UpsertPolicy creates/updates policy based on the provided request.
Path Parameters
- policy_name string required
- application/json
Request Body required
policy object
Policy expresses observability-driven control logic.
See also Policy overview.
Policy specification contains a circuit that defines the controller logic and resources that need to be set up.
circuit object
Defines the control-loop logic of the policy.
components object[]
Defines a signal processing graph as a list of components.
Array [
alerter object
Alerter reacts to a signal and generates alert to send to alert manager.
in_ports object
Input ports for the Alerter component.
signal object
Signal which Alerter is monitoring. If the signal is greater than 0, Alerter generates an alert.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
parameters object required
Alerter Parameters configure parameters such as alert name, severity, resolve timeout, alert channels and labels.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
and object
Logical AND.
in_ports object
Input ports for the And component.
inputs object[]
Array of input signals.
Array [
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
]
out_ports object
Output ports for the And component.
output object
Result of logical AND of all the input signals.
Will always be 0 (false), 1 (true) or invalid (unknown).
signal_name string
Name of the outgoing Signal on the OutPort.
arithmetic_combinator object
Applies the given operator on input operands (signals) and emits the result.
in_ports object
Input ports for the Arithmetic Combinator component.
lhs object
Left hand side of the arithmetic operation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
rhs object
Right hand side of the arithmetic operation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
operator string
Possible values: [add, sub, mul, div, xor, lshift, rshift]
Operator of the arithmetic operation.
The arithmetic operation can be addition, subtraction, multiplication, division, XOR, right bit shift or left bit shift. In case of XOR and bit shifts, value of signals is cast to integers before performing the operation.
out_ports object
Output ports for the Arithmetic Combinator component.
output object
Result of arithmetic operation.
signal_name string
Name of the outgoing Signal on the OutPort.
auto_scale object
AutoScale components are used to scale the service.
auto_scaler object
AutoScaler provides auto-scaling functionality for any scalable resource.
dry_run boolean
Dry run mode ensures that no scaling is invoked by this auto scaler. This is useful for observing the behavior of auto scaler without disrupting any real deployment. This parameter sets the default value of dry run setting which can be overridden at runtime using dynamic configuration.
dry_run_config_key string
Configuration key for overriding dry run setting through dynamic configuration.
scale_in_controllers object[]
List of Controllers for scaling in.
Array [
alerter object required
Configuration for embedded Alerter.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
controller object required
gradient object
Decreasing Gradient defines a controller for scaling in based on Gradient Controller.
in_ports object
Input ports for the Gradient.
setpoint object
The setpoint to use for scale-in.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
signal object
The signal to use for scale-in.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
parameters object
This allows a subset of parameters with constrained values compared to a regular gradient controller. For full documentation of these parameters, refer to the GradientControllerParameters.
min_gradient double
Default value: -1.7976931348623157e+308
slope double
Default value: 1
periodic object
PeriodicDecrease defines a controller for scaling in based on a periodic timer.
period string required
The period of the timer. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
scale_in_percentage double required
Possible values: <= 100
The percentage of scale to reduce.
]
scale_out_controllers object[]
List of Controllers for scaling out.
Array [
alerter object required
Configuration for embedded Alerter.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
controller object required
gradient object
Increasing Gradient defines a controller for scaling out based on Gradient Controller.
in_ports object
Input ports for the Gradient.
setpoint object
The setpoint to use for scale-out.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
signal object
The signal to use for scale-out.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
parameters object
This allows a subset of parameters with constrained values compared to a regular gradient controller. For full documentation of these parameters, refer to the GradientControllerParameters.
max_gradient double
Default value: 1.7976931348623157e+308
slope double
Default value: 1
]
scaling_backend object required
kubernetes_replicas object
KubernetesReplicas defines a horizontal pod scaler for Kubernetes.
kubernetes_object_selector object required
The Kubernetes object on which horizontal scaling is applied.
api_version required
API version of Kubernetes resource
kind string required
Kubernetes resource type.
name string required
Kubernetes resource name.
namespace string required
Kubernetes namespace that the resource belongs to.
max_replicas int64
Possible values: non-empty
Default value: 9223372036854775807
The maximum replicas to which the AutoScaler can scale-out.
min_replicas int64
Default value: 0
The minimum replicas to which the AutoScaler can scale-in.
out_ports object
Output ports for Kubernetes Replicas.
actual_replicas object
signal_name string
Name of the outgoing Signal on the OutPort.
configured_replicas object
signal_name string
Name of the outgoing Signal on the OutPort.
desired_replicas object
signal_name string
Name of the outgoing Signal on the OutPort.
scaling_parameters object required
Parameters that define the scaling behavior.
cooldown_override_percentage double
Default value: 50
Cooldown override percentage defines a threshold change in scale-out beyond which previous cooldown is overridden. For example, if the cooldown is 5 minutes and the cooldown override percentage is 10%, then if the scale increases by 10% or more, the previous cooldown is canceled. Defaults to 50%.
max_scale_in_percentage double
Default value: 1
The maximum decrease of scale (for example, pods) at one time. Defined as percentage of current scale value. Can never go below one even if percentage computation is less than one. Defaults to 1% of current scale value.
max_scale_out_percentage double
Default value: 10
The maximum increase of scale (for example, pods) at one time. Defined as percentage of current scale value. Can never go below one even if percentage computation is less than one. Defaults to 10% of current scale value.
scale_in_alerter object required
Configuration for scale-in Alerter.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
scale_in_cooldown string
Default value: 120s
The amount of time to wait after a scale-in operation for another scale-in operation. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
scale_out_alerter object required
Configuration for scale-out Alerter.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
scale_out_cooldown string
Default value: 30s
The amount of time to wait after a scale-out operation for another scale-out or scale-in operation. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
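A pre-submission check for the fields documented above, as an added example (not Aperture's own code): it walks an UpsertPolicy request body and reports durations that do not match the documented format, severities outside the enum, a `scale_in_percentage` above 100, and a `kubernetes_replicas` block that leaves `max_replicas` at its documented default. The function names, the sample body and its workload names are constructed for illustration.

```python
import re

# Duration JSON form as the page describes it: seconds, an optional fraction of
# up to nine digits, and a mandatory "s" suffix.
DURATION_RE = re.compile(r"\d+(\.\d{1,9})?s")

# Duration-typed field names that appear on this page.
DURATION_FIELDS = {
    "resolve_timeout", "period", "scale_in_cooldown", "scale_out_cooldown",
    "false_for", "true_for", "window", "ema_window", "warmup_window",
    "max_extrapolation_interval", "decision_deadline_margin", "queue_timeout",
}
SEVERITIES = ("info", "warn", "crit")
INT64_MAX = 9223372036854775807  # documented default of max_replicas


def is_duration(value):
    """True if value is a string in the documented Duration JSON form."""
    return isinstance(value, str) and DURATION_RE.fullmatch(value) is not None


def lint_policy(body):
    """Return a list of (json_path, message) findings for a request body."""
    findings = []

    def walk(node, path):
        if isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
            return
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in DURATION_FIELDS and not is_duration(value):
                findings.append((here, f"not a valid duration: {value!r}"))
            elif key == "severity" and value not in SEVERITIES:
                findings.append((here, f"unknown severity: {value!r}"))
            elif key == "scale_in_percentage" and not (
                isinstance(value, (int, float)) and value <= 100
            ):
                findings.append((here, "scale_in_percentage must be <= 100"))
            elif key == "kubernetes_replicas" and isinstance(value, dict):
                # int64 values may arrive as JSON strings; accept both forms.
                try:
                    max_replicas = int(value.get("max_replicas", INT64_MAX))
                except (TypeError, ValueError):
                    max_replicas = INT64_MAX
                if max_replicas >= INT64_MAX:
                    findings.append((here + ".max_replicas",
                                     "no explicit ceiling; scale-out is unbounded"))
            walk(value, here)

    walk(body, "")
    return findings


# Constructed sample body with four deliberate problems.
SAMPLE_BODY = {"policy": {"circuit": {"components": [{"auto_scale": {"auto_scaler": {
    "dry_run": False,
    "scaling_backend": {"kubernetes_replicas": {
        "kubernetes_object_selector": {
            "api_version": "apps/v1", "kind": "Deployment",
            "name": "checkout", "namespace": "prod",
        },
        "min_replicas": "2",                      # max_replicas left at default
    }},
    "scaling_parameters": {
        "scale_out_cooldown": "30",               # missing the "s" suffix
        "scale_in_cooldown": "120s",
        "scale_in_alerter": {"alert_name": "scale-in", "severity": "critical"},
        "scale_out_alerter": {"alert_name": "scale-out", "resolve_timeout": "5s"},
    },
    "scale_in_controllers": [{
        "alerter": {"alert_name": "periodic-in"},
        "controller": {"periodic": {"period": "60s", "scale_in_percentage": 150}},
    }],
}}}]}}}

if __name__ == "__main__":
    for path, message in lint_policy(SAMPLE_BODY):
        print(f"{path}: {message}")
```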
pod_scaler object
PodScaler provides pod horizontal scaling functionality for scalable Kubernetes resources.
dry_run boolean
Dry run mode ensures that no scaling is invoked by this pod scaler. This is useful for observing the behavior of pod scaler without disrupting any real deployment. This parameter sets the default value of dry run setting which can be overridden at runtime using dynamic configuration.
dry_run_config_key string
Configuration key for overriding dry run setting through dynamic configuration.
in_ports object
Input ports for the PodScaler component.
replicas object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
kubernetes_object_selector object required
The Kubernetes object to which this pod scaler applies.
api_version required
API version of Kubernetes resource
kind string required
Kubernetes resource type.
name string required
Kubernetes resource name.
namespace string required
Kubernetes namespace that the resource belongs to.
out_ports object
Output ports for the PodScaler component.
actual_replicas object
The number of replicas that are currently running.
signal_name string
Name of the outgoing Signal on the OutPort.
configured_replicas object
The number of replicas that are desired.
signal_name string
Name of the outgoing Signal on the OutPort.
bool_variable object
BoolVariable emits a constant Boolean signal which can be changed at runtime through dynamic configuration.
config_key string
Configuration key for overriding value setting through dynamic configuration.
constant_output boolean
The constant Boolean signal emitted by this component. The value of the constant Boolean signal can be overridden at runtime through dynamic configuration.
out_ports object
Output ports for the BoolVariable component.
output object
The value is emitted to the output port.
signal_name string
Name of the outgoing Signal on the OutPort.
decider object
Decider emits the binary result of comparison operator on two operands.
false_for string
Default value: 0s
Duration of time to wait before changing to false state. If the duration is zero, the change will happen instantaneously. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
in_ports object
Input ports for the Decider component.
lhs object
Left hand side input signal for the comparison operation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
rhs object
Right hand side input signal for the comparison operation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
operator string
Possible values: [gt, lt, gte, lte, eq, neq]
Comparison operator that computes operation on LHS and RHS input signals.
out_ports object
Output ports for the Decider component.
output object
Selected signal (1.0 or 0.0).
signal_name string
Name of the outgoing Signal on the OutPort.
true_for string
Default value: 0s
Duration of time to wait before changing to true state. If the duration is zero, the change will happen instantaneously. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
differentiator object
Differentiator calculates rate of change per tick. Deprecated: v3.0.0. Use PIDController instead.
in_ports object
Input ports for the Differentiator component.
input object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the Differentiator component.
output object
signal_name string
Name of the outgoing Signal on the OutPort.
window string
Default value: 5s
The window of time over which differentiator operates. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
ema object
Exponential Moving Average filter.
in_ports object
Input ports for the EMA component.
input object
Input signal to be used for the EMA computation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
max_envelope object
Upper bound of the moving average.
When the signal exceeds max_envelope it is multiplied by correction_factor_on_max_envelope_violation once per tick.
:::note
If the signal deviates from max_envelope faster than the correction factor, it might end up exceeding the envelope.
:::
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
min_envelope object
Lower bound of the moving average.
Behavior is similar to max_envelope.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the EMA component.
output object
Exponential moving average of the series of readings as an output signal.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
Parameters for the EMA component.
correction_factor_on_max_envelope_violation double
Default value: 1
Correction factor to apply on the output value if it is in violation of the max envelope.
correction_factor_on_min_envelope_violation double
Default value: 1
Correction factor to apply on the output value if it is in violation of the min envelope.
ema_window string required
EMA window duration. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
valid_during_warmup boolean
Default value: false
Whether the output is valid during the warm-up stage.
warmup_window string required
Duration of EMA warming up window.
The initial value of the EMA is the average of signal readings received during the warm up window. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
extrapolator object
Takes an input signal and emits the extrapolated value; either mirroring the input value or repeating the last known value up to the maximum extrapolation interval.
in_ports object
Input ports for the Extrapolator component.
input object
Input signal for the Extrapolator component.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the Extrapolator component.
output object
Extrapolated signal.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
Parameters for the Extrapolator component.
max_extrapolation_interval string required
Maximum time interval to repeat the last valid value of input signal. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
first_valid object
Picks the first valid input signal and emits it.
in_ports object
Input ports for the FirstValid component.
inputs object[]
Array of input signals.
Array [
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
]
out_ports object
Output ports for the FirstValid component.
output object
First valid input signal as an output signal.
signal_name string
Name of the outgoing Signal on the OutPort.
flow_control object
FlowControl components are used to regulate requests flow.
adaptive_load_scheduler object
Adaptive Load Scheduler component does additive increase of load multiplier during non-overload state. During overload, the load multiplier is throttled based on the provided strategy. Deprecated: v3.0.0. Use AIMDLoadScheduler instead.
dry_run boolean
Decides whether to run the load scheduler in dry-run mode. In dry run mode the scheduler acts as pass through to all flow and does not queue flows. It is useful for observing the behavior of load scheduler without disrupting any real traffic.
dry_run_config_key string
Configuration key for setting dry run mode through dynamic configuration.
in_ports object required
Collection of input ports for the Adaptive Load Scheduler component.
overload_confirmation object
The overload_confirmation port provides additional criteria to determine overload state which results in Flow throttling at the service.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
setpoint object required
The setpoint input to the controller.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
signal object required
The input signal to the controller.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Collection of output ports for the Adaptive Load Scheduler component.
desired_load_multiplier object
Desired Load multiplier is the ratio of desired token rate to the incoming token rate.
signal_name string
Name of the outgoing Signal on the OutPort.
is_overload object
A Boolean signal that indicates whether the service is in overload state.
signal_name string
Name of the outgoing Signal on the OutPort.
observed_load_multiplier object
Observed Load multiplier is the ratio of accepted token rate to the incoming token rate.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
Parameters for the Adaptive Load Scheduler component.
alerter object required
Configuration parameters for the embedded Alerter.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
gradient object required
Parameters for the Gradient Controller.
max_gradient double
Default value: 1.7976931348623157e+308
Maximum gradient which clamps the computed gradient value to the range [min_gradient, max_gradient].
min_gradient double
Default value: -1.7976931348623157e+308
Minimum gradient which clamps the computed gradient value to the range [min_gradient, max_gradient].
slope double required
Slope controls the aggressiveness and direction of the Gradient Controller.
Slope is used as exponent on the signal to setpoint ratio in computation of the gradient (see the main description for exact equation). This parameter decides how aggressively the controller responds to the deviation of signal from the setpoint. For example:
- $\text{slope} = 1$: when signal is too high, increase control variable,
- $\text{slope} = -1$: when signal is too high, decrease control variable,
- $\text{slope} = -0.5$: when signal is too high, decrease control variable gradually.
The sign of slope depends on correlation between the signal and control variable:
- Use $\text{slope} < 0$ if there is a positive correlation between the signal and the control variable (for example, Per-pod CPU usage and total concurrency).
- Use $\text{slope} > 0$ if there is a negative correlation between the signal and the control variable (for example, Per-pod CPU usage and number of pods).
:::note
You need to set negative slope for a positive correlation, as you're describing the action which the controller should take when the signal increases.
:::
The magnitude of slope describes how aggressively the controller should react to a deviation of signal. With $|\text{slope}| = 1$, the controller will aim to bring the signal to the setpoint in one tick (assuming linear correlation with signal and setpoint). Smaller magnitudes of slope will make the controller adjust the control variable gradually.
Setting $|\text{slope}| < 1$ (for example, $\pm0.8$) is recommended. If you experience overshooting, consider lowering the magnitude even more. Values of $|\text{slope}| > 1$ aren't recommended.
:::note
Remember that the gradient and output signal can be (optionally) clamped, so the slope might not fully describe aggressiveness of the controller.
:::
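The slope guidance above, worked through as an added example (a toy model, not Aperture's implementation). It assumes the gradient is `(signal / setpoint) ** slope` clamped to `[min_gradient, max_gradient]`, that the control variable is multiplied by the gradient on each tick, and a linear plant `signal = k * control` with positive correlation; `simulate`, `k` and the starting values are hypothetical.

```python
import sys

FLOAT_MAX = sys.float_info.max  # the page's default gradient bounds are +/- this


def gradient(signal, setpoint, slope,
             min_gradient=-FLOAT_MAX, max_gradient=FLOAT_MAX):
    """(signal / setpoint) ** slope, clamped to [min_gradient, max_gradient]."""
    if signal <= 0 or setpoint <= 0:
        raise ValueError("toy model only handles positive signal and setpoint")
    raw = (signal / setpoint) ** slope
    return max(min_gradient, min(max_gradient, raw))


def simulate(slope, ticks, k=2.0, control=100.0, setpoint=100.0,
             min_gradient=-FLOAT_MAX, max_gradient=FLOAT_MAX):
    """Return signal/setpoint after each tick for the plant signal = k * control."""
    ratios = []
    for _ in range(ticks):
        signal = k * control  # positive correlation, so slope must be negative
        control *= gradient(signal, setpoint, slope, min_gradient, max_gradient)
        ratios.append(k * control / setpoint)
    return ratios


if __name__ == "__main__":
    # The signal starts at twice the setpoint in every run.
    print("slope=-1   ", simulate(-1, 4))      # on the setpoint after one tick
    print("slope=-0.5 ", simulate(-0.5, 4))    # gradual approach
    print("slope=-2   ", simulate(-2, 4))      # overshoots and never settles
    print("slope=-1, min_gradient=0.9", simulate(-1, 4, min_gradient=0.9))
```

In this model the ratio after a tick is the previous ratio raised to `1 + slope`, which is why a magnitude of 1 lands on the setpoint, smaller magnitudes converge gradually, a magnitude of 2 oscillates between overshoot and undershoot, and clamping the gradient limits each step regardless of slope.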
load_multiplier_linear_increment double
Default value: 0.0025
Linear increment to load multiplier every 10 seconds while the system is not in the overloaded state, up until the max_load_multiplier is reached.
load_scheduler object required
Parameters for the Load Scheduler.
scheduler object
Configuration of Weighted Fair Queuing-based workload scheduler.
Contains configuration of per-agent scheduler.
decision_deadline_margin string
Default value: 0.01s
Decision deadline margin is the amount of time that the scheduler will subtract from the request deadline to determine the deadline for the decision. This is to ensure that the scheduler has enough time to make a decision before the request deadline happens, accounting for processing delays. The request deadline is based on the gRPC deadline or the grpc-timeout HTTP header.
Fail-open logic is used for flow control APIs, so if the gRPC deadline is reached, the flow will end up being unconditionally allowed while it is still waiting on the scheduler. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
default_workload_parameters object
Parameters to be used if none of workloads specified in workloads match.
priority double
Default value: 1
$$ inverted_priority = {\frac {1} {priority}} $$
$$ virtual_finish_time = virtual_time + \left(tokens \cdot inverted_priority\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (503 Service Unavailable) that is returned when a request is denied.
fairness_label_key string
Key for a flow label that is used to enforce fairness among requests in a workload. If not specified, requests within a workload of the same priority are admitted in a FIFO manner.
priority_label_key stringKey for a flow label that can be used to override the default priority for this flow. The value associated with this key must be a valid number. Higher numbers means higher priority. If this parameter is not provided, the priority for the flow will be determined by the matched workload's priority.
tokens_label_key stringKey for a flow label that can be used to override the default number of tokens for this request. The value associated with this key must be a valid number. If this parameter is not provided, the number of tokens for the flow will be determined by the matched workload's token count.
workload_label_key stringKey for a flow label that can be used to provide workloads for this request. If this parameter is not provided, the workloads for the flow will be determined by the matched workload's name in the policy.
workloads object[]
List of workloads to be used in scheduler.
Categorizing flows into workloads allows for load throttling to be "intelligent" instead of queueing flows in an arbitrary order. There are two aspects of this "intelligence":
- Scheduler can more precisely calculate concurrency if it understands that flows belonging to different classes have different weights (for example, insert queries compared to select queries).
- Setting different priorities to different workloads lets the scheduler avoid dropping important traffic during overload.
Each workload in this list also specifies a matcher that is used to determine which flow will be categorized into which workload. In case of multiple matching workloads, the first matching one will be used. If none of the workloads match, default_workload will be used.
Array [
label_matcher object required
Label Matcher to select a Workload based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
name string
Name of the workload.
parameters object
Parameters associated with flows matching the label matcher.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
]
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer to peer cluster to constantly share state.
:::
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
workload_latency_based_tokens boolean
Default value: false
Automatically estimate the size of flows within each workload, based on historical latency. Each workload's tokens will be set to average latency of flows in that workload during the last few seconds (exact duration of this average can change). This setting is useful in concurrency limiting use-case, where the concurrency is calculated as (avg. latency * in-flight flows) (Little's Law).
The value of tokens estimated takes a lower precedence than the value of tokens specified in the workload definition and tokens explicitly specified in the flow labels.
max_load_multiplier double
Default value: 2
The maximum load multiplier that can be reached during recovery from an overload state.
- Helps protect the service from request bursts while the system is still recovering.
- Once this value is reached, the scheduler enters the pass-through mode, allowing requests to bypass the scheduler and be sent directly to the service.
- The pass-through mode gets disabled if the system enters the overload state again.
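The workload rules described above (requirements combined with AND, first matching workload wins, the priority_label_key override and the virtual finish time formula) are modelled below in Python. This is an added example, not the project's own code: the sample policy and flows are constructed, and the NotIn behaviour for a missing key and the fallback for unusable label values are assumptions.

```python
import math

OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}


def validate_requirement(req):
    """Enforce the documented shape of one match_list entry."""
    op, values = req["operator"], req.get("values", [])
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")
    if op in ("In", "NotIn") and not values:
        raise ValueError(f"{op} requires a non-empty values array")
    if op in ("Exists", "DoesNotExist") and values:
        raise ValueError(f"{op} requires an empty values array")


def requirement_holds(req, labels):
    key, op, values = req["key"], req["operator"], req.get("values", [])
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    if op == "In":
        return labels.get(key) in values
    # NotIn. ASSUMPTION: a missing key satisfies NotIn (Kubernetes semantics).
    return labels.get(key) not in values


def matcher_holds(matcher, labels):
    """match_labels and match_list requirements are combined with AND."""
    for key, value in matcher.get("match_labels", {}).items():
        if labels.get(key) != value:
            return False
    for req in matcher.get("match_list", []):
        validate_requirement(req)
        if not requirement_holds(req, labels):
            return False
    return True


def classify(scheduler, labels):
    """First matching workload wins; otherwise the default parameters apply."""
    for workload in scheduler.get("workloads", []):
        if matcher_holds(workload["label_matcher"], labels):
            return workload["name"], workload.get("parameters", {})
    # "default" is a name used only by this example.
    return "default", scheduler.get("default_workload_parameters", {})


def label_number(labels, key, fallback):
    """Numeric label override. ASSUMPTION: an absent, non-numeric, non-finite
    or non-positive label value falls back to the workload's own value."""
    try:
        number = float(labels[key])
    except (KeyError, TypeError, ValueError):
        return fallback
    return number if math.isfinite(number) and number > 0 else fallback


def virtual_finish_time(virtual_time, tokens, priority):
    inverted_priority = 1.0 / priority
    return virtual_time + tokens * inverted_priority


def admission_order(scheduler, flows, virtual_time=0.0):
    """Rank flows queued at the same virtual time: earliest finish time first,
    ties kept in arrival order (sorted() is stable)."""
    ranked = []
    for flow_id, labels in flows:
        name, params = classify(scheduler, labels)
        priority = label_number(labels, scheduler.get("priority_label_key"),
                                params.get("priority", 1.0))
        tokens = label_number(labels, scheduler.get("tokens_label_key"),
                              params.get("tokens", 1.0))
        ranked.append((flow_id, name,
                       virtual_finish_time(virtual_time, tokens, priority)))
    return sorted(ranked, key=lambda item: item[2])


# Constructed sample policy fragment and flows (not taken from the page).
SCHEDULER = {
    "priority_label_key": "priority",
    "default_workload_parameters": {"priority": 1, "tokens": 1},
    "workloads": [
        {"name": "checkout",
         "label_matcher": {"match_labels": {"route": "/checkout"}},
         "parameters": {"priority": 4, "tokens": 2}},
        {"name": "paid",
         "label_matcher": {"match_list": [
             {"key": "tier", "operator": "In", "values": ["gold", "silver"]}]},
         "parameters": {"priority": 2, "tokens": 1}},
    ],
}
FLOWS = [
    ("a", {"route": "/search"}),                    # no match: default
    ("b", {"route": "/checkout", "tier": "gold"}),  # matches both: first wins
    ("c", {"tier": "silver"}),                      # paid
    # Flow d carries its own "priority" label. If that label is filled from
    # caller-supplied data (an assumption about the deployment), the caller
    # picks its own place in the queue.
    ("d", {"route": "/search", "priority": "1000"}),
]

if __name__ == "__main__":
    for flow_id, workload, vft in admission_order(SCHEDULER, FLOWS):
        print(f"{flow_id} workload={workload} virtual_finish_time={vft}")
```

Setting priority_label_key to a label that only trusted code can write keeps the ordering under the policy author's control.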
aiad_load_scheduler object
AIAD Load Scheduler.
dry_run boolean
Decides whether to run the load scheduler in dry-run mode. In dry-run mode the scheduler acts as a pass-through for all flows and does not queue flows. It is useful for observing the behavior of the load scheduler without disrupting any real traffic.
dry_run_config_key string
Configuration key for setting dry run mode through dynamic configuration.
in_ports object
Input ports for the AIAD Load Scheduler.
overload_confirmation object
The overload_confirmation port provides additional criteria to determine overload state which results in Flow throttling at the service.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
setpoint object required
The setpoint input to the controller.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
signal object required
The input signal to the controller.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the AIAD Load Scheduler.
desired_load_multiplier object
Desired Load multiplier is the ratio of desired token rate to the incoming token rate.
signal_name string
Name of the outgoing Signal on the OutPort.
is_overload object
A Boolean signal that indicates whether the service is in overload state.
signal_name string
Name of the outgoing Signal on the OutPort.
observed_load_multiplier object
Observed Load multiplier is the ratio of accepted token rate to the incoming token rate.
signal_name string
Name of the outgoing Signal on the OutPort.
overload_condition required
Overload condition determines the criteria to determine overload state. The default condition is "gt", that is, when the signal is greater than the setpoint. The condition must be one of:
- "gt": greater than
- "lt": less than
- "gte": greater than or equal to
- "lte": less than or equal to
Possible values: [gt, lt, gte, lte]
Default value: gt
parameters object required
Parameters for the AIAD Load Scheduler.
alerter object required
Configuration parameters for the embedded Alerter.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
load_multiplier_linear_decrement double
Default value: 0.05
Linear decrement to load multiplier every 10 seconds while the system is in the overloaded state, up until the min_load_multiplier is reached.
load_multiplier_linear_increment double
Default value: 0.025
Linear increment to load multiplier every 10 seconds while the system is not in the overloaded state, up until the max_load_multiplier is reached.
load_scheduler object required
Parameters for the Load Scheduler.
scheduler object
Configuration of Weighted Fair Queuing-based workload scheduler.
Contains configuration of per-agent scheduler.
decision_deadline_margin string
Default value: 0.01s
Decision deadline margin is the amount of time that the scheduler will subtract from the request deadline to determine the deadline for the decision. This is to ensure that the scheduler has enough time to make a decision before the request deadline happens, accounting for processing delays. The request deadline is based on the gRPC deadline or the grpc-timeout HTTP header.
Fail-open logic is used for flow control APIs, so if the gRPC deadline is reached, the flow will end up being unconditionally allowed while it is still waiting on the scheduler. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
default_workload_parameters object
Parameters to be used if none of workloads specified in workloads match.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (503 Service Unavailable) that is returned when a request is denied.
fairness_label_key string
Key for a flow label that is used to enforce fairness among requests in a workload. If not specified, requests within a workload of the same priority are admitted in a FIFO manner.
priority_label_key string
Key for a flow label that can be used to override the default priority for this flow. The value associated with this key must be a valid number. Higher numbers mean higher priority. If this parameter is not provided, the priority for the flow will be determined by the matched workload's priority.
tokens_label_key string
Key for a flow label that can be used to override the default number of tokens for this request. The value associated with this key must be a valid number. If this parameter is not provided, the number of tokens for the flow will be determined by the matched workload's token count.
workload_label_key string
Key for a flow label that can be used to provide workloads for this request. If this parameter is not provided, the workloads for the flow will be determined by the matched workload's name in the policy.
workloads object[]
List of workloads to be used in scheduler.
Categorizing flows into workloads allows for load throttling to be "intelligent" instead of queueing flows in an arbitrary order. There are two aspects of this "intelligence":
- Scheduler can more precisely calculate concurrency if it understands that flows belonging to different classes have different weights (for example, insert queries compared to select queries).
- Setting different priorities to different workloads lets the scheduler avoid dropping important traffic during overload.
Each workload in this list also specifies a matcher that is used to determine which flow will be categorized into which workload. In case of multiple matching workloads, the first matching one will be used. If none of the workloads match, default_workload will be used.
Array [
label_matcher object required
Label Matcher to select a Workload based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
name string
Name of the workload.
parameters object
Parameters associated with flows matching the label matcher.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
]
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer to peer cluster to constantly share state.
:::
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
workload_latency_based_tokens boolean
Default value: false
Automatically estimate the size of flows within each workload, based on historical latency. Each workload's tokens will be set to average latency of flows in that workload during the last few seconds (exact duration of this average can change). This setting is useful in concurrency limiting use-case, where the concurrency is calculated as (avg. latency * in-flight flows) (Little's Law).
The value of tokens estimated takes a lower precedence than the value of tokens specified in the workload definition and tokens explicitly specified in the flow labels.
max_load_multiplier double
Default value: 2
The maximum load multiplier that can be reached during recovery from an overload state.
- Helps protect the service from request bursts while the system is still recovering.
- Once this value is reached, the scheduler enters the pass-through mode, allowing requests to bypass the scheduler and be sent directly to the service.
- The pass-through mode gets disabled if the system enters the overload state again.
min_load_multiplier double
Default value: 0
The minimum load multiplier that can be reached during an overload state.
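A tick-by-tick model of the AIAD parameters described above shows how long a service stays throttled after an overload, using the documented defaults and 10-second steps. This is an added example, not the project's own code: the starting state, the multiplier of 1.0 on entering overload, treating overload_confirmation as a boolean ANDed with the condition, and the sample signal values are assumptions.

```python
import math
import operator
from dataclasses import dataclass

CONDITIONS = {"gt": operator.gt, "lt": operator.lt,
              "gte": operator.ge, "lte": operator.le}


@dataclass
class AIADParams:
    """Field names and defaults as documented above."""
    load_multiplier_linear_decrement: float = 0.05
    load_multiplier_linear_increment: float = 0.025
    min_load_multiplier: float = 0.0
    max_load_multiplier: float = 2.0
    overload_condition: str = "gt"


class AIADModel:
    def __init__(self, params=None):
        self.p = p = params or AIADParams()
        if p.overload_condition not in CONDITIONS:
            raise ValueError(f"unknown overload_condition {p.overload_condition!r}")
        if min(p.load_multiplier_linear_increment,
               p.load_multiplier_linear_decrement) <= 0:
            raise ValueError("increment and decrement must be positive")
        if p.min_load_multiplier > p.max_load_multiplier:
            raise ValueError("min_load_multiplier exceeds max_load_multiplier")
        # ASSUMPTION: the model starts healthy, in pass-through mode.
        self.pass_through = True
        self.multiplier = p.max_load_multiplier

    def is_overload(self, signal, setpoint, overload_confirmation=True):
        """ASSUMPTION: overload_confirmation is a boolean ANDed with the
        signal/setpoint comparison."""
        if math.isnan(signal) or math.isnan(setpoint):
            raise ValueError("this model defines no behaviour for NaN inputs")
        compare = CONDITIONS[self.p.overload_condition]
        return bool(compare(signal, setpoint) and overload_confirmation)

    def step(self, overloaded):
        """Advance one 10-second interval; return (multiplier, pass_through)."""
        p = self.p
        if overloaded:
            if self.pass_through:
                # Overload disables pass-through. ASSUMPTION: throttling then
                # starts from 1.0, that is, from the incoming token rate.
                self.pass_through = False
                self.multiplier = min(1.0, p.max_load_multiplier)
            lowered = round(self.multiplier - p.load_multiplier_linear_decrement, 9)
            self.multiplier = max(p.min_load_multiplier, lowered)
        elif not self.pass_through:
            raised = round(self.multiplier + p.load_multiplier_linear_increment, 9)
            self.multiplier = min(p.max_load_multiplier, raised)
            # Reaching max_load_multiplier re-enters pass-through mode.
            self.pass_through = self.multiplier >= p.max_load_multiplier
        return self.multiplier, self.pass_through


def run(signals, setpoint, params=None):
    """Feed one signal sample per interval; return (is_overload, multiplier,
    pass_through) for each interval."""
    model = AIADModel(params)
    out = []
    for signal in signals:
        overloaded = model.is_overload(signal, setpoint)
        out.append((overloaded, *model.step(overloaded)))
    return out


def ticks_until_pass_through(overload_ticks, params=None):
    """Healthy intervals needed to return to pass-through after a run of
    consecutive overloaded intervals."""
    model = AIADModel(params)
    for _ in range(overload_ticks):
        model.step(True)
    ticks = 0
    while not model.pass_through:
        model.step(False)
        ticks += 1
    return ticks


if __name__ == "__main__":
    # Constructed latency samples (ms) against a setpoint of 100.
    for row in run([80, 120, 130, 140, 90, 90], setpoint=100):
        print(row)
    print("recovery after 3 overloaded intervals:",
          ticks_until_pass_through(3) * 10, "seconds")
```

With the defaults, 30 seconds of overload takes 460 seconds of healthy signal to undo, because the increment is half the decrement and recovery must climb to max_load_multiplier before pass-through resumes.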
aimd_load_scheduler object
AIMD Load Scheduler.
dry_run booleanDecides whether to run the load scheduler in dry-run mode. In dry run mode the scheduler acts as pass through to all flow and does not queue flows. It is useful for observing the behavior of load scheduler without disrupting any real traffic.
dry_run_config_key stringConfiguration key for setting dry run mode through dynamic configuration.
in_ports object
Input ports for the AIMD Load Scheduler.
overload_confirmation object
The
overload_confirmation
port provides additional criteria to determine overload state which results in Flow throttling at the service.constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
setpoint object required
The setpoint input to the controller.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
signal object required
The input signal to the controller.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
out_ports object
Output ports for the AIMD Load Scheduler.
desired_load_multiplier object
Desired Load multiplier is the ratio of desired token rate to the incoming token rate.
signal_name stringName of the outgoing Signal on the OutPort.
is_overload object
A Boolean signal that indicates whether the service is in overload state.
signal_name stringName of the outgoing Signal on the OutPort.
observed_load_multiplier object
Observed Load multiplier is the ratio of accepted token rate to the incoming token rate.
signal_name stringName of the outgoing Signal on the OutPort.
parameters object required
Parameters for the AIMD Load Scheduler.
alerter object required
Configuration parameters for the embedded Alerter.
alert_channels string[]A list of alert channel strings.
alert_name string requiredName of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
gradient object required
Parameters for the Gradient Controller.
max_gradient double
Default value: 1.7976931348623157e+308
Maximum gradient which clamps the computed gradient value to the range [min_gradient, max_gradient].
min_gradient double
Default value: -1.7976931348623157e+308
Minimum gradient which clamps the computed gradient value to the range [min_gradient, max_gradient].
slope double required
Slope controls the aggressiveness and direction of the Gradient Controller.
Slope is used as the exponent on the signal-to-setpoint ratio in the computation of the gradient (see the main description for the exact equation). This parameter decides how aggressively the controller responds to the deviation of the signal from the setpoint. For example:
- $\text{slope} = 1$: when signal is too high, increase control variable,
- $\text{slope} = -1$: when signal is too high, decrease control variable,
- $\text{slope} = -0.5$: when signal is too high, decrease control variable gradually.
The sign of slope depends on correlation between the signal and control variable:
- Use $\text{slope} < 0$ if there is a positive correlation between the signal and the control variable (for example, Per-pod CPU usage and total concurrency).
- Use $\text{slope} > 0$ if there is a negative correlation between the signal and the control variable (for example, Per-pod CPU usage and number of pods).
:::note
You need to set a negative slope for a positive correlation, as you're describing the action which the controller should take when the signal increases.
:::
The magnitude of slope describes how aggressively the controller should react to a deviation of the signal. With $|\text{slope}| = 1$, the controller will aim to bring the signal to the setpoint in one tick (assuming linear correlation with signal and setpoint). Smaller magnitudes of slope will make the controller adjust the control variable gradually.
Setting $|\text{slope}| < 1$ (for example, $\pm0.8$) is recommended. If you experience overshooting, consider lowering the magnitude even more. Values of $|\text{slope}| > 1$ aren't recommended.
:::note
Remember that the gradient and output signal can be (optionally) clamped, so the slope might not fully describe aggressiveness of the controller.
:::
load_multiplier_linear_increment double
Default value: 0.025
Linear increment to load multiplier every 10 seconds while the system is not in the overloaded state, up until the max_load_multiplier is reached.
load_scheduler object required
Parameters for the Load Scheduler.
scheduler object
Configuration of Weighted Fair Queuing-based workload scheduler.
Contains configuration of per-agent scheduler
decision_deadline_margin string
Default value: 0.01s
Decision deadline margin is the amount of time that the scheduler will subtract from the request deadline to determine the deadline for the decision. This is to ensure that the scheduler has enough time to make a decision before the request deadline happens, accounting for processing delays. The request deadline is based on the gRPC deadline or the grpc-timeout HTTP header.
Fail-open logic is used for flow control APIs, so if the gRPC deadline is reached, the flow will end up being unconditionally allowed while it is still waiting on the scheduler.
This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
default_workload_parameters object
Parameters to be used if none of the workloads specified in workloads match.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout stringTimeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens doubleDefault value:
1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [
Empty
,Continue
,OK
,Created
,Accepted
,NonAuthoritativeInformation
,NoContent
,ResetContent
,PartialContent
,MultiStatus
,AlreadyReported
,IMUsed
,MultipleChoices
,MovedPermanently
,Found
,SeeOther
,NotModified
,UseProxy
,TemporaryRedirect
,PermanentRedirect
,BadRequest
,Unauthorized
,PaymentRequired
,Forbidden
,NotFound
,MethodNotAllowed
,NotAcceptable
,ProxyAuthenticationRequired
,RequestTimeout
,Conflict
,Gone
,LengthRequired
,PreconditionFailed
,PayloadTooLarge
,URITooLong
,UnsupportedMediaType
,RangeNotSatisfiable
,ExpectationFailed
,MisdirectedRequest
,UnprocessableEntity
,Locked
,FailedDependency
,UpgradeRequired
,PreconditionRequired
,TooManyRequests
,RequestHeaderFieldsTooLarge
,InternalServerError
,NotImplemented
,BadGateway
,ServiceUnavailable
,GatewayTimeout
,HTTPVersionNotSupported
,VariantAlsoNegotiates
,InsufficientStorage
,LoopDetected
,NotExtended
,NetworkAuthenticationRequired
]
Default value: Empty
This field allows you to override the default HTTP status code (503 Service Unavailable) that is returned when a request is denied.
fairness_label_key string
Key for a flow label that is used to enforce fairness among requests in a workload. If not specified, requests within a workload of the same priority are admitted in a FIFO manner.
priority_label_key string
Key for a flow label that can be used to override the default priority for this flow. The value associated with this key must be a valid number. Higher numbers mean higher priority. If this parameter is not provided, the priority for the flow will be determined by the matched workload's priority.
tokens_label_key string
Key for a flow label that can be used to override the default number of tokens for this request. The value associated with this key must be a valid number. If this parameter is not provided, the number of tokens for the flow will be determined by the matched workload's token count.
workload_label_key string
Key for a flow label that can be used to provide workloads for this request. If this parameter is not provided, the workloads for the flow will be determined by the matched workload's name in the policy.
workloads object[]
List of workloads to be used in scheduler.
Categorizing flows into workloads allows for load throttling to be "intelligent" instead of queueing flows in an arbitrary order. There are two aspects of this "intelligence":
- Scheduler can more precisely calculate concurrency if it understands that flows belonging to different classes have different weights (for example, insert queries compared to select queries).
- Setting different priorities to different workloads lets the scheduler avoid dropping important traffic during overload.
Each workload in this list also specifies a matcher that is used to determine which flow will be categorized into which workload. In case of multiple matching workloads, the first matching one will be used. If none of the workloads match, default_workload will be used.
Array [
label_matcher object required
Label Matcher to select a Workload based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string requiredName of the label to equal match the value.
value stringExact value that the label should be equal to.
label_exists stringThe expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string requiredName of the label to match the regular expression.
regex string requiredRegular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
name string
Name of the workload.
parameters object
Parameters associated with flows matching the label matcher.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout stringTimeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens doubleDefault value:
1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
]
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer-to-peer cluster to constantly share state.
:::
control_point string requiredControl Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string requiredName of the label to equal match the value.
value stringExact value that the label should be equal to.
label_exists stringThe expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string requiredName of the label to match the regular expression.
regex string requiredRegular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
workload_latency_based_tokens boolean
Default value: false
Automatically estimate the size of flows within each workload, based on historical latency. Each workload's tokens will be set to the average latency of flows in that workload during the last few seconds (the exact duration of this average can change). This setting is useful in the concurrency limiting use case, where the concurrency is calculated as (avg. latency \* in-flight flows) (Little's Law).
The estimated value of tokens takes a lower precedence than the value of tokens specified in the workload definition and tokens explicitly specified in the flow labels.
max_load_multiplier double
Default value: 2
The maximum load multiplier that can be reached during recovery from an overload state.
- Helps protect the service from request bursts while the system is still recovering.
- Once this value is reached, the scheduler enters the pass-through mode, allowing requests to bypass the scheduler and be sent directly to the service.
- The pass-through mode gets disabled if the system enters the overload state again.
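The workload matching and scheduling rules described above for the load scheduler, as an added example that is not part of the original reference or of the project's code: it validates match_list requirements, picks the first matching workload, applies the priority_label_key and tokens_label_key overrides, and orders flows by the virtual finish time formula. The policy fragment, label names and flows are constructed; treating NotIn as matching when the key is absent (Kubernetes semantics), keeping the workload value when a label is not a positive finite number, and starting every flow at the same virtual_time are assumptions.

```python
import math

# Constructed scheduler fragment; field names follow this reference,
# label names and values are made up for the example.
SCHEDULER = {
    "priority_label_key": "priority",
    "tokens_label_key": "tokens",
    "default_workload_parameters": {"priority": 1, "tokens": 1},
    "workloads": [
        {"name": "checkout",
         "label_matcher": {"match_list": [
             {"key": "route", "operator": "In", "values": ["/checkout", "/pay"]}]},
         "parameters": {"priority": 200, "tokens": 40}},
        {"name": "authenticated",
         "label_matcher": {"match_list": [
             {"key": "user_id", "operator": "Exists"},
             {"key": "tier", "operator": "NotIn", "values": ["trial"]}]},
         "parameters": {"priority": 50, "tokens": 20}},
    ],
}


def validate_requirement(req):
    """Enforce the values-array rule stated for each operator."""
    op, values = req["operator"], req.get("values", [])
    if op not in ("In", "NotIn", "Exists", "DoesNotExist"):
        raise ValueError(f"unknown operator {op!r}")
    needs_values = op in ("In", "NotIn")
    if needs_values != bool(values):
        raise ValueError(f"{op} on {req['key']!r}: values must be "
                         f"{'non-empty' if needs_values else 'empty'}")


def match_list_matches(match_list, labels):
    """All requirements must hold (logical AND)."""
    for req in match_list:
        validate_requirement(req)
        key, op, present = req["key"], req["operator"], req["key"] in labels
        if op == "In":
            ok = present and labels[key] in req["values"]
        elif op == "NotIn":  # assumption: an absent key matches, as in Kubernetes
            ok = not present or labels[key] not in req["values"]
        elif op == "Exists":
            ok = present
        else:  # DoesNotExist
            ok = not present
        if not ok:
            return False
    return True


def numeric_label(labels, key):
    """Return a finite positive number taken from a flow label, else None."""
    try:
        value = float(labels[key])
    except (KeyError, TypeError, ValueError):
        return None
    return value if math.isfinite(value) and value > 0 else None


def classify(scheduler, labels):
    """First matching workload wins; otherwise the default parameters apply."""
    name, params = "default", scheduler["default_workload_parameters"]
    for workload in scheduler["workloads"]:
        if match_list_matches(workload["label_matcher"]["match_list"], labels):
            name, params = workload["name"], workload["parameters"]
            break
    # Label overrides; an invalid value keeps the workload setting (assumption).
    priority = numeric_label(labels, scheduler.get("priority_label_key")) or params["priority"]
    tokens = numeric_label(labels, scheduler.get("tokens_label_key")) or params["tokens"]
    return name, priority, tokens


def virtual_finish_time(virtual_time, tokens, priority):
    inverted_priority = 1.0 / priority
    return virtual_time + tokens * inverted_priority


def admission_order(scheduler, flows, virtual_time=0.0):
    """Rank flows by virtual finish time; lower values are served first."""
    ranked = []
    for flow_id, labels in flows:
        name, priority, tokens = classify(scheduler, labels)
        vft = virtual_finish_time(virtual_time, tokens, priority)
        ranked.append((vft, flow_id, name))
    return sorted(ranked)


# Constructed flows: (id, flow labels).
FLOWS = [
    ("f1", {"route": "/search"}), ("f2", {"route": "/checkout", "user_id": "u7"}),
    ("f3", {"user_id": "u9", "tier": "trial"}), ("f4", {"user_id": "u3", "tier": "paid"}),
    ("f5", {"route": "/search", "priority": "not-a-number"}),
    ("f6", {"route": "/search", "priority": "500", "tokens": "5"}),
]

if __name__ == "__main__":
    for vft, flow_id, name in admission_order(SCHEDULER, FLOWS):
        print(f"{flow_id} workload={name} virtual_finish_time={vft:.3f}")
```

In the constructed run, f6 is ranked first only because of its priority and tokens label values, so priority_label_key and tokens_label_key are best pointed at labels whose values the service itself sets.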
concurrency_limiter object
in_ports object required
Input ports for the Concurrency Limiter component.
max_concurrency object required
The maximum number of concurrent requests to be allowed.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
pass_through object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
out_ports object
Output ports for the Concurrency Limiter component.
accept_percentage object
The percentage of flows being accepted by the Concurrency Limiter.
signal_name stringName of the outgoing Signal on the OutPort.
parameters object required
Parameters for the Concurrency Limiter component.
limit_by_label_key string
Specifies which label the concurrency calculation should be keyed by.
Concurrency limiting is done independently for each value of the label with the given key. For example, to give each API Key a separate limit, assuming you have an api_key flow label set up, set limit_by_label_key: "api_key". If no label key is specified, then all requests matching the selectors will be concurrency limited based on the global concurrency count.
max_idle_time string
Default value: 7200s
Max idle time before concurrency count for a label is removed. If set to 0, the state is never removed. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
max_inflight_duration string requiredThe time duration after which flow is assumed to have ended in case the end call gets missed. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
request_parameters object
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [
Empty
,Continue
,OK
,Created
,Accepted
,NonAuthoritativeInformation
,NoContent
,ResetContent
,PartialContent
,MultiStatus
,AlreadyReported
,IMUsed
,MultipleChoices
,MovedPermanently
,Found
,SeeOther
,NotModified
,UseProxy
,TemporaryRedirect
,PermanentRedirect
,BadRequest
,Unauthorized
,PaymentRequired
,Forbidden
,NotFound
,MethodNotAllowed
,NotAcceptable
,ProxyAuthenticationRequired
,RequestTimeout
,Conflict
,Gone
,LengthRequired
,PreconditionFailed
,PayloadTooLarge
,URITooLong
,UnsupportedMediaType
,RangeNotSatisfiable
,ExpectationFailed
,MisdirectedRequest
,UnprocessableEntity
,Locked
,FailedDependency
,UpgradeRequired
,PreconditionRequired
,TooManyRequests
,RequestHeaderFieldsTooLarge
,InternalServerError
,NotImplemented
,BadGateway
,ServiceUnavailable
,GatewayTimeout
,HTTPVersionNotSupported
,VariantAlsoNegotiates
,InsufficientStorage
,LoopDetected
,NotExtended
,NetworkAuthenticationRequired
]
Default value: Empty
This field allows you to override the default HTTP status code (429 Too Many Requests) that is returned when a request is denied.
tokens_label_key string
Flow label key that will be used to override the number of tokens for this request. This is an optional parameter and takes highest precedence when assigning tokens to a request. The label value must be a valid number.
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer-to-peer cluster to constantly share state.
:::
control_point string requiredControl Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string requiredName of the label to equal match the value.
value stringExact value that the label should be equal to.
label_exists stringThe expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string requiredName of the label to match the regular expression.
regex string requiredRegular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
concurrency_scheduler object
Schedules the traffic based on in-flight request concurrency.
concurrency_limiter object required
Parameter to configure concurrency limiting.
limit_by_label_key string
Specifies which label the concurrency calculation should be keyed by.
Concurrency limiting is done independently for each value of the label with the given key. For example, to give each API Key a separate limit, assuming you have an api_key flow label set up, set limit_by_label_key: "api_key". If no label key is specified, then all requests matching the selectors will be concurrency limited based on the global concurrency count.
max_idle_time string
Default value: 7200s
Max idle time before concurrency count for a label is removed. If set to 0, the state is never removed. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
max_inflight_duration string requiredThe time duration after which flow is assumed to have ended in case the end call gets missed. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
in_ports object required
max_concurrency object required
The maximum number of concurrent requests to be allowed.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
pass_through object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
out_ports object
Output ports for the Concurrency Scheduler component.
accept_percentage object
The percentage of flows being accepted by the Concurrency Limiter.
signal_name stringName of the outgoing Signal on the OutPort.
scheduler object
Scheduler is used to schedule the requests when the concurrency limit is reached.
decision_deadline_margin string
Default value: 0.01s
Decision deadline margin is the amount of time that the scheduler will subtract from the request deadline to determine the deadline for the decision. This is to ensure that the scheduler has enough time to make a decision before the request deadline happens, accounting for processing delays. The request deadline is based on the gRPC deadline or the grpc-timeout HTTP header.
Fail-open logic is used for flow control APIs, so if the gRPC deadline is reached, the flow will end up being unconditionally allowed while it is still waiting on the scheduler.
This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
default_workload_parameters object
Parameters to be used if none of the workloads specified in workloads match.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout stringTimeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens doubleDefault value:
1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [
Empty
,Continue
,OK
,Created
,Accepted
,NonAuthoritativeInformation
,NoContent
,ResetContent
,PartialContent
,MultiStatus
,AlreadyReported
,IMUsed
,MultipleChoices
,MovedPermanently
,Found
,SeeOther
,NotModified
,UseProxy
,TemporaryRedirect
,PermanentRedirect
,BadRequest
,Unauthorized
,PaymentRequired
,Forbidden
,NotFound
,MethodNotAllowed
,NotAcceptable
,ProxyAuthenticationRequired
,RequestTimeout
,Conflict
,Gone
,LengthRequired
,PreconditionFailed
,PayloadTooLarge
,URITooLong
,UnsupportedMediaType
,RangeNotSatisfiable
,ExpectationFailed
,MisdirectedRequest
,UnprocessableEntity
,Locked
,FailedDependency
,UpgradeRequired
,PreconditionRequired
,TooManyRequests
,RequestHeaderFieldsTooLarge
,InternalServerError
,NotImplemented
,BadGateway
,ServiceUnavailable
,GatewayTimeout
,HTTPVersionNotSupported
,VariantAlsoNegotiates
,InsufficientStorage
,LoopDetected
,NotExtended
,NetworkAuthenticationRequired
]
Default value: Empty
This field allows you to override the default HTTP status code (503 Service Unavailable) that is returned when a request is denied.
fairness_label_key string
Key for a flow label that is used to enforce fairness among requests in a workload. If not specified, requests within a workload of the same priority are admitted in a FIFO manner.
priority_label_key string
Key for a flow label that can be used to override the default priority for this flow. The value associated with this key must be a valid number. Higher numbers mean higher priority. If this parameter is not provided, the priority for the flow will be determined by the matched workload's priority.
tokens_label_key string
Key for a flow label that can be used to override the default number of tokens for this request. The value associated with this key must be a valid number. If this parameter is not provided, the number of tokens for the flow will be determined by the matched workload's token count.
workload_label_key string
Key for a flow label that can be used to provide workloads for this request. If this parameter is not provided, the workloads for the flow will be determined by the matched workload's name in the policy.
workloads object[]
List of workloads to be used in scheduler.
Categorizing flows into workloads allows for load throttling to be "intelligent" instead of queueing flows in an arbitrary order. There are two aspects of this "intelligence":
- Scheduler can more precisely calculate concurrency if it understands that flows belonging to different classes have different weights (for example, insert queries compared to select queries).
- Setting different priorities to different workloads lets the scheduler avoid dropping important traffic during overload.
Each workload in this list also specifies a matcher that determines which flows are categorized into that workload. If multiple workloads match, the first matching one is used. If none of the workloads match, default_workload is used.
Array [
label_matcher object required
Label Matcher to select a Workload based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
name string
Name of the workload.
parameters object
Parameters associated with flows matching the label matcher.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. A timeout value of 0 implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
]
selectors object[] required
Possible values: >= 1
Flow selection criteria.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer-to-peer cluster to constantly share state.
:::
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
load_ramp object
Load Ramp smoothly regulates the flow of requests over specified steps.
in_ports object
Inputs for the Load Ramp component.
backward object
Whether to progress the Load Ramp towards the previous step.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
forward object
Whether to progress the Load Ramp towards the next step.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
reset object
Whether to reset the Load Ramp to the first step.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Outputs for the Load Ramp component.
accept_percentage object
The percentage of flows being accepted by the Load Ramp.
signal_name string
Name of the outgoing Signal on the OutPort.
at_end object
A Boolean signal indicating whether the Load Ramp is at the end of signal generation.
signal_name string
Name of the outgoing Signal on the OutPort.
at_start object
A Boolean signal indicating whether the Load Ramp is at the start of signal generation.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
Parameters for the Load Ramp component.
sampler object required
Parameters for the Sampler.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (403 Forbidden) that is returned when a request is denied.
ramp_mode boolean
Default value: false
Ramp component can accept flows with ramp_mode flag set.
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer-to-peer cluster to constantly share state.
:::
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
session_label_key string
The flow label key for identifying sessions.
- When label key is specified, Sampler acts as a sticky filter. The series of flows with the same value of label key get the same decision provided that the accept_percentage is the same or higher.
- When label key is not specified, Sampler acts as a stateless filter. Percentage of flows are selected randomly for rejection.
steps object[] required
Possible values: >= 1
Array [
duration string required
Duration for which the step is active. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
target_accept_percentage double
Possible values: <= 100
The value of the step.
]
pass_through_label_values string[]
Specify certain label values to be always accepted by the Sampler regardless of accept percentage.
pass_through_label_values_config_key string
Configuration key for setting pass through label values through dynamic configuration.
load_scheduler object
Load Scheduler provides service protection by creating a prioritized workload queue in front of the service using Weighted Fair Queuing.
dry_run boolean
Decides whether to run the load scheduler in dry-run mode. In dry-run mode the scheduler acts as a pass-through for all flows and does not queue them. It is useful for observing the behavior of the load scheduler without disrupting any real traffic.
dry_run_config_key string
Configuration key for setting dry run mode through dynamic configuration.
in_ports object required
Input ports for the LoadScheduler component.
load_multiplier object
Load multiplier is proportion of incoming token rate that needs to be accepted. The signal gets updated once every 10 seconds.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the LoadScheduler component.
observed_load_multiplier object
Observed load multiplier is the proportion of incoming token rate that is being accepted. The signal gets updated once every 10 seconds.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
scheduler object
Configuration of Weighted Fair Queuing-based workload scheduler.
Contains configuration of per-agent scheduler
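The workload rules documented for this scheduler (match_list requirements combined with AND, the first matching workload wins, the default workload otherwise, and the virtual_finish_time formulas), as an added Go example that is not the project's own code. The type and function names are hypothetical, the workloads are constructed sample data, and NotIn matching an absent label is assumed from Kubernetes selector semantics.

```go
package main

import "fmt"

// Requirement is a stand-in for one match_list entry (hypothetical type name).
type Requirement struct {
	Key      string
	Operator string // In, NotIn, Exists or DoesNotExist
	Values   []string
}

// Workload is a stand-in for one workloads entry with its parameters.
type Workload struct {
	Name      string
	MatchList []Requirement
	Priority  float64
	Tokens    float64
}

// Validate enforces the documented rule on the values array.
func (r Requirement) Validate() error {
	switch r.Operator {
	case "In", "NotIn":
		if len(r.Values) == 0 {
			return fmt.Errorf("%s on %q: values must be non-empty", r.Operator, r.Key)
		}
	case "Exists", "DoesNotExist":
		if len(r.Values) != 0 {
			return fmt.Errorf("%s on %q: values must be empty", r.Operator, r.Key)
		}
	default:
		return fmt.Errorf("unknown operator %q on %q", r.Operator, r.Key)
	}
	return nil
}

// Matches evaluates one requirement against a flow's labels.
// Assumption: NotIn also matches when the label is absent, as in Kubernetes selectors.
func (r Requirement) Matches(labels map[string]string) bool {
	value, present := labels[r.Key]
	listed := false
	for _, v := range r.Values {
		listed = listed || (present && v == value)
	}
	switch r.Operator {
	case "In":
		return listed
	case "NotIn":
		return !listed
	case "Exists":
		return present
	}
	return !present // DoesNotExist; unknown operators are rejected by Validate
}

// SelectWorkload validates every requirement and returns the first workload whose
// requirements all match (logical AND), or def when none match.
func SelectWorkload(ws []Workload, def Workload, labels map[string]string) (Workload, error) {
	chosen, found := def, false
	for _, w := range ws {
		matched := true
		for _, r := range w.MatchList {
			if err := r.Validate(); err != nil {
				return Workload{}, fmt.Errorf("workload %q: %w", w.Name, err)
			}
			matched = matched && r.Matches(labels)
		}
		if matched && !found {
			chosen, found = w, true
		}
	}
	return chosen, nil
}

// VirtualFinishTime applies the two formulas given for the priority field.
// The priority > 0 guard is this example's choice, since 1/priority is undefined at 0.
func VirtualFinishTime(virtualTime float64, w Workload) (float64, error) {
	if w.Priority <= 0 {
		return 0, fmt.Errorf("workload %q: priority must be greater than 0", w.Name)
	}
	return virtualTime + w.Tokens*(1/w.Priority), nil // tokens * inverted_priority
}

// SampleWorkloads returns constructed sample data, not taken from any real policy.
func SampleWorkloads() ([]Workload, Workload) {
	checkout := Workload{Name: "checkout", Priority: 4, Tokens: 10, MatchList: []Requirement{
		{Key: "user_tier", Operator: "In", Values: []string{"gold", "platinum"}},
		{Key: "http.method", Operator: "Exists"},
	}}
	batch := Workload{Name: "batch", Priority: 0.5, Tokens: 50, MatchList: []Requirement{
		{Key: "job_type", Operator: "In", Values: []string{"report"}},
	}}
	return []Workload{checkout, batch}, Workload{Name: "default", Priority: 1, Tokens: 1}
}

func main() {
	ws, def := SampleWorkloads()
	w, err := SelectWorkload(ws, def, map[string]string{"user_tier": "gold", "http.method": "POST"})
	vft, vftErr := VirtualFinishTime(100, w)
	fmt.Println(w.Name, vft, err, vftErr)
}
```

With equal tokens, a higher priority yields a smaller increment to the virtual finish time, so the flow is scheduled earlier.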
decision_deadline_margin string
Default value: 0.01s
Decision deadline margin is the amount of time that the scheduler will subtract from the request deadline to determine the deadline for the decision. This is to ensure that the scheduler has enough time to make a decision before the request deadline happens, accounting for processing delays. The request deadline is based on the gRPC deadline or the grpc-timeout HTTP header.
Fail-open logic is used for flow control APIs, so if the gRPC deadline is reached, the flow will end up being unconditionally allowed while it is still waiting on the scheduler. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
default_workload_parameters object
Parameters to be used if none of the workloads specified in workloads match.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. A timeout value of 0 implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (503 Service Unavailable) that is returned when a request is denied.
fairness_label_key string
Key for a flow label that is used to enforce fairness among requests in a workload. If not specified, requests within a workload of the same priority are admitted in a FIFO manner.
priority_label_key string
Key for a flow label that can be used to override the default priority for this flow. The value associated with this key must be a valid number. Higher numbers mean higher priority. If this parameter is not provided, the priority for the flow will be determined by the matched workload's priority.
tokens_label_key string
Key for a flow label that can be used to override the default number of tokens for this request. The value associated with this key must be a valid number. If this parameter is not provided, the number of tokens for the flow will be determined by the matched workload's token count.
workload_label_key string
Key for a flow label that can be used to provide workloads for this request. If this parameter is not provided, the workloads for the flow will be determined by the matched workload's name in the policy.
workloads object[]
List of workloads to be used in scheduler.
Categorizing flows into workloads allows for load throttling to be "intelligent" instead of queueing flows in an arbitrary order. There are two aspects of this "intelligence":
- Scheduler can more precisely calculate concurrency if it understands that flows belonging to different classes have different weights (for example, insert queries compared to select queries).
- Setting different priorities to different workloads lets the scheduler avoid dropping important traffic during overload.
Each workload in this list also specifies a matcher that determines which flows are categorized into that workload. If multiple workloads match, the first matching one is used. If none of the workloads match, default_workload is used.
Array [
label_matcher object required
Label Matcher to select a Workload based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
name string
Name of the workload.
parameters object
Parameters associated with flows matching the label matcher.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. A timeout value of 0 implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
]
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer-to-peer cluster to constantly share state.
:::
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
workload_latency_based_tokens boolean
Default value: false
Automatically estimate the size of flows within each workload, based on historical latency. Each workload's tokens will be set to average latency of flows in that workload during the last few seconds (exact duration of this average can change). This setting is useful in concurrency limiting use-case, where the concurrency is calculated as (avg. latency * in-flight flows) (Little's Law).
The value of tokens estimated takes a lower precedence than the value of tokens specified in the workload definition and tokens explicitly specified in the flow labels.
quota_scheduler object
Schedules the traffic based on token-bucket based quotas.
in_ports object required
bucket_capacity object required
Capacity of the bucket to allow for bursty traffic.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
fill_amount object required
Number of tokens to fill within an interval.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
pass_through object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the Quota Scheduler component.
accept_percentage object
The percentage of flows being accepted.
signal_name string
Name of the outgoing Signal on the OutPort.
rate_limiter object required
Parameter to configure rate limiting quotas.
continuous_fill boolean
Default value: true
Continuous fill determines whether the token bucket should be filled continuously or only on discrete intervals.
delay_initial_fill boolean
Default value: false
Delays the initial filling of the token bucket. If set to false, the token bucket will start filling immediately after the first request is received. This can potentially lead to more requests being accepted than the specified rate limit during the first interval. When set to true, the token bucket will be given a chance to empty out before the filling starts. The delay is equal to the time it takes to fill the bucket.
interval string required
Interval defines the time interval in which the token bucket will fill tokens specified by fill_amount signal. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
label_key string
Specifies which label the rate limiter should be keyed by.
Rate limiting is done independently for each value of the label with given key. For example, to give each user a separate limit, assuming you have a user flow label set up, set label_key: "user". If no label key is specified, then all requests matching the selectors will be rate limited based on the global bucket. Deprecated: v3.0.0. Use limit_by_label_key instead.
lazy_sync object
enabled
Enables lazy sync.
Default value: false
num_sync int64
Default value: 4
Number of times to lazy sync within the interval.
limit_by_label_key string
Specifies which label the rate limiter should be keyed by.
Rate limiting is done independently for each value of the label with given key. For example, to give each user a separate limit, assuming you have a user flow label set up, set limit_by_label_key: "user". If no label key is specified, then all requests matching the selectors will be rate limited based on the global bucket.
max_idle_time string
Default value: 7200s
Max idle time before token bucket state for a label is removed. If set to 0, the state is never removed. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
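The following simulation is an added example, not Aperture's own code: it models the rate_limiter fields described above to show how continuous_fill and delay_initial_fill change what is admitted in the first interval, with one bucket per value of limit_by_label_key. The Go types, the sample bursts and the reading of the initial delay as capacity / fill_amount x interval are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// RateLimiterParams holds the documented knobs; the Go type is hypothetical.
type RateLimiterParams struct {
	BucketCapacity   float64       // bucket_capacity in-port
	FillAmount       float64       // fill_amount in-port
	Interval         time.Duration // interval
	ContinuousFill   bool          // continuous_fill
	DelayInitialFill bool          // delay_initial_fill
}

// bucket is the state kept for one value of limit_by_label_key.
type bucket struct {
	tokens   float64
	lastFill time.Duration // offset at which tokens were last credited
}

// newBucket starts full. With delay_initial_fill the first credit is pushed
// back by the time needed to fill the bucket once (assumed reading).
func (p RateLimiterParams) newBucket(first time.Duration) *bucket {
	start := first
	if p.DelayInitialFill {
		start += time.Duration(p.BucketCapacity / p.FillAmount * float64(p.Interval))
	}
	return &bucket{tokens: p.BucketCapacity, lastFill: start}
}

// refill credits tokens earned since lastFill, capped at bucket_capacity.
func (p RateLimiterParams) refill(b *bucket, now time.Duration) {
	if now <= b.lastFill {
		return
	}
	elapsed := now - b.lastFill
	if p.ContinuousFill {
		b.tokens += p.FillAmount * elapsed.Seconds() / p.Interval.Seconds()
		b.lastFill = now
	} else {
		n := elapsed / p.Interval // whole intervals only
		b.tokens += float64(n) * p.FillAmount
		b.lastFill += n * p.Interval
	}
	b.tokens = math.Min(b.tokens, p.BucketCapacity)
}

// Burst is N one-token requests for one label value at offset At.
type Burst struct {
	At  time.Duration
	Key string
	N   int
}

// Simulate replays bursts (sorted by At) and returns admissions per burst.
func Simulate(p RateLimiterParams, bursts []Burst) []int {
	buckets := map[string]*bucket{}
	admitted := make([]int, len(bursts))
	for i, bu := range bursts {
		b, ok := buckets[bu.Key]
		if !ok {
			b = p.newBucket(bu.At)
			buckets[bu.Key] = b
		}
		p.refill(b, bu.At)
		for r := 0; r < bu.N && b.tokens >= 1; r++ {
			b.tokens--
			admitted[i]++
		}
	}
	return admitted
}

// constructedBursts is sample traffic made up for this example.
var constructedBursts = []Burst{
	{0, "alice", 15},
	{500 * time.Millisecond, "alice", 15},
	{time.Second, "alice", 15},
	{time.Second, "bob", 15},
	{2 * time.Second, "alice", 15},
}

func main() {
	p := RateLimiterParams{BucketCapacity: 10, FillAmount: 10, Interval: time.Second, ContinuousFill: true}
	fmt.Println("continuous, immediate fill:", Simulate(p, constructedBursts))
	p.ContinuousFill = false
	fmt.Println("discrete, immediate fill:  ", Simulate(p, constructedBursts))
	p.ContinuousFill, p.DelayInitialFill = true, true
	fmt.Println("continuous, delayed fill:  ", Simulate(p, constructedBursts))
}
```

With immediate fill, the "alice" bucket admits 20 requests across the bursts at 0s, 0.5s and 1s against a nominal 10 per second; with delayed fill it admits 10.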
scheduler object
Scheduler is used to schedule the requests when the quota is exhausted.
decision_deadline_margin string
Default value: 0.01s
Decision deadline margin is the amount of time that the scheduler will subtract from the request deadline to determine the deadline for the decision. This is to ensure that the scheduler has enough time to make a decision before the request deadline happens, accounting for processing delays. The request deadline is based on the gRPC deadline or the grpc-timeout HTTP header.
Fail-open logic is used for flow control APIs, so if the gRPC deadline is reached, the flow will end up being unconditionally allowed while it is still waiting on the scheduler. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
default_workload_parameters object
Parameters to be used if none of workloads specified in workloads match.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (503 Service Unavailable) that is returned when a request is denied.
fairness_label_key string
Key for a flow label that is used to enforce fairness among requests in a workload. If not specified, requests within a workload of the same priority are admitted in a FIFO manner.
priority_label_key string
Key for a flow label that can be used to override the default priority for this flow. The value associated with this key must be a valid number. Higher numbers mean higher priority. If this parameter is not provided, the priority for the flow will be determined by the matched workload's priority.
tokens_label_key string
Key for a flow label that can be used to override the default number of tokens for this request. The value associated with this key must be a valid number. If this parameter is not provided, the number of tokens for the flow will be determined by the matched workload's token count.
workload_label_key string
Key for a flow label that can be used to provide workloads for this request. If this parameter is not provided, the workloads for the flow will be determined by the matched workload's name in the policy.
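The sketch below is an added example, not Aperture's scheduler code: it applies the two priority formulas above to a constructed backlog and shows how a numeric value read through priority_label_key changes admission order. The per-workload running virtual time, the tie-break by arrival, the fallback for unusable label values and all names and sample flows are assumptions of this example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
)

// WorkloadParams holds the documented per-workload priority and tokens.
type WorkloadParams struct {
	Priority float64
	Tokens   float64
}

// Flow is a queued request with its matched workload and flow labels.
type Flow struct {
	ID       string
	Workload string
	Labels   map[string]string
}

// labelNumber reads a numeric override from a flow label. Falling back to def
// for a missing, non-numeric, non-finite or non-positive value is this
// example's choice; the page only says the value must be a valid number.
func labelNumber(labels map[string]string, key string, def float64) float64 {
	if key == "" {
		return def
	}
	raw, ok := labels[key]
	if !ok {
		return def
	}
	v, err := strconv.ParseFloat(raw, 64)
	if err != nil || math.IsNaN(v) || math.IsInf(v, 0) || v <= 0 {
		return def
	}
	return v
}

// Schedule returns flow IDs in admission order. Each workload keeps its own
// running virtual time (standard WFQ bookkeeping, assumed here), and ties go
// to the earlier arrival.
func Schedule(flows []Flow, workloads map[string]WorkloadParams, priorityKey, tokensKey string) []string {
	type queued struct {
		id     string
		finish float64
		seq    int
	}
	virtualTime := map[string]float64{}
	queue := make([]queued, 0, len(flows))
	for seq, f := range flows {
		wp, ok := workloads[f.Workload]
		if !ok {
			wp = WorkloadParams{Priority: 1, Tokens: 1} // documented defaults
		}
		priority := labelNumber(f.Labels, priorityKey, wp.Priority)
		tokens := labelNumber(f.Labels, tokensKey, wp.Tokens)
		invertedPriority := 1 / priority
		finish := virtualTime[f.Workload] + tokens*invertedPriority
		virtualTime[f.Workload] = finish
		queue = append(queue, queued{f.ID, finish, seq})
	}
	sort.Slice(queue, func(a, b int) bool {
		if queue[a].finish != queue[b].finish {
			return queue[a].finish < queue[b].finish
		}
		return queue[a].seq < queue[b].seq
	})
	order := make([]string, len(queue))
	for i, q := range queue {
		order[i] = q.id
	}
	return order
}

// Constructed sample data: two workloads and a backlog in arrival order.
var constructedWorkloads = map[string]WorkloadParams{
	"checkout": {Priority: 4, Tokens: 1},
	"crawler":  {Priority: 1, Tokens: 1},
}

var constructedFlows = []Flow{
	{"crawler-x", "crawler", map[string]string{"priority": "8"}},
	{"crawler-a", "crawler", nil},
	{"checkout-a", "checkout", nil},
	{"checkout-b", "checkout", nil},
	{"checkout-c", "checkout", nil},
	{"checkout-d", "checkout", nil},
	{"crawler-bad", "crawler", map[string]string{"priority": "-3"}},
}

func main() {
	fmt.Println("priority_label_key unset:", Schedule(constructedFlows, constructedWorkloads, "", ""))
	fmt.Println("priority_label_key set:  ", Schedule(constructedFlows, constructedWorkloads, "priority", ""))
}
```

Because the label value feeds straight into the finish-time formula, a priority label is only as trustworthy as whatever sets it; populate it from server-side classification rather than from client-supplied input.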
workloads object[]
List of workloads to be used in scheduler.
Categorizing flows into workloads allows for load throttling to be "intelligent" instead of queueing flows in an arbitrary order. There are two aspects of this "intelligence":
- Scheduler can more precisely calculate concurrency if it understands that flows belonging to different classes have different weights (for example, insert queries compared to select queries).
- Setting different priorities to different workloads lets the scheduler avoid dropping important traffic during overload.
Each workload in this list also specifies a matcher that is used to determine which flow will be categorized into which workload. In case of multiple matching workloads, the first matching one will be used. If none of workloads match, default_workload will be used.
Array [
label_matcher object required
Label Matcher to select a Workload based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
name string
Name of the workload.
parameters object
Parameters associated with flows matching the label matcher.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
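As an added example (not Aperture's matcher), the code below validates match_list requirements against the documented rule on values and then classifies a flow with the first-match-wins rule described for workloads, so the effect of list order is visible. The Go types, workload names and labels are constructed; treating NotIn as matching when the key is absent follows Kubernetes selector semantics and is an assumption.

```go
package main

import "fmt"

// Requirement is one match_list entry: key, operator, values.
type Requirement struct {
	Key      string
	Operator string
	Values   []string
}

// Validate applies the documented rule: In and NotIn need a non-empty values
// array, Exists and DoesNotExist need an empty one.
func (r Requirement) Validate() error {
	switch r.Operator {
	case "In", "NotIn":
		if len(r.Values) == 0 {
			return fmt.Errorf("%s on %q: values must be non-empty", r.Operator, r.Key)
		}
	case "Exists", "DoesNotExist":
		if len(r.Values) != 0 {
			return fmt.Errorf("%s on %q: values must be empty", r.Operator, r.Key)
		}
	default:
		return fmt.Errorf("unknown operator %q on %q", r.Operator, r.Key)
	}
	return nil
}

// Matches evaluates one requirement against flow labels. Assumption: as in
// Kubernetes selectors, NotIn also matches when the key is absent.
func (r Requirement) Matches(labels map[string]string) bool {
	v, present := labels[r.Key]
	in := false
	for _, want := range r.Values {
		if present && v == want {
			in = true
		}
	}
	switch r.Operator {
	case "In":
		return in
	case "NotIn":
		return !in
	case "Exists":
		return present
	case "DoesNotExist":
		return !present
	}
	return false
}

// Workload pairs a workload name with its match_list.
type Workload struct {
	Name      string
	MatchList []Requirement
}

// Classify rejects malformed requirements up front, then returns the first
// workload whose requirements all match (logical AND), or fallback if none do.
func Classify(workloads []Workload, labels map[string]string, fallback string) (string, error) {
	for _, w := range workloads {
		for _, r := range w.MatchList {
			if err := r.Validate(); err != nil {
				return "", fmt.Errorf("workload %q: %w", w.Name, err)
			}
		}
	}
	for _, w := range workloads {
		all := true
		for _, r := range w.MatchList {
			if !r.Matches(labels) {
				all = false
				break
			}
		}
		if all {
			return w.Name, nil
		}
	}
	return fallback, nil
}

// Constructed workloads: the same two entries in two different orders.
var specificFirst = []Workload{
	{"premium", []Requirement{{"tier", "In", []string{"premium"}}, {"user_type", "Exists", nil}}},
	{"authenticated", []Requirement{{"user_type", "Exists", nil}}},
}

var broadFirst = []Workload{specificFirst[1], specificFirst[0]}

func main() {
	labels := map[string]string{"user_type": "member", "tier": "premium"}
	for _, ws := range [][]Workload{specificFirst, broadFirst} {
		name, err := Classify(ws, labels, "default_workload")
		fmt.Println(name, err)
	}
}
```

Listing the broad "authenticated" workload first shadows "premium" for every flow, so order workloads from most specific to least specific.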
]
selectors object[] required
Possible values: >= 1
Flow selection criteria.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
Info: Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive the exact same policy configuration and form a peer-to-peer cluster to constantly share state.
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
Info: any matches all services.
Info: An entity (for example, Kubernetes pod) might belong to multiple services.
]
range_driven_load_scheduler object
Range Driven Load Scheduler.
dry_run boolean
Decides whether to run the load scheduler in dry-run mode. In dry-run mode the scheduler acts as a pass-through for all flows and does not queue flows. It is useful for observing the behavior of load scheduler without disrupting any real traffic.
dry_run_config_key string
Configuration key for setting dry run mode through dynamic configuration.
in_ports object
Input ports for the Range Load Scheduler.
overload_confirmation object
The overload_confirmation port provides additional criteria to determine overload state which results in Flow throttling at the service.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
signal object required
The input signal to the controller.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the Range Load Scheduler.
desired_load_multiplier object
Desired Load multiplier is the ratio of desired token rate to the incoming token rate.
signal_name string
Name of the outgoing Signal on the OutPort.
is_overload object
A Boolean signal that indicates whether the service is in overload state.
signal_name string
Name of the outgoing Signal on the OutPort.
observed_load_multiplier object
Observed Load multiplier is the ratio of accepted token rate to the incoming token rate.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
Parameters for the Range Load Scheduler.
alerter object required
Configuration parameters for the embedded Alerter.
alert_channels string[]
A list of alert channel strings.
alert_name string required
Name of the alert.
labels object
Additional labels to add to alert.
property name* string
resolve_timeout string
Default value: 5s
Duration of alert resolver. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
severity string
Possible values: [info, warn, crit]
Default value: info
Severity of the alert, one of 'info', 'warn' or 'crit'.
degree double required
high_throttle_threshold object required
load_multiplier double
Possible values: <= 1
signal_value double
load_scheduler object required
Parameters for the Load Scheduler.
scheduler object
Configuration of Weighted Fair Queuing-based workload scheduler.
Contains configuration of per-agent scheduler
decision_deadline_margin string
Default value: 0.01s
Decision deadline margin is the amount of time that the scheduler will subtract from the request deadline to determine the deadline for the decision. This is to ensure that the scheduler has enough time to make a decision before the request deadline happens, accounting for processing delays. The request deadline is based on the gRPC deadline or the grpc-timeout HTTP header.
Fail-open logic is used for flow control APIs, so if the gRPC deadline is reached, the flow will end up being unconditionally allowed while it is still waiting on the scheduler. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
default_workload_parameters object
Parameters to be used if none of workloads specified in workloads match.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
denied_response_status_code
HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (503 Service Unavailable) that is returned when a request is denied.
fairness_label_key string
Key for a flow label that is used to enforce fairness among requests in a workload. If not specified, requests within a workload of the same priority are admitted in a FIFO manner.
priority_label_key string
Key for a flow label that can be used to override the default priority for this flow. The value associated with this key must be a valid number. Higher numbers mean higher priority. If this parameter is not provided, the priority for the flow will be determined by the matched workload's priority.
tokens_label_key string
Key for a flow label that can be used to override the default number of tokens for this request. The value associated with this key must be a valid number. If this parameter is not provided, the number of tokens for the flow will be determined by the matched workload's token count.
workload_label_key string
Key for a flow label that can be used to provide workloads for this request. If this parameter is not provided, the workloads for the flow will be determined by the matched workload's name in the policy.
workloads object[]
List of workloads to be used in scheduler.
Categorizing flows into workloads allows for load throttling to be "intelligent" instead of queueing flows in an arbitrary order. There are two aspects of this "intelligence":
- Scheduler can more precisely calculate concurrency if it understands that flows belonging to different classes have different weights (for example, insert queries compared to select queries).
- Setting different priorities to different workloads lets the scheduler avoid dropping important traffic during overload.
Each workload in this list also specifies a matcher that is used to determine which flow will be categorized into which workload. In case of multiple matching workloads, the first matching one will be used. If none of workloads match, default_workload will be used.
Array [
label_matcher object required
Label Matcher to select a Workload based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
name string
Name of the workload.
parameters object
Parameters associated with flows matching the label matcher.
priority double
Default value: 1
$$ \text{inverted\_priority} = \frac{1}{\text{priority}} $$
$$ \text{virtual\_finish\_time} = \text{virtual\_time} + \left(\text{tokens} \cdot \text{inverted\_priority}\right) $$
queue_timeout string
Timeout for the flow in the workload. If timeout is provided on the Check call as well, the minimum of the two is picked. If this override is not provided, the timeout provided in the check call is used. 0 timeout value implies that the request will not wait in the queue and will be accepted or dropped immediately. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
tokens double
Default value: 1
Tokens determines the cost of admitting a single flow in the workload, which is typically defined as milliseconds of flow latency (time to response or duration of a feature) or simply equal to 1 if the resource being accessed is constrained by the number of flows (3rd party rate limiters). This override is applicable only if tokens for the flow aren't specified in the flow labels.
]selectors object[] required
Possible values:
>= 1
Selectors for the component.
Array [agent_group stringDefault value:
aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive exact same policy configuration and form a peer to peer cluster to constantly share state.
:::
control_point string requiredControl Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
workload_latency_based_tokens boolean
Default value: false
Automatically estimate the size of flows within each workload, based on historical latency. Each workload's tokens will be set to average latency of flows in that workload during the last few seconds (exact duration of this average can change). This setting is useful in concurrency limiting use-case, where the concurrency is calculated as (avg. latency * in-flight flows) (Little's Law).
The value of tokens estimated takes a lower precedence than the value of tokens specified in the workload definition and tokens explicitly specified in the flow labels.
low_throttle_threshold object required
load_multiplier double
Possible values: <= 1
signal_value double
rate_limiter object
Rate Limiter provides service protection by applying rate limits using the token bucket algorithm.
in_ports object required
bucket_capacity object required
Capacity of the bucket to allow for bursty traffic.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
fill_amount object required
Number of tokens to fill within an interval.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
pass_through object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the Rate Limiter component.
accept_percentage object
The percentage of flows being accepted.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
continuous_fill boolean
Default value: true
Continuous fill determines whether the token bucket should be filled continuously or only on discrete intervals.
delay_initial_fill boolean
Default value: false
Delays the initial filling of the token bucket. If set to false, the token bucket will start filling immediately after the first request is received. This can potentially lead to more requests being accepted than the specified rate limit during the first interval. When set to true, the token bucket will be given a chance to empty out before the filling starts. The delay is equal to the time it takes to fill the bucket.
interval string required
Interval defines the time interval in which the token bucket will fill tokens specified by fill_amount signal. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
label_key string
Specifies which label the rate limiter should be keyed by.
Rate limiting is done independently for each value of the label with given key. For example, to give each user a separate limit, assuming you have a user flow label set up, set label_key: "user". If no label key is specified, then all requests matching the selectors will be rate limited based on the global bucket. Deprecated: v3.0.0. Use limit_by_label_key instead.
lazy_sync object
enabled Enables lazy sync
Default value: false
num_sync int64
Default value: 4
Number of times to lazy sync within the interval.
limit_by_label_key string
Specifies which label the rate limiter should be keyed by.
Rate limiting is done independently for each value of the label with given key. For example, to give each user a separate limit, assuming you have a user flow label set up, set limit_by_label_key: "user". If no label key is specified, then all requests matching the selectors will be rate limited based on the global bucket.
max_idle_time string
Default value: 7200s
Max idle time before token bucket state for a label is removed. If set to 0, the state is never removed. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
request_parameters object
denied_response_status_code HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (429 Too Many Requests) that is returned when a request is denied.
tokens_label_key string
Flow label key that will be used to override the number of tokens for this request. This is an optional parameter and takes highest precedence when assigning tokens to a request. The label value must be a valid number.
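How the rate_limiter parameters above interact, as an added example that is not Aperture's own code: a per-label token bucket with continuous or discrete fill, delayed initial fill and idle-state eviction. The type and function names are hypothetical, the traffic is constructed, and the delay_initial_fill handling (refill held back by capacity / fill_amount × interval) is this example's reading of the description.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Params mirrors the rate_limiter fields above; semantics are this example's reading.
type Params struct {
	BucketCapacity   float64       // bucket_capacity
	FillAmount       float64       // fill_amount, tokens added per Interval
	Interval         time.Duration // interval
	ContinuousFill   bool          // continuous_fill
	DelayInitialFill bool          // delay_initial_fill
	MaxIdleTime      time.Duration // max_idle_time, 0 = state is never removed
}

type bucket struct {
	tokens             float64
	fillFrom, lastSeen time.Duration // refill is owed from fillFrom onwards
}

// Limiter keeps one bucket per limit_by_label_key value ("" = global bucket).
type Limiter struct {
	p       Params
	buckets map[string]*bucket
}

func NewLimiter(p Params) *Limiter { return &Limiter{p: p, buckets: map[string]*bucket{}} }

// Allow decides one request worth `tokens` at offset `now` from an arbitrary start.
func (l *Limiter) Allow(key string, tokens float64, now time.Duration) bool {
	l.evictIdle(now)
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.p.BucketCapacity, fillFrom: now}
		if l.p.DelayInitialFill {
			// Assumption: refill is held back by the time a full bucket takes to fill.
			b.fillFrom += time.Duration(l.p.BucketCapacity / l.p.FillAmount * float64(l.p.Interval))
		}
		l.buckets[key] = b
	}
	l.refill(b, now)
	b.lastSeen = now
	if b.tokens < tokens {
		return false
	}
	b.tokens -= tokens
	return true
}

func (l *Limiter) refill(b *bucket, now time.Duration) {
	if now <= b.fillFrom {
		return
	}
	elapsed := now - b.fillFrom
	if l.p.ContinuousFill {
		b.tokens += l.p.FillAmount * float64(elapsed) / float64(l.p.Interval)
		b.fillFrom = now
	} else {
		whole := elapsed / l.p.Interval // completed intervals only
		b.tokens += l.p.FillAmount * float64(whole)
		b.fillFrom += whole * l.p.Interval
	}
	b.tokens = math.Min(l.p.BucketCapacity, b.tokens)
}

// evictIdle drops state for label values not seen for longer than MaxIdleTime.
func (l *Limiter) evictIdle(now time.Duration) {
	for k, b := range l.buckets {
		if l.p.MaxIdleTime > 0 && now-b.lastSeen > l.p.MaxIdleTime {
			delete(l.buckets, k)
		}
	}
}

// TrackedKeys is the number of label values currently holding state.
func (l *Limiter) TrackedKeys() int { return len(l.buckets) }

// Burst sends n one-token requests for key at time now and counts acceptances.
func Burst(l *Limiter, key string, n int, now time.Duration) int {
	accepted := 0
	for i := 0; i < n; i++ {
		if l.Allow(key, 1, now) {
			accepted++
		}
	}
	return accepted
}

func main() {
	p := Params{BucketCapacity: 5, FillAmount: 5, Interval: 10 * time.Second, ContinuousFill: true}
	l := NewLimiter(p)
	fmt.Println(Burst(l, "alice", 10, 0), Burst(l, "alice", 10, 5*time.Second)) // constructed traffic
	p.DelayInitialFill = true
	d := NewLimiter(p)
	fmt.Println(Burst(d, "alice", 10, 0), Burst(d, "alice", 10, 10*time.Second))
}
```

With max_idle_time set to 0 and a high-cardinality label as the key, per-label state is never released, so TrackedKeys only grows.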
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive exact same policy configuration and form a peer to peer cluster to constantly share state.
:::
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
sampler object
Sampler is a component that regulates the flow of requests to the service by allowing only the specified percentage of requests or sticky sessions.
in_ports object
Input ports for the Sampler.
accept_percentage object
The percentage of requests to accept.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
parameters object required
Parameters for the Sampler.
denied_response_status_code HTTP response codes. For more details: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml
Possible values: [Empty, Continue, OK, Created, Accepted, NonAuthoritativeInformation, NoContent, ResetContent, PartialContent, MultiStatus, AlreadyReported, IMUsed, MultipleChoices, MovedPermanently, Found, SeeOther, NotModified, UseProxy, TemporaryRedirect, PermanentRedirect, BadRequest, Unauthorized, PaymentRequired, Forbidden, NotFound, MethodNotAllowed, NotAcceptable, ProxyAuthenticationRequired, RequestTimeout, Conflict, Gone, LengthRequired, PreconditionFailed, PayloadTooLarge, URITooLong, UnsupportedMediaType, RangeNotSatisfiable, ExpectationFailed, MisdirectedRequest, UnprocessableEntity, Locked, FailedDependency, UpgradeRequired, PreconditionRequired, TooManyRequests, RequestHeaderFieldsTooLarge, InternalServerError, NotImplemented, BadGateway, ServiceUnavailable, GatewayTimeout, HTTPVersionNotSupported, VariantAlsoNegotiates, InsufficientStorage, LoopDetected, NotExtended, NetworkAuthenticationRequired]
Default value: Empty
This field allows you to override the default HTTP status code (403 Forbidden) that is returned when a request is denied.
ramp_mode boolean
Default value: false
Ramp component can accept flows with ramp_mode flag set.
selectors object[] required
Possible values: >= 1
Selectors for the component.
Array [
agent_group string
Default value: aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive exact same policy configuration and form a peer to peer cluster to constantly share state.
:::
control_point string required
Control Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string required
Name of the label to equal match the value.
value string
Exact value that the label should be equal to.
label_exists string
The expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string required
Name of the label to match the regular expression.
regex string required
Regular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name* string
match_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [
key string required
Label key that the selector applies to.
operator string required
Possible values: [In, NotIn, Exists, DoesNotExist]
Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]
An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]
service string
Default value: any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]
session_label_key string
The flow label key for identifying sessions.
- When label key is specified, Sampler acts as a sticky filter. The series of flows with the same value of label key get the same decision provided that the accept_percentage is same or higher.
- When label key is not specified, Sampler acts as a stateless filter. Percentage of flows are selected randomly for rejection.
pass_through_label_values string[]
Specify certain label values to be always accepted by this Sampler regardless of accept percentage.
pass_through_label_values_config_key string
Configuration key for setting pass through label values through dynamic configuration.
gradient_controller object
Gradient controller calculates the ratio between the signal and the setpoint to determine the magnitude of the correction that need to be applied. This controller can be used to build AIMD (Additive Increase, Multiplicative Decrease) or MIMD style response.
in_ports object
Input ports of the Gradient Controller.
control_variable object
Actual current value of the control variable.
This signal is multiplied by the gradient to produce the output.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
max object
Maximum value to limit the output signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
min object
Minimum value to limit the output signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
setpoint object
Setpoint to be used for the gradient computation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
signal object
Signal to be used for the gradient computation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
manual_mode boolean
In manual mode, the controller does not adjust the control variable. It emits the same output as the control variable input. This setting can be adjusted at runtime through dynamic configuration without restarting the policy.
manual_mode_config_key string
Configuration key for overriding manual_mode setting through dynamic configuration.
out_ports object
Output ports of the Gradient Controller.
output object
Computed desired value of the control variable.
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
Gradient Parameters.
max_gradient double
Default value: 1.7976931348623157e+308
Maximum gradient which clamps the computed gradient value to the range, [min_gradient, max_gradient].
min_gradient double
Default value: -1.7976931348623157e+308
Minimum gradient which clamps the computed gradient value to the range, [min_gradient, max_gradient].
slope double required
Slope controls the aggressiveness and direction of the Gradient Controller.
Slope is used as exponent on the signal to setpoint ratio in computation of the gradient (see the main description for exact equation). This parameter decides how aggressively the controller responds to the deviation of signal from the setpoint. For example:
- $\text{slope} = 1$: when signal is too high, increase control variable,
- $\text{slope} = -1$: when signal is too high, decrease control variable,
- $\text{slope} = -0.5$: when signal is too high, decrease control variable gradually.
The sign of slope depends on correlation between the signal and control variable:
- Use $\text{slope} < 0$ if there is a positive correlation between the signal and the control variable (for example, Per-pod CPU usage and total concurrency).
- Use $\text{slope} > 0$ if there is a negative correlation between the signal and the control variable (for example, Per-pod CPU usage and number of pods).
:::note
You need to set negative slope for a positive correlation, as you're describing the action which controller should make when the signal increases.
:::
The magnitude of slope describes how aggressively the controller should react to a deviation of signal. With $|\text{slope}| = 1$, the controller will aim to bring the signal to the setpoint in one tick (assuming linear correlation with signal and setpoint). Smaller magnitudes of slope will make the controller adjust the control variable gradually.
Setting $|\text{slope}| < 1$ (for example, $\pm0.8$) is recommended. If you experience overshooting, consider lowering the magnitude even more. Values of $|\text{slope}| > 1$ aren't recommended.
:::note
Remember that the gradient and output signal can be (optionally) clamped, so the slope might not fully describe aggressiveness of the controller.
:::
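The slope behaviour described above, as an added example that is not Aperture's own code: it raises the signal-to-setpoint ratio to the slope, clamps the gradient, multiplies the control variable by it, and iterates the result. The names GradientParams, Step and Simulate are hypothetical, and the plant (signal = gain × control variable, a positive correlation) is a constructed assumption.

```go
package main

import (
	"fmt"
	"math"
)

// GradientParams mirrors the gradient_controller parameters (names are this example's).
type GradientParams struct {
	Slope, MinGradient, MaxGradient float64
}

func clamp(v, lo, hi float64) float64 { return math.Max(lo, math.Min(hi, v)) }

// Step runs one tick: gradient = (signal/setpoint)^slope clamped to
// [min_gradient, max_gradient]; output = control variable * gradient,
// clamped to the min and max in-ports.
func Step(p GradientParams, signal, setpoint, controlVar, outMin, outMax float64) float64 {
	gradient := clamp(math.Pow(signal/setpoint, p.Slope), p.MinGradient, p.MaxGradient)
	return clamp(controlVar*gradient, outMin, outMax)
}

// Simulate feeds the controller output back through a constructed linear plant
// (signal = gain * control variable) and returns the signal seen at each tick.
func Simulate(p GradientParams, gain, setpoint, start float64, ticks int) []float64 {
	signals := make([]float64, 0, ticks+1)
	cv := start
	for i := 0; i <= ticks; i++ {
		signal := gain * cv
		signals = append(signals, signal)
		cv = Step(p, signal, setpoint, cv, 0, math.Inf(1))
	}
	return signals
}

func main() {
	// Signal starts at twice the setpoint; compare three slopes with default clamps.
	for _, slope := range []float64{-1, -0.5, -2} {
		p := GradientParams{Slope: slope, MinGradient: -math.MaxFloat64, MaxGradient: math.MaxFloat64}
		fmt.Printf("slope %5.1f: %.1f\n", slope, Simulate(p, 2, 100, 100, 4))
	}
}
```

On this plant a slope of -1 reaches the setpoint in one tick, -0.5 approaches it gradually, and -2 swings between 200 and 50 without settling.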
holder object
Holds the last valid signal value for the specified duration then waits for next valid value to hold.
hold_for string
Default value: 5s
Holding the last valid signal value for the hold_for duration. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
in_ports object
Input ports for the Holder component.
input object
The input signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
reset object
Resets the holder output to the current input signal when reset signal is valid and non-zero.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the Holder component.
output object
The output signal.
signal_name string
Name of the outgoing Signal on the OutPort.
integrator object
Accumulates sum of signal every tick.
evaluation_interval string
The evaluation interval of the Integrator. This determines how often the Integrator is incremented. Defaults to the evaluation interval of the circuit. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
in_ports object
Input ports for the Integrator component.
input object
The input signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
max object
The maximum output.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
min object
The minimum output.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
reset object
Resets the integrator output to zero when reset signal is valid and non-zero. Reset also resets the max and min constraints.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
initial_value double
Default value: 0
Initial value of the integrator.
out_ports object
Output ports for the Integrator component.
output object
signal_name string
Name of the outgoing Signal on the OutPort.
inverter object
Logical NOT.
in_ports object
Input ports for the Inverter component.
input object
Signal to be negated.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
Output ports for the Inverter component.
output object
Logical negation of the input signal.
Will always be 0 (false), 1 (true) or invalid (unknown).
signal_name string
Name of the outgoing Signal on the OutPort.
max object
Emits the maximum of the input signals.
in_ports object
Input ports for the Max component.
inputs object[]
Array of input signals.
Array [
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
]
out_ports object
Output ports for the Max component.
output object
Signal with maximum value as an output signal.
signal_name string
Name of the outgoing Signal on the OutPort.
min object
Emits the minimum of the input signals.
in_ports object
Input ports for the Min component.
inputs object[]
Array of input signals.
Array [
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
]
out_ports object
Output ports for the Min component.
output object
Signal with minimum value as an output signal.
signal_name string
Name of the outgoing Signal on the OutPort.
nested_circuit object
Nested circuit defines a sub-circuit as a high-level component. It consists of a list of components and a map of input and output ports.
components object[]
List of components in the nested circuit.
in_ports_map object
Maps input port names to input ports.
property name* object (Components receive input from other components through InPorts)
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports_map object
Maps output port names to output ports.
property name* object (Components produce output for other components through OutPorts)
signal_name string
Name of the outgoing Signal on the OutPort.
nested_signal_egress object
Nested signal egress is a special type of component that allows to extract a signal from a nested circuit.
in_ports object
Input ports for the NestedSignalEgress component.
signal object
Egress signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
port_name string
Name of the port.
nested_signal_ingress object
Nested signal ingress is a special type of component that allows to inject a signal into a nested circuit.
out_ports object
Output ports for the NestedSignalIngress component.
signal object
Ingress signal.
signal_name string
Name of the outgoing Signal on the OutPort.
port_name string
Name of the port.
or object
Logical OR.
in_ports object
Input ports for the Or component.
inputs object[]
Array of input signals.
Array [
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
]
out_ports object
Output ports for the Or component.
output object
Result of logical OR of all the input signals.
Will always be 0 (false), 1 (true) or invalid (unknown).
signal_name string
Name of the outgoing Signal on the OutPort.
pid_controller object
PID Controller is a proportional–integral–derivative controller.
in_ports object
max object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
min object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
setpoint object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
signal object
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value string
Possible values: [NaN, +Inf, -Inf]
A special value such as NaN, +Inf, -Inf.
value double
A constant value.
signal_name string
Name of the incoming Signal on the InPort.
out_ports object
output object
signal_name string
Name of the outgoing Signal on the OutPort.
parameters object required
evaluation_interval string
The evaluation interval of the PID controller. This determines how often the PID output is computed. Defaults to the evaluation interval of the circuit. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
kd double
Default value: 0
The derivative gain of the PID controller.
ki double
Default value: 0
The integral gain of the PID controller.
kp double
Default value: 0
The proportional gain of the PID controller.
reset_after_invalid_samples int32
Possible values: >= 1
Default value: 4
The integrator resets after the specified number of ticks if the signal or setpoint are continuously invalid. Defaults to 4 invalid samples.
polynomial_range_function object
Polynomial Range Function is a function that maps a signal to a range of values following a polynomial function.
in_ports object
input object
The input signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
out_ports object
output object
The output signal.
signal_name stringName of the outgoing Signal on the OutPort.
parameters object required
clamp_to_custom_values object
post_end double
pre_start double
clamp_to_datapoint Clamp to the nearest data-point
continue_curve Continue polynomial curve
degree double
end object
input double
output double
start object
input double
output double
pulse_generator object
Generates 0 and 1 in turns.
false_for stringDefault value:
5s
Emitting 0 for the false_for duration. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
out_ports object
Output ports for the PulseGenerator component.
output object
signal_name stringName of the outgoing Signal on the OutPort.
true_for stringDefault value:
5s
Emitting 1 for the true_for duration. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
query object
Query components that query databases such as Prometheus.
promql object
Periodically runs a Prometheus query in the background and emits the result.
evaluation_interval stringDefault value:
10s
Describes the interval between successive evaluations of the Prometheus query. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
out_ports object
Output ports for the PromQL component.
output object
The result of the Prometheus query as an output signal.
signal_name stringName of the outgoing Signal on the OutPort.
query_string stringDescribes the PromQL query to be run.
:::note
The query must return a single value either as a scalar or as a vector with a single element.
:::
:::info Usage with Flux Meter
Flux Meter metrics can be queried using PromQL. Flux Meter defines histogram type of metrics in Prometheus. Therefore, one can refer to flux_meter_sum, flux_meter_count and flux_meter_bucket. The particular Flux Meter can be identified with the flux_meter_name label. There are additional labels available on a Flux Meter such as valid, flow_status, http_status_code and decision_type.
:::
:::info Usage with OpenTelemetry Metrics
Aperture supports OpenTelemetry metrics. See reference for more details.
:::
signal_generator object
Generates the specified signal.
in_ports object
Inputs for the Signal Generator component.
backward object
Whether to progress the Signal Generator towards the previous step.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
forward object
Whether to progress the Signal Generator towards the next step.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
reset object
Whether to reset the Signal Generator to the first step.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
out_ports object
Outputs for the Signal Generator component.
at_end object
A Boolean signal indicating whether the Signal Generator is at the end of signal generation.
signal_name stringName of the outgoing Signal on the OutPort.
at_start object
A Boolean signal indicating whether the Signal Generator is at the start of signal generation.
signal_name stringName of the outgoing Signal on the OutPort.
output object
The generated signal.
signal_name stringName of the outgoing Signal on the OutPort.
parameters object required
Parameters for the Signal Generator component.
steps object[] required
Possible values:
>= 1
Array [duration string requiredDuration for which the step is active. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
target_output object
The value of the step.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
]sma object
Simple Moving Average filter.
in_ports object
Input ports for the SMA component.
input object
Signal to be used for the moving average computation.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
out_ports object
Output ports for the SMA component.
output object
Computed moving average.
signal_name stringName of the outgoing Signal on the OutPort.
parameters object required
Parameters for the SMA component.
sma_window string requiredWindow of time over which the moving average is computed. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
valid_during_warmup booleanDefault value:
false
Whether the output is valid during the warm-up stage.
switcher object
Switcher acts as a switch that emits one of two signals based on a third signal.
in_ports object
Input ports for the Switcher component.
off_signal object
Output signal when switch is invalid or 0.0.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
on_signal object
Output signal when switch is valid and not 0.0.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
switch object
Decides whether to return on_signal or off_signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
out_ports object
Output ports for the Switcher component.
output object
Selected signal (on_signal or off_signal).
signal_name stringName of the outgoing Signal on the OutPort.
unary_operator object
Takes an input signal and emits the square root of the input signal.
in_ports object
Input ports for the UnaryOperator component.
input object
Input signal.
constant_signal object
Constant value to be used for this InPort instead of a signal.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
signal_name stringName of the incoming Signal on the InPort.
operator stringPossible values: [
abs
,acos
,acosh
,asin
,asinh
,atan
,atanh
,cbrt
,ceil
,cos
,cosh
,erf
,erfc
,erfcinv
,erfinv
,exp
,exp2
,expm1
,floor
,gamma
,j0
,j1
,lgamma
,log
,log10
,log1p
,log2
,round
,roundtoeven
,sin
,sinh
,sqrt
,tan
,tanh
,trunc
,y0
,y1
]Unary Operator to apply.
The unary operator can be one of the following:
- abs: Absolute value with the sign removed.
- acos: arccosine, in radians.
- acosh: Inverse hyperbolic cosine.
- asin: arcsine, in radians.
- asinh: Inverse hyperbolic sine.
- atan: arctangent, in radians.
- atanh: Inverse hyperbolic tangent.
- cbrt: Cube root.
- ceil: Least integer value greater than or equal to input signal.
- cos: cosine, in radians.
- cosh: Hyperbolic cosine.
- erf: Error function.
- erfc: Complementary error function.
- erfcinv: Inverse complementary error function.
- erfinv: Inverse error function.
- exp: The base-e exponential of input signal.
- exp2: The base-2 exponential of input signal.
- expm1: The base-e exponential of input signal minus 1.
- floor: Greatest integer value less than or equal to input signal.
- gamma: Gamma function.
- j0: Bessel function of the first kind of order 0.
- j1: Bessel function of the first kind of order 1.
- lgamma: Natural logarithm of the absolute value of the gamma function.
- log: Natural logarithm of input signal.
- log10: Base-10 logarithm of input signal.
- log1p: Natural logarithm of input signal plus 1.
- log2: Base-2 logarithm of input signal.
- round: Round to nearest integer.
- roundtoeven: Round to nearest integer, with ties going to the nearest even integer.
- sin: sine, in radians.
- sinh: Hyperbolic sine.
- sqrt: Square root.
- tan: tangent, in radians.
- tanh: Hyperbolic tangent.
- trunc: Truncate to integer.
- y0: Bessel function of the second kind of order 0.
- y1: Bessel function of the second kind of order 1.
out_ports object
Output ports for the UnaryOperator component.
output object
Output signal.
signal_name stringName of the outgoing Signal on the OutPort.
variable object
Emits a variable signal which can be changed at runtime through dynamic configuration.
config_key stringConfiguration key for overriding value setting through dynamic configuration.
constant_output object required
The constant signal emitted by this component. The value of the constant signal can be overridden at runtime through dynamic configuration.
special_value stringPossible values: [
NaN
,+Inf
,-Inf
]A special value such as NaN, +Inf, -Inf.
value doubleA constant value.
out_ports object
Output ports for the Variable component.
output object
The value is emitted to the output port.
signal_name stringName of the outgoing Signal on the OutPort.
]evaluation_interval stringDefault value:
1s
Evaluation interval (tick) is the time between consecutive runs of the policy circuit. This interval is typically aligned with how often the corrective action (actuation) needs to be taken. This field employs the Duration JSON representation from Protocol Buffers. The format accommodates fractional seconds up to nine digits after the decimal point, offering nanosecond precision. Every duration value must be suffixed with an "s" to indicate 'seconds.' For example, a value of "10s" would signify a duration of 10 seconds.
resources object
Resources (such as Flux Meters, Classifiers) to set up.
flow_control object
FlowControlResources are resources that are provided by flow control integration.
classifiers object[]
Classifiers are installed in the data-plane and are used to label the requests based on payload content.
The flow labels created by Classifiers can be matched by Flux Meters to create metrics for control purposes.
Array [rego object
Rego is a policy language used to express complex policies in a concise and declarative way. It can be used to define flow classification rules by writing custom queries that extract values from request metadata. For simple cases, such as directly reading a value from header or a field from JSON body, declarative extractors are recommended.
labels object required
A map of {key, value} pairs mapping from flow label keys to queries that define how to extract and propagate flow labels with that key. The name of the label maps to a variable in the Rego module. It maps to data.<package>.<label> variable.
property name* object
telemetry Decides if the created flow label should be available as an attribute in OLAP telemetry and propagated in [baggage](/2.32.2/concepts/flow-label#baggage)Default value:
true
:::note
The flow label is always accessible in Aperture Policies regardless of this setting.
:::
:::caution
When using FluxNinja extension, telemetry enabled labels are sent to Aperture Cloud for observability. Telemetry should be disabled for sensitive labels.
:::
module string requiredSource code of the Rego module.
:::note
Must include a "package" declaration.
:::
rules object
A map of {key, value} pairs mapping from flow label keys to rules that define how to extract and propagate flow labels with that key.
property name* object (Rule describes a single classification Rule)
Example of a JSON extractor:
extractor:
  json:
    from: request.http.body
    pointer: /user/name
extractor object
High-level declarative extractor.
address object
Display an address as a single string - <ip>:<port>.
from string requiredAttribute path pointing to some string - for example, source.address.
from Use an attribute with no conversion
Attribute path is a dot-separated path to attribute.
Should be either:
- one of the fields of Attribute Context, or
- a special request.http.bearer pseudo-attribute.
For example, request.http.method or request.http.header.user-agent
Note: The same attribute path syntax is shared by other extractor variants, wherever attribute path is needed in their "from" syntax.
Example:
from: request.http.headers.user-agent
json object
Parse JSON, and extract one of the fields.
from string requiredAttribute path pointing to some strings - for example, request.http.body.
pointer stringJSON pointer represents a parsed JSON pointer which allows to select a specified field from the payload.
Note: Uses JSON pointer syntax, for example, /foo/bar. If the pointer points into an object, it'd be converted to a string.
jwt object
Parse the attribute as JWT and read the payload.
from string requiredJWT (JSON Web Token) can be extracted from any input attribute, but most likely you'd want to use request.http.bearer.
json_pointer stringJSON pointer allowing to select a specified field from the payload.
Note: Uses JSON pointer syntax, for example, /foo/bar. If the pointer points into an object, it'd be converted to a string.
path_templates object
Match HTTP Path to given path templates.
template_values object
Template value keys are OpenAPI-inspired path templates.
- Static path segment /foo matches a path segment exactly
- /{param} matches arbitrary path segment. (The parameter name is ignored and can be omitted ({}))
- The parameter must cover whole segment.
- Additionally, path template can end with /* wildcard to match arbitrary number of trailing segments (0 or more).
- Multiple consecutive / are ignored, as well as trailing /.
- Parametrized path segments must come after static segments. *, if present, must come last.
- Most specific template "wins" (/foo over /{} and /{} over /*).
See also https://swagger.io/specification/#path-templating-matching
Example:
/register: register
"/user/{userId}": user
/static/*: other
property name*
stringtelemetry Decides if the created flow label should be available as an attribute in OLAP telemetry and propagated in [baggage](/2.32.2/concepts/flow-label#baggage)Default value:
true
:::note
The flow label is always accessible in Aperture Policies regardless of this setting.
:::
:::caution
When using FluxNinja extension, telemetry enabled labels are sent to Aperture Cloud for observability. Telemetry should be disabled for sensitive labels.
:::
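The path_templates rules above can be exercised offline before a classifier is deployed, so that a request path an operator expects to be labelled does not silently fall through unlabelled. The matcher below is an added example, not Aperture's implementation; the function names are hypothetical, and the specificity ranking (more static segments, then more parameters, then no wildcard) is an assumption that generalizes the two orderings the reference gives.

```python
def parse_template(template):
    """Return (segments, wildcard); a segment is a str (static) or None (parameter)."""
    parts = [p for p in template.split("/") if p]  # consecutive and trailing "/" are ignored
    wildcard = bool(parts) and parts[-1] == "*"
    if wildcard:
        parts.pop()
    segments, seen_param = [], False
    for part in parts:
        if part == "*":
            raise ValueError(f"{template!r}: '*' must come last")
        if part.startswith("{") and part.endswith("}"):
            segments.append(None)  # the parameter name is ignored; "{}" is allowed
            seen_param = True
        elif "{" in part or "}" in part:
            raise ValueError(f"{template!r}: a parameter must cover the whole segment")
        elif seen_param:
            raise ValueError(f"{template!r}: static segments must precede parameters")
        else:
            segments.append(part)
    return segments, wildcard


def classify(template_values, path):
    """Return the label value of the most specific matching template, or None."""
    path_parts = [p for p in path.split("/") if p]
    best_key, best_value = None, None
    for template, value in template_values.items():
        segments, wildcard = parse_template(template)
        if len(path_parts) < len(segments):
            continue
        if not wildcard and len(path_parts) != len(segments):
            continue
        if any(seg is not None and seg != got for seg, got in zip(segments, path_parts)):
            continue
        n_static = sum(seg is not None for seg in segments)
        # Assumed ranking: static segments, then parameters, then absence of "/*".
        key = (n_static, len(segments) - n_static, 0 if wildcard else 1)
        if best_key is None or key > best_key:
            best_key, best_value = key, value
    return best_value


# The template_values from the example in this reference.
PAGE_EXAMPLE = {"/register": "register", "/user/{userId}": "user", "/static/*": "other"}

if __name__ == "__main__":
    for probe in ("/register", "//user//42/", "/static", "/user/42/edit"):
        print(probe, "->", classify(PAGE_EXAMPLE, probe))
```

A result of None means no template matched, so the label is not created for that request; probing with doubled and trailing slashes shows which variants still receive a label.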
selectors object[] required
Possible values:
>= 1
Selectors for flows that will be classified by this Classifier.
Array [agent_group stringDefault value:
aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive exact same policy configuration and form a peer to peer cluster to constantly share state.
:::
control_point string requiredControl Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string requiredName of the label to equal match the value.
value stringExact value that the label should be equal to.
label_exists stringThe expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string requiredName of the label to match the regular expression.
regex string requiredRegular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [key string requiredLabel key that the selector applies to.
operator string requiredPossible values: [
In
,NotIn
,Exists
,DoesNotExist
]Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name*
stringmatch_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [key string requiredLabel key that the selector applies to.
operator string requiredPossible values: [
In
,NotIn
,Exists
,DoesNotExist
]Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]service stringDefault value:
any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]]flux_meters object
Flux Meters are installed in the data-plane and form the observability leg of the feedback loop.
Flux Meter created metrics can be consumed as input to the circuit through the PromQL component.
property name* object
Flux Meter gathers metrics for the traffic that matches its selector. The histogram created by Flux Meter measures the workload latency by default.
:::info
See also Flux Meter overview.
:::
Example:
static_buckets:
  buckets: [5.0,10.0,25.0,50.0,100.0,250.0,500.0,1000.0,2500.0,5000.0,10000.0]
selectors:
  - agent_group: demoapp
    service: service1-demo-app.demoapp.svc.cluster.local
    control_point: ingress
attribute_key: response_duration_ms
attribute_key stringDefault value:
workload_duration_ms
Key of the attribute in access log or span from which the metric for this flux meter is read.
:::info
For the list of available attributes in Envoy access logs, refer to Envoy Filter.
:::
exponential_buckets object
ExponentialBuckets creates count number of buckets where the lowest bucket has an upper bound of start and each following bucket's upper bound is factor times the previous bucket's upper bound. The final +inf bucket is not counted.
count int32Number of buckets.
factor doubleFactor to be multiplied to the previous bucket's upper bound to calculate the following bucket's upper bound.
start doubleUpper bound of the lowest bucket.
exponential_buckets_range object
ExponentialBucketsRange creates count number of buckets where the lowest bucket is min and the highest bucket is max. The final +inf bucket is not counted.
count int32Number of buckets.
max doubleHighest bucket.
min doubleLowest bucket.
linear_buckets object
LinearBuckets creates count number of buckets, each width wide, where the lowest bucket has an upper bound of start. The final +inf bucket is not counted.
count int32Number of buckets.
start doubleUpper bound of the lowest bucket.
width doubleWidth of each bucket.
selectors object[] required
Possible values:
>= 1
Selectors for flows that will be metered by this Flux Meter.
Array [agent_group stringDefault value:
aperture-cloud
Agent Group this selector applies to.
:::info
Agent Groups are used to scope policies to a subset of agents connected to the same controller. The agents within an agent group receive exact same policy configuration and form a peer to peer cluster to constantly share state.
:::
control_point string requiredControl Point identifies location within services where policies can act on flows. For an SDK based insertion, a Control Point can represent a particular feature or execution block within a service. In case of service mesh or middleware insertion, a Control Point can identify ingress or egress calls or distinct listeners or filter chains.
label_matcher object
Label Matcher can be used to match flows based on flow labels.
expression object
An arbitrary expression to be evaluated on the labels.
all object
The expression is true when all sub expressions are true.
of object[]
List of sub expressions of the match expression.
any object
The expression is true when any sub expression is true.
of object[]
List of sub expressions of the match expression.
label_equals object
The expression is true when label value equals given value.
label string requiredName of the label to equal match the value.
value stringExact value that the label should be equal to.
label_exists stringThe expression is true when label with given name exists.
label_matches object
The expression is true when label matches given regular expression.
label string requiredName of the label to match the regular expression.
regex string requiredRegular expression that should match the label value. It uses Go's regular expression syntax.
not object
The expression negates the result of sub expression.
match_expressions object[]
List of Kubernetes-style label matcher requirements.
Note: The requirements are combined using the logical AND operator. Deprecated: v3.0.0. Use match_list instead.
Array [key string requiredLabel key that the selector applies to.
operator string requiredPossible values: [
In
,NotIn
,Exists
,DoesNotExist
]Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]match_labels object
A map of {key,value} pairs representing labels to be matched. A single {key,value} in the match_labels requires that the label key is present and equal to value.
Note: The requirements are combined using the logical AND operator.
property name*
stringmatch_list object[]
List of label matching requirements.
Note: The requirements are combined using the logical AND operator.
Array [key string requiredLabel key that the selector applies to.
operator string requiredPossible values: [
In
,NotIn
,Exists
,DoesNotExist
]Logical operator which represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values string[]An array of string values that relates to the key by an operator. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
]service stringDefault value:
any
The Fully Qualified Domain Name of the service to select.
In Kubernetes, this is the FQDN of the Service object.
:::info
any matches all services.
:::
:::info
An entity (for example, Kubernetes pod) might belong to multiple services.
:::
]static_buckets object
StaticBuckets holds the static value of the buckets where latency histogram will be stored.
buckets double[]Default value:
[5, 10, 25, 50, 100, 250, 500, 1000, 2500, 5000, 10000]
The buckets in which latency histogram will be stored.
infra_meters object
Infra Meters configure custom metrics OpenTelemetry collector pipelines, which will receive and process telemetry at the agents and send metrics to the configured Prometheus. Key in this map refers to OTel pipeline name. Prefixing pipeline name with metrics/ is optional, as all the components and pipeline names would be normalized.
Example:
infra_meters:
  rabbitmq:
    agent_group: default
    per_agent_group: true
    processors:
      batch:
        send_batch_size: 10
        timeout: 10s
    receivers:
      rabbitmq:
        collection_interval: 10s
        endpoint: http://<rabbitmq-svc-fqdn>:15672
        password: secretpassword
        username: admin
:::caution
Validate the OTel configuration before applying it to the production cluster. Incorrect configuration will get rejected at the agents and might cause shutdown of the agent(s).
:::
property name* object
InfraMeter is a resource that sets up OpenTelemetry pipelines. It defines receivers, processors, and a single metrics pipeline which will be exported to the configured Prometheus instance. Environment variables can be used in the configuration using format ${ENV_VAR_NAME}.
agent_group stringDefault value:
default
AgentGroup is the agent group to sync this InfraMeter with.
per_agent_group booleanDefault value:
false
PerAgentGroup marks the pipeline to be instantiated only once per agent group. This is helpful for receivers that scrape for example, some cluster-wide metrics. When not set, pipeline will be instantiated on every Agent.
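Two statements in this reference lend themselves to a pre-flight check on the UpsertPolicy request body: flow labels are exported to telemetry unless telemetry is set to false, and InfraMeter configuration accepts ${ENV_VAR_NAME} references where the rabbitmq example carries a literal password. The lint below is an added example, not Aperture code; the marker word lists, the function names, the sample body and the placement of infra_meters and telemetry_collectors directly under resources are assumptions made for illustration.

```python
import re

# Assumed marker lists; tune them to your own naming conventions.
SECRET_KEY_MARKERS = ("password", "passwd", "secret", "token", "api_key", "private_key")
SENSITIVE_LABEL_MARKERS = ("user", "email", "token", "session", "auth")
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")


def _has_marker(name, markers):
    lowered = name.lower()
    return any(marker in lowered for marker in markers)


def find_hardcoded_secrets(node, path):
    """Return paths of secret-like keys whose value is a literal, not ${ENV_VAR_NAME}."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and _has_marker(key, SECRET_KEY_MARKERS):
                if not ENV_REF.fullmatch(value):
                    findings.append(child)
            else:
                findings.extend(find_hardcoded_secrets(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_hardcoded_secrets(item, f"{path}[{index}]"))
    return findings


def find_exported_sensitive_labels(classifiers, path):
    """Return paths of sensitive-looking flow labels that are still sent to telemetry."""
    findings = []
    for index, classifier in enumerate(classifiers or []):
        sections = {
            "rules": classifier.get("rules") or {},
            "rego.labels": (classifier.get("rego") or {}).get("labels") or {},
        }
        for section, labels in sections.items():
            for name, spec in labels.items():
                exported = (spec or {}).get("telemetry", True)  # documented default: true
                if exported and _has_marker(name, SENSITIVE_LABEL_MARKERS):
                    findings.append(f"{path}[{index}].{section}.{name}")
    return findings


def lint_policy(body):
    """Return (kind, path) findings for an UpsertPolicy request body given as a dict."""
    resources = (body.get("policy") or {}).get("resources") or {}
    findings = []
    for field in ("infra_meters", "telemetry_collectors"):
        for hit in find_hardcoded_secrets(resources.get(field), f"resources.{field}"):
            findings.append(("hardcoded-secret", hit))
    classifiers = (resources.get("flow_control") or {}).get("classifiers")
    base = "resources.flow_control.classifiers"
    for hit in find_exported_sensitive_labels(classifiers, base):
        findings.append(("sensitive-label-exported", hit))
    return findings


# Constructed sample body; the first receiver mirrors the reference's rabbitmq example.
SAMPLE_BODY = {"policy": {"resources": {
    "infra_meters": {
        "rabbitmq": {"receivers": {"rabbitmq": {
            "endpoint": "http://<rabbitmq-svc-fqdn>:15672",
            "username": "admin",
            "password": "secretpassword",        # literal credential stored in the policy
        }}},
        "rabbitmq_env": {"receivers": {"rabbitmq": {
            "endpoint": "http://<rabbitmq-svc-fqdn>:15672",
            "username": "${RABBITMQ_USER}",      # hypothetical variable names
            "password": "${RABBITMQ_PASSWORD}",
        }}},
    },
    "flow_control": {"classifiers": [{
        "selectors": [{"control_point": "ingress"}],
        "rules": {
            "user_id": {"extractor": {"jwt": {"from": "request.http.bearer",
                                              "json_pointer": "/sub"}}},
            "session_token": {"extractor": {"from": "request.http.header.x-session"},
                              "telemetry": False},
            "route": {"extractor": {"path_templates": {
                "template_values": {"/register": "register"}}}},
        },
    }]},
}}}

if __name__ == "__main__":
    for kind, where in lint_policy(SAMPLE_BODY):
        print(kind, where)
```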
pipeline object
Pipeline is an OTel metrics pipeline definition, which only uses receivers and processors defined above. Exporter would be added automatically.
If there are no processors defined or only one processor is defined, the pipeline definition can be omitted. In such cases, the pipeline will automatically use all given receivers and the defined processor (if any). However, if there are more than one processor, the pipeline must be defined explicitly.
processors string[]receivers string[]processors object
Processors define processors to be used in custom metrics pipelines. This should be in OTel format.
property name*
objectreceivers object
Receivers define receivers to be used in custom metrics pipelines. This should be in OTel format.
property name*
objecttelemetry_collectors object[]
TelemetryCollector configures OpenTelemetry collector integration. Deprecated: v3.0.0. Use infra_meters instead.
Array [agent_group stringDefault value:
default
infra_meters object
Infra Meters configure custom metrics OpenTelemetry collector pipelines, which will receive and process telemetry at the agents and send metrics to the configured Prometheus. Key in this map refers to OTel pipeline name. Prefixing pipeline name with metrics/ is optional, as all the components and pipeline names would be normalized.
Example:
telemetry_collectors:
  - agent_group: default
    infra_meters:
      rabbitmq:
        processors:
          batch:
            send_batch_size: 10
            timeout: 10s
        receivers:
          rabbitmq:
            collection_interval: 10s
            endpoint: http://<rabbitmq-svc-fqdn>:15672
            password: secretpassword
            username: admin
        per_agent_group: true
:::caution
Validate the OTel configuration before applying it to the production cluster. Incorrect configuration will get rejected at the agents and might cause shutdown of the agent(s).
:::
property name* object
InfraMeter is a resource that sets up OpenTelemetry pipelines. It defines receivers, processors, and a single metrics pipeline which will be exported to the configured Prometheus instance. Environment variables can be used in the configuration using format ${ENV_VAR_NAME}.
agent_group stringDefault value:
default
AgentGroup is the agent group to sync this InfraMeter with.
per_agent_group booleanDefault value:
false
PerAgentGroup marks the pipeline to be instantiated only once per agent group. This is helpful for receivers that scrape for example, some cluster-wide metrics. When not set, pipeline will be instantiated on every Agent.
pipeline object
Pipeline is an OTel metrics pipeline definition, which only uses receivers and processors defined above. Exporter would be added automatically.
If there are no processors defined or only one processor is defined, the pipeline definition can be omitted. In such cases, the pipeline will automatically use all given receivers and the defined processor (if any). However, if there are more than one processor, the pipeline must be defined explicitly.
processors string[]receivers string[]processors object
Processors define processors to be used in custom metrics pipelines. This should be in OTel format.
property name*
objectreceivers object
Receivers define receivers to be used in custom metrics pipelines. This should be in OTel format.
property name*
object
]
- policy_string string
- 200
- default
A successful response.
- application/json
- Schema
- Example (from schema)
Schema
- policy_hash A hash of the policy, as reported in heartbeats (note: the hash might change after updating controller with new aperture version)
{
"policy_hash": "string"
}
An unexpected error response.
- application/json
- Schema
- Example (from schema)
Schema
- code int32
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
details object[]
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Array [@type stringA URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading "." is not accepted).
In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows:
- If no scheme is provided, https is assumed.
- An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error.
- Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)
Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one.
Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.
]
- message string
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
{
"code": 0,
"details": [
{
"@type": "string"
}
],
"message": "string"
}