diff --git a/content/en/docs/reference/commands/galley/index.html b/content/en/docs/reference/commands/galley/index.html
index 39a7a6f673..dd02364ad7 100644
--- a/content/en/docs/reference/commands/galley/index.html
+++ b/content/en/docs/reference/commands/galley/index.html
@@ -31,12 +31,12 @@ remove_toc_prefix: 'galley '
--log_caller <string>
--log_output_level <string>
--log_rotate <string>
--log_stacktrace_level <string>
--log_target <stringArray>
--log_caller <string>
--log_output_level <string>
--log_rotate <string>
--log_stacktrace_level <string>
--log_target <stringArray>
--log_caller <string>
--log_output_level <string>
--log_rotate <string>
--log_stacktrace_level <string>
--log_target <stringArray>
--useOldProcessor
--validation-port <uint>
--validation.tls.caCertificates <string>
--validation.tls.clientCertificate <string>
--validation.tls.privateKey <string>
--watchConfigFiles
--log_caller <string>
--log_output_level <string>
--log_rotate <string>
--log_stacktrace_level <string>
--log_target <stringArray>
galley
comma
1m0s
MCP_SOURCE_REQ_BURST_SIZE
100
MCP_SOURCE_REQ_FREQ
1s
SOURCE_SERVER_STREAM_BURST_SIZE
100
SOURCE_SERVER_STREAM_FREQ
1s
galley
comma
galley_source_kube_event_success_total
Count
galley_validation_cert_key_update_errors
Count
galley_validation_cert_key_updates
Count
galley_validation_config_delete_error
Count
galley_validation_config_load
Count
galley_validation_config_load_error
Count
galley_validation_config_update_error
Count
--log_caller <string>
--log_output_level <string>
--log_rotate <string>
--log_stacktrace_level <string>
--log_target <stringArray>
--log_caller <string>
--log_output_level <string>
--log_rotate <string>
--log_stacktrace_level <string>
--log_target <stringArray>
--log_caller <string>
--log_output_level <string>
--log_rotate <string>
--log_stacktrace_level <string>
--log_target <stringArray>
istio_ca
com
JWT_POLICY
third-party-jwt
NAMESPACE
--log_output_level <string>
--namespace <string>
--all-namespaces
-A
--discovery
-d
--failure-threshold <Level>
--log_output_level <string>
--meshConfigFile <string>
--suppress <stringArray>
-S
--timeout <duration>
--use-kube
-k
--verbose
-# Analyze yaml files
-istioctl analyze a.yaml b.yaml
-
# Analyze the current live cluster
-istioctl analyze -k
+istioctl analyze
# Analyze the current live cluster, simulating the effect of applying additional yaml files
-istioctl analyze -k a.yaml b.yaml
+istioctl analyze a.yaml b.yaml
-# Analyze yaml files, overriding service discovery to enabled
-istioctl analyze -d true a.yaml b.yaml services.yaml
+# Analyze yaml files without connecting to a live cluster
+istioctl analyze --use-kube=false a.yaml b.yaml
-# Analyze the current live cluster, overriding service discovery to disabled
-istioctl analyze -k -d false
+# Analyze the current live cluster and suppress PodMissingProxy for pod mypod in namespace 'testing'.
+istioctl analyze -S "IST0103=Pod mypod.testing"
+
+# Analyze the current live cluster and suppress PodMissingProxy for all pods in namespace 'testing',
+# and suppress MisplacedAnnotation on deployment foobar in namespace default.
