MeshCircuitBreaker

This policy uses new policy matching algorithm. Do not combine with CircuitBreaker.

This policy will look for errors in the live traffic being exchanged between our data plane proxies. It will mark a data proxy as unhealthy if certain conditions are met. The policy will ensure that no additional traffic can reach an unhealthy data plane proxy until it is healthy again.

Circuit breakers - unlike active MeshHealthChecks - do not send additional traffic to our data plane proxies but they rather inspect the existing service traffic. They are also commonly used to prevent cascading failures.

Like a real-world circuit breaker when the circuit is closed then traffic between a source and destination data plane proxy is allowed to freely flow through it. When it is open then the traffic is interrupted.

The conditions that determine when a circuit breaker is closed or open are being configured on connection limits or outlier detection basis. For outlier detection to open circuit breaker you can configure what we call detectors. This policy provides 5 different types of detectors, and they are triggered on some deviations in the upstream service behavior. All detectors could coexist on the same outbound interface.

Once one of the detectors has been triggered the corresponding data plane proxy is ejected from the set of the load balancer for a period equal to baseEjectionTime. Every further ejection of the same data plane proxy will further extend the baseEjectionTime multiplied by the number of ejections: for example the fourth ejection will be lasting for a period of time of 4 * baseEjectionTime.

This policy provides passive checks. If you want to configure active checks, please utilize the MeshHealthCheck policy. Data plane proxies with passive checks won’t explicitly send requests to other data plane proxies to determine if target proxies are healthy or not.

TargetRef support matrix

targetRef Allowed kinds
targetRef.kind Mesh, MeshSubset
to[].targetRef.kind Mesh, MeshService
from[].targetRef.kind Mesh

To learn more about the information in this table, see the matching docs.

Configuration

Connection limits

  • maxConnections - (optional) The maximum number of connections allowed to be made to the upstream Envoy Cluster. If not specified then equal to 1024.
  • maxConnectionPools - (optional) The maximum number of connection pools per Envoy Cluster that are concurrently supported at once. Set this for Envoy Clusters which create a large number of connection pools. If not specified, the default is unlimited.
  • maxPendingRequests - (optional) The maximum number of pending requests that are allowed to the upstream Envoy Cluster. This limit is applied as a connection limit for non-HTTP traffic. If not specified then equal to 1024.
  • maxRetries - (optional) The maximum number of parallel retries that will be allowed to the upstream Envoy Cluster. If not specified then equal to 3.
  • maxRequests - (optional) The maximum number of parallel requests that are allowed to be made to the upstream Envoy Cluster. This limit does not apply to non-HTTP traffic. If not specified then equal to 1024.

Outlier detection

Outlier detection can be configured for HTTP, TCP or gRPC traffic.

For gRPC requests, the outlier detection will use the HTTP status mapped from the grpc-status response header.

  • disabled - (optional) When set to true, outlierDetection configuration won’t take any effect.
  • interval - (optional) The time interval between ejection analysis sweeps. This can result in both new ejections and hosts being returned to service.
  • baseEjectionTime - (optional) The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected.
  • maxEjectionPercent - (optional) The maximum % of an upstream Envoy Clusters that can be ejected due to outlier detection. Defaults to 10% but will eject at least one host regardless of the value.
  • splitExternalAndLocalErrors - (optional) Determines whether to distinguish local origin failures from external errors. If set to true the following configuration parameters are taken into account: detectors.localOriginFailures.consecutive.
  • detectors - Contains configuration for supported outlier detectors. At least one detector needs to be configured when policy is configured for outlier detection.

Detectors configuration

Configuration for supported outlier detectors. At least one detector needs to be configured when policy is configured for outlier detection.

Depending on mode the outlier detection can take into account all or externally originated (transaction) errors only.

Default mode is when splitExternalAndLocalErrors is not set or equal false

This detection type takes into account all generated errors: locally originated and externally originated (transaction) errors.

Configuration

  • totalFailures.consecutive - The number of consecutive server-side error responses (for HTTP traffic, 5xx responses; for TCP traffic, connection failures; etc.) before a consecutive total failure ejection occurs.

Example

type: MeshCircuitBreaker
mesh: default
name: circuit-breaker
spec:
  targetRef:
    kind: Mesh
  to:
  - targetRef:
      kind: Mesh
    default:
      outlierDetection:
        detectors:
          totalFailures:
            consecutive: 10

Examples

Basic circuit breaker for outbound traffic from web, to backend service

apiVersion: kuma.io/v1alpha1
kind: MeshCircuitBreaker
metadata:
  name: web-to-backend-circuit-breaker
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: web
  to:
  - targetRef:
      kind: MeshService
      name: backend_kuma-demo_svc_8080
    default:
      connectionLimits:
        maxConnections: 2
        maxPendingRequests: 8
        maxRetries: 2
        maxRequests: 2
apiVersion: kuma.io/v1alpha1
kind: MeshCircuitBreaker
metadata:
  name: web-to-backend-circuit-breaker
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: web
  to:
  - targetRef:
      kind: MeshService
      name: backend
      namespace: kuma-demo
      sectionName: http
    default:
      connectionLimits:
        maxConnections: 2
        maxPendingRequests: 8
        maxRetries: 2
        maxRequests: 2

Outlier detection for inbound traffic to backend service

apiVersion: kuma.io/v1alpha1
kind: MeshCircuitBreaker
metadata:
  name: backend-inbound-outlier-detection
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  targetRef:
    kind: MeshSubset
    tags:
      app: web
  from:
  - targetRef:
      kind: Mesh
    default:
      outlierDetection:
        interval: 5s
        baseEjectionTime: 30s
        maxEjectionPercent: 20
        splitExternalAndLocalErrors: true
        detectors:
          totalFailures:
            consecutive: 10
          gatewayFailures:
            consecutive: 10
          localOriginFailures:
            consecutive: 10
          successRate:
            minimumHosts: 5
            requestVolume: 10
            standardDeviationFactor: 1.9
          failurePercentage:
            requestVolume: 10
            minimumHosts: 5
            threshold: 85

All policy options