istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v0.6/docs/concepts/traffic-management/rules-configuration.html

267 lines
71 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><meta name="theme-color" content="#466BB0"/><meta name="title" content="Rules Configuration"><meta name="description" content="Provides a high-level overview of the domain-specific language used by Istio to configure traffic management rules in the service mesh."><meta name="og:title" content="Rules Configuration"><meta name="og:description" content="Provides a high-level overview of the domain-specific language used by Istio to configure traffic management rules in the service mesh."><meta name="og:url" content="/docs/concepts/traffic-management/rules-configuration.html"><meta name="og.site_name" content="Istio"><title>Istioldie 0.6 / Rules Configuration</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.6/feed.xml"><link rel="shortcut icon" href="/v0.6/favicons/favicon.ico" ><link rel="apple-touch-icon" href="/v0.6/favicons/apple-touch-icon-180x180.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.6/favicons/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/v0.6/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.6/favicons/android-36x36.png" sizes="36x36"><link rel="icon" type="image/png" href="/v0.6/favicons/android-48x48.png" sizes="48x48"><link rel="icon" type="image/png" href="/v0.6/favicons/android-72x72.png" sizes="72x72"><link rel="icon" type="image/png" href="/v0.6/favicons/android-96x196.png" sizes="96x196"><link rel="icon" type="image/png" href="/v0.6/favicons/android-144x144.png" sizes="144x144"><link rel="icon" type="image/png" href="/v0.6/favicons/android-192x192.png" sizes="192x192"><link rel="manifest" href="/v0.6/manifest.json"><meta name="apple-mobile-web-app-title" content="Istio"><meta name="application-name" content="Istio"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous"><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css"><link rel="stylesheet" href="/v0.6/css/light_theme.css" title="light"><link rel="alternate stylesheet" href="/v0.6/css/dark_theme.css" title="dark"> <script src="/v0.6/js/styleSwitcher.min.js"></script></head><body class="language-unknown theme-unknown"><header role="banner"><nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark"> <a class="navbar-brand" href="/v0.6/" style="visibility: visible"> <img class="logo" src="/v0.6/img/istio-logo.svg" alt="Istio Logo"/> <span class="brand-name">Istioldie 0.6</span> </a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation"> <span class="navbar-toggler-icon"></span> </button><div class="collapse navbar-collapse justify-content-end" id="navbarCollapse"><ul class="navbar-nav"><li class="nav-item"> <a class="nav-link " href="/v0.6/about/intro.html">About</a></li><li class="nav-item"> <a class="nav-link " href="/v0.6/blog/2018/traffic-mirroring.html">Blog</a></li><li class="nav-item"> <a class="nav-link active" href="/v0.6/docs/">Docs</a></li><li class="nav-item"> <a class="nav-link " href="/v0.6/help/">Help</a></li><li class="nav-item"> <a class="nav-link " href="/v0.6/community.html">Community</a></li><li class="nav-item dropdown" id="gearDropdown" style="white-space: nowrap"> <a href="" class="nav-link dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <i style="width: 1em" class='fa fa-lg fa-cog'></i> </a><ul class="dropdown-menu" aria-labelledby="gearDropdown"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li><li class="dropdown-divider"></li><li> <i class='fa fa-check light'></i> <a href="" onclick="setActiveStyleSheet('light');return false;">Light Theme</a></li><li> <i class='fa fa-check dark'></i> <a href="" onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a></li></ul></li></ul><form name="cse" id="searchbox" class="form-inline justify-content-end" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /><div class="input-group"> <input name="q" class="form-control search-box" type="text" size="30" /> <button class="btn btn-search input-group-addon my-2 my-sm-0 fa fa-search" type="submit"></button></div></form></div></nav></header><div class="container-fluid"><div class="row row-offcanvas row-offcanvas-left"><div class="col-6 col-md-3 col-xl-2 sidebar-offcanvas"><nav class="sidebar"><div class="spacer"></div><div class="directory" role="tablist"><div class="card"><div class="card-header" role="tab" id="header1"> <a data-toggle="collapse" href="#collapse1" title="Concepts help you learn about the different parts of the Istio system and the abstractions it uses." role="button" aria-controls="collapse1"><div> Concepts</div></a></div><div id="collapse1" class="collapse show" data-parent="#sidebar" role="tabpanel" aria-labelledby="header1"><div class="card-body"><ul class="tree"><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="A broad overview of the Istio system." href="/v0.6/docs/concepts/what-is-istio">What is Istio?</a> </label><ul class="tree collapse"><li> <a title="Provides a conceptual introduction to Istio, including the problems it solves and its high-level architecture." href="/v0.6/docs/concepts/what-is-istio/overview.html">Overview</a></li><li> <a title="Describes the core principles that Istio's design adheres to." href="/v0.6/docs/concepts/what-is-istio/goals.html">Design Goals</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-down'></i> <a class="" title="Describes the various Istio features focused on traffic routing and control." href="/v0.6/docs/concepts/traffic-management">Traffic Management</a> </label><ul class="tree"><li> <a title="Provides a conceptual overview of traffic management in Istio and the features it enables." href="/v0.6/docs/concepts/traffic-management/overview.html">Overview</a></li><li> <a title="Introduces Pilot, the component responsible for managing a distributed deployment of Envoy proxies in the service mesh." href="/v0.6/docs/concepts/traffic-management/pilot.html">Pilot</a></li><li> <a title="Describes how requests are routed between services in an Istio service mesh." href="/v0.6/docs/concepts/traffic-management/request-routing.html">Request Routing</a></li><li> <a title="Describes how traffic is load balanced across instances of a service in the mesh." href="/v0.6/docs/concepts/traffic-management/load-balancing.html">Discovery & Load Balancing</a></li><li> <a title="An overview of failure recovery capabilities in Envoy that can be leveraged by unmodified applications to improve robustness and prevent cascading failures." href="/v0.6/docs/concepts/traffic-management/handling-failures.html">Handling Failures</a></li><li> <a title="Introduces the idea of systematic fault injection that can be used to uncover conflicting failure recovery policies across services." href="/v0.6/docs/concepts/traffic-management/fault-injection.html">Fault