Automator: update istio.io@master reference docs (#6366)

Istio Automation 2020-01-27 18:31:13 -08:00 committed by GitHub
parent 8ecd686fc7
commit 04b9b245c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 1363 additions and 880 deletions

View File

@ -31,12 +31,12 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
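Review bot: the scope list in both the `--log_caller` and `--log_output_level` rows drops `conversions`, `kube`, `kube-converter`, `meshconfig` and `runtime` and adds `validationController` and `validationServer`, so an existing setting such as `--log_output_level=kube:debug` now names a scope that is no longer in the documented set; the generated reference cannot say this itself, but the release notes should list the removed scopes and which new scope carries their output.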
@ -61,7 +61,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
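Review bot: the format string in the `--log_stacktrace_level` description reads `<scope>:<level>,<scope:level>,...` while the `--log_output_level` row above uses `<scope>:<level>,<scope>:<level>,...`; the second placeholder is malformed in both the old and the new line, and the same string recurs in every `--log_stacktrace_level` row in this commit, so the fix belongs in the help string the generator reads rather than in this generated file.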
@ -101,12 +101,12 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -131,7 +131,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -271,12 +271,12 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -301,7 +301,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -384,11 +384,6 @@ remove_toc_prefix: 'galley '
<td>File containing the x509 private key matching --tlsCertFile. (default `/etc/certs/key.pem`)</td>
</tr>
<tr>
<td><code>--useOldProcessor</code></td>
<td></td>
<td>Use the old processing pipeline for config processing </td>
</tr>
<tr>
<td><code>--validation-port &lt;uint&gt;</code></td>
<td></td>
<td>HTTPS port of the validation service. (default `9443`)</td>
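Review bot: dropping the `--useOldProcessor` row removes the flag from the documented surface without a replacement, so any deployment manifest still passing it will fail to start; the reference should carry a deprecation line or the release notes should state that the old config-processing pipeline is no longer selectable.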
@ -401,17 +396,17 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--validation.tls.caCertificates &lt;string&gt;</code></td>
<td></td>
<td>File containing the caBundle that signed the cert/key specified by --validation.tls.clientCertificate and --validation.tls.privateKey. (default ``)</td>
<td>File containing the caBundle that signed the cert/key specified by --validation.tls.clientCertificate and --validation.tls.privateKey. (default `/etc/certs/root-cert.pem`)</td>
</tr>
<tr>
<td><code>--validation.tls.clientCertificate &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 Certificate for HTTPS validation. (default ``)</td>
<td>File containing the x509 Certificate for HTTPS validation. (default `/etc/certs/cert-chain.pem`)</td>
</tr>
<tr>
<td><code>--validation.tls.privateKey &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 private key matching --validation.tls.clientCertificate. (default ``)</td>
<td>File containing the x509 private key matching --validation.tls.clientCertificate. (default `/etc/certs/key.pem`)</td>
</tr>
<tr>
<td><code>--watchConfigFiles</code></td>
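Review bot: the three `--validation.tls.*` defaults move from empty to fixed paths, and the new `--validation.tls.privateKey` default `/etc/certs/key.pem` is the same file as the `--tlsKeyFile` default in the context above, so the validation webhook and the main TLS listener now share one private key out of the box; the doc should say whether that is intended and what galley does when those files are absent, since an empty default previously read as "not configured". The `--validation.tls.caCertificates` text "caBundle that signed the cert/key" should also say which side of the connection consumes it.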
@ -478,12 +473,12 @@ validation:
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -508,7 +503,7 @@ validation:
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -551,6 +546,30 @@ These environment variables affect the behavior of the <code>galley</code> comma
<td><code>1m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>MCP_SOURCE_REQ_BURST_SIZE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td></td>
</tr>
<tr>
<td><code>MCP_SOURCE_REQ_FREQ</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td></td>
</tr>
<tr>
<td><code>SOURCE_SERVER_STREAM_BURST_SIZE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td></td>
</tr>
<tr>
<td><code>SOURCE_SERVER_STREAM_FREQ</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
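Review bot: all four new rows (`MCP_SOURCE_REQ_BURST_SIZE`, `MCP_SOURCE_REQ_FREQ`, `SOURCE_SERVER_STREAM_BURST_SIZE`, `SOURCE_SERVER_STREAM_FREQ`) have an empty description cell; the burst-size and frequency pairing suggests rate limits on incoming MCP requests and source-server streams, which operators need to understand to bound resource use on galley, so each variable needs a description in the source so the generator emits one here.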
@ -575,6 +594,7 @@ These environment variables affect the behavior of the <code>galley</code> comma
<tr><td><code>galley_source_kube_event_success_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source successfully handled an event</td></tr>
<tr><td><code>galley_validation_cert_key_update_errors</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates errors</td></tr>
<tr><td><code>galley_validation_cert_key_updates</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates</td></tr>
<tr><td><code>galley_validation_config_delete_error</code></td><td><code>Count</code></td><td>k8s webhook configuration delete error</td></tr>
<tr><td><code>galley_validation_config_load</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)loads</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Count</code></td><td>k8s webhook configuration update error</td></tr>

View File

@ -85,11 +85,11 @@ remove_toc_prefix: 'istio_ca '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
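Review bot: every istio_ca scope is renamed (`caSecretController` becomes `secretcontroller`, `pkiCaLog` becomes `pkica`, `serverCaLog` becomes `serverca`, `rootCertRotator` becomes `rootcertrotator`) and `k8sController` disappears, so existing `--log_output_level` and `--log_caller` values that name the old scopes no longer match anything in the list; because these flags decide how much the CA logs, a mapping from old to new scope names belongs in the release notes.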
@ -109,7 +109,7 @@ remove_toc_prefix: 'istio_ca '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -219,11 +219,11 @@ remove_toc_prefix: 'istio_ca '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -243,7 +243,7 @@ remove_toc_prefix: 'istio_ca '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -286,12 +286,12 @@ remove_toc_prefix: 'istio_ca '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -316,7 +316,7 @@ remove_toc_prefix: 'istio_ca '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, configmapcontroller, default, monitor, pkica, rootcertrotator, secretcontroller, serverca] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -384,6 +384,12 @@ These environment variables affect the behavior of the <code>istio_ca</code> com
<td>The minimum workload certificate rotation grace period.</td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>NAMESPACE</code></td>
<td>String</td>
<td><code></code></td>
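Review bot: "The JWT validation policy." does not say what the policy governs or which values are accepted besides the default `third-party-jwt`; since the name indicates it controls how the CA validates JWTs, the description should list every accepted value and the validation behaviour each one selects.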

File diff suppressed because it is too large

View File

@ -32,11 +32,11 @@ nexus for policy evaluation and telemetry reporting.</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -56,7 +56,7 @@ nexus for policy evaluation and telemetry reporting.</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -184,12 +184,12 @@ nexus for policy evaluation and telemetry reporting.</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -214,7 +214,7 @@ nexus for policy evaluation and telemetry reporting.</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>

View File

@ -41,7 +41,7 @@ remove_toc_prefix: 'operator '
<tbody>
<tr>
<td><code>--base-chart-path &lt;string&gt;</code></td>
<td>The absolute path to a directory containing nested charts, e.g. /etc/istio-operator/helm. This will be used as the base path for any IstioControlPlane instances specifying a relative ChartPath. (default ``)</td>
<td>The absolute path to a directory containing nested charts, e.g. /etc/istio-operator/helm. This will be used as the base path for any IstioOperator instances specifying a relative ChartPath. (default ``)</td>
</tr>
<tr>
<td><code>--ctrlz_address &lt;string&gt;</code></td>
@ -53,7 +53,7 @@ remove_toc_prefix: 'operator '
</tr>
<tr>
<td><code>--default-chart-path &lt;string&gt;</code></td>
<td>A path relative to base-chart-path containing charts to be used when no ChartPath is specified by an IstioControlPlane resource, e.g. 1.1.0/istio (default ``)</td>
<td>A path relative to base-chart-path containing charts to be used when no ChartPath is specified by an IstioOperator resource, e.g. 1.1.0/istio (default ``)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>

View File

@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
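Review bot: besides lowercasing the existing scopes (`cacheLog` to `cache`, `sdsServiceLog` to `sds`, `vaultClientLog` to `vault`), the list gains `authn`, `stsserver` and `token`; these scopes sit on the agent's credential path, so the reference should state whether `debug` on them can write token or key material to the log, which an operator needs to know before raising the level in production.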
@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -157,11 +157,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
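Review bot: the scope names in the `--log_caller` and `--log_output_level` rows change from the old mixed-case names (cacheLog, citadelClientLog, configMapController, googleCAClientLog, sdsServiceLog, secretFetcherLog, stsClientLog, vaultClientLog) to new lowercase ones (cache, citadelclient, configmapcontroller, googleca, sds, secretfetcher, stsclient, vault), and authn, stsserver and token are new. An operator who set, say, `--log_output_level sdsServiceLog:debug` to troubleshoot certificate delivery will find that name no longer accepted, so the rename deserves a release note and an upgrade note in the logging docs rather than a silent regeneration of the table.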
@ -181,7 +181,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
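Review bot: the `--log_stacktrace_level` description writes the second placeholder as `&lt;scope:level&gt;` instead of `&lt;scope&gt;:&lt;level&gt;`, unlike the `--log_output_level` row just above it. The same inconsistency is present in the removed line, so it comes from the upstream flag help text; fix it in the flag definition so the generated row reads `&lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,...` here too.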
@ -221,7 +221,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--serviceregistry &lt;string&gt;</code></td>
<td>Select the platform for service registry, options are {Kubernetes, Consul, MCP, Mock} (default `Kubernetes`)</td>
<td>Select the platform for service registry, options are {Kubernetes, Consul, Mock} (default `Kubernetes`)</td>
</tr>
<tr>
<td><code>--statsdUdpAddress &lt;string&gt;</code></td>
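Review bot: `MCP` disappears from the `--serviceregistry` option set, leaving {Kubernetes, Consul, Mock}. A pilot-agent started with `--serviceregistry MCP` no longer has a valid option, so this removal needs a release note naming the replacement; the same removal appears in the pilot-discovery `--registries` hunk later in this commit.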
@ -232,10 +232,18 @@ remove_toc_prefix: 'pilot-agent '
<td>HTTP Port on which to serve pilot agent status. If zero, agent status will not be provided. (default `0`)</td>
</tr>
<tr>
<td><code>--stsPort &lt;int&gt;</code></td>
<td>HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`)</td>
</tr>
<tr>
<td><code>--templateFile &lt;string&gt;</code></td>
<td>Go template bootstrap config (default ``)</td>
</tr>
<tr>
<td><code>--tokenManagerPlugin &lt;string&gt;</code></td>
<td>Token provider specific plugin name. (default ``)</td>
</tr>
<tr>
<td><code>--trust-domain &lt;string&gt;</code></td>
<td>The domain to use for identities (default ``)</td>
</tr>
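Review bot: the new `--stsPort` row says only that it serves the Security Token Service over HTTP on the given port and is disabled at `0`; it does not say which interface the listener binds to or what authenticates callers of a service that issues tokens. Add that to the flag help so the generated row carries it. The `--tokenManagerPlugin` description, 'Token provider specific plugin name.', should also list the accepted plugin names the way the `--serviceregistry` row lists its options.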
@ -263,11 +271,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -287,7 +295,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -316,12 +324,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -346,7 +354,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -416,7 +424,7 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tr>
<td><code>INITIAL_BACKOFF_MSEC</code></td>
<td>Integer</td>
<td><code>10</code></td>
<td><code>2000</code></td>
<td></td>
</tr>
<tr>
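Review bot: the `INITIAL_BACKOFF_MSEC` default goes from `10` to `2000` while the description cell stays empty, so a reader cannot tell what this backoff applies to or why it grew by 200x. A default change of this size should come with a description in the upstream env definition and a release note.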
@ -450,6 +458,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
<td>Sets the max receive buffer size of gRPC stream in bytes.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
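Review bot: `ISTIO_GPRC_MAXRECVMSGSIZE` is a new variable that copies the `GPRC` misspelling of the existing `ISTIO_GPRC_MAXSTREAMS` directly below it. The existing name has compatibility baggage; the new one does not yet, so it would be cheaper to name it `ISTIO_GRPC_MAXRECVMSGSIZE` now than to live with the typo. The description could also state that `4194304` bytes is 4 MiB.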
@ -504,6 +518,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
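Review bot: `JWT_POLICY` is documented only as 'The JWT validation policy.' with default `third-party-jwt`; the row does not name the other accepted values, so an operator cannot tell what the alternative to a third-party token is or when to choose it. Since this selects how workload identity tokens are validated, the upstream description should enumerate the policies and what each requires of the cluster.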
@ -522,6 +542,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>PILOT_CERT_PROVIDER</code></td>
<td>String</td>
<td><code>citadel</code></td>
<td>the provider of Pilot DNS certificate.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
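Review bot: the `PILOT_CERT_PROVIDER` description, 'the provider of Pilot DNS certificate.', starts lowercase and names no provider other than the default `citadel`. Because this decides who issues the certificate that secures Pilot's own endpoints, the upstream help should list the accepted providers so the generated row does.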
@ -570,6 +596,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -606,10 +638,16 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_UNSAFE_REGEX</code></td>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.</td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
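Review bot: this hunk removes `PILOT_ENABLE_UNSAFE_REGEX`, the switch that made Pilot emit the older deprecated `regex` field instead of `safe_regex`, and adds `PILOT_FILTER_GATEWAY_CLUSTER_CONFIG` with an empty description. Dropping the unsafe-regex escape hatch is welcome from a hardening standpoint, but deployments that still set the variable need a release note stating what happens now that the switch is gone; the new variable needs a description before the row is useful.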
@ -678,6 +716,18 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>PILOT_USE_ENDPOINT_SLICE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used</td>
</tr>
<tr>
<td><code>PKCS8_KEY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Whether to generate PKCS#8 private keys</td>
</tr>
<tr>
<td><code>PLUGINS</code></td>
<td>String</td>
<td><code></code></td>
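Review bot: in the `PILOT_USE_ENDPOINT_SLICE` description, 'Currently this is mutual exclusive' should read 'mutually exclusive', and 'By default, this is false' duplicates the default column. `PKCS8_KEY` says 'Whether to generate PKCS#8 private keys' but not which keys it applies to or what format is produced when it is false; the help text should say so, since key format affects what consumers can load.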
@ -710,7 +760,7 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tr>
<td><code>SECRET_GRACE_DURATION</code></td>
<td>Time Duration</td>
<td><code>1h0m0s</code></td>
<td><code>12h0m0s</code></td>
<td></td>
</tr>
<tr>
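Review bot: `SECRET_GRACE_DURATION` moves from `1h0m0s` to `12h0m0s` with an empty description. Without text saying what this duration governs, a reader cannot tell whether a twelvefold increase widens the window in which a secret is still accepted or makes rotation happen earlier; those are security-relevant in opposite directions, so the row needs a description.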

View File

@ -43,11 +43,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
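Review bot: for pilot-discovery the scope list shrinks considerably: analysis, conversions, kube, kube-converter, meshconfig, processing, resource, runtime, server and source are gone, `caSecretController` becomes `secretcontroller`, `pkiCaLog` becomes `pkica`, `rootCertRotator` becomes `rootcertrotator`, `serverCaLog` becomes `serverca`, and `validationController` and `validationServer` are new. Anyone who raised `serverCaLog` or `rootCertRotator` to audit certificate issuance will find those names no longer accepted; please call the rename out in the release notes.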
@ -67,7 +67,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -119,11 +119,6 @@ remove_toc_prefix: 'pilot-discovery '
<td>The IP port to use for the ControlZ introspection facility (default `9876`)</td>
</tr>
<tr>
<td><code>--disable-install-crds</code></td>
<td></td>
<td>Disable discovery service from verifying the existence of CRDs at startup and then installing if not detected. It is recommended to be disable for highly available setups. </td>
</tr>
<tr>
<td><code>--domain &lt;string&gt;</code></td>
<td></td>
<td>DNS domain suffix (default `cluster.local`)</td>
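Review bot: the `--disable-install-crds` flag is removed outright rather than deprecated. Its old description said discovery verified and installed CRDs at startup and recommended disabling that for HA setups; with the flag gone the docs should say whether discovery still installs CRDs, and existing pilot-discovery invocations that pass the flag will no longer be recognised, so this needs a release note.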
@ -139,6 +134,11 @@ remove_toc_prefix: 'pilot-discovery '
<td>Discovery service HTTP address (default `:8080`)</td>
</tr>
<tr>
<td><code>--httpsAddr &lt;string&gt;</code></td>
<td></td>
<td>Injection and validation service HTTPS address (default `:15017`)</td>
</tr>
<tr>
<td><code>--keepaliveInterval &lt;duration&gt;</code></td>
<td></td>
<td>The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)</td>
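Review bot: the new `--httpsAddr` row introduces an HTTPS listener on `:15017` by default for injection and validation, but says nothing about which certificate it serves or how that certificate is obtained. Since the same commit adds `PILOT_CERT_PROVIDER` for the Pilot DNS certificate, the flag help should state whether that provider secures this listener and how to disable it, so the generated row carries that.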
@ -166,12 +166,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -196,7 +196,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -251,7 +251,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--registries &lt;stringSlice&gt;</code></td>
<td></td>
<td>Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, MCP, Mock}) (default `[Kubernetes]`)</td>
<td>Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, Mock}) (default `[Kubernetes]`)</td>
</tr>
<tr>
<td><code>--resync &lt;duration&gt;</code></td>
@ -308,11 +308,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -332,7 +332,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -386,12 +386,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -416,7 +416,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -454,18 +454,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Expected audience in the tokens. </td>
</tr>
<tr>
<td><code>AUTHZ_FAILURE_LOG_BURST_SIZE</code></td>
<td>Integer</td>
<td><code>1</code></td>
<td></td>
</tr>
<tr>
<td><code>AUTHZ_FAILURE_LOG_FREQ</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>BYPASS_OOP_MTLS_SAN_VERIFICATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
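Review bot: `AUTHZ_FAILURE_LOG_BURST_SIZE` and `AUTHZ_FAILURE_LOG_FREQ` are removed without a replacement being mentioned. Judging by their names and types (an integer burst size and a duration), these were rate-limit knobs for authorization-failure logging, which detection teams may rely on to keep denied-request logs flowing; the release notes should say whether that logging is now unthrottled, gone, or controlled elsewhere.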
@ -496,12 +484,30 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Grace period percentile for self-signed root cert.</td>
</tr>
<tr>
<td><code>DEFER_VALIDATION_TO_DEPLOYMENT</code></td>
<td>String</td>
<td><code></code></td>
<td>When set, the controller defers reconciling the validatingwebhookconfiguration to the named deployment.</td>
</tr>
<tr>
<td><code>INJECTION_WEBHOOK_CONFIG_NAME</code></td>
<td>String</td>
<td><code>istio-sidecar-injector</code></td>
<td>Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.</td>
</tr>
<tr>
<td><code>ISTIOD_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
<td>Sets the max receive buffer size of gRPC stream in bytes.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
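Review bot: the `ISTIOD_ADDR` description 'If empty the istiod listener, certs will be disabled.' is ungrammatical and ambiguous (is it the listener and the certs that are disabled, or the listener's certs?); please fix the upstream help text. `INJECTION_WEBHOOK_CONFIG_NAME` and `DEFER_VALIDATION_TO_DEPLOYMENT` both concern patching webhook configurations, so their rows should say what the named deployment or configuration is matched against and who is expected to perform the patch when istioctl is not used.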
@ -514,6 +520,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Selects the attribute expression language runtime for Mixer.</td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>K8S_INGRESS_NS</code></td>
<td>String</td>
<td><code></code></td>
@ -544,6 +556,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>PILOT_CERT_PROVIDER</code></td>
<td>String</td>
<td><code>citadel</code></td>
<td>the provider of Pilot DNS certificate.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
@ -592,6 +610,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -628,10 +652,16 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_UNSAFE_REGEX</code></td>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.</td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
@ -700,6 +730,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>PILOT_USE_ENDPOINT_SLICE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used</td>
</tr>
<tr>
<td><code>POD_NAME</code></td>
<td>String</td>
<td><code></code></td>
@ -736,10 +772,10 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>WEBHOOK</code></td>
<td><code>VALIDATION_WEBHOOK_CONFIG_NAME</code></td>
<td>String</td>
<td><code></code></td>
<td>Name of webhook config to patch, if istioctl is not used.</td>
<td><code>istiod-${namespace}</code></td>
<td>Name of validatingwegbhookconfiguration to patch, if istioctl is not used.</td>
</tr>
<tr>
<td><code>WORKLOAD_CERT_TTL</code></td>
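Review bot: 'validatingwegbhookconfiguration' in the `VALIDATION_WEBHOOK_CONFIG_NAME` description is a typo for 'validatingwebhookconfiguration' and should be fixed upstream. The default `istiod-${namespace}` also needs a sentence saying whether `${namespace}` is expanded from the `NAMESPACE` variable (default `istio-system`, listed earlier in this commit) or must be written out literally; and since the variable is renamed from `WEBHOOK`, existing settings of the old name no longer match this row, which belongs in the release notes.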
@ -768,22 +804,9 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.</td></tr>
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>galley_runtime_processor_event_span_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration between each incoming event</td></tr>
<tr><td><code>galley_runtime_processor_events_processed_total</code></td><td><code>Count</code></td><td>The number of events that have been processed</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_events_total</code></td><td><code>Distribution</code></td><td>The number of events per snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_lifetime_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration of each snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshots_published_total</code></td><td><code>Count</code></td><td>The number of snapshots that have been published</td></tr>
<tr><td><code>galley_runtime_state_type_instances_total</code></td><td><code>LastValue</code></td><td>The number of type instances per type URL</td></tr>
<tr><td><code>galley_runtime_strategy_on_change_total</code></td><td><code>Count</code></td><td>The number of times the strategy's onChange has been called</td></tr>
<tr><td><code>galley_runtime_strategy_timer_max_time_reached_total</code></td><td><code>Count</code></td><td>The number of times the max time has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_quiesce_reached_total</code></td><td><code>Count</code></td><td>The number of times a quiesce has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_resets_total</code></td><td><code>Count</code></td><td>The number of times the timer has been reset</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_failure_total</code></td><td><code>Count</code></td><td>The number of times a dynamnic kubernetes source failed converting a resources</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_success_total</code></td><td><code>Count</code></td><td>The number of times a dynamic kubernetes source successfully converted a resource</td></tr>
<tr><td><code>galley_source_kube_event_error_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source encountered errored while handling an event</td></tr>
<tr><td><code>galley_source_kube_event_success_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source successfully handled an event</td></tr>
<tr><td><code>galley_validation_cert_key_update_errors</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates errors</td></tr>
<tr><td><code>galley_validation_cert_key_updates</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates</td></tr>
<tr><td><code>galley_validation_config_delete_error</code></td><td><code>Count</code></td><td>k8s webhook configuration delete error</td></tr>
<tr><td><code>galley_validation_config_load</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)loads</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Count</code></td><td>k8s webhook configuration update error</td></tr>
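Review bot: this hunk drops the whole galley_runtime_* and galley_source_kube_* metric family from the reference table with no replacement listed; operators with dashboards or alert rules keyed on those names will see them go stale, so a short "removed metrics" note would help. Of the galley_validation_* rows that remain, "Galley validation webhook certificate updates errors" should read "certificate update errors" to match the phrasing of its sibling row.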
@ -844,8 +867,10 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_proxy_convergence_time</code></td><td><code>Distribution</code></td><td>Delay in seconds between config change and a proxy receiving all required configuration.</td></tr>
<tr><td><code>pilot_proxy_queue_time</code></td><td><code>Distribution</code></td><td>Time in seconds, a proxy is in the push queue before being dequeued.</td></tr>
<tr><td><code>pilot_push_triggers</code></td><td><code>Sum</code></td><td>Total number of times a push was triggered, labeled by reason for the push.</td></tr>
<tr><td><code>pilot_rds_expired_nonce</code></td><td><code>Sum</code></td><td>Total number of RDS messages with an expired nonce.</td></tr>
<tr><td><code>pilot_services</code></td><td><code>LastValue</code></td><td>Total services known to pilot.</td></tr>
<tr><td><code>pilot_total_k8s_object_errors</code></td><td><code>Sum</code></td><td>Total Errors converting k8s CRDs</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_total_xds_internal_errors</code></td><td><code>Sum</code></td><td>Total number of internal XDS errors in pilot.</td></tr>
<tr><td><code>pilot_total_xds_rejects</code></td><td><code>Sum</code></td><td>Total number of XDS responses from pilot rejected by proxy.</td></tr>
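Review bot: the new pilot_total_k8s_object_errors description, "Total Errors converting k8s CRDs", has inconsistent capitalisation and no terminal period compared with the surrounding rows ("Total number of ... ."); suggest "Total number of errors converting Kubernetes CRDs." The pilot_push_triggers row is fine but could name the label key it is "labeled by reason" with, since that is what a Prometheus query needs.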

View File

@ -386,12 +386,24 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
<td>Sets the max receive buffer size of gRPC stream in bytes.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
<td>Boolean</td>
<td><code>true</code></td>
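Review bot: both new variables are spelled ISTIO_GPRC_MAXRECVMSGSIZE and ISTIO_GPRC_MAXSTREAMS, with "GPRC" where "GRPC" is clearly meant (the descriptions say gRPC). Because these are environment variable names, documenting them as-is locks the typo in: renaming later breaks every deployment that sets them. Confirm the spelling in the istio/istio source now, and if it is a typo fix it before this doc publishes; if it is kept for compatibility, say so in the row so readers do not "correct" it.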
@ -404,6 +416,12 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<td></td>
</tr>
<tr>
<td><code>PILOT_CERT_PROVIDER</code></td>
<td>String</td>
<td><code>citadel</code></td>
<td>the provider of Pilot DNS certificate.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
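Review bot: the PILOT_CERT_PROVIDER description "the provider of Pilot DNS certificate." starts lowercase and does not list the accepted values, so the reader learns only that the default is citadel. Suggest "The provider of the Pilot DNS certificate." followed by the set of valid provider names from the source.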
@ -452,6 +470,12 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<td>If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
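Review bot: minor grammar in the PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES description: "for headless service in Kubernetes" should be "for headless services in Kubernetes", and "via a HTTP proxy port" should be "via an HTTP proxy port".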
@ -488,10 +512,16 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_UNSAFE_REGEX</code></td>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.</td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
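Review bot: the new PILOT_FILTER_GATEWAY_CLUSTER_CONFIG row has an empty description cell, so the flag is documented by its name alone; add the one-line purpose from the source before this publishes. The same hunk removes the PILOT_ENABLE_UNSAFE_REGEX row (its description, about emitting the deprecated regex field instead of safe_regex, is the line being dropped); if the flag itself was removed, say so, because anyone still setting it in the injector environment will now get the safe_regex behaviour without warning.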
@ -560,6 +590,12 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>PILOT_USE_ENDPOINT_SLICE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>

View File

@ -29,6 +29,16 @@ Istio supports to control its behavior.
<tr>
<td><code>galley.istio.io/analyze-suppress</code></td>
<td>[Any]</td>
<td>A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed.</td>
</tr>
<tr>
<td><code>install.operator.istio.io/chart-owner</code></td>
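Review bot: the analyze-suppress description presents the '*' value neutrally next to code-specific suppression, but '*' silences every current and future analyzer finding on that resource. Suggest one sentence recommending explicit codes (IST0103,IST0108 style) and noting that '*' should be reviewed like a blanket lint-disable, so config reviewers know to look for it.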
@ -217,6 +227,16 @@ Istio supports to control its behavior.
<tr>
<td><code>sidecar.istio.io/enableCoreDump</code></td>
<td>[Pod]</td>
<td>Specifies whether or not an Envoy sidecar should enable core dump.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/inject</code></td>
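Review bot: "Specifies whether or not an Envoy sidecar should enable core dump." says nothing about the consequences. A core dump is a copy of the proxy's memory, which includes the TLS key material and in-flight request data Envoy holds, so the row should say where the dump is written and that the node path needs the same protection as the workload's secrets; otherwise operators will turn it on for debugging without realising what it persists.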

View File

@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
number_of_entries: 73
number_of_entries: 74
---
<p>Configuration affecting the service mesh as a whole.</p>
@ -999,7 +999,7 @@ No
</tr>
<tr id="IstioOperatorSpec-values">
<td><code>values</code></td>
<td><code><a href="#TypeMapStringInterface">TypeMapStringInterface</a></code></td>
<td><code><a href="#TypeMapStringInterface2">TypeMapStringInterface2</a></code></td>
<td>
<p>Overrides for default values.yaml. This is a validated pass-through to Helm templates.
See the Helm installation options for schema details: https://istio.io/docs/reference/config/installation-options/.
@ -1013,7 +1013,7 @@ No
</tr>
<tr id="IstioOperatorSpec-unvalidated_values">
<td><code>unvalidatedValues</code></td>
<td><code><a href="#TypeMapStringInterface">TypeMapStringInterface</a></code></td>
<td><code><a href="#TypeMapStringInterface2">TypeMapStringInterface2</a></code></td>
<td>
<p>Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.</p>
@ -4016,6 +4016,11 @@ No
<section>
<p>GOTYPE: map[string]interface&lbrace;}</p>
</section>
<h2 id="TypeMapStringInterface2">TypeMapStringInterface2</h2>
<section>
<p>GOTYPE: map[string]interface&lbrace;}</p>
</section>
<h2 id="WeightedPodAffinityTerm">WeightedPodAffinityTerm</h2>
<section>
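Review bot: TypeMapStringInterface2 is added with exactly the same body as TypeMapStringInterface ("GOTYPE: map[string]interface{}"), and the values and unvalidatedValues fields are re-pointed at the new copy. This looks like a generator artifact from two Go types sharing one underlying map type rather than a real schema change; deduplicate in the generator (or alias the second type to the first) so the reference does not carry two identical sections with numbered names.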

View File

@ -1,6 +1,6 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/operator' REPO
source_repo: https://github.com/istio/operator
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
source_repo: https://github.com/istio/istio
title: Installation Options (istioctl)
description: Configuration options for Istio control plane installation using istioctl.
location: https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb.html

View File

@ -8,7 +8,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.DestinationRule
aliases: [/docs/reference/config/networking/v1alpha3/destination-rule]
number_of_entries: 19
number_of_entries: 20
---
<p><code>DestinationRule</code> defines policies that apply to traffic intended for a
service after routing has occurred. These rules specify configuration
@ -804,6 +804,18 @@ Explicitly specify the region traffic will land on when endpoints in local regio
Should be used together with OutlierDetection to detect unhealthy endpoints.
Note: if no OutlierDetection specified, this will not take effect.</p>
</td>
<td>
No
</td>
</tr>
<tr id="LocalityLoadBalancerSetting-enabled">
<td><code>enabled</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
<p>enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.</p>
</td>
<td>
No
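Review bot: the description of the new enabled field starts lowercase and runs two thoughts together ("enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means ..."). Suggest "Enables locality load balancing for this DestinationRule, overriding the mesh-wide setting entirely: true turns it on regardless of the mesh-wide value." Since the type is BoolValue, also state what an unset value means, as BoolValue distinguishes unset from false.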
@ -952,15 +964,45 @@ spec:
</tr>
</thead>
<tbody>
<tr id="OutlierDetection-consecutive_errors">
<td><code>consecutiveErrors</code></td>
<td><code>int32</code></td>
<tr id="OutlierDetection-consecutive_gateway_errors">
<td><code>consecutiveGatewayErrors</code></td>
<td><code><a href="#google-protobuf-UInt32Value">UInt32Value</a></code></td>
<td>
<p>Number of errors before a host is ejected from the connection
pool. Defaults to 5. When the upstream host is accessed over HTTP, a
502, 503, or 504 return code qualifies as an error. When the upstream host
is accessed over an opaque TCP connection, connect timeouts and
connection error/failure events qualify as an error.</p>
<p>Number of gateway errors before a host is ejected from the connection pool.
When the upstream host is accessed over HTTP, a 502, 503, or 504 return
code qualifies as a gateway error. When the upstream host is accessed over
an opaque TCP connection, connect timeouts and connection error/failure
events qualify as a gateway error.
This feature is disabled by default or when set to the value 0.</p>
<p>Note that consecutive<em>gateway</em>errors and consecutive<em>5xx</em>errors can be
used separately or together. Because the errors counted by
consecutive<em>gateway</em>errors are also included in consecutive<em>5xx</em>errors,
if the value of consecutive<em>gateway</em>errors is greater than or equal to
the value of consecutive<em>5xx</em>errors, consecutive<em>gateway</em>errors will have
no effect.</p>
</td>
<td>
No
</td>
</tr>
<tr id="OutlierDetection-consecutive_5xx_errors">
<td><code>consecutive5xxErrors</code></td>
<td><code><a href="#google-protobuf-UInt32Value">UInt32Value</a></code></td>
<td>
<p>Number of 5xx errors before a host is ejected from the connection pool.
When the upstream host is accessed over an opaque TCP connection, connect
timeouts, connection error/failure and request failure events qualify as a
5xx error.
This feature defaults to 5 but can be disabled by setting the value to 0.</p>
<p>Note that consecutive<em>gateway</em>errors and consecutive<em>5xx</em>errors can be
used separately or together. Because the errors counted by
consecutive<em>gateway</em>errors are also included in consecutive<em>5xx</em>errors,
if the value of consecutive<em>gateway</em>errors is greater than or equal to
the value of consecutive<em>5xx</em>errors, consecutive<em>gateway</em>errors will have
no effect.</p>
</td>
<td>
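Review bot: the field names in the note paragraph render as consecutive<em>gateway</em>errors and consecutive<em>5xx</em>errors because the underscores in the source comment are being read as markdown emphasis; wrap consecutive_gateway_errors and consecutive_5xx_errors in backticks or use the camelCase names the table uses. The paragraph is also duplicated verbatim in both rows. More importantly for users, this hunk changes defaults: the removed consecutiveErrors defaulted to 5 and counted only 502/503/504, while the field that now carries the default of 5 is consecutive5xxErrors, which counts every 5xx; a DestinationRule that set neither field will eject hosts on more conditions after this change, and that deserves an explicit migration sentence.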
@ -1455,3 +1497,33 @@ No
</tbody>
</table>
</section>
<h2 id="google-protobuf-UInt32Value">google.protobuf.UInt32Value</h2>
<section>
<p>Wrapper message for <code>uint32</code>.</p>
<p>The JSON representation for <code>UInt32Value</code> is JSON number.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="google-protobuf-UInt32Value-value">
<td><code>value</code></td>
<td><code>uint32</code></td>
<td>
<p>The uint32 value.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>

View File

@ -1007,6 +1007,19 @@ after the selected filter or sub filter. If no filter is
selected, the specified filter will be inserted at the end
of the list.</p>
</td>
</tr>
<tr id="EnvoyFilter-Patch-Operation-INSERT_FIRST">
<td><code>INSERT_FIRST</code></td>
<td>
<p>Insert operation on an array of named objects. This operation
is typically useful only in the context of filters, where the
order of filters matter. For clusters and virtual hosts,
order of the element in the array does not matter. Insert
first in the list based on the presence of selected filter or not.
This is specifically useful when you want your filter first in the
list based on a match condition specified in Match clause.</p>
</td>
</tr>
</tbody>
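Review bot: "Insert first in the list based on the presence of selected filter or not. This is specifically useful when you want your filter first in the list based on a match condition specified in Match clause." is hard to parse; it should state directly what the Match clause controls for INSERT_FIRST (whether the insert happens at all, or only where it lands) and what happens when no filter is selected, as the INSERT_AFTER text just above does for its case.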

View File

@ -142,13 +142,13 @@ spec:
</tr>
</thead>
<tbody>
<tr id="CorsPolicy-allow_origin">
<td><code>allowOrigin</code></td>
<td><code>string[]</code></td>
<tr id="CorsPolicy-allow_origins">
<td><code>allowOrigins</code></td>
<td><code><a href="#StringMatch">StringMatch[]</a></code></td>
<td>
<p>The list of origins that are allowed to perform CORS requests. The
content will be serialized into the Access-Control-Allow-Origin
header. Wildcard * will allow all origins.</p>
<p>String patterns that match allowed origins.
An origin is allowed if any of the string matchers match.
If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.</p>
</td>
<td>
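Review bot: the new allowOrigins text drops the one behavioural statement the old allowOrigin text had (that a wildcard * allows all origins) without saying how StringMatch expresses the same thing, and it does not mention that the string[] field allowOrigin is removed rather than deprecated, which breaks existing VirtualServices that set it. Because the new behaviour echoes the client-supplied origin back in Access-Control-Allow-Origin whenever any matcher fires, the description should also advise anchoring prefix and regex matchers: a prefix such as https://app.example.com also matches https://app.example.com.other.example, and an over-broad matcher makes the header an echo of arbitrary origins.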
@ -370,9 +370,9 @@ instead of &ldquo;reviews.default.svc.cluster.local&rdquo;), Istio will interpre
the short name based on the namespace of the rule, not the service. A
rule in the &ldquo;default&rdquo; namespace containing a host &ldquo;reviews will be
interpreted as &ldquo;reviews.default.svc.cluster.local&rdquo;, irrespective of
the actual namespace associated with the reviews service. <em>To avoid
potential misconfigurations, it is recommended to always use fully
qualified domain names over short names.</em></p>
the actual namespace associated with the reviews service. To avoid
potential misconfiguration, it is recommended to always use fully
qualified domain names over short names.</p>
</td>
<td>
@ -513,19 +513,6 @@ Yes
<td>
<p>Percentage of requests to be aborted with the error code provided.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPFaultInjection-Abort-percent" class="deprecated ">
<td><code>percent</code></td>
<td><code>int32</code></td>
<td>
<p>Percentage of requests to be aborted with the error code provided (0-100).
Use of integer <code>percent</code> value is deprecated. Use the double <code>percentage</code>
field instead.</p>
</td>
<td>
No
@ -795,9 +782,22 @@ No
<td>
<p>One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
gateways specified at the top, it must include the reserved gateway
gateways specified in the top-level <code>gateways</code> field, it must include the reserved gateway
<code>mesh</code> for this field to be applicable.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPMatchRequest-gateways">
<td><code>gateways</code></td>
<td><code>string[]</code></td>
<td>
<p>Names of gateways where the rule should be applied. Gateway names
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p>
</td>
<td>
No
@ -1352,54 +1352,6 @@ No
<td>
<p>Header manipulation rules</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPRouteDestination-remove_response_headers" class="deprecated ">
<td><code>removeResponseHeaders</code></td>
<td><code>string[]</code></td>
<td>
<p>Use of <code>remove_response_header</code> is deprecated. Use the <code>headers</code>
field instead.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPRouteDestination-append_response_headers" class="deprecated ">
<td><code>appendResponseHeaders</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Use of <code>append_response_headers</code> is deprecated. Use the <code>headers</code>
field instead.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPRouteDestination-remove_request_headers" class="deprecated ">
<td><code>removeRequestHeaders</code></td>
<td><code>string[]</code></td>
<td>
<p>Use of <code>remove_request_headers</code> is deprecated. Use the <code>headers</code>
field instead.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPRouteDestination-append_request_headers" class="deprecated ">
<td><code>appendRequestHeaders</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Use of <code>append_request_headers</code> is deprecated. Use the <code>headers</code>
field instead.</p>
</td>
<td>
No
@ -1579,7 +1531,7 @@ No
<td>
<p>One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
gateways specified at the top, it should include the reserved gateway
gateways specified in the top-level <code>gateways</code> field, it should include the reserved gateway
<code>mesh</code> in order for this field to be applicable.</p>
</td>
@ -1591,8 +1543,8 @@ No
<td><code>gateways</code></td>
<td><code>string[]</code></td>
<td>
<p>Names of gateways where the rule should be applied to. Gateway names
at the top of the VirtualService (if any) are overridden. The gateway
<p>Names of gateways where the rule should be applied. Gateway names
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p>
</td>
@ -1872,7 +1824,7 @@ No
<td>
<p>One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
gateways specified at the top, it should include the reserved gateway
gateways specified in the top-level <code>gateways</code> field, it should include the reserved gateway
<code>mesh</code> in order for this field to be applicable.</p>
</td>
@ -1884,8 +1836,8 @@ No
<td><code>gateways</code></td>
<td><code>string[]</code></td>
<td>
<p>Names of gateways where the rule should be applied to. Gateway names
at the top of the VirtualService (if any) are overridden. The gateway
<p>Names of gateways where the rule should be applied. Gateway names
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p>
</td>

View File

@ -9,22 +9,42 @@ generator: protoc-gen-docs
schema: istio.security.v1beta1.AuthorizationPolicy
weight: 20
aliases: [/docs/reference/config/authorization/authorization-policy]
number_of_entries: 7
number_of_entries: 8
---
<p>Istio Authorization Policy enables access control on workloads in the mesh.</p>
<p>For example, the following authorization policy applies to workloads matched with
label selector &ldquo;app: httpbin, version: v1&rdquo;.</p>
<p>Authorization policy supports both allow and deny policies. When allow and
deny policies are used for a workload at the same time, the deny policies are
evaluated first. The evaluation is determined by the following rules:</p>
<p>It allows requests from:
- service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or
- namespace &ldquo;test&rdquo;
to access the workload with:
- &ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,
- &ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.
when the request has a valid JWT token issued by &ldquo;https://accounts.google.com&rdquo;.</p>
<ol>
<li>If there are any DENY policies that match the request, deny the request.</li>
<li>If there are no ALLOW policies for the workload, allow the request.</li>
<li>If any of the ALLOW policies match the request, allow the request.</li>
<li>Deny the request.</li>
</ol>
<p>Any other requests will be rejected.</p>
<p>For example, the following authorization policy sets the <code>action</code> to &ldquo;ALLOW&rdquo;
to create an allow policy. The default action is &ldquo;ALLOW&rdquo; but it is useful
to be explicit in the policy.</p>
<p>It allows requests from:</p>
<ul>
<li>service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or</li>
<li>namespace &ldquo;test&rdquo;</li>
</ul>
<p>to access the workload with:</p>
<ul>
<li>&ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,</li>
<li>&ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.</li>
</ul>
<p>when the request has a valid JWT token issued by &ldquo;https://accounts.google.com&rdquo;.</p>
<p>Any other requests will be denied.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
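Review bot: the second evaluation rule, "If there are no ALLOW policies for the workload, allow the request", means a workload covered only by DENY policies accepts every request the DENY rules do not match, which is the opposite of the deny-by-default behaviour the earlier version of this page described for any policy selecting a workload. State that consequence explicitly right after the numbered list so a DENY policy is not mistaken for a lockdown.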
@ -32,10 +52,7 @@ metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
action: ALLOW
rules:
- from:
- source:
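Review bot: removing the selector from the example changes its scope from the httpbin v1 pods to every workload in namespace foo, but the rewritten lead-in only talks about action: ALLOW and no longer mentions scope at all. Either restore the selector or add one sentence saying the example applies namespace-wide, since the later section on scope relies on the reader noticing that an absent selector means the whole namespace.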
@ -54,19 +71,34 @@ spec:
values: [&quot;https://accounts.google.com&quot;]
</code></pre>
<p>Access control is enabled on a workload if there is any authorization policies selecting
the workload. When access control is enabled, the default behavior is deny (deny-by-default)
which means requests to the workload will be rejected if the request is not allowed by any of
the authorization policies selecting the workload.</p>
<p>The following is another example that sets <code>action</code> to &ldquo;DENY&rdquo; to create a deny policy.
It denies requests from the &ldquo;dev&rdquo; namespace to the &ldquo;POST&rdquo; method on all workloads
in the &ldquo;foo&rdquo; namespace.</p>
<p>Currently AuthorizationPolicy only supports &ldquo;ALLOW&rdquo; action. This means that
if multiple authorization policies apply to the same workload, the effect is additive.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
action: DENY
rules:
- from:
- source:
namespaces: [&quot;dev&quot;]
to:
- operation:
methods: [&quot;POST&quot;]
</code></pre>
<p>Authorization Policy scope (target) is determined by &ldquo;metadata/namespace&rdquo; and
an optional &ldquo;selector&rdquo;.
- &ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.
- workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</p>
an optional &ldquo;selector&rdquo;.</p>
<ul>
<li>&ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.</li>
<li>workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</li>
</ul>
<p>For example,</p>
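Review bot: the deny-by-default paragraph ("Access control is enabled on a workload if there is any authorization policies selecting the workload ...") is removed here and nothing equivalent takes its place; with DENY now available the page should say in one place what happens to a request matched by no rule of any policy on the workload, because the answer depends on whether an ALLOW policy exists. The new DENY example also has no selector and keeps metadata.name: httpbin, so it denies POST from namespace dev to all workloads in foo; saying so in its lead-in would stop it reading as httpbin-specific.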
@ -92,6 +124,7 @@ metadata:
name: policy
namespace: foo
spec:
&lbrace;}
</code></pre>
<p>The following authorization policy applies to workloads containing label
@ -122,6 +155,7 @@ metadata:
name: deny-all
namespace: foo
spec:
&lbrace;}
</code></pre>
<p>The following authorization policy allows all requests to workloads in namespace
@ -164,13 +198,55 @@ No
<td><code>rules</code></td>
<td><code><a href="#Rule">Rule[]</a></code></td>
<td>
<p>Optional. A list of rules to specify the allowed access to the workload.</p>
<p>Optional. A list of rules to match the request. A match occurs when at least
one rule matches the request.</p>
<p>If not set, access is denied unless explicitly allowed by other authorization policy.</p>
<p>If not set, the match will never occur. This is equivalent to setting a
default of deny for the target workloads.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-action">
<td><code>action</code></td>
<td><code><a href="#AuthorizationPolicy-Action">Action</a></code></td>
<td>
<p>Optional. The action to take if the request is matched with the rules.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AuthorizationPolicy-Action">AuthorizationPolicy.Action</h2>
<section>
<p>Action specifies the operation to take.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="AuthorizationPolicy-Action-ALLOW">
<td><code>ALLOW</code></td>
<td>
<p>Allow a request only if it matches the rules. This is the default type.</p>
</td>
</tr>
<tr id="AuthorizationPolicy-Action-DENY">
<td><code>DENY</code></td>
<td>
<p>Deny a request if it matches any of the rules.</p>
</td>
</tr>
</tbody>
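Review bot: the new rules description says an unset rules field "is equivalent to setting a default of deny for the target workloads", but that holds only when action is ALLOW; under DENY a policy that never matches denies nothing and, by the evaluation order above, leaves the workload allowing everything if no ALLOW policy exists. Qualify the sentence with the action, or move it into the ALLOW row of the Action table. In that table, "This is the default type" should be "This is the default action" to match the field name.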
@ -195,7 +271,7 @@ No
<td><code>string</code></td>
<td>
<p>The name of an Istio attribute.
See the <a href="/docs/reference/config/">full list of supported attributes</a>.</p>
See the <a href="/docs/reference/config/security/conditions/">full list of supported attributes</a>.</p>
</td>
<td>
@ -206,11 +282,24 @@ Yes
<td><code>values</code></td>
<td><code>string[]</code></td>
<td>
<p>The allowed values for the attribute.</p>
<p>Optional. A list of allowed values for the attribute.
Note: at least one of values or not_values must be set.</p>
</td>
<td>
Yes
No
</td>
</tr>
<tr id="Condition-not_values">
<td><code>notValues</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of values for the attribute.
Note: at least one of values or not_values must be set.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
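Review bot: "A list of negative match of values for the attribute" is awkward; suggest "A list of values the attribute must not take." The same "a list of negative match of X" phrasing is used for every not* field added in this file (notHosts, notPorts, notMethods, notPaths, notPrincipals, notRequestPrincipals, notNamespaces) and should be fixed once in the source. The Required column for values correctly changes from Yes to No, but the cross-field constraint "at least one of values or not_values must be set" is only visible inside the two cells; repeat it in the Condition intro, and use the camelCase notValues there since that is the name in the table.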
@ -218,7 +307,16 @@ Yes
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request.</p>
<p>Operation specifies the operations of a request. Fields in the operation are
ANDed together.</p>
<p>For example, the following operation matches if the host has suffix &ldquo;.example.com&rdquo;
and the method is &ldquo;GET&rdquo; or &ldquo;HEAD&rdquo; and the path doesn&rsquo;t have prefix &ldquo;/admin&rdquo;.</p>
<pre><code class="language-yaml">hosts: [&quot;*.example.com&quot;]
methods: [&quot;GET&quot;, &quot;HEAD&quot;]
not_paths: [&quot;/admin*&quot;]
</code></pre>
<table class="message-fields">
<thead>
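Review bot: the new Operation example uses the proto field name not_paths while the table documents the field as notPaths; the examples elsewhere on this page use camelCase (matchLabels, requestPrincipals), so switch the snippet to notPaths for consistency. The Source example added later in this file has the same issue with not_ipblocks.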
@ -238,6 +336,17 @@ Yes
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_hosts">
<td><code>notHosts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of hosts.</p>
</td>
<td>
No
@ -251,6 +360,17 @@ No
<p>If not set, any port is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_ports">
<td><code>notPorts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of ports.</p>
</td>
<td>
No
@ -266,6 +386,17 @@ For gRPC service, this should be the fully-qualified name in the form of
<p>If not set, any method is allowed. Must be used only with HTTP or gRPC.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_methods">
<td><code>notMethods</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of methods.</p>
</td>
<td>
No
@ -279,6 +410,17 @@ No
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_paths">
<td><code>notPaths</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of paths.</p>
</td>
<td>
No
@ -289,14 +431,18 @@ No
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule allows access from a list of sources to perform a list of operations when
the condition is matched.</p>
<p>Rule matches requests from a list of sources that perform a list of operations subject to a
list of conditions. A match occurs when at least one source, operation and condition
matches the request. An empty rule is always matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.
- Prefix match: &ldquo;abc<em>&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.
- Suffix match: &ldquo;</em>abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.
- Presence match: &ldquo;*&rdquo; will match when value is not empty.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:</p>
<ul>
<li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
<li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
<li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li>
<li>Presence match: &ldquo;*&rdquo; will match when value is not empty.</li>
</ul>
<table class="message-fields">
<thead>
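Review bot: "An empty rule is always matched", together with the rules description that an unset rules field never matches, means rules: [{}] and an absent rules field are opposites under ALLOW (allow everything versus deny everything) while looking almost identical in a manifest. Spell out that contrast here with the two short YAML forms side by side, since it is the kind of difference that gets past code review.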
@ -408,7 +554,16 @@ No
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request.</p>
<p>Source specifies the source identities of a request. Fields in the source are
ANDed together.</p>
<p>For example, the following source matches if the principal is &ldquo;admin&rdquo; or &ldquo;dev&rdquo;
and the namespace is &ldquo;prod&rdquo; or &ldquo;test&rdquo; and the ip is not &ldquo;1.2.3.4&rdquo;.</p>
<pre><code class="language-yaml">principals: [&quot;admin&quot;, &quot;dev&quot;]
namespaces: [&quot;prod&quot;, &quot;test&quot;]
not_ipblocks: [&quot;1.2.3.4&quot;]
</code></pre>
<table class="message-fields">
<thead>
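Review bot: the YAML example's last key, `not_ipblocks: ["1.2.3.4"]`, matches neither the proto field name implied by the row id further down (`Source-not_ip_blocks`) nor the camelCase name shown in the table (`notIpBlocks`), and the other two keys in the same example (`principals`, `namespaces`) are not snake_case either. A reader pasting this example would get an unrecognised field; suggest `notIpBlocks: ["1.2.3.4"]` to match the table.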
@ -425,10 +580,21 @@ No
<td><code>string[]</code></td>
<td>
<p>Optional. A list of source peer identities (i.e. service account), which
matches to the &ldquo;source.principal&rdquo; attribute.</p>
matches to the &ldquo;source.principal&rdquo; attribute. This field requires mTLS enabled.</p>
<p>If not set, any principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_principals">
<td><code>notPrincipals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of source peer identities.</p>
</td>
<td>
No
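Review bot: "This field requires mTLS enabled." states a precondition without its consequence; the doc should say what `principals` evaluates to when mTLS is not enabled (the attribute is unset, so does the rule simply never match, or is the field ignored?). The same sentence belongs on the new `notPrincipals` row in this hunk, which reads the same attribute; for a negative match the behaviour on an unset principal is exactly what a policy author needs to know, because it decides whether the rule is open or closed by default.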
@ -443,6 +609,17 @@ matches to the &ldquo;request.auth.principal&rdquo; attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_request_principals">
<td><code>notRequestPrincipals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of request identities.</p>
</td>
<td>
No
@ -453,10 +630,21 @@ No
<td><code>string[]</code></td>
<td>
<p>Optional. A list of namespaces, which matches to the &ldquo;source.namespace&rdquo;
attribute.</p>
attribute. This field requires mTLS enabled.</p>
<p>If not set, any namespace is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_namespaces">
<td><code>notNamespaces</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of namespaces.</p>
</td>
<td>
No
@ -471,6 +659,17 @@ Single IP (e.g. &ldquo;1.2.3.4&rdquo;) and CIDR (e.g. &ldquo;1.2.3.0/24&rdquo;)
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_ip_blocks">
<td><code>notIpBlocks</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of IP blocks.</p>
</td>
<td>
No
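Review bot: the new `notIpBlocks` row ("Optional. A list of negative match of IP blocks.") should state the accepted forms, which the context line of this hunk lists for `ipBlocks`: "Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24")". Without it a reader cannot tell whether a bare address or only a CIDR is valid in the negative list.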

View File

@ -9,238 +9,10 @@ generator: protoc-gen-docs
schema: istio.authentication.v1alpha1.Policy
weight: 10
aliases: [/docs/reference/config/istio.authentication.v1alpha1]
number_of_entries: 11
number_of_entries: 4
---
<p>This package defines user-facing authentication policy.</p>
<h2 id="Jwt">Jwt</h2>
<section>
<p>JSON Web Token (JWT) token format for authentication as defined by
<a href="https://tools.ietf.org/html/rfc7519">RFC 7519</a>. See <a href="https://tools.ietf.org/html/rfc6749">OAuth 2.0</a> and
<a href="http://openid.net/connect">OIDC 1.0</a> for how this is used in the whole
authentication flow.</p>
<p>For example:</p>
<p>A JWT for any requests:</p>
<pre><code class="language-yaml">issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
bookstore_web.apps.googleusercontent.com
jwksUri: https://example.com/.well-known/jwks.json
</code></pre>
<p>A JWT for all requests except request at path <code>/health_check</code> and path with
prefix <code>/status/</code>. This is useful to expose some paths for public access but
keep others JWT validated.</p>
<pre><code class="language-yaml">issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- excludedPaths:
- exact: /health_check
- prefix: /status/
</code></pre>
<p>A JWT only for requests at path <code>/admin</code>. This is useful to only require JWT
validation on a specific set of paths but keep others public accessible.</p>
<pre><code class="language-yaml">issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- includedPaths:
- prefix: /admin
</code></pre>
<p>A JWT only for requests at path of prefix <code>/status/</code> but except the path of
<code>/status/version</code>. This means for any request path with prefix <code>/status/</code> except
<code>/status/version</code> will require a valid JWT to proceed.</p>
<pre><code class="language-yaml">issuer: https://example.com
jwksUri: https://example.com/.well-known/jwks.json
triggerRules:
- excludedPaths:
- exact: /status/version
includedPaths:
- prefix: /status/
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Jwt-issuer">
<td><code>issuer</code></td>
<td><code>string</code></td>
<td>
<p>Identifies the issuer that issued the JWT. See
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.1">issuer</a>
Usually a URL or an email address.</p>
<p>Example: https://securetoken.google.com
Example: 1234567-compute@developer.gserviceaccount.com</p>
</td>
<td>
No
</td>
</tr>
<tr id="Jwt-audiences">
<td><code>audiences</code></td>
<td><code>string[]</code></td>
<td>
<p>The list of JWT
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.3">audiences</a>.
that are allowed to access. A JWT containing any of these
audiences will be accepted.</p>
<p>The service name will be accepted if audiences is empty.</p>
<p>Example:</p>
<pre><code class="language-yaml">audiences:
- bookstore_android.apps.googleusercontent.com
bookstore_web.apps.googleusercontent.com
</code></pre>
</td>
<td>
No
</td>
</tr>
<tr id="Jwt-jwks_uri">
<td><code>jwksUri</code></td>
<td><code>string</code></td>
<td>
<p>URL of the provider&rsquo;s public key set to validate signature of the
JWT. See <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Discovery</a>.</p>
<p>Optional if the key set document can either (a) be retrieved from
<a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID
Discovery</a> of
the issuer or (b) inferred from the email domain of the issuer (e.g. a
Google service account).</p>
<p>Example: <code>https://www.googleapis.com/oauth2/v1/certs</code></p>
<p>Note: Only one of jwks_uri and jwks should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Jwt-jwks">
<td><code>jwks</code></td>
<td><code>string</code></td>
<td>
<p>JSON Web Key Set of public keys to validate signature of the JWT.
See https://auth0.com/docs/jwks.</p>
<p>Note: Only one of jwks_uri and jwks should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Jwt-jwt_headers">
<td><code>jwtHeaders</code></td>
<td><code>string[]</code></td>
<td>
<p>JWT is sent in a request header. <code>header</code> represents the
header name.</p>
<p>For example, if <code>header=x-goog-iap-jwt-assertion</code>, the header
format will be <code>x-goog-iap-jwt-assertion: &lt;JWT&gt;</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Jwt-jwt_params">
<td><code>jwtParams</code></td>
<td><code>string[]</code></td>
<td>
<p>JWT is sent in a query parameter. <code>query</code> represents the
query parameter name.</p>
<p>For example, <code>query=jwt_token</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Jwt-trigger_rules">
<td><code>triggerRules</code></td>
<td><code><a href="#Jwt-TriggerRule">TriggerRule[]</a></code></td>
<td>
<p>List of trigger rules to decide if this JWT should be used to validate the
request. The JWT validation happens if any one of the rules matched.
If the list is not empty and none of the rules matched, authentication will
skip the JWT validation.
Leave this empty to always trigger the JWT validation.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Jwt-TriggerRule">Jwt.TriggerRule</h2>
<section>
<p>Trigger rule to match against a request. The trigger rule is satisfied if
and only if both rules, excluded<em>paths and include</em>paths are satisfied.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Jwt-TriggerRule-excluded_paths">
<td><code>excludedPaths</code></td>
<td><code><a href="#StringMatch">StringMatch[]</a></code></td>
<td>
<p>List of paths to be excluded from the request. The rule is satisfied if
request path does not match to any of the path in this list.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Jwt-TriggerRule-included_paths">
<td><code>includedPaths</code></td>
<td><code><a href="#StringMatch">StringMatch[]</a></code></td>
<td>
<p>List of paths that the request must include. If the list is not empty, the
rule is satisfied if request path matches at least one of the path in the list.
If the list is empty, the rule is ignored, in other words the rule is always satisfied.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MutualTls">MutualTls</h2>
<section>
<p>TLS authentication params.</p>
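Review bot: this hunk removes the `Jwt` and `Jwt.TriggerRule` sections outright (and lowers `number_of_entries` from 11 to 4), yet the Policy table later in this file keeps the deprecated `origins` and `originIsOptional` fields, whose type chain bottoms out in `Jwt`. A deprecated field with no documentation for its type is hard to migrate away from; suggest either keeping these two sections flagged deprecated until the fields themselves are dropped, or removing the fields in the same change.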
@ -255,27 +27,28 @@ No
</tr>
</thead>
<tbody>
<tr id="MutualTls-allow_tls">
<td><code>allowTls</code></td>
<td><code>bool</code></td>
<tr id="MutualTls-mode">
<td><code>mode</code></td>
<td><code><a href="#MutualTls-Mode">Mode</a></code></td>
<td>
<p>WILL BE DEPRECATED, if set, will translates to <code>TLS_PERMISSIVE</code> mode.
Set this flag to true to allow regular TLS (i.e without client x509
certificate). If request carries client certificate, identity will be
extracted and used (set to peer identity). Otherwise, peer identity will
be left unset.
When the flag is false (default), request must have client certificate.</p>
<p>Defines the mode of mTLS authentication.</p>
</td>
<td>
No
</td>
</tr>
<tr id="MutualTls-mode">
<td><code>mode</code></td>
<td><code><a href="#MutualTls-Mode">Mode</a></code></td>
<tr id="MutualTls-allow_tls" class="deprecated ">
<td><code>allowTls</code></td>
<td><code>bool</code></td>
<td>
<p>Defines the mode of mTLS authentication.</p>
<p>Deprecated. Please use mode = PERMISSIVE instead.
If set, will translate to <code>TLS_PERMISSIVE</code> mode.
Set this flag to true to allow regular TLS (i.e without client x509
certificate). If request carries client certificate, identity will be
extracted and used (set to peer identity). Otherwise, peer identity will
be left unset.
When the flag is false (default), request must have client certificate.</p>
</td>
<td>
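Review bot: the new `allowTls` deprecation text names the replacement two different ways in consecutive sentences: "Please use mode = PERMISSIVE instead." and "If set, will translate to `TLS_PERMISSIVE` mode." Use the actual `Mode` enum value once so readers can map it to the `mode` row added above. Minor: "i.e without" should be "i.e. without".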
@ -309,36 +82,6 @@ No
<td>
<p>Connection can be either plaintext or TLS with Client cert.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="OriginAuthenticationMethod">OriginAuthenticationMethod</h2>
<section>
<p>OriginAuthenticationMethod defines authentication method/params for origin
authentication. Origin could be end-user, device, delegate service etc.
Currently, only JWT is supported for origin authentication.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="OriginAuthenticationMethod-jwt">
<td><code>jwt</code></td>
<td><code><a href="#Jwt">Jwt</a></code></td>
<td>
<p>Jwt params for the method.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
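Review bot: removing the `OriginAuthenticationMethod` section leaves a dangling anchor, since the `origins` row of the Policy table later in this file still links to `#OriginAuthenticationMethod` (`<a href="#OriginAuthenticationMethod">OriginAuthenticationMethod[]</a>`). Either keep the section marked deprecated or drop the link from the type cell.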
@ -346,9 +89,8 @@ No
</section>
<h2 id="PeerAuthenticationMethod">PeerAuthenticationMethod</h2>
<section>
<p>PeerAuthenticationMethod defines one particular type of authentication, e.g
mutual TLS, JWT etc, (no authentication is one type by itself) that can
be used for peer authentication.
<p>PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported
at the moment.
The type can be progammatically determine by checking the type of the
&ldquo;params&rdquo; field.</p>
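Review bot: the added sentence "Only mTLS is supported at the moment." is immediately followed by the unchanged "The type can be progammatically determine by checking the type of the "params" field.", which is moot when only one type exists; suggest dropping it or phrasing it as forward-looking. The unchanged line also has a typo: "progammatically determine" should be "programmatically determined".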
@ -459,18 +201,6 @@ spec:
</tr>
</thead>
<tbody>
<tr id="Policy-targets">
<td><code>targets</code></td>
<td><code><a href="#TargetSelector">TargetSelector[]</a></code></td>
<td>
<p>List rules to select workloads that the policy should be applied on.
If empty, policy will be used on all workloads in the same namespace.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Policy-peers">
<td><code>peers</code></td>
<td><code><a href="#PeerAuthenticationMethod">PeerAuthenticationMethod[]</a></code></td>
@ -486,11 +216,25 @@ Leave the list empty if peer authentication is not required</p>
No
</td>
</tr>
<tr id="Policy-peer_is_optional">
<tr id="Policy-targets" class="deprecated ">
<td><code>targets</code></td>
<td><code><a href="#TargetSelector">TargetSelector[]</a></code></td>
<td>
<p>Deprecated. Only mesh-level and namespace-level policies are supported.
List rules to select workloads that the policy should be applied on.
If empty, policy will be used on all workloads in the same namespace.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Policy-peer_is_optional" class="deprecated ">
<td><code>peerIsOptional</code></td>
<td><code>bool</code></td>
<td>
<p>Set this flag to true to accept request (for peer authentication perspective),
<p>Deprecated. Should set mTLS to PERMISSIVE instead.
Set this flag to true to accept request (for peer authentication perspective),
even when none of the peer authentication methods defined above satisfied.
Typically, this is used to delay the rejection decision to next layer (e.g
authorization).
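Review bot: "Deprecated. Should set mTLS to PERMISSIVE instead." has no subject and differs from the `allowTls` wording; suggest "Deprecated. Set mTLS mode to PERMISSIVE instead." For the `targets` row, "Deprecated. Only mesh-level and namespace-level policies are supported." should say what happens if `targets` is still set (ignored or rejected), since the following two sentences still describe it as selecting workloads.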
@ -501,11 +245,12 @@ This flag is ignored if no authentication defined for peer (peers field is empty
No
</td>
</tr>
<tr id="Policy-origins">
<tr id="Policy-origins" class="deprecated ">
<td><code>origins</code></td>
<td><code><a href="#OriginAuthenticationMethod">OriginAuthenticationMethod[]</a></code></td>
<td>
<p>List of authentication methods that can be used for origin authentication.
<p>Deprecated. Please use security/v1beta1/RequestAuthentication instead.
List of authentication methods that can be used for origin authentication.
Similar to peers, these will be evaluated in order; the first validate one
will be used to set origin identity and attributes (i.e request.auth.user,
request.auth.issuer etc). If none of these methods pass, request will be
@ -519,11 +264,12 @@ Leave the list empty if origin authentication is not required.</p>
No
</td>
</tr>
<tr id="Policy-origin_is_optional">
<tr id="Policy-origin_is_optional" class="deprecated ">
<td><code>originIsOptional</code></td>
<td><code>bool</code></td>
<td>
<p>Set this flag to true to accept request (for origin authentication perspective),
<p>Deprecated. Please use security/v1beta1/RequestAuthentication instead.
Set this flag to true to accept request (for origin authentication perspective),
even when none of the origin authentication methods defined above satisfied.
Typically, this is used to delay the rejection decision to next layer (e.g
authorization).
@ -534,11 +280,13 @@ This flag is ignored if no authentication defined for origin (origins field is e
No
</td>
</tr>
<tr id="Policy-principal_binding">
<tr id="Policy-principal_binding" class="deprecated ">
<td><code>principalBinding</code></td>
<td><code><a href="#PrincipalBinding">PrincipalBinding</a></code></td>
<td>
<p>Define whether peer or origin identity should be use for principal. Default
<p>Deprecated. Source principal is always from peer, and request principal is always from
RequestAuthentication.
Define whether peer or origin identity should be use for principal. Default
value is USE_PEER.
If peer (or origin) identity is not available, either because of peer/origin
authentication is not defined, or failed, principal will be left unset.
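Review bot: typo in the added line: "Define whether peer or origin identity should be use for principal." should read "should be used". The new deprecation sentence says the source principal "is always from peer" and the request principal "is always from RequestAuthentication", but the kept text still says "Default value is USE_PEER" and describes USE_ORIGIN behaviour; state explicitly that the field is ignored so the two halves do not contradict each other.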
@ -553,191 +301,3 @@ No
</tbody>
</table>
</section>
<h2 id="PortSelector">PortSelector</h2>
<section>
<p>PortSelector specifies the name or number of a port to be used for
matching targets for authentication policy. This is copied from
networking API to avoid dependency.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PortSelector-number" class="oneof oneof-start">
<td><code>number</code></td>
<td><code>uint32 (oneof)</code></td>
<td>
<p>Valid port number</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="PortSelector-name" class="oneof">
<td><code>name</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Port name</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PrincipalBinding">PrincipalBinding</h2>
<section>
<p>Associates authentication with request principal.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="PrincipalBinding-USE_PEER">
<td><code>USE_PEER</code></td>
<td>
<p>Principal will be set to the identity from peer authentication.</p>
</td>
</tr>
<tr id="PrincipalBinding-USE_ORIGIN">
<td><code>USE_ORIGIN</code></td>
<td>
<p>Principal will be set to the identity from origin authentication.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="StringMatch">StringMatch</h2>
<section>
<p>Describes how to match a given string. Match is case-sensitive.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="StringMatch-exact" class="oneof oneof-start">
<td><code>exact</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>exact string match.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="StringMatch-prefix" class="oneof">
<td><code>prefix</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>prefix-based match.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="StringMatch-suffix" class="oneof">
<td><code>suffix</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>suffix-based match.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="StringMatch-regex" class="oneof">
<td><code>regex</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>ECMAscript style regex-based match as defined by <a href="http://en.cppreference.com/w/cpp/regex/ecmascript">EDCA-262</a>.
Example: &ldquo;^/pets/(.*?)?&rdquo;</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="TargetSelector">TargetSelector</h2>
<section>
<p>TargetSelector defines a matching rule to a workload. A workload is selected
if it is associated with the service name and service port(s) specified in the selector rule.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="TargetSelector-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>The name must be a short name from the service registry. The
fully qualified domain name will be resolved in a platform specific manner.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="TargetSelector-ports">
<td><code>ports</code></td>
<td><code><a href="#PortSelector">PortSelector[]</a></code></td>
<td>
<p>Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.
For example, if a service is defined as below, then <code>8000</code> should be used, not <code>9000</code>.</p>
<pre><code class="language-yaml">kind: Service
metadata:
...
spec:
ports:
- name: http
port: 8000
targetPort: 9000
selector:
app: backend
</code></pre>
<p>Leave empty to match all ports that are exposed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
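Review bot: this hunk removes `PortSelector`, `PrincipalBinding`, `StringMatch` and `TargetSelector`, but two rows kept in the Policy table above still link to them: `targets` (`<a href="#TargetSelector">TargetSelector[]</a>`) and `principalBinding` (`<a href="#PrincipalBinding">PrincipalBinding</a>`). Those become dangling anchors on the same page; either keep the sections flagged deprecated or unlink the type cells. Dropping `StringMatch` is consistent with the earlier removal of `Jwt.TriggerRule`, its only remaining user.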

View File

@ -24,7 +24,7 @@ the following standard fields:</p>
<ul>
<li>services: a list of services.</li>
<li>methods: A list of HTTP methods. You can set the value to <code>\*</code> to include all HTTP methods.
<li>methods: A list of HTTP methods. You can set the value to <code>[&quot;*&quot;]</code> to include all HTTP methods.
This field should not be set for TCP services. The policy will be ignored.
For gRPC services, only <code>POST</code> is allowed; other methods will result in denying services.</li>
<li>paths: HTTP paths or gRPC methods. Note that gRPC methods should be