---
title: Global Mesh Options
description: Configuration affecting the service mesh as a whole.
location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
number_of_entries: 74
---
Configuration affecting the service mesh as a whole.
Affinity
Mirrors k8s.io.api.core.v1.
AuthenticationPolicy
AuthenticationPolicy defines authentication policy. It can be set for
different scopes (mesh, service …), and the most narrow scope with
non-INHERIT value will be used.
Mesh policy cannot be INHERIT.
| Name |
Description |
NONE |
Do not encrypt Envoy to Envoy traffic.
|
MUTUAL_TLS |
Envoy to Envoy traffic is wrapped into mutual TLS connections.
|
INHERIT |
Use the policy defined by the parent scope. Should not be used for mesh
policy.
|
Certificate
Certificate configures the provision of a certificate and its key.
Example 1: key and cert stored in a secret
{ secretName: galley-cert
secretNamespace: istio-system
dnsNames:
- galley.istio-system.svc
- galley.mydomain.com
}
Example 2: key and cert stored in a directory
{ dnsNames:
- pilot.istio-system
- pilot.istio-system.svc
- pilot.mydomain.com
}
| Field |
Type |
Description |
Required |
secretName |
string |
Name of the secret the certificate and its key will be stored into.
If it is empty, it will not be stored into a secret.
Instead, the certificate and its key will be stored into a hard-coded directory.
|
No
|
dnsNames |
string[] |
The DNS names for the certificate. A certificate may contain
multiple DNS names.
|
No
|
ClientIPConfig
| Field |
Type |
Description |
Required |
timeoutSeconds |
int32 |
|
No
|
ComponentSpec
Configuration for internal components.
| Field |
Type |
Description |
Required |
enabled |
TypeBoolValueForPB |
Selects whether this component is installed.
|
No
|
namespace |
string |
Namespace for the component.
|
No
|
hub |
string |
Hub for the component (overrides top level hub setting).
|
No
|
tag |
string |
Tag for the component (overrides top level tag setting).
|
No
|
spec |
TypeInterface |
Arbitrary install time configuration for the component.
|
No
|
k8s |
KubernetesResourcesSpec |
Kubernetes resource spec.
|
No
|
ConfigMapKeySelector
| Field |
Type |
Description |
Required |
localObjectReference |
LocalObjectReference |
|
No
|
key |
string |
|
No
|
optional |
bool |
|
No
|
ConfigSource
ConfigSource describes information about a configuration store inside a
mesh. A single control plane instance can interact with one or more data
sources.
| Field |
Type |
Description |
Required |
address |
string |
Address of the server implementing the Istio Mesh Configuration
protocol (MCP). Can be IP address or a fully qualified DNS name.
Use fs:/// to specify a file-based backend with absolute path to the directory.
|
No
|
tlsSettings |
TLSSettings |
Use the tlssettings to specify the tls mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as ISTIOMUTUAL.
|
No
|
subscribedResources |
Resource[] |
Describes the source of configuration, if nothing is specified default is MCP
|
No
|
DeploymentStrategy
Mirrors k8s.io.api.apps.v1.DeploymentStrategy for unmarshaling.
EnvVar
| Field |
Type |
Description |
Required |
name |
string |
|
No
|
value |
string |
|
No
|
valueFrom |
EnvVarSource |
|
No
|
EnvVarSource
ExecAction
Mirrors k8s.io.api.core.v1.ExecAction for unmarshaling.
| Field |
Type |
Description |
Required |
command |
string[] |
|
No
|
ExternalComponentSpec
Configuration for external components.
| Field |
Type |
Description |
Required |
namespace |
string |
Namespace for the component.
|
No
|
spec |
TypeInterface |
Arbitrary install time configuration for the component.
|
No
|
chartPath |
string |
Chart path for addon components.
|
No
|
schema |
Any |
Optional schema to validate spec against.
|
No
|
k8s |
KubernetesResourcesSpec |
Kubernetes resource spec.
|
No
|
GatewaySpec
Configuration for gateways.
| Field |
Type |
Description |
Required |
namespace |
string |
Namespace for the gateway.
|
No
|
name |
string |
Name for the gateway.
|
No
|
label |
map<string, string> |
Labels for the gateway.
|
No
|
hub |
string |
Hub for the component (overrides top level hub setting).
|
No
|
tag |
string |
Tag for the component (overrides top level tag setting).
|
No
|
k8s |
KubernetesResourcesSpec |
Kubernetes resource spec.
|
No
|
HTTPGetAction
Mirrors k8s.io.api.core.v1.HTTPGetAction for unmarshaling.
| Field |
Type |
Description |
Required |
path |
string |
|
No
|
port |
TypeIntOrStringForPB |
|
No
|
host |
string |
|
No
|
scheme |
string |
|
No
|
Mirrors k8s.io.api.core.v1.HTTPHeader for unmarshaling.
| Field |
Type |
Description |
Required |
IstioComponentSetSpec
IstioComponentSpec defines the desired installed state of Istio components.