Injection</a></li><li> <span class="current" title="Provides a high-level overview of the domain-specific language used by Istio to configure traffic management rules in the service mesh.">Rules Configuration</span></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Describes Istio's authorization and authentication functionality." href="/v0.6/docs/concepts/security">Security</a> </label><ul class="tree collapse"><li> <a title="Describes Istio's mutual TLS authentication architecture which provides a strong service identity and secure communication channels between services." href="/v0.6/docs/concepts/security/mutual-tls.html">Mutual TLS Authentication</a></li><li> <a title="Describes Istio RBAC which provides access control for services in Istio Mesh." href="/v0.6/docs/concepts/security/rbac.html">Istio Role-Based Access Control (RBAC)</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Introduces the policy control mechanisms." href="/v0.6/docs/concepts/policy-and-control">Policies and Control</a> </label><ul class="tree collapse"><li> <a title="Explains the important notion of attributes, which is a central mechanism for how policies and control are applied to services within the mesh." href="/v0.6/docs/concepts/policy-and-control/attributes.html">Attributes</a></li><li> <a title="Architectural deep-dive into the design of Mixer, which provides the policy and control mechanisms within the service mesh." href="/v0.6/docs/concepts/policy-and-control/mixer.html">Mixer</a></li><li> <a title="An overview of the key concepts used to configure Mixer." href="/v0.6/docs/concepts/policy-and-control/mixer-config.html">Mixer Configuration</a></li></ul></li></ul></div></div></div><div class="card"><div class="card-header" role="tab" id="header20"> <a data-toggle="collapse" href="#collapse20" title="Setup contains instructions for installing the Istio control plane in various environments (e.g., Kubernetes, Consul, etc.), as well as instructions for installing the sidecar in the application deployment." role="button" aria-controls="collapse20"><div> Setup</div></a></div><div id="collapse20" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header20"><div class="card-body"><ul class="tree"><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Instructions for installing the Istio control plane on Kubernetes and adding VMs into the mesh." href="/v0.6/docs/setup/kubernetes">Kubernetes</a> </label><ul class="tree collapse"><li> <a title="Quick Start instructions to setup the Istio service mesh in a Kubernetes cluster." href="/v0.6/docs/setup/kubernetes/quick-start.html">Quick Start</a></li><li> <a title="Quick Start instructions to setup the Istio service using Google Kubernetes Engine (GKE)" href="/v0.6/docs/setup/kubernetes/quick-start-gke-dm.html">Quick Start with Google Kubernetes Engine</a></li><li> <a title="Instructions for the setup and configuration of Istio using the Helm package manager." href="/v0.6/docs/setup/kubernetes/helm.html">Istio Helm Chart Instructions</a></li><li> <a title="Instructions on using the included Ansible playbook to perform installation." href="/v0.6/docs/setup/kubernetes/ansible-install.html">Installing with Ansible</a></li><li> <a title="Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href="/v0.6/docs/setup/kubernetes/sidecar-injection.html">Installing Istio Sidecar</a></li><li> <a title="Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href="/v0.6/docs/setup/kubernetes/mesh-expansion.html">Istio Mesh Expansion</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.6/docs/setup/consul">Nomad & Consul</a> </label><ul class="tree collapse"><li> <a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.6/docs/setup/consul/quick-start.html">Quick Start on Docker</a></li><li> <a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href="/v0.6/docs/setup/consul/install.html">Installation</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Instructions for installing the Istio control plane in a Eureka based environment." href="/v0.6/docs/setup/eureka">Eureka</a> </label><ul class="tree collapse"><li> <a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href="/v0.6/docs/setup/eureka/quick-start.html">Quick Start on Docker</a></li><li> <a title="Instructions for installing the Istio control plane in an Eureka based environment." href="/v0.6/docs/setup/eureka/install.html">Installation</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Instructions for installing the Istio control plane in Cloud Foundry." href="/v0.6/docs/setup/cloudfoundry">Cloud Foundry</a> </label><ul class="tree collapse"><li> <a title="Instructions for installing the Istio control plane in Cloud Foundry." href="/v0.6/docs/setup/cloudfoundry/install.html">Installation</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Instructions for installing the Istio control plane in Apache Mesos." href="/v0.6/docs/setup/mesos">Mesos</a> </label><ul class="tree collapse"><li> <a title="Instructions for installing the Istio control plane in Apache Mesos." href="/v0.6/docs/setup/mesos/install.html">Installation</a></li></ul></li></ul></div></div></div><div class="card"><div class="card-header" role="tab" id="header38"> <a data-toggle="collapse" href="#collapse38" title="Tasks show you how to do a single specific targeted activity with the Istio system." role="button" aria-controls="collapse38"><div> Tasks</div></a></div><div id="collapse38" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header38"><div class="card-body"><ul class="tree"><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Describes tasks that demonstrate traffic routing features of Istio service mesh." href="/v0.6/docs/tasks/traffic-management">Traffic Management</a> </label><ul class="tree collapse"><li> <a title="This task shows you how to configure dynamic request routing based on weights and HTTP headers." href="/v0.6/docs/tasks/traffic-management/request-routing.html">Configuring Request Routing</a></li><li> <a title="This task shows how to inject delays and test the resiliency of your application." href="/v0.6/docs/tasks/traffic-management/fault-injection.html">Fault Injection</a></li><li> <a title="This task shows you how to migrate traffic from an old to new version of a service." href="/v0.6/docs/tasks/traffic-management/traffic-shifting.html">Traffic Shifting</a></li><li> <a title="This task shows you how to setup request timeouts in Envoy using Istio." href="/v0.6/docs/tasks/traffic-management/request-timeouts.html">Setting Request Timeouts</a></li><li> <a title="Describes how to configure Istio Ingress on Kubernetes." href="/v0.6/docs/tasks/traffic-management/ingress.html">Istio Ingress</a></li><li> <a title="Describes how to configure Istio to route traffic from services in the mesh to external services." href="/v0.6/docs/tasks/traffic-management/egress.html">Control