Technologies/Prometheus/envoy.appmesh.cpu.utilization
PrometheusPrometheusMetric

envoy.appmesh.cpu.utilization

CPU utilization percentage
Dimensions:None

Technical Annotations (45)

Configuration Parameters (18)
container_spec_cpu_quota
CPU quota allocation for service container used to calculate saturation percentage
healthCheck.timeoutrecommended: 5
Timeout in seconds for healthcheck command; default 2s is too aggressive under load
healthCheck.intervalrecommended: 5
Interval between healthchecks in seconds
healthCheck.retriesrecommended: 3
Number of consecutive failures before marking unhealthy
healthCheck.startPeriodrecommended: 10
Grace period in seconds before healthchecks count toward failure threshold
concurrencyrecommended: 2
Worker threads for services under 1000 RPS via proxy.istio.io/config annotation or meshConfig.defaultConfig
accessLogging.disabledrecommended: true
Disables access logging in Telemetry resource to reduce CPU
tracing.disableSpanReportingrecommended: true
Disables span reporting in Telemetry resource to reduce CPU
trafficPolicy.connectionPool.http.maxRequestsPerConnectionrecommended: 0
Never close connection based on request count in DestinationRule
trafficPolicy.connectionPool.http.h2UpgradePolicyrecommended: UPGRADE
Multiplex requests over HTTP/2 to reduce handshakes in DestinationRule
trafficPolicy.connectionPool.tcp.tcpKeepalive.timerecommended: 7200s
TCP keepalive time in DestinationRule
traffic.sidecar.istio.io/excludeOutboundPortsrecommended: 5432,6379,9200
Annotation to bypass sidecar for database ports: PostgreSQL, Redis, Elasticsearch
traffic.sidecar.istio.io/excludeInboundPortsrecommended: 15090
Annotation to bypass sidecar for Prometheus scrape endpoint
sidecar.istio.io/proxyCPUrecommended: 50m
Annotation for sidecar CPU request
sidecar.istio.io/proxyCPULimitrecommended: 200m
Annotation for sidecar CPU limit
trafficPolicy.outlierDetection.intervalrecommended: 30s
Health check interval in DestinationRule, default 10s, increase to reduce CPU
trafficPolicy.outlierDetection.consecutive5xxErrorsrecommended: 5
Errors before ejection in DestinationRule
trafficPolicy.outlierDetection.baseEjectionTimerecommended: 60s
Ejection duration in DestinationRule
Error Signatures (2)
Health check exceeded timeout (2s)log pattern
ExitCode: -1exit code
CLI Commands (4)
curl -s http://localhost:9901/server_info | grep state | grep -q LIVEdiagnostic
kubectl exec -it deploy/my-app -c istio-proxy -- curl -s localhost:15000/stats | grep "server.concurrency\|server.total_connections"diagnostic
kubectl exec -it deploy/my-app -c istio-proxy -- cat /sys/fs/cgroup/cpu/cpu.statdiagnostic
kubectl top pods -n my-namespace --containers | grep istio-proxy | sort -k3 -hdiagnostic
Technical References (21)
Lua filterscomponentHPAcomponentcontainer_cpu_usage_seconds_totalcomponentlocalhost:9901/server_infocomponentworker threadsconceptevent loopconceptxDSprotocolistiodcomponentSidecar resourcecomponentTelemetry resourcecomponenttagOverridescomponentmTLSprotocolDestinationRulecomponentprotocol sniffingconceptPostgreSQLcomponentRediscomponentElasticsearchcomponent/sys/fs/cgroup/cpu/cpu.statfile pathistio-proxycomponentoutlierDetectioncomponentVirtualServicecomponent
Related Insights (13)
High CPU utilization from filters or TLS handshakeswarning
Service CPU saturation above 85% causes request drops and latency increasecritical
Healthcheck timeout too aggressive for Envoy admin API under loadwarning
Excessive worker threads cause unnecessary baseline CPU consumptionwarning
Large xDS configuration updates cause CPU spikeswarning
Telemetry collection consumes excessive CPU per requestwarning
mTLS handshakes are the biggest CPU consumerwarning
Protocol sniffing adds CPU overhead per new connectioninfo
Non-mesh traffic unnecessarily consumes sidecar CPUinfo
Insufficient CPU limits cause sidecar throttlingwarning
Frequent health checks generate constant background CPU usageinfo
Complex routing rules with regex are expensive per requestinfo
Health check connection draining causes CPU spikewarning