IstioOperatorSpec
IstioOperatorSpec defines the desired installed state of Istio components.
The spec is a used to define a customization of the default profile values that are supplied with each Istio release.
Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio
component values.
| Field |
Type |
Description |
Required |
profile |
string |
Path or name for the profile e.g.
- minimal (looks in profiles dir for a file called minimal.yaml)
- /tmp/istio/install/values/custom/custom-install.yaml (local file path)
default profile is used if this field is unset.
|
No
|
installPackagePath |
string |
Path for the install package. e.g.
- /tmp/istio-installer/nightly (local file path)
|
No
|
hub |
string |
Root for docker image paths e.g. docker.io/istio
|
No
|
tag |
string |
Version tag for docker images e.g. 1.0.6
|
No
|
resourceSuffix |
string |
Resource suffix is appended to all resources installed by each component. Used in upgrade scenarios where two
Istio control planes must exist in the same namespace.
|
No
|
meshConfig |
MeshConfig |
Config used by control plane components internally.
|
No
|
components |
IstioComponentSetSpec |
Kubernetes resource settings, enablement and component-specific settings that are not internal to the
component.
|
No
|
values |
TypeMapStringInterface2 |
Overrides for default values.yaml. This is a validated pass-through to Helm templates.
See the Helm installation options for schema details: https://istio.io/docs/reference/config/installation-options/.
Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This
includes Kubernetes resource settings for components in KubernetesResourcesSpec.
|
No
|
unvalidatedValues |
TypeMapStringInterface2 |
Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.
|
No
|
status |
Status |
Overall status of all components controlled by the operator.
- If all components have status NONE, overall status is NONE.
- If all components are HEALTHY, overall status is HEALTHY.
- If one or more components are RECONCILING and others are HEALTHY, overall status is RECONCILING.
- If one or more components are UPDATING and others are HEALTHY, overall status is UPDATING.
- If components are a mix of RECONCILING, UPDATING and HEALTHY, overall status is UPDATING.
- If any component is in ERROR state, overall status is ERROR.
|
No
|
componentStatus |
map<string, VersionStatus> |
Individual status of each component controlled by the operator. The map key is the name of the component.
|
No
|
IstioOperatorSpec.Status
Status describes the current state of a component.
| Name |
Description |
NONE |
Component is not present.
|
UPDATING |
Component is being updated to a different version.
|
RECONCILING |
Controller has started but not yet completed reconciliation loop for the component.
|
HEALTHY |
Component is healthy.
|
ERROR |
Component is in an error state.
|
IstioOperatorSpec.VersionStatus
VersionStatus is the status and version of a component.
| Field |
Type |
Description |
Required |
version |
string |
|
No
|
status |
Status |
|
No
|
statusString |
string |
|
No
|
error |
string |
|
No
|
K8sObjectOverlay
Patch for an existing k8s resource.
| Field |
Type |
Description |
Required |
apiVersion |
string |
Resource API version.
|
No
|
kind |
string |
Resource kind.
|
No
|
name |
string |
Name of resource.
Namespace is always the component namespace.
|
No
|
patches |
PathValue[] |
List of patches to apply to resource.
|
No
|
K8sObjectOverlay.PathValue
| Field |
Type |
Description |
Required |
path |
string |
Path of the form a.b:c.e.:f
Where b:c is a list element selector of the form key:value and :f is a list selector of the form :value.
All path intermediate nodes must exist.
|
No
|
value |
TypeInterface |
Value to add, delete or replace.
For add, the path should be a new leaf.
For delete, value should be unset.
For replace, path should reference an existing node.
All values are strings but are converted into appropriate type based on schema.
|
No
|
KubernetesResourcesSpec
KubernetesResourcesConfig is a common set of k8s resource configs for components.
| Field |
Type |
Description |
Required |
affinity |
Affinity |
k8s affinity.
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
No
|
env |
EnvVar[] |
Deployment environment variables.
https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
|
No
|
hpaSpec |
HorizontalPodAutoscalerSpec |
k8s HorizontalPodAutoscaler settings.
https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
|
No
|
imagePullPolicy |
string |
k8s imagePullPolicy.
https://kubernetes.io/docs/concepts/containers/images/
|
No
|
nodeSelector |
map<string, string> |
k8s nodeSelector.
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
|
No
|
podDisruptionBudget |
PodDisruptionBudgetSpec |
k8s PodDisruptionBudget settings.
https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work
|
No
|
podAnnotations |
map<string, string> |
k8s pod annotations.
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
No
|
priorityClassName |
string |
k8s priorityclassname. Default for all resources unless overridden.
https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
No
|
readinessProbe |
ReadinessProbe |
k8s readinessProbe settings.