Egress Traffic</a></li><li> <a title="Describes how to configure Istio to route TCP traffic from services in the mesh to external services." href="/v0.6/docs/tasks/traffic-management/egress-tcp.html">Control Egress TCP Traffic</a></li><li> <a title="This task demonstrates the circuit-breaking capability for resilient applications" href="/v0.6/docs/tasks/traffic-management/circuit-breaking.html">Circuit Breaking</a></li><li> <a title="Demonstrates Istio's traffic shadowing/mirroring capabilities" href="/v0.6/docs/tasks/traffic-management/mirroring.html">Mirroring</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Describes tasks that demonstrate policy enforcement features." href="/v0.6/docs/tasks/policy-enforcement">Policy Enforcement</a> </label><ul class="tree collapse"><li> <a title="This task shows you how to use Istio to dynamically limit the traffic to a service." href="/v0.6/docs/tasks/policy-enforcement/rate-limiting.html">Enabling Rate Limits</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Describes tasks that demonstrate how to collect telemetry information from the service mesh." href="/v0.6/docs/tasks/telemetry">Metrics, Logs, and Traces</a> </label><ul class="tree collapse"><li> <a title="How to configure the proxies to send tracing requests to Zipkin or Jaeger" href="/v0.6/docs/tasks/telemetry/distributed-tracing.html">Distributed Tracing</a></li><li> <a title="This task shows you how to configure Istio to collect metrics and logs." href="/v0.6/docs/tasks/telemetry/metrics-logs.html">Collecting Metrics and Logs</a></li><li> <a title="This task shows you how to configure Istio to collect metrics for TCP services." href="/v0.6/docs/tasks/telemetry/tcp-metrics.html">Collecting Metrics for TCP services</a></li><li> <a title="This task shows you how to query for Istio Metrics using Prometheus." href="/v0.6/docs/tasks/telemetry/querying-metrics.html">Querying Metrics from Prometheus</a></li><li> <a title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href="/v0.6/docs/tasks/telemetry/using-istio-dashboard.html">Visualizing Metrics with Grafana</a></li><li> <a title="This task shows you how to generate a graph of services within an Istio mesh." href="/v0.6/docs/tasks/telemetry/servicegraph.html">Generating a Service Graph</a></li><li> <a title="This task shows you how to configure Istio to log to a Fluentd daemon" href="/v0.6/docs/tasks/telemetry/fluentd.html">Logging with Fluentd</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Describes tasks that help securing the service mesh traffic." href="/v0.6/docs/tasks/security">Security</a> </label><ul class="tree collapse"><li> <a title="This task shows you how to verify and test Istio's automatic mutual TLS authentication." href="/v0.6/docs/tasks/security/mutual-tls.html">Testing Istio mutual TLS authentication</a></li><li> <a title="This task shows how to control access to a service using the Kubernetes labels." href="/v0.6/docs/tasks/security/basic-access-control.html">Setting up Basic Access Control</a></li><li> <a title="This task shows how to securely control access to a service using service accounts." href="/v0.6/docs/tasks/security/secure-access-control.html">Setting up Secure Access Control</a></li><li> <a title="This task shows how to set up role-based access control for services in Istio mesh." href="/v0.6/docs/tasks/security/role-based-access-control.html">Setting up Istio Role-Based Access Control</a></li><li> <a title="This task shows how to change mutual TLS authentication for a single service." href="/v0.6/docs/tasks/security/per-service-mtls.html">Per-service mutual TLS authentication enablement</a></li><li> <a title="This task shows how operators can plug existing certificate and key into Istio CA." href="/v0.6/docs/tasks/security/plugin-ca-cert.html">Plugging in CA certificate and key</a></li><li> <a title="This task shows how to enable Istio CA health check." href="/v0.6/docs/tasks/security/health-check.html">Enabling Istio CA health check</a></li></ul></li></ul></div></div></div><div class="card"><div class="card-header" role="tab" id="header67"> <a data-toggle="collapse" href="#collapse67" title="Guides include a variety of fully working example uses for Istio that you can experiment with." role="button" aria-controls="collapse67"><div> Guides</div></a></div><div id="collapse67" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header67"><div class="card-body"><ul class="tree"><li> <a title="This guide deploys a sample application composed of four separate microservices which will be used to demonstrate various features of the Istio service mesh." href="/v0.6/docs/guides/bookinfo.html">Bookinfo</a></li><li> <a title="This guide demonstrates how to use various traffic management capabilities of an Istio service mesh." href="/v0.6/docs/guides/intelligent-routing.html">Intelligent Routing</a></li><li> <a title="This sample demonstrates how to obtain uniform metrics, logs, traces across different services using Istio Mixer and Istio sidecar." href="/v0.6/docs/guides/telemetry.html">In-Depth Telemetry</a></li><li> <a title="This sample deploys the Bookinfo services across Kubernetes and a set of virtual machines, and illustrates how to use the Istio service mesh to control this infrastructure as a single mesh." href="/v0.6/docs/guides/integrating-vms.html">Integrating Virtual Machines</a></li></ul></div></div></div><div class="card"><div class="card-header" role="tab" id="header72"> <a data-toggle="collapse" href="#collapse72" title="The Reference section contains detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." role="button" aria-controls="collapse72"><div> Reference</div></a></div><div id="collapse72" class="collapse" data-parent="#sidebar" role="tabpanel" aria-labelledby="header72"><div class="card-body"><ul class="tree"><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Detailed information on API parameters." href="/v0.6/docs/reference/api">API</a> </label><ul class="tree collapse"><li> <a title="API definitions to interact with Mixer" href="/v0.6/docs/reference/api/istio.mixer.v1.html">Mixer</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Detailed information on configuration options." href="/v0.6/docs/reference/config">Configuration</a> </label><ul class="tree collapse"><li> <a title="Configuration affecting the service mesh as a whole" href="/v0.6/docs/reference/config/istio.mesh.v1alpha1.html">Service Mesh</a></li><li> <a title="Configuration state for the Mixer client library" href="/v0.6/docs/reference/config/istio.mixer.v1.config.client.html">Mixer Client</a></li><li> <a title="Describes the rules used to configure Mixer's policy and telemetry features." href="/v0.6/docs/reference/config/istio.mixer.v1.config.html">Policy and Telemetry Rules</a></li><li> <a title="Configuration