applications endpoint running in the same `Pod` or `VM`.
@@ -358,7 +223,7 @@ It is possible to configure it at the `Mesh` level, for all the applications in
Here are reasons where you'd want to use this feature:
- Application metrics are labelled with your mesh parameters (tags, mesh, data plane name...), this means that in mixed Universal and Kubernetes mode metrics are reported with the same types of labels.
- Both application and sidecar metrics are scraped at the same time. This makes sure they are coherent (with 2 different scrapers they can end up scraping at different intervals and make metrics harder to correlate).
-- If you disable [passthrough](/docs/{{ page.release }}/networking/non-mesh-traffic#outgoing) and your mesh uses mTLS and Prometheus is outside the mesh this is the only way to retrieve these metrics as the app is completely hidden behind the sidecar.
+- If you disable passthrough and your mesh uses mTLS and Prometheus is outside the mesh this is the only way to retrieve these metrics as the app is completely hidden behind the sidecar.
Example section of the configuration:
@@ -390,7 +255,7 @@ By default, all available metrics are returned.
##### Secure metrics with TLS
-{{site.mesh_product_name}} allows configuring metrics endpoint with TLS.
+{{site.mesh_product_name}} lets you configure metrics endpoint with TLS.
```yaml
backends:
@@ -404,22 +269,22 @@ backends:
In addition to the `MeshMetric` configuration, `kuma-sidecar` requires a provided certificate and key for its operation.
-{% tabs %}
-{% tab Kubernetes %}
+{% navtabs "environment" %}
+{% navtab "Kubernetes" %}
When the certificate and key are available within the container, `kuma-sidecar` needs the paths to provided files as the following environment variables:
* `KUMA_DATAPLANE_RUNTIME_METRICS_CERT_PATH`
* `KUMA_DATAPLANE_RUNTIME_METRICS_KEY_PATH`
-It's possible to use a [`ContainerPatch`](/docs/{{ page.release }}/production/dp-config/dpp-on-kubernetes/#custom-container-configuration) to add variables to `kuma-sidecar`:
+It's possible to use a [`ContainerPatch`](/mesh/data-plane-kubernetes/#custom-container-configuration) to add variables to `kuma-sidecar`:
```yaml
apiVersion: kuma.io/v1alpha1
kind: ContainerPatch
metadata:
name: container-patch-1
- namespace: kuma-system
+ namespace: kong-mesh-system
spec:
sidecarPatch:
- op: add
@@ -436,16 +301,16 @@ spec:
}'
```
-{% endtab %}
-{% tab Universal %}
+{% endnavtab %}
+{% navtab "Universal" %}
Please upload the certificate and the key to the machine, and then define the following environment variables with the correct paths:
* `KUMA_DATAPLANE_RUNTIME_METRICS_CERT_PATH`
* `KUMA_DATAPLANE_RUNTIME_METRICS_KEY_PATH`
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
##### `activeMTLSBackend`
@@ -453,11 +318,10 @@ We no longer support `activeMTLSBackend`, if you need to encrypt and authorize t
##### Running multiple Prometheus deployments
-If you need to run multiple instances of Prometheus and want to target different set of Data Plane Proxies you can do this by using Client ID setting on both `MeshMetric` (`clientId`) and [Prometheus configuration](https://github.com/prometheus/prometheus/pull/13278/files#diff-17f1012e0c2fbd9bcd8dff3c23b18ff4b6676eef3beca6f8a3e72e6a36633334R2233) (`client_id`).
+If you need to run multiple instances of Prometheus and want to target different set of data plane proxies you can do this by using Client ID setting on both `MeshMetric` (`clientId`) and [Prometheus configuration](https://github.com/prometheus/prometheus/pull/13278/files#diff-17f1012e0c2fbd9bcd8dff3c23b18ff4b6676eef3beca6f8a3e72e6a36633334R2233) (`client_id`).
-{% warning %}
-Support for `clientId` was added in Prometheus version `2.50.0`.
-{% endwarning %}
+{:.warning}
+> Support for `clientId` was added in Prometheus version `2.50.0`.
###### Example Prometheus configuration
@@ -492,29 +356,6 @@ scrape_configs:
Now we can configure first `MeshMetric` policy to pick data plane proxies with tag `prometheus: main` for main Prometheus discovery.
`clientId` in policy should be the same as `client_id` in Prometheus configuration.
-{% if_version eq:2.9.x %}
-{% policy_yaml %}
-```yaml
-type: MeshMetric
-name: prometheus-one
-mesh: default
-spec:
- targetRef:
- kind: MeshSubset
- tags:
- prometheus: "main"
- default:
- backends:
- - type: Prometheus
- prometheus:
- clientId: "prometheus-main"
- port: 5670
- path: /metrics
-```
-{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version gte:2.10.x %}
{% policy_yaml %}
```yaml
type: MeshMetric
@@ -534,33 +375,9 @@ spec:
path: /metrics
```
{% endpolicy_yaml %}
-{% endif_version %}
And policy for secondary Prometheus deployment that will pick data plane proxies with tag `prometheus: secondary`.
-{% if_version eq:2.9.x %}
-{% policy_yaml %}
-```yaml
-type: MeshMetric
-name: prometheus-two
-mesh: default
-spec:
- targetRef:
- kind: MeshSubset
- tags:
- prometheus: "secondary"
- default:
- backends:
- - type: Prometheus
- prometheus:
- clientId: "prometheus-secondary" # this clientId should be the same as client_id in Prometheus
- port: 5670
- path: /metrics
-```
-{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version gte:2.10.x %}
{% policy_yaml %}
```yaml
type: MeshMetric
@@ -580,37 +397,7 @@ spec:
path: /metrics
```
{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version lte:2.6.x %}
-#### OpenTelemetry (experimental)
-
-```yaml
-backends:
- - type: OpenTelemetry
- openTelemetry:
- endpoint: otel-collector.observability.svc:4317
-```
-
-This configuration tells {{site.mesh_product_name}} data plane proxy to push metrics to [OpenTelemetry collector](https://opentelemetry.io/docs/collector/).
-Dataplane Proxy will scrape metrics from Envoy and other [applications](/docs/{{ page.release }}/policies/meshmetric/#applications) in a Pod/VM.
-and push them to configured OpenTelemetry collector.
-
-When you configure application scraping make sure to specify `application.name` to use [OpenTelemetry scoping](https://opentelemetry.io/docs/concepts/instrumentation-scope/)
-##### Limitations
-
-- You cannot configure scraping interval for OpenTelemetry. By default, it will publish metrics to collector every **30 seconds**. Ability to configure scraping interval in policy will be added in the future.
-- Right now {{site.mesh_product_name}} supports configuring only one `OpenTelemetry` backend.
-{% if_version lte:2.6.x %}
-- OpenTelemetry integration does not take [sidecar](/docs/{{ page.release }}/policies/meshmetric/#sidecar) configuration into account.
- This support will be added in the next release.
-{% endif_version %}
-- [Application](/docs/{{ page.release }}/policies/meshmetric/#applications) must expose metrics in Prometheus format for this integration to work
-
-{% endif_version %}
-
-{% if_version gte:2.7.x %}
#### OpenTelemetry
```yaml
@@ -622,9 +409,7 @@ backends:
```
This configuration tells {{site.mesh_product_name}} Dataplane Proxy to push metrics to [OpenTelemetry collector](https://opentelemetry.io/docs/collector/).
-Dataplane Proxy will scrape metrics from Envoy and other [applications](/docs/{{ page.release }}/policies/meshmetric/#applications) in a Pod/VM
+Dataplane Proxy will scrape metrics from Envoy and other applications in a Pod/VM
and push them to configured OpenTelemetry collector, by default every **60 seconds** (use `refreshInterval` to change it).
When you configure application scraping make sure to specify `application.name` to use [OpenTelemetry scoping](https://opentelemetry.io/docs/concepts/instrumentation-scope/).