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
k8s.io.api.core.v1.Probe readiness_probe = 9;
|
No
|
replicaCount |
uint32 |
k8s Deployment replicas setting.
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
|
No
|
resources |
Resources |
k8s resources settings.
https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
|
No
|
service |
ServiceSpec |
k8s Service settings.
https://kubernetes.io/docs/concepts/services-networking/service/
|
No
|
strategy |
DeploymentStrategy |
k8s deployment strategy.
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
|
No
|
tolerations |
Toleration |
k8s toleration
https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
No
|
overlays |
K8sObjectOverlay[] |
Overlays for k8s resources in rendered manifests.
|
No
|
LocalObjectReference
| Field |
Type |
Description |
Required |
name |
string |
|
No
|
MeshConfig
MeshConfig defines mesh-wide variables shared by all Envoy instances in the
Istio service mesh.
NOTE: This configuration type should be used for the low-level global
configuration, such as component addresses and port numbers. It should not
be used for the features of the mesh that can be scoped by service or by
namespace. Some of the fields in the mesh config are going to be deprecated
and replaced with several individual configuration types (for example,
tracing configuration).
| Field |
Type |
Description |
Required |
mixerCheckServer |
string |
Address of the server that will be used by the proxies for policy
check calls. By using different names for mixerCheckServer and
mixerReportServer, it is possible to have one set of Mixer servers handle
policy check calls while another set of Mixer servers handle telemetry
calls.
NOTE: Omitting mixerCheckServer while specifying mixerReportServer is
equivalent to setting disablePolicyChecks to true.
|
No
|
mixerReportServer |
string |
Address of the server that will be used by the proxies for policy report
calls.
|
No
|
disablePolicyChecks |
bool |
Disable policy checks by the Mixer service. Default
is false, i.e. Mixer policy check is enabled by default.
|
No
|
policyCheckFailOpen |
bool |
Allow all traffic in cases when the Mixer policy service cannot be reached.
Default is false which means the traffic is denied when the client is unable
to connect to Mixer.
|
No
|
sidecarToTelemetrySessionAffinity |
bool |
Enable session affinity for Envoy Mixer reports so that calls from a proxy will
always target the same Mixer instance.
|
No
|
proxyListenPort |
int32 |
Port on which Envoy should listen for incoming connections from
other services.
|
No
|
proxyHttpPort |
int32 |
Port on which Envoy should listen for HTTP PROXY requests if set.
|
No
|
connectTimeout |
Duration |
Connection timeout used by Envoy. (MUST BE >=1ms)
|
No
|
protocolDetectionTimeout |
Duration |
Automatic protocol detection uses a set of heuristics to
determine whether the connection is using TLS or not (on the
server side), as well as the application protocol being used
(e.g., http vs tcp). These heuristics rely on the client sending
the first bits of data. For server first protocols like MySQL,
MongoDB, etc., Envoy will timeout on the protocol detection after
the specified period, defaulting to non mTLS plain TCP
traffic. Set this field to tweak the period that Envoy will wait
for the client to send the first bits of data. (MUST BE >=1ms)
|
No
|
tcpKeepalive |
TcpKeepalive |
If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
|
No
|
ingressClass |
string |
Class of ingress resources to be processed by Istio ingress
controller. This corresponds to the value of
“kubernetes.io/ingress.class” annotation.
|
No
|
ingressService |
string |
Name of theKubernetes service used for the istio ingress controller.
|
No
|
ingressControllerMode |
IngressControllerMode |
Defines whether to use Istio ingress controller for annotated or all ingress resources.
|
No
|
enableTracing |
bool |
Flag to control generation of trace spans and request IDs.
Requires a trace span collector defined in the proxy configuration.
|
No
|
accessLogFile |
string |
File address for the proxy access log (e.g. /dev/stdout).
Empty value disables access logging.
|
No
|
accessLogFormat |
string |
Format for the proxy access log
Empty value results in proxy’s default access log format
|
No
|
accessLogEncoding |
AccessLogEncoding |
Encoding for the proxy access log (text or json).
Default value is text.
|
No
|
enableEnvoyAccessLogService |
bool |
This flag enables Envoy’s gRPC Access Log Service.