affecting resource-based access control" href="/v0.6/docs/reference/config/istio.rbac.v1alpha1.html">RBAC</a></li><li> <a title="Configuration affecting traffic routing" href="/v0.6/docs/reference/config/istio.routing.v1alpha1.html">Route Rules Alpha 1</a></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Detailed information on configuration and API exposed by Mixer." href="/v0.6/docs/reference/config/mixer">Mixer</a> </label><ul class="tree collapse"><li> <a title="Definitions used when creating Mixer templates" href="/v0.6/docs/reference/config/mixer/istio.mixer.adapter.model.v1beta1.html">Mixer Adapter Model</a></li><li> <a title="Value types used with templates" href="/v0.6/docs/reference/config/mixer/istio.mixer.v1.config.descriptor.html">Value Type</a></li><li> <a title="Definitions used when creating Mixer templates" href="/v0.6/docs/reference/config/mixer/istio.mixer.v1.template.html">Template Metadata</a></li><li> <a title="Describes the base attribute vocabulary used for policy and control." href="/v0.6/docs/reference/config/mixer/attribute-vocabulary.html">Attribute Vocabulary</a></li><li> <a title="Mixer config expression language reference." href="/v0.6/docs/reference/config/mixer/expression-language.html">Expression Language</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Generated documentation for Mixer's adapters." href="/v0.6/docs/reference/config/adapters">Adapters</a> </label><ul class="tree collapse"><li> <a title="Adapter for circonus.com's monitoring solution." href="/v0.6/docs/reference/config/adapters/circonus.html">Circonus</a></li><li> <a title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog" href="/v0.6/docs/reference/config/adapters/datadog.html">Datadog</a></li><li> <a title="Adapter that always returns a precondition denial." href="/v0.6/docs/reference/config/adapters/denier.html">Denier</a></li><li> <a title="Adapter that delivers logs to a fluentd daemon." href="/v0.6/docs/reference/config/adapters/fluentd.html">Fluentd</a></li><li> <a title="Adapter that extracts information from a Kubernetes environment." href="/v0.6/docs/reference/config/adapters/kubernetesenv.html">Kubernetes Env</a></li><li> <a title="Adapter that performs whitelist or blacklist checks" href="/v0.6/docs/reference/config/adapters/list.html">List</a></li><li> <a title="Adapter for a simple in-memory quota management system." href="/v0.6/docs/reference/config/adapters/memquota.html">Memory quota</a></li><li> <a title="Adapter that implements an Open Policy Agent engine" href="/v0.6/docs/reference/config/adapters/opa.html">OPA</a></li><li> <a title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href="/v0.6/docs/reference/config/adapters/prometheus.html">Prometheus</a></li><li> <a title="Adapter that exposes Istio's Role-Based Access Control model." href="/v0.6/docs/reference/config/adapters/rbac.html">RBAC</a></li><li> <a title="Adapter for a Redis-based quota management system." href="/v0.6/docs/reference/config/adapters/redisquota.html">Redis Quota</a></li><li> <a title="Adapter that delivers logs and metrics to Google Service Control" href="/v0.6/docs/reference/config/adapters/servicecontrol.html">Service Control</a></li><li> <a title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends" href="/v0.6/docs/reference/config/adapters/solarwinds.html">SolarWinds</a></li><li> <a title="Adapter to deliver logs and metrics to Stackdriver" href="/v0.6/docs/reference/config/adapters/stackdriver.html">Stackdriver</a></li><li> <a title="Adapter to deliver metrics to a StatsD backend" href="/v0.6/docs/reference/config/adapters/statsd.html">StatsD</a></li><li> <a title="Adapter for outputting logs and metrics locally." href="/v0.6/docs/reference/config/adapters/stdio.html">Stdio</a></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Generated documentation for Mixer's Templates." href="/v0.6/docs/reference/config/template">Templates</a> </label><ul class="tree collapse"><li> <a title="A template that represents a single API key." href="/v0.6/docs/reference/config/template/apikey.html">API Key</a></li><li> <a title="A template used to represent an access control query." href="/v0.6/docs/reference/config/template/authorization.html">Authorization</a></li><li> <a title="A template that carries no data, useful for testing." href="/v0.6/docs/reference/config/template/checknothing.html">Check Nothing</a></li><li> <a title="A template that is used to control the production of Kubernetes-specific attributes." href="/v0.6/docs/reference/config/template/kubernetes.html">Kubernetes</a></li><li> <a title="A template designed to let you perform list checking operations." href="/v0.6/docs/reference/config/template/listentry.html">List Entry</a></li><li> <a title="A template that represents a single runtime log entry." href="/v0.6/docs/reference/config/template/logentry.html">Log Entry</a></li><li> <a title="A template that represents a single runtime metric." href="/v0.6/docs/reference/config/template/metric.html">Metric</a></li><li> <a title="A template that represents a quota allocation request" href="/v0.6/docs/reference/config/template/quota.html">Quota</a></li><li> <a title="A template that carries no data, useful for testing." href="/v0.6/docs/reference/config/template/reportnothing.html">Report Nothing</a></li><li> <a title="A template used by the Google Service Control adapter." href="/v0.6/docs/reference/config/template/servicecontrolreport.html">Service Control Report</a></li></ul></li></ul></li><li class="sublist"> <label class='tree-toggle'> <i class='fa fa-lg fa-caret-right'></i> <a class="" title="Describes usage and options of the Istio commands and utilities." href="/v0.6/docs/reference/commands">Commands</a> </label><ul class="tree collapse"><li> <a title="Istio Certificate Authority (CA)" href="/v0.6/docs/reference/commands/istio_ca.html">istio_ca</a></li><li> <a title="Istio control interface" href="/v0.6/docs/reference/commands/istioctl.html">istioctl</a></li><li> <a title="Utility to trigger direct calls to Mixer&#39;s API." href="/v0.6/docs/reference/commands/mixc.html">mixc</a></li><li> <a title="Mixer is Istio&#39;s abstraction on top of infrastructure backends." href="/v0.6/docs/reference/commands/mixs.html">mixs</a></li><li> <a title="Istio security per-node agent" href="/v0.6/docs/reference/commands/node_agent.html">node_agent</a></li><li> <a title="Istio Pilot agent" href="/v0.6/docs/reference/commands/pilot-agent.html">pilot-agent</a></li><li> <a title="Istio Pilot" href="/v0.6/docs/reference/commands/pilot-discovery.html">pilot-discovery</a></li><li> <a title="Kubernetes webhook for automatic Istio sidecar injection" href="/v0.6/docs/reference/commands/sidecar-injector.html">sidecar-injector</a></li></ul></li><li> <a title="How to write Istio config YAML content." href="/v0.6/docs/reference/writing-config.html">Writing Configuration</a></li></ul></div></div></div></div></nav></div><div class="col-12 col-md-9 col-lg-7 col-xl-8"><p class="d-md-none"> <label class="sidebar-toggler" data-toggle="offcanvas"> <i class="fa fa-chevron-right"></i> </label></p><main role="main"><h1>Rules Configuration</h1><p>Istio provides a simple Domain-specific language (DSL) to control how API calls and layer-4 traffic flow across various services in the application deployment. The DSL allows the operator to configure service-level properties such as circuit breakers, timeouts, retries, as well as set up common continuous deployment tasks such as canary rollouts, A/B testing, staged rollouts with %-based traffic splits, etc. See <a href="/v0.6/docs/reference/config/istio.routing.v1alpha1.html">routing rules reference</a> for detailed information.