-
-{% endif_version %}
\ No newline at end of file
diff --git a/app/_mesh_policies/meshopa/index.md b/app/_mesh_policies/meshopa/index.md
index cfd28f3f75..61b81edf0d 100644
--- a/app/_mesh_policies/meshopa/index.md
+++ b/app/_mesh_policies/meshopa/index.md
@@ -24,52 +24,36 @@ When the `MeshOPA` policy is applied, the control plane configures the following
## TargetRef support matrix
-{% if_version gte:2.11.x %}Add `commentMore` actions
-{% tabs %}
-{% tab Sidecar %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway` |
-{% endtab %}
-{% endtabs %}
-{% endif_version %}
-{% if_version gte:2.6.x %}
-{% if_version lte:2.10.x %}
-{% tabs %}
-{% tab Sidecar %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway` |
-{% endtab %}
-{% endtabs %}
-
-{% endif_version %}
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | top level | to | from |
-| ----------------- | --------- | --- | ---- |
-| Mesh | ✅ | ❌ | ❌ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ❌ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-| MeshGatewayRoute | ❌ | ❌ | ❌ |
-
-{% endif_version %}
-
-
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane` (new_in 2.11), `MeshSubset` (deprecated), `MeshService` (removed in 2.11), `MeshServiceSubset` (removed in 2.11)"
+{% endtable %}
+
+{% endnavtab %}
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`"
+{% endtable %}
+
+{% endnavtab %}
+{% endnavtabs %}
## Configuration
@@ -261,14 +245,44 @@ Encoding the policy in a Secret provides some security for policies that contain
The following environment variables are available:
-| Variable | Type | What it configures | Default value {:width=25%:} |
-| -------------------------- | --------- | --------------------------------------| ------------------- |
-| KMESH_OPA_ADDR | string | Address OPA API server listens on | `localhost:8181` |
-| KMESH_OPA_CONFIG_PATH | string | Path to file of initial config | N/A |
-| KMESH_OPA_DIAGNOSTIC_ADDR | string | Address of OPA diagnostics server | `0.0.0.0:8282` |
-| KMESH_OPA_ENABLED | bool | Whether `kuma-dp` starts embedded OPA | true |
-| KMESH_OPA_EXT_AUTHZ_ADDR | string | Address of Envoy External AuthZ service | `localhost:9191` |
-| KMESH_OPA_CONFIG_OVERRIDES | strings | Overrides for OPA configuration, in addition to config file(*) | nil |
+
+{% table %}
+columns:
+ - title: Variable
+ key: variable
+ - title: Type
+ key: type
+ - title: What it configures
+ key: what_it_configures
+ - title: Default value
+ key: default_value
+rows:
+ - variable: KMESH_OPA_ADDR
+ type: string
+ what_it_configures: Address OPA API server listens on
+ default_value: "`localhost:8181`"
+ - variable: KMESH_OPA_CONFIG_PATH
+ type: string
+ what_it_configures: Path to file of initial config
+ default_value: N/A
+ - variable: KMESH_OPA_DIAGNOSTIC_ADDR
+ type: string
+ what_it_configures: Address of OPA diagnostics server
+ default_value: "`0.0.0.0:8282`"
+ - variable: KMESH_OPA_ENABLED
+ type: bool
+ what_it_configures: "Whether `kuma-dp` starts embedded OPA"
+ default_value: "true"
+ - variable: KMESH_OPA_EXT_AUTHZ_ADDR
+ type: string
+ what_it_configures: Address of Envoy External AuthZ service
+ default_value: "`localhost:9191`"
+ - variable: KMESH_OPA_CONFIG_OVERRIDES
+ type: strings
+ what_it_configures: "Overrides for OPA configuration, in addition to config file(*)"
+ default_value: nil
+{% endtable %}
+
{% navtabs "configuration" %}
{% navtab "kumactl" %}
@@ -322,7 +336,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: example-app
- namespace: kuma-example
+ namespace: kong-mesh-example
spec:
...
template:
@@ -337,7 +351,6 @@ spec:
The `run` command on the data plane proxy accepts the following equivalent parameters if you prefer not to set environment variables:
-
```
--opa-addr
--opa-config-path
@@ -401,9 +414,9 @@ spec:
{% endnavtab %}
{% endnavtabs %}
-By default, the body will not be sent to the agent.
+By default, the body is not sent to the agent.
To send it, set `authConfig.requestBody.maxSize` to the maximum size of your body.
-If the request body is larger than this parameter, it will be truncated and the header `x-envoy-auth-partial-body` will be set to `true`.
+If the request body is larger than this parameter, it is truncated and the header `x-envoy-auth-partial-body` is set to `true`.
## Support for external API management servers
@@ -543,7 +556,7 @@ spec:
}
```
-`appendPolicies` is a list you can append, therefore in the case of the data plane proxy `test-server_kuma-demo_svc_80` service, both policies will be applied.
+`appendPolicies` is a list you can append, therefore in the case of the data plane proxy `test-server_kuma-demo_svc_80` service, both policies are applied.
{{site.mesh_product_name}} will autogenerate an additional OPA decision policy:
```rego
@@ -566,7 +579,7 @@ This way, the mesh operator can expose utility functions to service owner.
## Example
-The following example shows how to deploy and test a sample MeshOPA policy on Kubernetes, using the kuma-demo application.
+The following example shows how to deploy and test a sample MeshOPA policy on Kubernetes, using the kong-mesh-demo application.
1. Deploy the example application:
@@ -577,14 +590,14 @@ The following example shows how to deploy and test a sample MeshOPA policy on Ku
1. Make a request from the frontend to the backend:
```sh
- kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -c kuma-fe -- curl backend:3001 -v
+ kubectl exec -i -t $(kubectl get pod -l "app=kong-mesh-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kong-mesh-demo) -n kong-mesh-demo -c kong-mesh-fe -- curl backend:3001 -v
```
The output looks like:
```
- Defaulting container name to kuma-fe.
- Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod.
+ Defaulting container name to kong-mesh-fe.
+ Use 'kubectl describe pod/kong-mesh-demo-app-6787b4f7f5-m428c -n kong-mesh-demo' to see all of the containers in this pod.
* Trying 10.111.108.218:3001...
* TCP_NODELAY set
* Connected to backend (10.111.108.218) port 3001 (#0)
@@ -666,13 +679,13 @@ The following example shows how to deploy and test a sample MeshOPA policy on Ku
1. Make an invalid request from the frontend to the backend:
```sh
- kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -c kuma-fe -- curl backend:3001 -v
+ kubectl exec -i -t $(kubectl get pod -l "app=kong-mesh-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kong-mesh-demo) -n kong-mesh-demo -c kong-mesh-fe -- curl backend:3001 -v
```
The output looks like:
```
- Defaulting container name to kuma-fe.
- Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-bwvnb -n kuma-demo' to see all of the containers in this pod.
+ Defaulting container name to kong-mesh-fe.
+ Use 'kubectl describe pod/kong-mesh-demo-app-6787b4f7f5-bwvnb -n kong-mesh-demo' to see all of the containers in this pod.
* Trying 10.105.146.164:3001...
* TCP_NODELAY set
* Connected to backend (10.105.146.164) port 3001 (#0)
@@ -704,14 +717,14 @@ The following example shows how to deploy and test a sample MeshOPA policy on Ku
Make the request:
```sh
- kubectl exec -i -t $(kubectl get pod -l "app=kuma-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kuma-demo) -n kuma-demo -c kuma-fe -- curl -H "Authorization: Bearer $ADMIN_TOKEN" backend:3001
+ kubectl exec -i -t $(kubectl get pod -l "app=kong-mesh-demo-frontend" -o jsonpath='{.items[0].metadata.name}' -n kong-mesh-demo) -n kong-mesh-demo -c kong-mesh-fe -- curl -H "Authorization: Bearer $ADMIN_TOKEN" backend:3001
```
The output looks like:
```
- Defaulting container name to kuma-fe.
- Use 'kubectl describe pod/kuma-demo-app-6787b4f7f5-m428c -n kuma-demo' to see all of the containers in this pod.
+ Defaulting container name to kong-mesh-fe.
+ Use 'kubectl describe pod/kong-mesh-demo-app-6787b4f7f5-m428c -n kong-mesh-demo' to see all of the containers in this pod.