See Access Log Service
for details about Envoy’s gRPC Access Log Service API.
|
No
|
defaultConfig |
ProxyConfig |
Default proxy config used by the proxy injection mechanism operating in the mesh
(e.g. Kubernetes admission controller)
In case of Kubernetes, the proxy config is applied once during the injection process,
and remain constant for the duration of the pod. The rest of the mesh config can be changed
at runtime and config gets distributed dynamically.
|
No
|
outboundTrafficPolicy |
OutboundTrafficPolicy |
Set the default behavior of the sidecar for handling outbound traffic
from the application. If your application uses one or more external
services that are not known apriori, setting the policy to ALLOWANY
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use ServiceEntries to explicitly declare any external
dependencies, instead of using allowany, so that traffic to these
services can be monitored.
|
No
|
enableClientSidePolicyCheck |
bool |
Enables client side policy checks.
|
No
|
configSources |
ConfigSource[] |
ConfigSource describes a source of configuration data for networking
rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.
|
No
|
enableAutoMtls |
BoolValue |
This flag is used to enable mutual TLS automatically for service to service communication
within the mesh, default false.
If set to true, and a given service does not have a corresponding DestinationRule configured,
or its DestinationRule does not have TLSSettings specified, Istio configures client side
TLS configuration appropriately. More specifically,
If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
for mutual TLS to connect to upstream.
If upstream service is in plain text mode, use plain text.
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
mutual TLS when server sides are capable of accepting mutual TLS traffic.
If service DestinationRule exists and has TLSSettings specified, that is always used instead.
|
No
|
trustDomain |
string |
The trust domain corresponds to the trust root of a system.
Refer to SPIFFE-ID
|
No
|
trustDomainAliases |
string[] |
The trust domain aliases represent the aliases of trust_domain.
For example, if we have
trustDomain: td1
trustDomainAliases: ["td2", "td3"]
Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account,
or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.
|
No
|
defaultServiceExportTo |
string[] |
The default value for the ServiceEntry.export_to field and services
imported through container registry integrations, e.g. this applies to
Kubernetes Service resources. The value is a list of namespace names and
reserved namespace aliases. The allowed namespace aliases are:
- - All Namespaces
. - Current Namespace
~ - No Namespace
If not set the system will use “*” as the default value which implies that
services are exported to all namespaces.
‘All namespaces’ is a reasonable default for implementations that don’t
need to restrict access or visibility of services across namespace
boundaries. If that requirement is present it is generally good practice to
make the default ‘Current namespace’ so that services are only visible
within their own namespaces by default. Operators can then expand the
visibility of services to other namespaces as needed. Use of ‘No Namespace’
is expected to be rare but can have utility for deployments where
dependency management needs to be precise even within the scope of a single
namespace.
For further discussion see the reference documentation for ServiceEntry,
Sidecar, and Gateway.
|
No
|
defaultVirtualServiceExportTo |
string[] |
The default value for the VirtualService.exportto field. Has the same
syntax as ‘defaultserviceexportto’.
If not set the system will use “*” as the default value which implies that
virtual services are exported to all namespaces
|
No
|
defaultDestinationRuleExportTo |
string[] |
The default value for the DestinationRule.exportto field. Has the same
syntax as ‘defaultserviceexportto’.
If not set the system will use “*” as the default value which implies that
destination rules are exported to all namespaces
|
No
|
rootNamespace |
string |
The namespace to treat as the administrative root namespace for
Istio configuration. When processing a leaf namespace Istio will search for
declarations in that namespace first and if none are found it will
search in the root namespace. Any matching declaration found in the root
namespace is processed as if it were declared in the leaf namespace.
The precise semantics of this processing are documented on each resource
type.
|
No
|
localityLbSetting |
LocalityLoadBalancerSetting |
Locality based load balancing distribution or failover settings.
|
No
|
dnsRefreshRate |
Duration |
Configures DNS refresh rate for Envoy clusters of type STRICT_DNS
|
No
|
disableReportBatch |
bool |
The flag to disable report batch.
|
No
|
reportBatchMaxEntries |
uint32 |
When disablereportbatch is false, this value specifies the maximum number
of requests that are batched in report. If left unspecified, the default value
of reportbatchmax_entries == 0 will use the hardcoded defaults of
istio::mixerclient::ReportOptions.
|
No
|
reportBatchMaxTime |
Duration |
When disablereportbatch is false, this value specifies the maximum elapsed
time a batched report will be sent after a user request is processed. If left
unspecified, the default reportbatchmax_time == 0 will use the hardcoded
defaults of istio::mixerclient::ReportOptions.
|
No
|
h2UpgradePolicy |
H2UpgradePolicy |
Specify if http1.1 connections should be upgraded to http2 by default.
if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
If one or more services or namespaces do not have sidecar(s), then this should be set to DONOTUPGRADE.
It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.
|
No
|
inboundClusterStatName |
string |
Name to be used while emitting statistics for inbound clusters.
By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>.
For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.
A Pattern can be composed of various pre-defined variables. The following variables are supported.
%SERVICE% - Will be substituted with name of the service.%SERVICE_FQDN% - Will be substituted with FQDN of the service.%SERVICE_PORT% - Will be substituted with port of the service.%SERVICE_PORT_NAME% - Will be substituted with port name of the service.