</p><p>For example, a simple rule to send 100% of incoming traffic for a “reviews” service to version “v1” can be described using the Rules DSL as follows:</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-default</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">weight</span><span class="pi">:</span> <span class="s">100</span>
</code></pre></div></div><p>The destination is the name of the service to which the traffic is being routed. The route <em>labels</em> identify the specific service instances that will recieve traffic. For example, in a Kubernetes deployment of Istio, the route <em>label</em> “version: v1” indicates that only pods containing the label “version: v1” will receive traffic.</p><p>Rules can be configured using the <a href="/v0.6/docs/reference/commands/istioctl.html">istioctl CLI</a>, or in a Kubernetes deployment using the <code class="highlighter-rouge">kubectl</code> command instead. See the <a href="/v0.6/docs/tasks/traffic-management/request-routing.html">configuring request routing task</a> for examples.</p><p>There are three kinds of traffic management rules in Istio: <strong>Route Rules</strong>, <strong>Destination Policies</strong> (these are not the same as Mixer policies), and <strong>Egress Rules</strong>. All three kinds of rules control how requests are routed to a destination service.</p><h2 id="route-rules">Route Rules</h2><p>Route rules control how requests are routed within an Istio service mesh. For example, a route rule could route requests to different versions of a service. Requests can be routed based on the source and destination, HTTP header fields, and weights associated with individual service versions. The following important aspects must be kept in mind while writing route rules:</p><h3 id="qualify-rules-by-destination">Qualify rules by destination</h3><p>Every rule corresponds to some destination service identified by a <em>destination</em> field in the rule. For example, rules that apply to calls to the “reviews” service will typically include at least the following.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
</code></pre></div></div><p>The <em>destination</em> value specifies, implicitly or explicitly, a fully qualified domain name (FQDN). It is used by Istio Pilot for matching rules to services.</p><p>Normally, the FQDN of the service is composed from three components: <em>name</em>, <em>namespace</em>, and <em>domain</em>:</p><div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>FQDN = name + "." + namespace + "." + domain
</code></pre></div></div><p>These fields can be explicitly specified as follows.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span>
<span class="na">domain</span><span class="pi">:</span> <span class="s">svc.cluster.local</span>
</code></pre></div></div><p>More commonly, to simplify and maximize reuse of the rule (for example, to use the same rule in more than one namespace or domain), the rule destination specifies only the <em>name</em> field, relying on defaults for the other two.</p><p>The default value for the <em>namespace</em> is the namespace of the rule itself, which can be specified in the <em>metadata</em> field of the rule, or during rule install using the <code class="highlighter-rouge">istioctl -n &lt;namespace&gt; create</code> or <code class="highlighter-rouge">kubectl -n &lt;namespace&gt; create</code> command. The default value of the <em>domain</em> field is implementation specific. In Kubernetes, for example, the default value is <code class="highlighter-rouge">svc.cluster.local</code>.</p><p>In some cases, such as when referring to external services in egress rules or on platforms where <em>namespace</em> and <em>domain</em> are not meaningful, an alternative <em>service</em> field can be used to explicitly specify the destination:</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">destination</span><span class="pi">:</span>
<span class="na">service</span><span class="pi">:</span> <span class="s">my-service.com</span>
</code></pre></div></div><p>When the <em>service</em> field is specified, all other implicit or explicit values of the other fields are ignored.</p><h3 id="qualify-rules-by-sourceheaders">Qualify rules by source/headers</h3><p>Rules can optionally be qualified to only apply to requests that match some specific criteria such as the following:</p><p><em>1. Restrict to a specific caller</em>. For example, the following rule only applies to calls from the “reviews” service.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-to-ratings</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">match</span><span class="pi">:</span>
<span class="na">source</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="s">...</span>
</code></pre></div></div><p>The <em>source</em> value, just like <em>destination</em>, specifies a FQDN of a service, either implicitly or explicitly.</p><p><em>2. Restrict to specific versions of the caller</em>. For example, the following rule refines the previous example to only apply to calls from version “v2” of the “reviews” service.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-v2-to-ratings</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">match</span><span class="pi">:</span>
<span class="na">source</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v2</span>
<span class="s">...</span>
</code></pre></div></div><p><em>3. Select rule based on HTTP headers</em>. For example, the following rule will only apply to an incoming request if it includes a “cookie” header that contains the substring “user=jason”.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-jason</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">match</span><span class="pi">:</span>
<span class="na">request</span><span class="pi">:</span>
<span class="na">headers</span><span class="pi">:</span>
<span class="na">cookie</span><span class="pi">:</span>
<span class="na">regex</span><span class="pi">:</span> <span class="s2">"</span><span class="s">^(.*?;)?(user=jason)(;.*)?$"</span>