* Trying 10.111.108.218:3001...
* TCP_NODELAY set
* Connected to backend (10.111.108.218) port 3001 (#0)
@@ -743,6 +756,3 @@ The following example shows how to deploy and test a sample MeshOPA policy on Ku
```
The request is valid again because the token is signed with the `secret` private key, its payload includes the admin role, and it is not expired.
-
-
-[protocols]: /mesh/policies/
\ No newline at end of file
diff --git a/app/_mesh_policies/meshpassthrough/index.md b/app/_mesh_policies/meshpassthrough/index.md
index 64cb90166f..7a13dc3810 100644
--- a/app/_mesh_policies/meshpassthrough/index.md
+++ b/app/_mesh_policies/meshpassthrough/index.md
@@ -12,43 +12,51 @@ min_version:
icon: policy.svg
---
This policy enables {{site.mesh_product_name}} to configure traffic to external destinations that is allowed to pass outside the mesh.
-When using this policy, the [passthrough mode](/docs/{{ page.release }}/networking/non-mesh-traffic/#outgoing) flag is ignored.
+When using this policy, the passthrough mode flag is ignored.
## TargetRef support matrix
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-{% endif_version %}
-{% endtab %}
-{% if_version gte:2.9.x %}
-{% tab Delegated Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-{% endtab %}
-{% endif_version %}
-{% endtabs %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+{% endtable %}
+
+{% endnavtab %}
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+{% endtable %}
+
+{% endnavtab %}
+{% endnavtabs %}
+
+
## Configuration
-{% warning %}
-This policy doesn't work with sidecars without [transparent-proxy](/docs/{{ page.release }}/networking/transparent-proxying/#what-is-transparent-proxying).
-{% endwarning %}
+{:.warning}
+> This policy doesn't work with sidecars without [transparent-proxy](/mesh/transparent-proxying/).
The following describes the default configuration settings of the `MeshPassthrough` policy:
-- **`passthroughMode`**: (Optional) Defines behaviour for handling traffic. Allowed values: `All`, `None` and `Matched`. Default: `None`
+- **`passthroughMode`**: (Optional) Defines behavior for handling traffic. Allowed values: `All`, `None` and `Matched`. Default: `None`
- **`All`** enables all traffic to pass through.
- **`Matched`** allows only the traffic defined in `appendMatch`.
- **`None`** disallows all traffic.
@@ -62,38 +70,15 @@ The following describes the default configuration settings of the `MeshPassthrou
- **`http`**
- **`http2`**
- **`grpc`**
- {% if_version gte:2.10.x %}- **`mysql`**{% endif_version %}
+ - {% new_in 2.10 %} **`mysql`**
### Wildcard DNS matching
`MeshPassthrough` policy allows you to create a match for a wildcard subdomain.
-{% warning %}
-Currently, support for partial subdomain matching is not implemented. For example, a match for `*w.example.com` will be rejected.
-{% endwarning %}
-
-{% if_version eq:2.9.x %}
-{% policy_yaml %}
-```yaml
-type: MeshPassthrough
-name: wildcard-passthrough
-mesh: default
-spec:
- targetRef:
- kind: Mesh
- proxyTypes: ["Sidecar"]
- default:
- passthroughMode: Matched
- appendMatch:
- - type: Domain
- value: '*.cluster-1.kafka.aws.us-east-2.com'
- protocol: tls
- port: 443
-```
-{% endpolicy_yaml %}
-{% endif_version %}
+{:.warning}
+> Currently, support for partial subdomain matching is not implemented. For example, a match for `*w.example.com` will be rejected.
-{% if_version gte:2.10.x %}
{% policy_yaml %}
```yaml
type: MeshPassthrough
@@ -111,11 +96,10 @@ spec:
port: 443
```
{% endpolicy_yaml %}
-{% endif_version %}
### Security
-It is advised that the Mesh Operator is responsible for managing the `MeshPassthrough` policy.
+We advise that the Mesh Operator is responsible for managing the `MeshPassthrough` policy.
This policy can introduce traffic outside of the mesh or even the cluster, and the Mesh Operator should be aware of this.
If you want to restrict access to `MeshPassthrough` to specific services, you must choose them manually.
If you rely on tags in the top-level `targetRef` you might consider securing them by using one of the following techniques:
@@ -126,7 +110,7 @@ If you rely on tags in the top-level `targetRef` you might consider securing the
### Limitations
* Due to the nature of some traffic, it is not possible to combine certain protocols on the same port. You can create a `MeshPassthrough` policy that handles `tcp`, `tls`, and one of `http`, `http2`, or `grpc` traffic on the same port. Layer 7 protocols cannot be distinguished, which could introduce unexpected behavior.
-* It isn't possible to route passthrough traffic through the [zone egress](/docs/{{ page.release }}/production/cp-deployment/zoneegress/#zone-egress).
+* It isn't possible to route passthrough traffic through the [zone egress](/mesh/zone-egress/#zone-egress).
* Wildcard domains with L7 protocol and all ports is not supported.
-* {% if_version gte:2.9.x %}Builtin gateway is not supported.{% endif_version %}{% if_version lte:2.8.x %}Gateways are currently not supported.{% endif_version %}
-* Envoy prioritizes matches in the following order: [first by Port, second by Address IP, and third by SNI](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filterchainmatch). For example, if you have an HTTP domain match configured for a specific port (e.g., 80) and a CIDR match also configured for port 80, a request to this domain may match the CIDR configuration if the domain's address falls within the CIDR range. However, if the domain's address does not match the CIDR, the request might fail to match entirely due to the absence of an appropriate matcher for that IP. This behavior is a limitation and could potentially be addressed in the future with the adoption of the [Matcher API](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/matching/matching_api).
+* Built-in gateway is not supported.
+* Envoy prioritizes matches in the following order: [first by Port, second by Address IP, and third by SNI](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filterchainmatch). For example, if you have an HTTP domain match configured for a specific port (for example, 80) and a CIDR match also configured for port 80, a request to this domain may match the CIDR configuration if the domain's address falls within the CIDR range. However, if the domain's address does not match the CIDR, the request might fail to match entirely due to the absence of an appropriate matcher for that IP. This behavior is a limitation and could potentially be addressed in the future with the adoption of the [Matcher API](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/matching/matching_api).
diff --git a/app/_mesh_policies/meshproxypatch/index.md b/app/_mesh_policies/meshproxypatch/index.md
index c0602c287b..e1fc75375b 100644
--- a/app/_mesh_policies/meshproxypatch/index.md
+++ b/app/_mesh_policies/meshproxypatch/index.md
@@ -17,72 +17,61 @@ A `MeshProxyPatch` policy can modify:
* [HTTP Filters](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/filter/http/http)
* [VirtualHost](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-virtualhost)
-{% warning %}
-This policy uses a new policy matching algorithm.
-Do **not** combine with [Proxy Template](/mesh/policies/proxy-template/).
-{% endwarning %}
+{:.warning}
+> This policy uses a new policy matching algorithm.
+> Do **not** combine with the deprecated Proxy Template policy.
## `targetRef` support matrix
-{% if_version lte:2.4.x %}
-
-| `targetRef.kind` | top level |
-|---------------------|-----------|
-| `Mesh` | ✅ |
-| `MeshSubset` | ✅ |
-| `MeshService` | ✅ |
-| `MeshServiceSubset` | ✅ |
-
-{% endif_version %}
-{% if_version gte:2.5.x %}
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ---------------- | --------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endtab %}
-
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-| `targetRef.kind` | top level |
-|---------------------|-----------|
-| `Mesh` | ✅ |
-| `MeshSubset` | ✅ |
-| `MeshService` | ✅ |
-| `MeshServiceSubset` | ✅ |
-| `MeshGateway` | ✅ |
-
-{% endif_version %}
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
+
+
## Configuration
@@ -127,9 +116,8 @@ Available operations:
Available matchers:
* `name` - name of the Cluster.
* `origin` - origin of the Cluster.