Following are some examples of supported patterns for reviews:
%SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.%SERVICE% will use reviews.prod as the stats name.
|
No
|
outboundClusterStatName |
string |
Name to be used while emitting statistics for outbound clusters.
By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>.
For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.
A Pattern can be composed of various pre-defined variables. The following variables are supported.
%SERVICE% - Will be substituted with name of the service.%SERVICE_FQDN% - Will be substituted with FQDN of the service.%SERVICE_PORT% - Will be substituted with port of the service.%SERVICE_PORT_NAME% - Will be substituted with port name of the service.%SUBSET_NAME% - Will be substituted with subset.
Following are some examples of supported patterns for reviews:
%SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.%SERVICE% will use reviews.prod as the stats name.
|
No
|
certificates |
Certificate[] |
Configure the provision of certificates.
|
No
|
MeshConfig.AccessLogEncoding
| Name |
Description |
TEXT |
|
JSON |
|
MeshConfig.H2UpgradePolicy
Default Policy for upgrading http1.1 connections to http2.
| Name |
Description |
DO_NOT_UPGRADE |
Do not upgrade connections to http2.
|
UPGRADE |
Upgrade the connections to http2.
|
MeshConfig.IngressControllerMode
| Name |
Description |
OFF |
Disables Istio ingress controller.
|
DEFAULT |
Istio ingress controller will act on ingress resources that do not
contain any annotation or whose annotations match the value
specified in the ingress_class parameter described earlier. Use this
mode if Istio ingress controller will be the default ingress
controller for the entireKubernetes cluster.
|
STRICT |
Istio ingress controller will only act on ingress resources whose
annotations match the value specified in the ingress_class parameter
described earlier. Use this mode if Istio ingress controller will be
a secondary ingress controller (e.g., in addition to a
cloud-provided ingress controller).
|
MeshConfig.OutboundTrafficPolicy
| Field |
Type |
Description |
Required |
mode |
Mode |
|
No
|
MeshConfig.OutboundTrafficPolicy.Mode
| Name |
Description |
REGISTRY_ONLY |
outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries
|
ALLOW_ANY |
outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port
|
MeshNetworks
MeshNetworks (config map) provides information about the set of networks
inside a mesh and how to route to endpoints in each network. For example
MeshNetworks(file/config map):
networks:
network1:
- endpoints:
- fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
- fromCidr: 192.168.100.0/22 #a VM network for example
gateways:
- registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
port: 15443
locality: us-east-1a
- address: 192.168.100.1
port: 15443
locality: us-east-1a
| Field |
Type |
Description |
Required |
networks |
map<string, Network> |
The set of networks inside this mesh. Each network should
have a unique name and information about how to infer the endpoints in
the network as well as the gateways associated with the network.
|
Yes
|
Network
Network provides information about the endpoints in a routable L3
network. A single routable L3 network can have one or more service
registries. Note that the network has no relation to the locality of the
endpoint. The endpoint locality will be obtained from the service
registry.
| Field |
Type |
Description |
Required |
endpoints |
NetworkEndpoints[] |
The list of endpoints in the network (obtained through the
constituent service registries or from CIDR ranges). All endpoints in
the network are directly accessible to one another.
|
Yes
|
gateways |
IstioNetworkGateway[] |
Set of gateways associated with the network.
|
Yes
|
Network.IstioNetworkGateway
The gateway associated with this network. Traffic from remote networks
will arrive at the specified gateway:port. All incoming traffic must
use mTLS.
| Field |
Type |
Description |
Required |
registryServiceName |
string (oneof) |
A fully qualified domain name of the gateway service. Pilot will
lookup the service from the service registries in the network and
obtain the endpoint IPs of the gateway from the service
registry. Note that while the service name is a fully qualified
domain name, it need not be resolvable outside the orchestration
platform for the registry. e.g., this could be
istio-ingressgateway.istio-system.svc.cluster.local.
|
Yes
|
address |
string (oneof) |
IP address or externally resolvable DNS address associated with the gateway.
|
Yes
|
port |
uint32 |
The port associated with the gateway.
|
Yes
|
locality |
string |
The locality associated with an explicitly specified gateway (i.e. ip)
|
No
|
Network.NetworkEndpoints
NetworkEndpoints describes how the network associated with an endpoint
should be inferred. An endpoint will be assigned to a network based on
the following rules:
Implicitly: If the registry explicitly provides information about
the network to which the endpoint belongs to. In some cases, its
possible to indicate the network associated with the endpoint by
adding the ISTIO_META_NETWORK environment variable to the sidecar.
Explicitly:
a. By matching the registry name with one of the “fromRegistry”
in the mesh config. A “from_registry” can only be assigned to a
single network.
b. By matching the IP against one of the CIDR ranges in a mesh
config network. The CIDR ranges must not overlap and be assigned to
a single network.