+istioctl analyze -S "IST0103=Pod *.testing" -S "IST0107=Deployment foobar.default"
# List available analyzers
istioctl analyze -L
@@ -190,7 +196,7 @@ A group of commands used to interact with Istio authentication policies.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -237,7 +243,7 @@ and check if TLS settings are compatible between them.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -287,7 +293,7 @@ istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -332,7 +338,7 @@ istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -384,7 +390,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -429,7 +435,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -477,7 +483,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -525,7 +531,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -568,7 +574,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -611,7 +617,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -654,7 +660,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -697,7 +703,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -740,7 +746,7 @@ istioctl d [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -782,7 +788,7 @@ istioctl deregister my-svc 172.17.0.2
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -813,6 +819,16 @@ istioctl deregister my-svc 172.17.0.2
The name of the kubeconfig context to use (default ``)
+--injectConfigFile <string>
+
+injection configuration filename. Cannot be used with --injectConfigMapName (default ``)
+
+
+--injectConfigMapName <string>
+
+ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`)
+
+
--istioNamespace <string>
-i
Istio system namespace (default `istio-system`)
@@ -825,15 +841,103 @@ istioctl deregister my-svc 172.17.0.2
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
+
+
+--meshConfigFile <string>
+
+mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``)
+
+
+--meshConfigMapName <string>
+
+ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`)
--namespace <string>
-n
Config namespace (default ``)
+
+--valuesFile <string>
+
+injection values configuration filename. (default ``)
+
istioctl experimental add-to-mesh deployment restarts pods with the Istio sidecar. Use 'add-to-mesh' +to test deployments for compatibility with Istio. If your deployment does not function after +using 'add-to-mesh' you must re-deploy it and troubleshoot it for Istio compatibility. +See https://istio.io/docs/setup/kubernetes/additional-setup/requirements/ +THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. +
+istioctl experimental add-to-mesh deployment [flags]
+
+Flags | +Shorthand | +Description | +
---|---|---|
--context <string> |
++ | The name of the kubeconfig context to use (default ``) | +
--injectConfigFile <string> |
++ | injection configuration filename. Cannot be used with --injectConfigMapName (default ``) | +
--injectConfigMapName <string> |
++ | ConfigMap name for Istio sidecar injection, key should be "config". (default `istio-sidecar-injector`) | +
--istioNamespace <string> |
+-i |
+Istio system namespace (default `istio-system`) | +
--kubeconfig <string> |
+-c |
+Kubernetes configuration file (default ``) | +
--log_output_level <string> |
++ | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`) | +
--meshConfigFile <string> |
++ | mesh configuration filename. Takes precedence over --meshConfigMapName if set (default ``) | +
--meshConfigMapName <string> |
++ | ConfigMap name for Istio mesh configuration, key should be "mesh" (default `istio`) | +
--namespace <string> |
+-n |
+Config namespace (default ``) | +
--valuesFile <string> |
++ | injection values configuration filename. (default ``) | +
istioctl experimental add-to-mesh deployment productpage-v1
+
istioctl experimental add-to-mesh external-service create a ServiceEntry and\ a Service without selector for the specified external service in Istio service mesh.
@@ -862,6 +966,16 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--injectConfigFile <string>
--injectConfigMapName <string>
--istioNamespace <string>
-i
--log_output_level <string>
--meshConfigFile <string>
--meshConfigMapName <string>
--namespace <string>
-s
--valuesFile <string>
--log_output_level <string>
--meshConfigFile <string>
--all-namespaces
-A
--discovery
-d
--failure-threshold <Level>
--log_output_level <string>
--meshConfigFile <string>
--output <string>
-o
--output-threshold <Level>
--suppress <stringArray>
-S
--timeout <duration>
--use-kube
-k
--verbose
-# Analyze yaml files
-istioctl analyze a.yaml b.yaml
-
# Analyze the current live cluster
-istioctl analyze -k
+istioctl analyze
# Analyze the current live cluster, simulating the effect of applying additional yaml files
-istioctl analyze -k a.yaml b.yaml
+istioctl analyze a.yaml b.yaml
-# Analyze yaml files, overriding service discovery to enabled
-istioctl analyze -d true a.yaml b.yaml services.yaml
+# Analyze yaml files without connecting to a live cluster
+istioctl analyze --use-kube=false a.yaml b.yaml
-# Analyze the current live cluster, overriding service discovery to disabled
-istioctl analyze -k -d false
+# Analyze the current live cluster and suppress PodMissingProxy for pod mypod in namespace 'testing'.
+istioctl analyze -S "IST0103=Pod mypod.testing"
+
+# Analyze the current live cluster and suppress PodMissingProxy for all pods in namespace 'testing',
+# and suppress MisplacedAnnotation on deployment foobar in namespace default.
+istioctl analyze -S "IST0103=Pod *.testing" -S "IST0107=Deployment foobar.default"
# List available analyzers
istioctl analyze -L
@@ -1113,7 +1248,7 @@ istioctl analyze -L
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1126,8 +1261,11 @@ istioctl analyze -L
# Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
istioctl x authz check httpbin-88ddbcfdd-nt5jb
- # Convert the v1alpha1 RBAC policies in the current cluster to v1beta1 authorization policies:
- istioctl x authz convert > v1beta1-authz.yaml
+ # Convert the v1alpha1 RBAC policies in the current cluster:
+ istioctl x authz convert > authorization-policies.yaml
+
+ # Convert the v1alpha1 RBAC policies in the file with the given services and root namespace:
+ istioctl x authz convert -f rbac-policies.yaml -s my-service.yaml -r istio-system > authorization-policies.yaml
istioctl experimental authz check
@@ -1162,7 +1300,7 @@ with authorization and the rules used in the authorization.