-
-{% tabs %}
-{% tab Kubernetes %}
+{% navtabs "environment" %}
+{% navtab "Kubernetes" %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
@@ -178,8 +166,8 @@ spec:
name: test-cluster # optional: if absent, all clusters regardless of name will be removed
origin: inbound # optional: if absent, all clusters regardless of its origin will be removed
```
-{% endtab %}
-{% tab Universal %}
+{% endnavtab %}
+{% navtab "Universal" %}
```yaml
type: MeshProxyPatch
mesh: default
@@ -226,9 +214,9 @@ spec:
name: test-cluster # optional: if absent, all clusters regardless of name will be removed
origin: inbound # optional: if absent, all clusters regardless of its origin will be removed
```
-{% endtab %}
-{% endtabs %}
-
+{% endnavtab %}
+{% endnavtabs %}
+
#### Listener
Modifications that are applied on [Listeners](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener) resources.
@@ -243,8 +231,8 @@ Available matchers:
* `origin` - origin of the Listener.
* `tags` - tags of inbound or outbound Listeners. They match `Listener.metadata.filterMetadata[io.kuma.tags]` in XDS configuration.
-{% tabs %}
-{% tab Kubernetes %}
+{% navtabs "environment" %}
+{% navtab "Kubernetes" %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
@@ -292,8 +280,8 @@ spec:
name: test-listener # optional: if absent, all listeners regardless of name will be removed
origin: inbound # optional: if absent, all listeners regardless of its origin will be removed
```
-{% endtab %}
-{% tab Universal %}
+{% endnavtab %}
+{% navtab "Universal" %}
```yaml
type: MeshProxyPatch
mesh: default
@@ -339,8 +327,8 @@ spec:
name: test-listener # optional: if absent, all listeners regardless of name will be removed
origin: inbound # optional: if absent, all listeners regardless of its origin will be removed
```
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
#### Network Filter
@@ -361,8 +349,8 @@ Available matchers:
* `listenerTags` - tags of inbound or outbound Listeners. They match `Listener.metadata.filterMetadata[io.kuma.tags]` in XDS configuration.
* `origin` - origin of the Listener.
-{% tabs %}
-{% tab Kubernetes %}
+{% navtabs "environment" %}
+{% navtab "Kubernetes" %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
@@ -468,8 +456,8 @@ spec:
kuma.io/service: backend
origin: inbound # optional: if absent, all filters regardless of its origin will be removed
```
-{% endtab %}
-{% tab Universal %}
+{% endnavtab %}
+{% navtab "Universal" %}
```yaml
type: MeshProxyPatch
mesh: default
@@ -573,15 +561,15 @@ spec:
kuma.io/service: backend
origin: inbound # optional: if absent, all filters regardless of its origin will be removed
```
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
#### HTTP Filter
Modifications that are applied on [HTTP Filters](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/filter/http/http) that are part of [Listeners](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#config-listener-v3-listener) resource.
Modifications that {{site.mesh_product_name}} applies on all [HTTP Connection Managers](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#http-connection-manager-proto) in the Listener.
-HTTP Filter modifications can only be applied on services [configured as HTTP](/docs/{{ page.release }}/policies/protocol-support-in-kuma).
+HTTP Filter modifications can only be applied on services configured as HTTP.
Available operations:
* `AddFirst` - add a new filter as a first filter in HTTP Connection Manager.
@@ -597,8 +585,8 @@ Available matchers:
* `listenerTags` - tags of inbound or outbound Listeners. They match `Listener.metadata.filterMetadata[io.kuma.tags]` in XDS configuration.
* `origin` - origin of the Listener.
-{% tabs %}
-{% tab Kubernetes %}
+{% navtabs "environment" %}
+{% navtab "Kubernetes" %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
@@ -696,8 +684,8 @@ spec:
kuma.io/service: backend
origin: inbound # optional: if absent, all filters regardless of its origin will be removed
```
-{% endtab %}
-{% tab Universal %}
+{% endnavtab %}
+{% navtab "Universal" %}
```yaml
type: MeshProxyPatch
mesh: default
@@ -793,14 +781,14 @@ spec:
kuma.io/service: backend
origin: inbound # optional: if absent, all filters regardless of its origin will be removed
```
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
#### VirtualHost
Modifications that are applied on [VirtualHost](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-virtualhost) resources.
-VirtualHost modifications can only be applied on services [configured as HTTP](/docs/{{ page.release }}/policies/protocol-support-in-kuma).
+VirtualHost modifications can only be applied on services configured as HTTP.
Available operations:
* `Add` - add a new VirtualHost.
@@ -812,8 +800,8 @@ Available matchers:
* `origin` - origin of the VirtualHost.
* `routeConfigurationName` - name of the [RouteConfiguration](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto.html#http-route-configuration-proto).
-{% tabs %}
-{% tab Kubernetes %}
+{% navtabs "environment" %}
+{% navtab "Kubernetes" %}
```yaml
apiVersion: kuma.io/v1alpha1
kind: MeshProxyPatch
@@ -866,8 +854,8 @@ spec:
name: test-listener # optional: if absent, all virtual hsots regardless of name will be removed
origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be removed
```
-{% endtab %}
-{% tab Universal %}
+{% endnavtab %}
+{% navtab "Universal" %}
```yaml
type: MeshProxyPatch
mesh: default
@@ -918,8 +906,8 @@ spec:
name: test-listener # optional: if absent, all virtual hsots regardless of name will be removed
origin: inbound # optional: if absent, all virtual hosts regardless of its origin will be removed
```
-{% endtab %}
-{% endtabs %}
+{% endnavtab %}
+{% endnavtabs %}
## Merging
diff --git a/app/_mesh_policies/meshratelimit/index.md b/app/_mesh_policies/meshratelimit/index.md
index 7e8de0a304..30a63250c1 100644
--- a/app/_mesh_policies/meshratelimit/index.md
+++ b/app/_mesh_policies/meshratelimit/index.md
@@ -9,7 +9,6 @@ type: policy
icon: meshratelimit.png
---
-
This policy enables per-instance service request limiting. Policy supports rate limiting of HTTP/HTTP2 requests and TCP connections.
The `MeshRateLimit` policy leverages Envoy's [local rate limiting](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter) for HTTP/HTTP2 and [local rate limit filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter) for TCP connections.
@@ -23,59 +22,51 @@ The policy is applied per service instance. This means that if a service `backen
## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags` |
-| `to[].targetRef.kind` | `Mesh` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-
-{% warning %}
-`MeshRateLimit` isn't supported on delegated gateways.
-{% endwarning %}
-
-{% endtab %}
-
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | top level | to | from |
-| ----------------- | --------- | --- | ---- |
-| Mesh | ✅ | ❌ | ✅ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ❌ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`from[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{:.warning}
+> `MeshRateLimit` isn't supported on delegated gateways.
+
+{% endnavtab %}
+
+{% endnavtabs %}
+
+
## Configuration
@@ -107,4 +98,4 @@ TCP rate limiting allows the configuration of a number of connections in the spe
- **`disabled`** - (optional) - should rate limiting policy be disabled
- **`connectionRate`** - configuration of the number of connections in the specific time window
- **`num`** - the number of requests to limit
- - **`interval`** - the interval for which `connections` will be limited
\ No newline at end of file
+ - **`interval`** - the interval for which `connections` will be limited
diff --git a/app/_mesh_policies/meshretry/index.md b/app/_mesh_policies/meshretry/index.md
index c2366acbdc..a2aec7639b 100644
--- a/app/_mesh_policies/meshretry/index.md
+++ b/app/_mesh_policies/meshretry/index.md
@@ -16,95 +16,66 @@ This policy enables {{site.mesh_product_name}} to know how to behave if there ar
## TargetRef support matrix
-{% if_version gte:2.4.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version gte:2.6.x %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-{% endif_version %}
-{% if_version lte:2.5.x %}
-| `targetRef.kind` | top level | to | from |
-| ------------------- | --------- | --- | ---- |
-| `Mesh` | ✅ | ✅ | ❌ |
-| `MeshSubset` | ✅ | ❌ | ❌ |
-| `MeshService` | ✅ | ✅ | ❌ |
-| `MeshServiceSubset` | ✅ | ❌ | ❌ |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-{% if_version gte:2.6.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags` |
-| `to[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version lte:2.5.x %}
-| `targetRef.kind` | top level | to |
-| ------------------- | --------- | --- |
-| `Mesh` | ✅ | ✅ |
-| `MeshGateway` | ✅ | ❌ |
-| `MeshService` | ✅ | ❌ |
-| `MeshServiceSubset` | ✅ | ❌ |
-{% endif_version %}
-{% endtab %}
-
-{% if_version gte:2.6.x %}
-{% tab Delegated Gateway %}
-{% if_version gte:2.6.x %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-{% endif_version %}
-{% endtab %}
-{% endif_version %}
-
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.3.x %}
-
-| `targetRef.kind` | top level | to | from |
-| ------------------- | --------- | --- | ---- |
-| `Mesh` | ✅ | ✅ | ❌ |
-| `MeshSubset` | ✅ | ❌ | ❌ |
-| `MeshService` | ✅ | ✅ | ❌ |
-| `MeshServiceSubset` | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`, `MeshExternalService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`, `MeshExternalService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
+
+
## Configuration
-The policy let you configure retry behaviour for `HTTP`, `GRPC` and `TCP` protocols.