<span class="s">...</span>
</code></pre></div></div><p>If more than one header is provided, then all of the corresponding headers must match for the rule to apply.</p><p>Multiple criteria can be set simultaneously. In such a case, AND semantics apply. For example, the following rule only applies if the source of the request is “reviews:v2” AND the “cookie” header containing “user=jason” is present.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-reviews-jason</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">match</span><span class="pi">:</span>
<span class="na">source</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v2</span>
<span class="na">request</span><span class="pi">:</span>
<span class="na">headers</span><span class="pi">:</span>
<span class="na">cookie</span><span class="pi">:</span>
<span class="na">regex</span><span class="pi">:</span> <span class="s2">"</span><span class="s">^(.*?;)?(user=jason)(;.*)?$"</span>
<span class="s">...</span>
</code></pre></div></div><h3 id="split-traffic-between-service-versions">Split traffic between service versions</h3><p>Each route rule identifies one or more weighted backends to call when the rule is activated. Each backend corresponds to a specific version of the destination service, where versions can be expressed using <em>labels</em>.</p><p>If there are multiple registered instances with the specified tag(s), they will be routed to based on the load balancing policy configured for the service, or round-robin by default.</p><p>For example, the following rule will route 25% of traffic for the “reviews” service to instances with the “v2” tag and the remaining traffic (i.e., 75%) to “v1”.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-v2-rollout</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v2</span>
<span class="na">weight</span><span class="pi">:</span> <span class="s">25</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">weight</span><span class="pi">:</span> <span class="s">75</span>
</code></pre></div></div><h3 id="timeouts-and-retries">Timeouts and retries</h3><p>By default, the timeout for http requests is 15 seconds, but this can be overridden in a route rule as follows:</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-timeout</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">httpReqTimeout</span><span class="pi">:</span>
<span class="na">simpleTimeout</span><span class="pi">:</span>
<span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span>
</code></pre></div></div><p>The number of retries for a given http request can also be specified in a route rule. The maximum number of attempts, or as many as possible within the default or overridden timeout period, can be set as follows:</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-retry</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">httpReqRetries</span><span class="pi">:</span>
<span class="na">simpleRetry</span><span class="pi">:</span>
<span class="na">attempts</span><span class="pi">:</span> <span class="s">3</span>
</code></pre></div></div><p>Note that request timeouts and retries can also be <a href="./handling-failures.html#fine-tuning">overridden on a per-request basis</a>.</p><p>See the <a href="/v0.6/docs/tasks/traffic-management/request-timeouts.html">request timeouts task</a> for a demonstration of timeout control.</p><h3 id="injecting-faults-in-the-request-path">Injecting faults in the request path</h3><p>A route rule can specify one or more faults to inject while forwarding http requests to the rules corresponding request destination. The faults can be either delays or aborts.</p><p>The following example will introduce a 5 second delay in 10% of the requests to the “v1” version of the “reviews” microservice.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-delay</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">httpFault</span><span class="pi">:</span>
<span class="na">delay</span><span class="pi">:</span>
<span class="na">percent</span><span class="pi">:</span> <span class="s">10</span>
<span class="na">fixedDelay</span><span class="pi">:</span> <span class="s">5s</span>
</code></pre></div></div><p>The other kind of fault, abort, can be used to prematurely terminate a request, for example, to simulate a failure.</p><p>The following example will return an HTTP 400 error code for 10% of the requests to the “ratings” service “v1”.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-abort</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">httpFault</span><span class="pi">:</span>
<span class="na">abort</span><span class="pi">:</span>
<span class="na">percent</span><span class="pi">:</span> <span class="s">10</span>
<span class="na">httpStatus</span><span class="pi">:</span> <span class="s">400</span>
</code></pre></div></div><p>Sometimes delays and abort faults are used together. For example, the following rule will delay by 5 seconds all requests from the “reviews” service “v2” to the “ratings” service “v1” and then abort 10 percent of them:</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-delay-abort</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">match</span><span class="pi">:</span>
<span class="na">source</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v2</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">httpFault</span><span class="pi">:</span>
<span class="na">delay</span><span class="pi">:</span>
<span class="na">fixedDelay</span><span class="pi">:</span> <span class="s">5s</span>
<span class="na">abort</span><span class="pi">:</span>
<span class="na">percent</span><span class="pi">:</span> <span class="s">10</span>
<span class="na">httpStatus</span><span class="pi">:</span> <span class="s">400</span>
</code></pre></div></div><p>To see fault injection in action, see the <a href="/v0.6/docs/tasks/traffic-management/fault-injection.html">fault injection task</a>.</p><h3 id="rules-have-precedence">Rules have precedence</h3><p>Multiple route rules could be applied to the same destination. The order of evaluation of rules corresponding to a given destination, when there is more than one, can be specified by setting the <em>precedence</em> field of the rule.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">precedence</span><span class="pi">:</span> <span class="s">1</span>