--file <string>
-f
-Check the Envoy config dump from a file (default ``)
+The json file with Envoy config dump to be checked (default ``)
--istioNamespace <string>
@@ -1177,7 +1315,7 @@ with authorization and the rules used in the authorization.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1194,20 +1332,18 @@ with authorization and the rules used in the authorization.
istioctl x authz check -f httpbin_config_dump.json
istioctl experimental authz convert
-Convert Istio v1alpha1 RBAC policy to v1beta1 authorization policy. The command talks to Kubernetes
-API server to get all the information needed to complete the conversion, including the v1alpha1 RBAC policies in the current
-cluster, the Istio config-map for root namespace configuration and the k8s Service translating the
+
Convert Istio v1alpha1 RBAC policy to v1beta1 authorization policy. By default,
+The command talks to Istio Pilot and Kubernetes API server to get all the information
+needed for the conversion, including the v1alpha1 RBAC policies in the current cluster,
+the value of the root namespace and the Kubernetes services that provide the mapping from the
service name to workload selector.
-The tool can also be used in offline mode without talking to the Kubernetes API server. In this mode,
-all needed information is provided through the command line.
-Note: The converter tool makes a best effort attempt to keep the syntax unchanged when
-converting v1alph1 RBAC policy to v1beta1 policy. However, in some cases, strict
-mapping with equivalent syntax is not possible (e.g., constraints no longer valid
-in the new workload oriented model, converting a service name containing a wildcard
-to workload selector).
-Please always review the converted policies, and remove the "===PLEASE REVIEW THE GENERATED POLICY AND REMOVE THIS LINE BEFORE APPLYING IT==="
-string on top of the converted policies before apply them.
-THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
+
The tool can also be used in an offline mode when specified with flag -f. In this mode,
+the tool doesn't access the network and all needed information is provided
+through the command line.
+Note: The converter tool makes a best effort attempt to keep the syntax unchanged during
+the conversion. However, in some cases, strict mapping with equivalent syntax is not
+possible (e.g., constraints no longer supported in the new workload oriented model).
+PLEASE ALWAYS REVIEW THE CONVERTED POLICIES BEFORE APPLYING.
istioctl experimental authz convert [flags]
@@ -1221,6 +1357,11 @@ string on top of the converted policies before apply them.
+--allowNoClusterRbacConfig
+
+Continue the conversion even if there is no ClusterRbacConfig in the cluster
+
+
--context <string>
The name of the kubeconfig context to use (default ``)
@@ -1228,7 +1369,7 @@ string on top of the converted policies before apply them.
--file <stringSlice>
-f
-v1alpha1 RBAC policy that needs to be converted to v1beta1 authorization policy (default `[]`)
+The yaml file with v1alpha1 RBAC policies to be converted (default `[]`)
--istioNamespace <string>
@@ -1243,17 +1384,7 @@ string on top of the converted policies before apply them.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
-
-
---meshConfigFile <string>
--m
-Istio MeshConfig file that provides the root namespace value (default ``)
-
-
---meshConfigMapName <string>
-
-ConfigMap name for Istio mesh configuration (default `istio`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1261,19 +1392,24 @@ string on top of the converted policies before apply them.
Config namespace (default ``)
+--rootNamespace <string>
+-r
+Override the root namespace used in the conversion (default `istio-system`)
+
+
--service <stringSlice>
-s
-Kubernetes Service resource that provides the mapping between service and workload (default `[]`)
+The yaml file with Kubernetes services for the mapping from the service name to workload selector, used with -f (default `[]`)
Examples
# Convert the v1alpha1 RBAC policy in the current cluster:
- istioctl x authz convert > v1beta1-authz.yaml
+ istioctl x authz convert > authorization-policies.yaml
- # Convert the v1alpha1 RBAC policy provided through command line:
+ # Convert the v1alpha1 RBAC policy in the given file:
istioctl x authz convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
- --service services.yaml --meshConfigFile meshConfig.yaml > v1beta1-authz.yaml
+ -s my-services.yaml -r my-root-namespace > authorization-policies.yaml
istioctl experimental convert-ingress
@@ -1307,7 +1443,7 @@ string on top of the converted policies before apply them.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1362,7 +1498,7 @@ string on top of the converted policies before apply them.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1422,7 +1558,7 @@ istioctl --Kubeconfig=c0.yaml x create-remote-secret --auth-type=plugin --auth-p
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1465,7 +1601,7 @@ istioctl --Kubeconfig=c0.yaml x create-remote-secret --auth-type=plugin --auth-p
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1513,7 +1649,7 @@ the configuration objects that affect that pod.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1567,7 +1703,7 @@ the configuration objects that affect that service.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1618,7 +1754,7 @@ also provides the inverse of "istioctl kube-inject -f".