-The protocol is selected by picking the most [specific protocol](/docs/{{ page.release }}/policies/protocol-support-in-kuma).
+The policy let you configure retry behavior for `HTTP`, `GRPC` and `TCP` protocols.
+The protocol is selected by picking the most specific protocol.
Each protocol has a separate section under `default` in the policy yaml.
Some sections are common between protocols or have similar meaning.
@@ -223,4 +194,4 @@ x-ratelimit-reset: 1706096119
The request will be retried at `Wed Jan 24 2024 11:35:19 GMT+0000`.
If the response does not contain `retry-after` or `x-ratelimit-reset` header (with valid integer value)
-then the amount of time to wait before issuing a request is determined by [back off](#back-off) algorithm.
\ No newline at end of file
+then the amount of time to wait before issuing a request is determined by [back off](#back-off) algorithm.
diff --git a/app/_mesh_policies/meshtcproute/index.md b/app/_mesh_policies/meshtcproute/index.md
index b715515c25..8122018c06 100644
--- a/app/_mesh_policies/meshtcproute/index.md
+++ b/app/_mesh_policies/meshtcproute/index.md
@@ -14,110 +14,68 @@ icon: meshtcproute.png
The `MeshTCPRoute` policy allows you to alter and redirect TCP requests
depending on where the request is coming from and where it's going to.
-{% if_version lte:2.5.x %}
-{% warning %}
-`MeshTCPRoute` doesn't support cross zone traffic before version 2.6.0.
-{% endwarning %}
-{% endif_version %}
-
## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags` |
-| `to[].targetRef.kind` | `Mesh` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `to[].targetRef.kind` | `MeshService` |
-{% endif_version %}
-{% endtab %}
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | top level | to | from |
-|-------------------|-----------|-----|------|
-| Mesh | ✅ | ❌ | ❌ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ✅ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-For more information, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`MeshService`"
+{% endtable %}
+
+{% endnavtab %}
+{% endnavtabs %}
+
+For more information, see the [matching docs](/mesh/policies-introduction/).
## Configuration
Unlike other outbound policies, `MeshTCPRoute` doesn't contain `default`
directly in the `to` array. The `default` section is nested inside `rules`. For more information review the [MeshTCPRoute policy documentation](/mesh/policies/meshtcproute/reference/).
-{% if_version lte:2.8.x %}
-```yaml
-spec:
- targetRef: # top-level targetRef selects a group of proxies to configure
- kind: Mesh|MeshSubset|MeshService|MeshServiceSubset
- to:
- - targetRef: # targetRef selects a destination (outbound listener)
- kind: MeshService
- name: backend
- rules:
- - default: # configuration applied for the matched TCP traffic
- backendRefs: [...]
-```
-{% endif_version %}
-
-{% if_version eq:2.9.x %}
-```yaml
-spec:
- targetRef: # top-level targetRef selects a group of proxies to configure
- kind: Mesh|MeshSubset
- to:
- - targetRef: # targetRef selects a destination (outbound listener)
- kind: MeshService
- name: backend
- rules:
- - default: # configuration applied for the matched TCP traffic
- backendRefs: [...]
-```
-{% endif_version %}
-
-{% if_version gte:2.10.x %}
```yaml
spec:
targetRef: # top-level targetRef selects a group of proxies to configure
@@ -130,14 +88,13 @@ spec:
- default: # configuration applied for the matched TCP traffic
backendRefs: [...]
```
-{% endif_version %}
### Default configuration
The following describes the default configuration settings of the `MeshTCPRoute` policy:
- **`backendRefs`**: (Optional) List of destinations for the request to be redirected to
- - **`kind`**: One of `MeshService`, `MeshServiceSubset`{% if_version gte:2.9.x %}, `MeshExtenalService`{% endif_version %}
+ - **`kind`**: One of `MeshService`, `MeshServiceSubset`, `MeshExternalService`
- **`name`**: The service name
- **`tags`**: Service tags. These must be specified if the `kind` is
`MeshServiceSubset`.
@@ -147,7 +104,7 @@ The following describes the default configuration settings of the `MeshTCPRoute`
### Gateways
-In order to route TCP traffic for a MeshGateway, you need to target the
+To route TCP traffic for a MeshGateway, you need to target the
MeshGateway in `spec.targetRef` and set `spec.to[].targetRef.kind: Mesh`.
### Interactions with `MeshHTTPRoute`
@@ -158,8 +115,8 @@ MeshGateway in `spec.targetRef` and set `spec.to[].targetRef.kind: Mesh`.
`MeshTCPRoute` takes priority over [`TrafficRoute`](../traffic-route) when a proxy is targeted by both policies.
-All legacy policies like `Retry`, `TrafficLog`, `Timeout` etc. only match on routes defined by `TrafficRoute`.
-All new recommended policies like `MeshRetry`, `MeshAccessLog`, `MeshTimeout` etc. match on routes defined by `MeshTCPRoute` and `TrafficRoute`.
+All legacy policies like `Retry`, `TrafficLog`, `Timeout` and so on only match on routes defined by `TrafficRoute`.
+All new recommended policies like `MeshRetry`, `MeshAccessLog`, `MeshTimeout` and so on match on routes defined by `MeshTCPRoute` and `TrafficRoute`.
-If you don't use legacy policies, it's recommended to remove any existing `TrafficRoute`.
-Otherwise, it's recommended to migrate to new policies and then removing `TrafficRoute`.
\ No newline at end of file
+If you don't use legacy policies, we recommend removing any existing `TrafficRoute`.
+Otherwise, we recommend migrating to new policies and then removing `TrafficRoute`.
diff --git a/app/_mesh_policies/meshtimeout/index.md b/app/_mesh_policies/meshtimeout/index.md
index 24b5aa6ecb..70dd75fb03 100644
--- a/app/_mesh_policies/meshtimeout/index.md
+++ b/app/_mesh_policies/meshtimeout/index.md
@@ -9,101 +9,74 @@ type: policy
icon: meshtimeout.png
---
-{% warning %}
-This policy uses new policy matching algorithm.
-Do **not** combine with the deprecated Timeout policy policy.
-{% endwarning %}
+{:.warning}
+> This policy uses a new policy matching algorithm.
+> Do **not** combine with the deprecated Timeout policy.
## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version gte:2.6.x %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | ------------------------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset`, `MeshHTTPRoute` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | ------------------------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshHTTPRoute` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshHTTPRoute`, `MeshSubset(deprecated)` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway`, `MeshGateway` with listener `tags` |
-| `to[].targetRef.kind` | `Mesh` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version gte:2.6.x %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | ------------------------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset`, `MeshHTTPRoute` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService` |
-{% endif_version %}
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | ------------------------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshHTTPRoute` |
-| `to[].targetRef.kind` | `Mesh`, `MeshService`, `MeshExternalService` |
-{% endif_version %}
-{% endtab %}
-{% endtabs %}
-
-{% endif_version %}
-
-{% if_version lte:2.5.x %}
-{% if_version gte:2.3.x %}
-
-| TargetRef type | top level | to | from |
-|-------------------|-----------|-----|------|
-| Mesh | ✅ | ✅ | ✅ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ✅ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-| MeshHTTPRoute | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-{% if_version lte:2.2.x %}
-
-| TargetRef type | top level | to | from |
-|-------------------|-----------|-----|------|
-| Mesh | ✅ | ✅ | ✅ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ✅ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshHTTPRoute`, `MeshSubset(deprecated)`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`, `MeshExternalService`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`, `MeshGateway` with listener `tags`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`, `MeshHTTPRoute`"
+ - targetref: "`to[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshService`, `MeshExternalService`"
+{% endtable %}
+
+{% endnavtab %}
+{% endnavtabs %}
+
+
## Configuration
This policy enables {{site.mesh_product_name}} to set timeouts on the inbound and outbound connections
depending on the protocol. Using this policy you can configure TCP and HTTP timeouts.
Timeout configuration is split into two sections: common configuration and HTTP configuration.
-Common config is applied to both HTTP and TCP communication. HTTP timeout are only applied when
-service is marked as http. More on this in [protocol support section](/docs/{{ page.release }}/policies/protocol-support-in-kuma).
+Common config is applied to both HTTP and TCP communication. HTTP timeouts apply only when
+the service is marked as http. More on this in protocol support section.
MeshTimeout policy lets you configure multiple timeouts:
@@ -113,7 +86,7 @@ MeshTimeout policy lets you configure multiple timeouts:
- `http.streamIdleTimeout`
- `http.maxStreamDuration`
- `http.maxConnectionDuration`
-{% if_version inline:true gte:2.6.x %}- `http.requestHeadersTimeout`{% endif_version %}
+- `http.requestHeadersTimeout`
### Timeouts explained
@@ -141,10 +114,9 @@ This timeout is strongly recommended for all requests (not just streaming reques
defends against a peer that does not open the stream window once an entire response has been buffered to be sent to a
downstream client.
-{% tip %}
-Stream timeouts apply even when you are only using HTTP/1.1 in you services. This is because every connection between
-data plane proxies is upgraded to HTTP/2.
-{% endtip %}
+{:.info}
+> Stream timeouts apply even when you are only using HTTP/1.1 in your services. This is because every connection between
+> data plane proxies is upgraded to HTTP/2.
#### HTTP max stream duration
@@ -158,8 +130,6 @@ starting from when it was first established. If there are no active streams, the
If there are any active streams, the drain sequence will kick-in, and the connection will be force-closed after 5
seconds.
-{% if_version gte:2.6.x %}
#### HTTP request headers timeout
The amount of time that proxy will wait for the request headers to be received. The timer is activated when the first byte of the headers is received, and is disarmed when the last byte of the headers has been received.
-{% endif_version %}
\ No newline at end of file
diff --git a/app/_mesh_policies/meshtls/index.md b/app/_mesh_policies/meshtls/index.md
index 38f8e9b0a8..8bfefa7fc5 100644
--- a/app/_mesh_policies/meshtls/index.md
+++ b/app/_mesh_policies/meshtls/index.md
@@ -13,29 +13,40 @@ icon: meshtls.png
## TargetRef support matrix
-{% tabs %}
-{% tab targetRef For mode %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-{% endif_version %}
-{% endtab %}
-{% tab targetRef For tls ciphers/version %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | ------------------- |
-| `targetRef.kind` | `Mesh` |
-| `from[].targetRef.kind` | `Mesh` |
-{% endtab %}
-{% endtabs %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
+{% navtabs "targetref-for-mode" %}
+{% navtab "targetRef For mode" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+{% endtable %}
+
+{% endnavtab %}
+{% navtab "targetRef For tls ciphers/version" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+ - targetref: "`from[].targetRef.kind`"
+ allowed_kinds: "`Mesh`"
+{% endtable %}
+
+{% endnavtab %}
+{% endnavtabs %}
+
+
## Configuration
@@ -45,9 +56,8 @@ The following describes the default configuration settings of the `MeshTLS` poli
- **`tlsCiphers`**: Defines TLS ciphers to be used by **both client and server**. Allowed values: `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-RSA-CHACHA20-POLY1305`.
- **`mode`**: Defines the mTLS mode - `Permissive` mode encrypts outbound connections the same way as `Strict` mode, but inbound connections on the server-side accept both TLS and plaintext. Allowed values: `Strict`, `Permissive`.
-{% tip %}
-Setting the TLS version and ciphers on both the client and server makes it harder to configure incorrectly.
-If you want to try out a specific version/cipher combination, we recommend creating a [temporary mesh](/docs/{{ page.release }}/production/mesh/#usage), deploying two applications within it, and testing whether communication is working.
-If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we'd love to hear about it.
-In that case, please open an [issue](https://github.com/kumahq/kuma/issues).
-{% endtip %}
+{:.info}
+> Setting the TLS version and ciphers on both the client and server makes it harder to configure incorrectly.
+> If you want to try out a specific version/cipher combination, we recommend creating a [temporary mesh](/mesh/mesh-multi-tenancy/), deploying two applications within it, and testing whether communication is working.
+> If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we'd love to hear about it.
+> In that case, please open an [issue](https://github.com/kumahq/kuma/issues).
diff --git a/app/_mesh_policies/meshtrace/index.md b/app/_mesh_policies/meshtrace/index.md
index de8d99636e..c42f111c99 100644
--- a/app/_mesh_policies/meshtrace/index.md
+++ b/app/_mesh_policies/meshtrace/index.md
@@ -15,99 +15,91 @@ related_resources:
url: /mesh/meshopentelemetrybackend/
---
-{% warning %}
-This policy uses new policy matching algorithm.
-Do **not** combine with the deprecated TrafficTrace policy.
-{% endwarning %}
+{:.warning}
+> This policy uses new policy matching algorithm.
+> Do **not** combine with the deprecated TrafficTrace policy.
This policy enables publishing traces to a third party tracing solution.
Tracing is supported over HTTP, HTTP2, and gRPC protocols.
-You must [explicitly specify the protocol](/docs/{{ page.release }}/policies/protocol-support-in-kuma) for each service and data plane proxy you want to enable tracing for.
+You must explicitly specify the protocol for each service and data plane proxy you want to enable tracing for.
{{site.mesh_product_name}} currently supports the following trace exposition formats:
- `Zipkin` traces in this format can be sent to [many different tracing backends](https://github.com/openzipkin/openzipkin.github.io/issues/65)
- `Datadog`
-{% warning %}
-Services still need to be instrumented to preserve the trace chain across requests made across different services.
+{:.warning}
+> Services still need to be instrumented to preserve the trace chain across requests made across different services.
+>
+> You can instrument with a language library of your choice ([for Zipkin](https://zipkin.io/pages/tracers_instrumentation) and [for Datadog](https://docs.datadoghq.com/tracing/setup_overview/setup/java/?tab=containers)).
+> For HTTP you can also manually forward the following headers:
+>
+> - `x-request-id`
+> - `x-b3-traceid`
+> - `x-b3-parentspanid`
+> - `x-b3-spanid`
+> - `x-b3-sampled`
+> - `x-b3-flags`
-You can instrument with a language library of your choice ([for Zipkin](https://zipkin.io/pages/tracers_instrumentation) and [for Datadog](https://docs.datadoghq.com/tracing/setup_overview/setup/java/?tab=containers)).
