Admission Control¶
This extension may be referenced by the qualified name envoy.filters.http.admission_control
Note
This extension is functional but has not had substantial production burn time, use only with this caveat.
This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.
Tip
This extension extends and can be used with the following extension category:
Warning
This API is work-in-progress and is subject to breaking changes.
extensions.filters.http.admission_control.v3alpha.AdmissionControl¶
[extensions.filters.http.admission_control.v3alpha.AdmissionControl proto]
{
"enabled": "{...}",
"success_criteria": "{...}",
"sampling_window": "{...}",
"aggression": "{...}",
"sr_threshold": "{...}"
}
- enabled
(config.core.v3.RuntimeFeatureFlag) If set to false, the admission control filter will operate as a pass-through filter. If the message is unspecified, the filter will be enabled.
- success_criteria
(extensions.filters.http.admission_control.v3alpha.AdmissionControl.SuccessCriteria, REQUIRED) Defines how a request is considered a success/failure.
- sampling_window
(Duration) The sliding time window over which the success rate is calculated. The window is rounded to the nearest second. Defaults to 30s.
- aggression
(config.core.v3.RuntimeDouble) Rejection probability is defined by the formula:
max(0, (rq_count - rq_success_count / sr_threshold) / (rq_count + 1)) ^ (1 / aggression)
The aggression dictates how heavily the admission controller will throttle requests upon SR dropping at or below the threshold. A value of 1 will result in a linear increase in rejection probability as SR drops. Any values less than 1.0, will be set to 1.0. If the message is unspecified, the aggression is 1.0. See the admission control documentation for a diagram illustrating this.
- sr_threshold
(config.core.v3.RuntimePercent) Dictates the success rate at which the rejection probability is non-zero. As success rate drops below this threshold, rejection probability will increase. Any success rate above the threshold results in a rejection probability of 0. Defaults to 95%.
extensions.filters.http.admission_control.v3alpha.AdmissionControl.SuccessCriteria¶
[extensions.filters.http.admission_control.v3alpha.AdmissionControl.SuccessCriteria proto]
Default method of specifying what constitutes a successful request. All status codes that indicate a successful request must be explicitly specified if not relying on the default values.
{
"http_criteria": "{...}",
"grpc_criteria": "{...}"
}
- http_criteria
(extensions.filters.http.admission_control.v3alpha.AdmissionControl.SuccessCriteria.HttpCriteria) If HTTP criteria are unspecified, all HTTP status codes below 500 are treated as successful responses.
Note
The default HTTP codes considered successful by the admission controller are done so due to the unlikelihood that sending fewer requests would change their behavior (for example: redirects, unauthorized access, or bad requests won’t be alleviated by sending less traffic).
- grpc_criteria
(extensions.filters.http.admission_control.v3alpha.AdmissionControl.SuccessCriteria.GrpcCriteria) GRPC status codes to consider as request successes. If unspecified, defaults to: Ok, Cancelled, Unknown, InvalidArgument, NotFound, AlreadyExists, Unauthenticated, FailedPrecondition, OutOfRange, PermissionDenied, and Unimplemented.
Note
The default gRPC codes that are considered successful by the admission controller are chosen because of the unlikelihood that sending fewer requests will change the behavior.
extensions.filters.http.admission_control.v3alpha.AdmissionControl.SuccessCriteria.HttpCriteria¶
{
"http_success_status": []
}
- http_success_status
(repeated type.v3.Int32Range, REQUIRED) Status code ranges that constitute a successful request. Configurable codes are in the range [100, 600).
extensions.filters.http.admission_control.v3alpha.AdmissionControl.SuccessCriteria.GrpcCriteria¶
{
"grpc_success_status": []
}
- grpc_success_status
(repeated uint32, REQUIRED) Status codes that constitute a successful request. Mappings can be found at: https://github.com/grpc/grpc/blob/master/doc/statuscodes.md.