</code></pre></div></div><p>The precedence field is an optional integer value, 0 by default. Rules with higher precedence values are evaluated first. <em>If there is more than one rule with the same precedence value the order of evaluation is undefined.</em></p><p><strong>When is precedence useful?</strong> Whenever the routing story for a particular service is purely weight based, it can be specified in a single rule, as shown in the earlier example. When, on the other hand, other criteria (e.g., requests from a specific user) are being used to route traffic, more than one rule will be needed to specify the routing. This is where the rule <em>precedence</em> field must be set to make sure that the rules are evaluated in the right order.</p><p>A common pattern for generalized route specification is to provide one or more higher priority rules that qualify rules by source/headers to specific destinations, and then provide a single weight-based rule with no match criteria at the lowest priority to provide the weighted distribution of traffic for all other cases.</p><p>For example, the following 2 rules, together, specify that all requests for the “reviews” service that includes a header named “Foo” with the value “bar” will be sent to the “v2” instances. All remaining requests will be sent to “v1”.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-foo-bar</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">precedence</span><span class="pi">:</span> <span class="s">2</span>
<span class="na">match</span><span class="pi">:</span>
<span class="na">request</span><span class="pi">:</span>
<span class="na">headers</span><span class="pi">:</span>
<span class="na">Foo</span><span class="pi">:</span> <span class="s">bar</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v2</span>
<span class="nn">---</span>
<span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-default</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">precedence</span><span class="pi">:</span> <span class="s">1</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">weight</span><span class="pi">:</span> <span class="s">100</span>
</code></pre></div></div><p>Notice that the header-based rule has the higher precedence (2 vs. 1). If it was lower, these rules wouldnt work as expected since the weight-based rule, with no specific match criteria, would be evaluated first which would then simply route all traffic to “v1”, even requests that include the matching “Foo” header. Once a rule is found that applies to the incoming request, it will be executed and the rule-evaluation process will terminate. Thats why its very important to carefully consider the priorities of each rule when there is more than one.</p><h2 id="destination-policies">Destination policies</h2><p>Destination policies describe various routing related policies associated with a particular service or version, such as the load balancing algorithm, the configuration of circuit breakers, health checks, etc.</p><p>Unlike route rules, destination policies cannot be qualified based on attributes of a request other than the calling service, but they can be restricted to apply to requests that are routed to destination backends with specific labels. For example, the following load balancing policy will only apply to requests targeting the “v1” version of the “ratings” microservice that are called from version “v2” of the “reviews” service.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationPolicy</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings-lb-policy</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">source</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v2</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ratings</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">loadBalancing</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">ROUND_ROBIN</span>
</code></pre></div></div><h3 id="circuit-breakers">Circuit breakers</h3><p>A simple circuit breaker can be set based on a number of criteria such as connection and request limits.</p><p>For example, the following destination policy sets a limit of 100 connections to “reviews” service version “v1” backends.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationPolicy</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-v1-cb</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">circuitBreaker</span><span class="pi">:</span>
<span class="na">simpleCb</span><span class="pi">:</span>
<span class="na">maxConnections</span><span class="pi">:</span> <span class="s">100</span>
</code></pre></div></div><p>The complete set of simple circuit breaker fields can be found <a href="/v0.6/docs/reference/config/istio.routing.v1alpha1.html#CircuitBreaker">here</a>.</p><h3 id="destination-policy-evaluation">Destination policy evaluation</h3><p>Similar to route rules, destination policies are associated with a particular <em>destination</em> however if they also include <em>labels</em> their activation depends on route rule evaluation results.</p><p>The first step in the rule evaluation process evaluates the route rules for a <em>destination</em>, if any are defined, to determine the labels (i.e., specific version) of the destination service that the current request will be routed to. Next, the set of destination policies, if any, are evaluated to determine if they apply.</p><p><strong>NOTE:</strong> One subtlety of the algorithm to keep in mind is that policies that are defined for specific tagged destinations will only be applied if the corresponding tagged instances are explicitly routed to. For example, consider the following rule, as the one and only rule defined for the “reviews” service.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">DestinationPolicy</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-v1-cb</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">circuitBreaker</span><span class="pi">:</span>
<span class="na">simpleCb</span><span class="pi">:</span>
<span class="na">maxConnections</span><span class="pi">:</span> <span class="s">100</span>
</code></pre></div></div><p>Since there is no specific route rule defined for the “reviews” service, default round-robin routing behavior will apply, which will presumably call “v1” instances on occasion, maybe even always if “v1” is the only running version. Nevertheless, the above policy will never be invoked since the default routing is done at a lower level. The rule evaluation engine will be unaware of the final destination and therefore unable to match the destination policy to the request.</p><p>You can fix the above example in one of two ways. You can either remove the <code class="highlighter-rouge">labels:</code> from the rule, if “v1” is the only instance anyway, or, better yet, define proper route rules for the service. For example, you can add a simple route rule for “reviews:v1”.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews-default</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">reviews</span>
<span class="na">route</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">labels</span><span class="pi">:</span>
<span class="na">version</span><span class="pi">:</span> <span class="s">v1</span>