-For HTTP you can also manually forward the following headers:
+## TargetRef support matrix
-- `x-request-id`
-- `x-b3-traceid`
-- `x-b3-parentspanid`
-- `x-b3-spanid`
-- `x-b3-sampled`
-- `x-b3-flags`
-{% endwarning %}
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Built-in Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshGateway`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% navtab "Delegated Gateway" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`"
+{% endtable %}
+
+{% endnavtab %}
+
+{% endnavtabs %}
-## TargetRef support matrix
-{% if_version gte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-{% endif_version %}
-{% endtab %}
-
-{% tab Builtin Gateway %}
-| `targetRef` | Allowed kinds |
-| ---------------- | --------------------- |
-| `targetRef.kind` | `Mesh`, `MeshGateway` |
-{% endtab %}
-
-{% tab Delegated Gateway %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version gte:2.9.x %}
-| `targetRef` | Allowed kinds |
-| --------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-{% endif_version %}
-{% endtab %}
-
-{% endtabs %}
-
-{% endif_version %}
-{% if_version lte:2.5.x %}
-
-| TargetRef type | top level | to | from |
-| ----------------- | --------- | --- | ---- |
-| Mesh | ✅ | ❌ | ❌ |
-| MeshSubset | ✅ | ❌ | ❌ |
-| MeshService | ✅ | ❌ | ❌ |
-| MeshServiceSubset | ✅ | ❌ | ❌ |
-
-{% endif_version %}
-
-To learn more about the information in this table, see the [matching docs](/docs/{{ page.release }}/policies/introduction).
## Configuration
### Sampling
-{% tip %}
-Most of the time setting only `overall` is sufficient. `random` and `client` are for advanced use cases.
-{% endtip %}
+{:.info}
+> Most of the time setting only `overall` is sufficient. `random` and `client` are for advanced use cases.
You can configure sampling settings equivalent to Envoy's:
diff --git a/app/_mesh_policies/meshtrafficpermission/index.md b/app/_mesh_policies/meshtrafficpermission/index.md
index b67221b7fd..2e9f7de97e 100644
--- a/app/_mesh_policies/meshtrafficpermission/index.md
+++ b/app/_mesh_policies/meshtrafficpermission/index.md
@@ -8,79 +8,52 @@ content_type: plugin
type: policy
icon: meshtrafficpermission.png
---
-{% warning %}
-This policy uses new policy matching algorithm.
-Do **not** combine with the deprecated TrafficPermission policy.
-{% endwarning %}
+{:.warning}
+> This policy uses new policy matching algorithm.
+> Do **not** combine with the deprecated TrafficPermission policy.
-{% tip %}
-[Mutual TLS](/docs/{{ page.release }}/policies/mutual-tls) has to be enabled to make MeshTrafficPermission work.
-{% endtip %}
+{:.info}
+> [Mutual TLS](/mesh/policies/mutual-tls/) has to be enabled to make MeshTrafficPermission work.
The `MeshTrafficPermission` policy provides access control within the Mesh.
It allows you to define granular rules about which services can communicate with each other.
## TargetRef support matrix
-{% if_version gte:2.7.x %}
-{% tabs %}
-{% tab Sidecar %}
-{% if_version lte:2.8.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version eq:2.9.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshServiceSubset` |
-{% endif_version %}
-{% if_version gte:2.10.x %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | --------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `Dataplane`, `MeshSubset(deprecated)` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshServiceSubset` |
-{% endif_version %}
-{% endtab %}
-{% tab Builtin Gateway %}
-`MeshTrafficPermission` isn't supported on builtin gateways. If applied via
+{% navtabs "support-matrix" %}
+{% navtab "Sidecar" %}
+
+{% table %}
+columns:
+ - title: "`targetRef`"
+ key: targetref
+ - title: Allowed kinds
+ key: allowed_kinds
+rows:
+ - targetref: "`targetRef.kind`"
+ allowed_kinds: "`Mesh`, `Dataplane`, `MeshSubset(deprecated)`"
+ - targetref: "`from[].targetRef.kind`"
+ allowed_kinds: "`Mesh`, `MeshSubset`, `MeshServiceSubset`"
+{% endtable %}
+
+{% endnavtab %}
+{% navtab "Built-in Gateway" %}
+`MeshTrafficPermission` isn't supported on built-in gateways. If applied via
`spec.targetRef.kind: MeshService`, it has no effect.
-{% endtab %}
+{% endnavtab %}
-{% tab Delegated Gateway %}
+{% navtab "Delegated Gateway" %}
`MeshTrafficPermission` isn't supported on delegated gateways.
-{% endtab %}
-{% endtabs %}
-{% endif_version %}
-
-{% if_version lte:2.6.x %}
-{% tabs %}
-{% tab Sidecar %}
-| `targetRef` | Allowed kinds |
-| ----------------------- | -------------------------------------------------------- |
-| `targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-| `from[].targetRef.kind` | `Mesh`, `MeshSubset`, `MeshService`, `MeshServiceSubset` |
-{% endtab %}
-{% tab Builtin Gateway %}
-`MeshTrafficPermission` isn't supported on builtin gateways. If applied via
-`spec.targetRef.kind: MeshService`, it has no effect.
-{% endtab %}
+{% endnavtab %}
+{% endnavtabs %}
-{% tab Delegated Gateway %}
-`MeshTrafficPermission` isn't supported on delegated gateways.
-{% endtab %}
-{% endtabs %}
-{% endif_version %}
-If you don't understand this table you should read [matching docs](/docs/{{ page.release }}/policies/introduction).
## Configuration
### Action
-{{ site.mesh_product_name }} allows configuring one of 3 actions for a group of service's clients:
+{{ site.mesh_product_name }} lets you configure one of 3 actions for a group of service's clients:
* `Allow` - allows incoming requests matching the from `targetRef`.
* `Deny` - denies incoming requests matching the from `targetRef`
@@ -90,111 +63,7 @@ If you don't understand this table you should read [matching docs](/docs/{{ page
### Service 'payments' allows requests from 'orders'
-{% if_version lte:2.8.x %}
-{% policy_yaml %}
-```yaml
-type: MeshTrafficPermission
-name: allow-orders
-mesh: default
-spec:
- targetRef: # 1
- kind: MeshSubset
- tags:
- app: payments
- from:
- - targetRef: # 2
- kind: MeshSubset
- tags:
- kuma.io/service: orders
- default: # 3
- action: Allow
-```
-{% endpolicy_yaml %}
-
-#### Explanation
-
-1. Top level `targetRef` selects data plane proxies that implement `payments` service.
- MeshTrafficPermission `allow-orders` will be configured on these proxies.
-
- ```yaml
- targetRef: # 1
- kind: MeshService
- name: payments
- ```
-
-2. `TargetRef` inside the `from` array selects proxies that implement `order` service.
- These proxies will be subjected to the action from `default.action`.
-
- ```yaml
- - targetRef: # 2
- kind: MeshSubset
- tags:
- kuma.io/service: orders
- ```
-
-3. The action is `Allow`. All requests from service `orders` will be allowed on service `payments`.
-
- ```yaml
- default: # 3
- action: Allow
- ```
-
-{% endif_version %}
-
-{% if_version eq:2.9.x %}
-{% policy_yaml namespace=kuma-demo %}
-```yaml
-type: MeshTrafficPermission
-name: allow-orders
-mesh: default
-spec:
- targetRef:
- kind: MeshSubset
- tags:
- app: payments
- from:
- - targetRef:
- kind: MeshSubset
- tags:
- kuma.io/service: orders
- default:
- action: Allow
-```
-{% endpolicy_yaml %}
-
-#### Explanation
-
-1. Top level `targetRef` selects data plane proxies that have `app: payments` tag.
- MeshTrafficPermission `allow-orders` will be configured on these proxies.
-
- ```yaml
- targetRef: # 1
- kind: MeshSubset
- tags:
- app: payments
- ```
-
-2. `TargetRef` inside the `from` array selects proxies that implement `order` service.
- These proxies will be subjected to the action from `default.action`.
-
- ```yaml
- - targetRef: # 2
- kind: MeshSubset
- tags:
- kuma.io/service: orders
- ```
-
-3. The action is `Allow`. All requests from service `orders` will be allowed on service `payments`.