(2) will override (1) if both are present.
| Field |
Type |
Description |
Required |
fromCidr |
string (oneof) |
A CIDR range for the set of endpoints in this network. The CIDR
ranges for endpoints from different networks must not overlap.
|
Yes
|
fromRegistry |
string (oneof) |
Add all endpoints from the specified registry into this network.
The names of the registries should correspond to the kubeconfig file name
inside the secret that was used to configure the registry (Kubernetes
multicluster) or supplied by MCP server.
|
Yes
|
NodeAffinity
NodeSelector
NodeSelectorRequirement
| Field |
Type |
Description |
Required |
key |
string |
|
No
|
operator |
string |
|
No
|
values |
string[] |
|
No
|
NodeSelectorTerm
ObjectFieldSelector
| Field |
Type |
Description |
Required |
apiVersion |
string |
|
No
|
fieldPath |
string |
|
No
|
| Field |
Type |
Description |
Required |
name |
string |
From k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta.
|
No
|
namespace |
string |
|
No
|
PodAffinity
PodAffinityTerm
| Field |
Type |
Description |
Required |
labelSelector |
LabelSelector |
|
No
|
namespaces |
string[] |
|
No
|
topologyKey |
string |
|
No
|
PodAntiAffinity
PodDisruptionBudgetSpec
Mirrors k8s.io.api.policy.v1beta1.PodDisruptionBudget for unmarshaling.
| Field |
Type |
Description |
Required |
minAvailable |
uint32 |
|
No
|
selector |
LabelSelector |
|
No
|
maxUnavailable |
uint32 |
|
No
|
PreferredSchedulingTerm
ProxyConfig
ProxyConfig defines variables for individual Envoy instances.
| Field |
Type |
Description |
Required |
configPath |
string |
Path to the generated configuration file directory.
Proxy agent generates the actual configuration and stores it in this directory.
|
No
|
binaryPath |
string |
Path to the proxy binary
|
No
|
serviceCluster |
string |
Service cluster defines the name for the service_cluster that is
shared by all Envoy instances. This setting corresponds to
–service-cluster flag in Envoy. In a typical Envoy deployment, the
service-cluster flag is used to identify the caller, for
source-based routing scenarios.
Since Istio does not assign a local service/service version to each
Envoy instance, the name is same for all of them. However, the
source/caller’s identity (e.g., IP address) is encoded in the
–service-node flag when launching Envoy. When the RDS service
receives API calls from Envoy, it uses the value of the service-node
flag to compute routes that are relative to the service instances
located at that IP address.
|
No
|
drainDuration |
Duration |
The time in seconds that Envoy will drain connections during a hot
restart. MUST be >=1s (e.g., 1s/1m/1h)
|
No
|
parentShutdownDuration |
Duration |
The time in seconds that Envoy will wait before shutting down the
parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h).
MUST BE greater than drainduration_ parameter.
|
No
|
discoveryAddress |
string |
Address of the discovery service exposing xDS with mTLS connection.
The inject configuration may override this value.
|
No
|
connectTimeout |
Duration |
Connection timeout used by Envoy for supporting services. (MUST BE >=1ms)
|
No
|
statsdUdpAddress |
string |
IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).
|
No
|
proxyAdminPort |
int32 |
Port on which Envoy should listen for administrative commands.
|
No
|
controlPlaneAuthPolicy |
AuthenticationPolicy |
Authentication policy defines the global switch to control authentication
for Envoy-to-Envoy communication for istio components Mixer and Pilot.
|
No
|
customConfigFile |
string |
File path of custom proxy configuration, currently used by proxies
in front of Mixer and Pilot.
|
No
|
statNameLength |
int32 |
Maximum length of name field in Envoy’s metrics. The length of the name field
is determined by the length of a name field in a service and the set of labels that
comprise a particular version of the service. The default value is set to 189 characters.
Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric.
Increase the value of this field if you find that the metrics from Envoys are truncated.
|
No
|
concurrency |
int32 |
The number of worker threads to run. Default value is number of cores on the machine.
|
No
|
proxyBootstrapTemplatePath |
string |
Path to the proxy bootstrap template file
|
No
|
interceptionMode |
InboundInterceptionMode |
The mode used to redirect inbound traffic to Envoy.
|
No
|
tracing |
Tracing |
Tracing configuration to be used by the proxy.
|
No
|
sds |
SDS |
secret discovery service(SDS) configuration to be used by the proxy.
|
No
|
envoyAccessLogService |
RemoteService |
Address of the service to which access logs from Envoys should be
sent. (e.g. accesslog-service:15000). See Access Log
Service
for details about Envoy’s gRPC Access Log Service API.
|
No
|
envoyMetricsService |
RemoteService |
Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
See Metric Service
for details about Envoy’s Metrics Service API.
|
No
|
zipkinAddress |
string |
Address of the Zipkin service (e.g. zipkin:9411).