</code></pre></div></div><p>Although the default Istio behavior conveniently sends traffic from all versions of a source service to all versions of a destination service without any rules being set, as soon as version discrimination is desired rules are going to be needed. Therefore, setting a default rule for every service, right from the start, is generally considered a best practice in Istio.</p><h2 id="egress-rules">Egress Rules</h2><p>Egress rules are used to enable requests to services outside of an Istio service mesh. For example, the following rule can be used to allow external calls to services hosted under the <code class="highlighter-rouge">*.foo.com</code> domain.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">EgressRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">foo-egress-rule</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">service</span><span class="pi">:</span> <span class="err">*</span><span class="s">.foo.com</span>
<span class="na">ports</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">80</span>
<span class="na">protocol</span><span class="pi">:</span> <span class="s">http</span>
<span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="s">443</span>
<span class="na">protocol</span><span class="pi">:</span> <span class="s">https</span>
</code></pre></div></div><p>The destination of an egress rule is specified using the <em>service</em> field, which can be either a fully qualified or wildcard domain name. It represents a white listed set of one or more external services that services in the mesh are allowed to access. The supported wildcard syntax can be found <a href="/v0.6/docs/reference/config/istio.routing.v1alpha1.html">here</a>.</p><p>Currently, only HTTP-based services can be expressed using an egress rule, however, TLS origination from the sidecar can be achieved by setting the protocol of the associated service port to “https”, as shown in the above example. The service must be accessed over HTTP (e.g., <code class="highlighter-rouge">http://secure-service.foo.com:443</code>, instead of <code class="highlighter-rouge">https://secure-service.foo.com</code>), however, the sidecar will upgrade the connection to TLS in this case.</p><p>Egress rules work well in conjunction with route rules and destination policies as long as they refer to the external services using the exact same specification for the destination service as the corresponding egress rule. For example, the following rule can be used in conjunction with the above egress rule to set a 10s timeout for calls to the external services.</p><div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">config.istio.io/v1alpha2</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">RouteRule</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">foo-timeout-rule</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">destination</span><span class="pi">:</span>
<span class="na">service</span><span class="pi">:</span> <span class="err">*</span><span class="s">.foo.com</span>
<span class="na">httpReqTimeout</span><span class="pi">:</span>
<span class="na">simpleTimeout</span><span class="pi">:</span>
<span class="na">timeout</span><span class="pi">:</span> <span class="s">10s</span>
</code></pre></div></div><p>Destination policies and route rules to redirect and forward traffic, to define retry, timeout and fault injection policies are all supported for external destinations. Weighted (version-based) routing is not possible, however, since there is no notion of multiple versions of an external service.</p></main></div><div class="col-12 col-md-2 d-none d-lg-block"><nav class="toc"><div class="spacer"></div><div class="directory" role="directory"><ul><li><a href="#route-rules">Route Rules</a><ul><li><a href="#qualify-rules-by-destination">Qualify rules by destination</a></li><li><a href="#qualify-rules-by-sourceheaders">Qualify rules by source/headers</a></li><li><a href="#split-traffic-between-service-versions">Split traffic between service versions</a></li><li><a href="#timeouts-and-retries">Timeouts and retries</a></li><li><a href="#injecting-faults-in-the-request-path">Injecting faults in the request path</a></li><li><a href="#rules-have-precedence">Rules have precedence</a></li></ul></li><li><a href="#destination-policies">Destination policies</a><ul><li><a href="#circuit-breakers">Circuit breakers</a></li><li><a href="#destination-policy-evaluation">Destination policy evaluation</a></li></ul></li><li><a href="#egress-rules">Egress Rules</a></li></ul></div></nav></div></div></div><div class="footer"><footer><div class="container-fluid"><div class="row"><div class="col-sm-2"></div><nav class=" col-12 col-sm-3" role="navigation"><ul class="first"><li><a class="header" href="/v0.6/docs/">Docs</a></li><li><a href="/v0.6/docs/concepts/">Concepts</a></li><li><a href="/v0.6/docs/setup/">Setup</a></li><li><a href="/v0.6/docs/tasks/">Tasks</a></li><li><a href="/v0.6/docs/guides/">Guides</a></li><li><a href="/v0.6/docs/reference/">Reference</a></li></ul></nav><nav class="col-12 col-sm-3" role="navigation"><ul><li><a class="header" href="/v0.6/help/">Help</a></li><li><a href="/v0.6/help/faq/index.html">FAQ</a></li><li><a href="/v0.6/help/glossary.html">Glossary</a></li><li><a href="/v0.6/help/troubleshooting.html">Troubleshooting</a></li><li><a href="/v0.6/help/bugs.html">Report Bugs</a></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _docs/concepts/traffic-management/rules-configuration.md" target="_blank" rel="noopener">Doc Bugs & Gaps</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_docs/concepts/traffic-management/rules-configuration.md" target="_blank" rel="noopener">Edit This Page</a></li></ul></nav><nav class="col-12 col-sm-3" role="navigation"><ul><li><a class="header" href="/v0.6/community.html">Community</a></li><li> <a href="https://groups.google.com/forum/#!forum/istio-users" target="_blank" rel="noopener">User</a> | <a href="https://groups.google.com/forum/#!forum/istio-dev" target="_blank" rel="noopener">Dev Mailing Lists</a></li><li><a href="https://twitter.com/IstioMesh" target="_blank" rel="noopener">Twitter</a></li><li><a href="https://stackoverflow.com/questions/tagged/istio" target="_blank" rel="noopener">Stack Overflow</a></li><li><a href="https://github.com/istio/community/" target="_blank" rel="noopener">GitHub</a></li><li><a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md" target="_blank" rel="noopener">Working Groups</a></li></ul></nav></div><div class="row"><div class="col-12"><p class="description text-center" role="contentinfo"> Istio Archive 0.6, Copyright &copy; 2018 Istio Authors<br> Archived on 02-Apr-2018</p></div></div></div></footer></div><script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://www.google.com/cse/brand?form=searchbox"></script> <script src="/v0.6/js/misc.min.js"></script></body></html>
Reference in New Issue View Git Blame Copy Permalink