-
- ```yaml
- default: # 3
- action: Allow
- ```
-
-{% endif_version %}
-
-{% if_version gte:2.10.x %}
-{% policy_yaml namespace=kuma-demo %}
+{% policy_yaml namespace=kong-mesh-demo %}
```yaml
type: MeshTrafficPermission
name: allow-orders
@@ -243,54 +112,9 @@ spec:
action: Allow
```
-{% endif_version %}
-
### Deny all
-{% if_version lte:2.8.x %}
-{% policy_yaml %}
-```yaml
-type: MeshTrafficPermission
-name: deny-all
-mesh: default
-spec:
- targetRef: # 1
- kind: Mesh
- from:
- - targetRef: # 2
- kind: Mesh
- default: # 3
- action: Deny
-```
-{% endpolicy_yaml %}
-
-#### Explanation
-
-1. Top level `targetRef` selects all proxies in the mesh.
-
- ```yaml
- targetRef: # 1
- kind: Mesh
- ```
-
-2. `TargetRef` inside the `from` array selects all clients.
-
- ```yaml
- - targetRef: # 2
- kind: Mesh
- ```
-
-3. The action is `Deny`. All requests from all services will be denied on all proxies in the `default` mesh.
-
- ```yaml
- default: # 3
- action: Deny
- ```
-
-{% endif_version %}
-
-{% if_version gte:2.9.x %}
-{% policy_yaml namespace=kuma-demo %}
+{% policy_yaml namespace=kong-mesh-demo %}
```yaml
type: MeshTrafficPermission
name: deny-all
@@ -321,54 +145,9 @@ spec:
action: Deny
```
-{% endif_version %}
-
### Allow all
-{% if_version lte:2.8.x %}
-{% policy_yaml %}
-```yaml
-type: MeshTrafficPermission
-name: allow-all
-mesh: default
-spec:
- targetRef: # 1
- kind: Mesh
- from:
- - targetRef: # 2
- kind: Mesh
- default: # 3
- action: Allow
-```
-{% endpolicy_yaml %}
-
-#### Explanation
-
-1. Top level `targetRef` selects all proxies in the mesh.
-
- ```yaml
- targetRef: # 1
- kind: Mesh
- ```
-
-2. `targetRef` inside the element of the `from` array selects all clients within the mesh.
-
- ```yaml
- - targetRef: # 2
- kind: Mesh
- ```
-
-3. The action is `Allow`. All requests from all services will be allow on all proxies in the `default` mesh.
-
- ```yaml
- default: # 3
- action: Allow
- ```
-
-{% endif_version %}
-
-{% if_version gte:2.9.x %}
-{% policy_yaml namespace=kuma-demo %}
+{% policy_yaml namespace=kong-mesh-demo %}
```yaml
type: MeshTrafficPermission
name: allow-all
@@ -399,19 +178,14 @@ spec:
action: Allow
```
-{% endif_version %}
-
### Allow requests from zone 'us-east', deny requests from 'dev' environment
-{% if_version lte:2.8.x %}
-{% policy_yaml %}
+{% policy_yaml namespace=kong-mesh-demo %}
```yaml
type: MeshTrafficPermission
name: example-with-tags
mesh: default
spec:
- targetRef: # 1
- kind: Mesh
from:
- targetRef: # 2
kind: MeshSubset
@@ -427,78 +201,7 @@ spec:
action: Deny
```
{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version gte:2.9.x %}
-{% policy_yaml namespace=kuma-demo %}
-```yaml
-type: MeshTrafficPermission
-name: example-with-tags
-mesh: default
-spec:
- from:
- - targetRef: # 2
- kind: MeshSubset
- tags:
- kuma.io/zone: us-east
- default: # 3
- action: Allow
- - targetRef: # 4
- kind: MeshSubset
- tags:
- env: dev
- default: # 5
- action: Deny
-```
-{% endpolicy_yaml %}
-{% endif_version %}
-
-{% if_version lte:2.8.x %}
-#### Explanation
-
-1. Top level `targetRef` selects all proxies in the mesh.
-
- ```yaml
- targetRef: # 1
- kind: Mesh
- ```
-
-2. `TargetRef` inside the `from` array selects proxies that have label `kuma.io/zone: us-east`.
- These proxies will be subjected to the action from `default.action`.
-
- ```yaml
- - targetRef: # 2
- kind: MeshSubset
- tags:
- kuma.io/zone: us-east
- ```
-
-3. The action is `Allow`. All requests from the zone `us-east` will be allowed on all proxies.
-
- ```yaml
- default: # 3
- action: Allow
- ```
-
-4. `TargetRef` inside the `from` array selects proxies that have tags `kuma.io/zone: us-east`.
- These proxies will be subjected to the action from `default.action`.
-
- ```yaml
- - targetRef: # 4
- kind: MeshSubset
- tags:
- env: dev
- ```
-
-5. The action is `Deny`. All requests from the env `dev` will be denied on all proxies.
-
- ```yaml
- default: # 5
- action: Deny
- ```
-{% endif_version %}
-{% if_version gte:2.9.x %}
#### Explanation
1. Since top level `targetRef` is empty it selects all proxies in the mesh.
@@ -535,10 +238,8 @@ spec:
default: # 5
action: Deny
```
-{% endif_version %}
-{% tip %}
-Order of rules inside the `from` array matters.
-Request from the proxy that has both `kuma.io/zone: east` and `env: dev` will be denied.
-This is because the rule with `Deny` is later in the `from` array than any `Allow` rules.
-{% endtip %}
\ No newline at end of file
+{:.info}
+> Order of rules inside the `from` array matters.
+> Request from the proxy that has both `kuma.io/zone: east` and `env: dev` will be denied.
+> This is because the rule with `Deny` is later in the `from` array than any `Allow` rules.
diff --git a/app/mesh/annotations.md b/app/mesh/annotations.md
index 54766d6926..923fdf3b1a 100644
--- a/app/mesh/annotations.md
+++ b/app/mesh/annotations.md
@@ -303,7 +303,7 @@ metadata:
### `kuma.io/builtindns`
-Tells the sidecar to use its builtin DNS server.
+Tells the sidecar to use its built-in DNS server.
```yaml
apiVersion: v1
@@ -316,7 +316,7 @@ metadata:
### `kuma.io/builtindnsport`
-Port the builtin DNS server should listen on for DNS queries.
+Port the built-in DNS server should listen on for DNS queries.
```yaml
apiVersion: v1
diff --git a/app/mesh/ca-rotation.md b/app/mesh/ca-rotation.md
index 28a00f95be..725b9d0bf8 100644
--- a/app/mesh/ca-rotation.md
+++ b/app/mesh/ca-rotation.md
@@ -34,7 +34,7 @@ related_resources:
{{site.mesh_product_name}} lets you provide secure communication between applications with mTLS. You can change the mTLS backend with
-Certificate Authority rotation, to support a scenario such as migrating from the builtin CA to a Vault CA.
+Certificate Authority rotation, to support a scenario such as migrating from the built-in CA to a Vault CA.
You can define many backends in the `mtls` section of the Mesh configuration. The Data Plane proxy is configured to support
certificates signed by the CA of each defined backend. However, the proxy uses only one certificate, specified by the `enabledBackend`
diff --git a/app/mesh/enterprise.md b/app/mesh/enterprise.md
index cab7637017..ba3c7947f8 100644
--- a/app/mesh/enterprise.md
+++ b/app/mesh/enterprise.md
@@ -67,7 +67,7 @@ FIPS support is provided by implementing Envoy's FIPS-compliant mode for BoringS
{{site.mesh_product_name}} lets you provide secure communication between applications with mTLS.
You can change the mTLS backend with [Certificate Authority rotation](/mesh/ca-rotation/),
-to support a scenario such as migrating from the builtin CA to a Vault CA.
+to support a scenario such as migrating from the built-in CA to a Vault CA.
## Role-Based Access Control (RBAC)
diff --git a/app/mesh/mutual-tls.md b/app/mesh/mutual-tls.md
index c1624c4a9e..f14c185282 100644
--- a/app/mesh/mutual-tls.md
+++ b/app/mesh/mutual-tls.md
@@ -41,7 +41,7 @@ To enable mTLS, configure the `mtls` property in a `Mesh` resource. You can have
A missing or empty `enabledBackend` property deactivates mTLS for the entire mesh.
-## Using a builtin CA
+## Using a built-in CA
A `builtin` CA is the fastest and simplest way to enable mTLS in {{site.mesh_product_name}}.