DEPRECATED: Use tracing instead.
|
No
|
ProxyConfig.InboundInterceptionMode
The mode used to redirect inbound traffic to Envoy.
This setting has no effect on outbound traffic: iptables REDIRECT is always used for
outbound connections.
| Name |
Description |
REDIRECT |
The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
source IP addresses during redirection.
|
TPROXY |
The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
source and destination IP addresses and ports, so that they can be used for advanced
filtering and manipulation. This mode also configures the sidecar to run with the
CAPNETADMIN capability, which is required to use TPROXY.
|
ReadinessProbe
Mirrors k8s.io.api.core.v1.Probe for unmarshaling.
| Field |
Type |
Description |
Required |
exec |
ExecAction |
|
No
|
httpGet |
HTTPGetAction |
|
No
|
tcpSocket |
TCPSocketAction |
|
No
|
initialDelaySeconds |
int32 |
|
No
|
timeoutSeconds |
int32 |
|
No
|
periodSeconds |
int32 |
|
No
|
successThreshold |
int32 |
|
No
|
failureThreshold |
int32 |
|
No
|
RemoteService
| Field |
Type |
Description |
Required |
address |
string |
Address of a remove service used for various purposes (access log
receiver, metrics receiver, etc.). Can be IP address or a fully
qualified DNS name.
|
No
|
tlsSettings |
TLSSettings |
Use the tls_settings to specify the tls mode to use. If the remote service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as ISTIO_MUTUAL.
|
No
|
tcpKeepalive |
TcpKeepalive |
If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
|
No
|
Resource
Resource describes the source of configuration
| Name |
Description |
SERVICE_REGISTRY |
Set to only receive service entries that are generated by the platform.
These auto generated service entries are combination of services and endpoints
that are generated by a specific platform e.g. k8
|
ResourceFieldSelector
| Field |
Type |
Description |
Required |
containerName |
string |
|
No
|
resource |
string |
|
No
|
divisor |
Quantity |
|
No
|
Resources
Mirrors k8s.io.api.core.v1.ResourceRequirements for unmarshaling.
| Field |
Type |
Description |
Required |
limits |
map<string, string> |
|
No
|
requests |
map<string, string> |
|
No
|
RollingUpdateDeployment
Mirrors k8s.io.api.apps.v1.RollingUpdateDeployment for unmarshaling.
SDS
SDS defines secret discovery service(SDS) configuration to be used by the proxy.
For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container).
For pilot/mixer, it’s passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly.
| Field |
Type |
Description |
Required |
enabled |
bool |
True if SDS is enabled.
|
No
|
k8sSaJwtPath |
string |
Path of k8s service account JWT path.
|
No
|
SecretKeySelector
| Field |
Type |
Description |
Required |
localObjectReference |
LocalObjectReference |
|
No
|
key |
string |
|
No
|
optional |
bool |
|
No
|
ServicePort
| Field |
Type |
Description |
Required |
name |
string |
|
No
|
protocol |
string |
|
No
|
port |
int32 |
|
No
|
targetPort |
IntOrString |
|
No
|
nodePort |
int32 |
|
No
|
ServiceSpec
| Field |
Type |
Description |
Required |
ports |
ServicePort[] |
|
No
|
selector |
map<string, string> |
|
No
|
clusterIP |
string |
|
No
|
type |
string |
|
No
|
externalIPs |
string[] |
|
No
|
sessionAffinity |
string |
|
No
|
loadBalancerIP |
string |
|
No
|
loadBalancerSourceRanges |
string[] |
|
No
|
externalName |
string |
|
No
|
externalTrafficPolicy |
string |
|
No
|
healthCheckNodePort |
int32 |
|
No
|
publishNotReadyAddresses |
bool |
|
No
|
sessionAffinityConfig |
SessionAffinityConfig |
|
No
|
SessionAffinityConfig
TCPSocketAction
Mirrors k8s.io.api.core.v1.TCPSocketAction for unmarshaling.
Toleration
| Field |
Type |
Description |
Required |
key |
string |
|
No
|
operator |
string |
|
No
|
value |
string |
|
No
|
effect |
string |
|
No
|
tolerationSeconds |
int64 |
|
No
|
Tracing
Tracing defines configuration for the tracing performed by Envoy instances.
Tracing.Datadog
Datadog defines configuration for a Datadog tracer.
| Field |
Type |
Description |
Required |
address |
string |
Address of the Datadog Agent.
|
No
|
Tracing.Lightstep
Defines configuration for a LightStep tracer.
| Field |
Type |
Description |
Required |
address |
string |
Address of the LightStep Satellite pool.
|
No
|
accessToken |
string |
The LightStep access token.
|
No
|
secure |
bool |
True if a secure connection should be used when communicating with the pool.
|
No
|
cacertPath |
string |
Path to the trusted cacert used to authenticate the pool.
|
No
|
Tracing.Stackdriver
Stackdriver defines configuration for a Stackdriver tracer.
See Opencensus trace config for details.
| Field |
Type |
Description |
Required |
Tracing.Zipkin
Zipkin defines configuration for a Zipkin tracer.
| Field |
Type |
Description |
Required |
address |
string |
Address of the Zipkin service (e.g. zipkin:9411).
|
No
|
TypeBoolValueForPB
TypeIntOrStringForPB
GOTYPE: *IntOrStringForPB
TypeInterface
TypeMapStringInterface
GOTYPE: map[string]interface{}
TypeMapStringInterface2
GOTYPE: map[string]interface{}
WeightedPodAffinityTerm
| Field |
Type |
Description |
Required |
weight |
int32 |
|
No
|
podAffinityTerm |
PodAffinityTerm |
|
No
|
k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec
HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
| Field |
Type |
Description |
Required |
scaleTargetRef |
CrossVersionObjectReference |
scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
should be collected, as well as to actually change the replica count.
|
No
|
minReplicas |
int32 |
minReplicas is the lower limit for the number of replicas to which the autoscaler
can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the
alpha feature gate HPAScaleToZero is enabled and at least one Object or External
metric is configured. Scaling is active as long as at least one metric value is
available.
+optional
|
No
|
maxReplicas |
int32 |
maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
It cannot be less that minReplicas.
|
No
|
metrics |
MetricSpec[] |
metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
be used). The desired replica count is calculated multiplying the
ratio between the target value and the current value by the current
number of pods. Ergo, metrics used must decrease as the pod count is
increased, and vice-versa. See the individual metric source types for
more information about how each type of metric must respond.
+optional
|
No
|
k8s.io.apimachinery.pkg.api.resource.Quantity
Quantity is a fixed-point representation of a number.
It provides convenient marshaling/unmarshaling in JSON and YAML,
in addition to String() and Int64() accessors.
The serialization format is:
::=
(Note that may be empty, from the “” case in .)
::= 0 | 1 | … | 9
::= |
::= | . | . | .
::= “+” | “-”
::= |
::= | |
::= Ki | Mi | Gi | Ti | Pi | Ei
(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
::= m | “” | k | M | G | T | P | E
(Note that 1024 = 1Ki but 1000 = 1k; I didn’t choose the capitalization.)
::= “e” | “E”
No matter which of the three exponent forms is used, no quantity may represent
a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
places. Numbers larger or more precise will be capped or rounded up.
(E.g.: 0.1m will rounded up to 1m.)
This may be extended in the future if we require larger or smaller quantities.
When a Quantity is parsed from a string, it will remember the type of suffix
it had, and will use the same type again when it is serialized.
Before serializing, Quantity will be put in “canonical form”.
This means that Exponent/suffix will be adjusted up or down (with a
corresponding increase or decrease in Mantissa) such that:
a. No precision is lost
b. No fractional digits will be emitted
c. The exponent (or suffix) is as large as possible.
The sign will be omitted unless the number is negative.
Examples:
1.5 will be serialized as “1500m”
1.5Gi will be serialized as “1536Mi”
Note that the quantity will NEVER be internally represented by a
floating point number. That is the whole point of this exercise.
Non-canonical values will still parse as long as they are well formed,
but will be re-emitted in their canonical form. (So always use canonical
form, or don’t diff.)
This format is intended to make it difficult to use these numbers without
writing some sort of special handling code in the hopes that that will
cause implementors to also use a fixed point implementation.
+protobuf=true
+protobuf.embed=string
+protobuf.options.marshal=false
+protobuf.options.(gogoproto.goproto_stringer)=false
+k8s:deepcopy-gen=true
+k8s:openapi-gen=true
| Field |
Type |
Description |
Required |
string |
string |
|
No
|
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
| Field |
Type |
Description |
Required |
matchLabels |
map<string, string> |
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
+optional
|
No
|
matchExpressions |
LabelSelectorRequirement[] |
matchExpressions is a list of label selector requirements. The requirements are ANDed.
+optional
|
No
|
k8s.io.apimachinery.pkg.util.intstr.IntOrString
IntOrString is a type that can hold an int32 or a string. When used in
JSON or YAML marshalling and unmarshalling, it produces or consumes the
inner type. This allows you to have, for example, a JSON field that can
accept a name or number.
TODO: Rename to Int32OrString
+protobuf=true
+protobuf.options.(gogoproto.goproto_stringer)=false
+k8s:openapi-gen=true
| Field |
Type |
Description |
Required |
type |
int64 |
|
No
|
intVal |
int32 |
|
No
|
strVal |
string |
|
No
|