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1689,7 +1825,7 @@ calculated over a time interval of 1 minute.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1736,7 +1872,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1781,7 +1917,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1831,7 +1967,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1881,7 +2017,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1924,7 +2060,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -1962,7 +2098,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -2012,7 +2148,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -2078,7 +2214,7 @@ because in previous versions webhooks manage their own configurations.
--injection-service <string>
-The service name of the injection webhook to manage. (default `istio-sidecar-injector`)
+The service name of the injection webhook to manage. (default `istio-pilot`)
--istioNamespace <string>
@@ -2093,7 +2229,7 @@ because in previous versions webhooks manage their own configurations.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -2184,7 +2320,7 @@ istioctl experimental post-install webhook enable --validation --webhook-secret
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -2246,7 +2382,7 @@ istioctl experimental post-install webhook status --validation --validation-conf
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -2255,6 +2391,51 @@ istioctl experimental post-install webhook status --validation --validation-conf
istioctl experimental remove-from-mesh deployment restarts pods with the Istio sidecar un-injected.
+THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
+
+istioctl experimental remove-from-mesh deployment [flags]
+
+Flags | +Shorthand | +Description | +
---|---|---|
--context <string> |
++ | The name of the kubeconfig context to use (default ``) | +
--istioNamespace <string> |
+-i |
+Istio system namespace (default `istio-system`) | +
--kubeconfig <string> |
+-c |
+Kubernetes configuration file (default ``) | +
--log_output_level <string> |
++ | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`) | +
--namespace <string> |
+-n |
+Config namespace (default ``) | +
istioctl experimental remove-from-mesh deployment productpage-v1
+
istioctl experimental remove-from-mesh external-service remove the ServiceEntry and\ the kubernetes Service for the specified external service(eg:services running on VM) from Istio service mesh.
@@ -2290,7 +2471,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--filename <string>
--filename <stringSlice>
-f
--force
--istioNamespace <string>
--log_output_level <string>
--logtostderr
--skip-confirmation
-y
--versionsURI <string>
-u
--wait
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--meshConfigFile <string>
--log_output_level <string>
--logtostderr
--filename <string>
--filename <stringSlice>
-f
--force
--log_output_level <string>
--logtostderr
--set <stringSlice>
--set <stringArray>
-s
--skip-confirmation
-y
istioctl manifest apply # installs the default profile on the current Kubernetes cluster context
+istioctl manifest apply --set values.global.mtls.enabled=true --set values.global.controlPlaneSecurityEnabled=true
+istioctl manifest apply --set profile=demo
+istioctl manifest apply --set installPackagePath=~/istio-releases/istio-1.4.3/install/kubernetes/operator/charts
+
The diff subcommand compares manifests from two files or directories.
istioctl manifest diff <file|dir> <file|dir> [flags]
@@ -2794,7 +2983,7 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -2853,9 +3042,10 @@ e.g.
Console/log output only, make no changes.
---filename <string>
+--filename <stringSlice>
-f
-Path to file containing IstioControlPlane CustomResource (default ``)
+Path to file containing IstioOperator CustomResource
+This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--force
@@ -2875,7 +3065,7 @@ e.g.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -2893,11 +3083,12 @@ e.g.
Manifest output directory path (default ``)
---set <stringSlice>
+--set <stringArray>
-s
-Set a value in IstioControlPlane CustomResource. e.g. --set policy.enabled=true.
-Overrides the corresponding path value in the selected profile or passed through IstioControlPlane CR
-customization file (default `[]`)
+Override an IstioOperator value, e.g. to choose a profile
+(--set profile=demo), enable or disable components (--set components.policy.enabled=true), or override Istio
+settings (--set values.global.mtls.enabled=true). See documentation for more info:
+https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControlPlaneSpec (default `[]`)
--verbose
@@ -2907,7 +3098,7 @@ customization file (default `[]`)
istioctl manifest migrate
-The migrate subcommand migrates a configuration from Helm values format to IstioControlPlane format.
+The migrate subcommand migrates a configuration from Helm values or IstioControlPlane format to IstioOperator format.
istioctl manifest migrate [<filepath>] [flags]
@@ -2942,7 +3133,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -2997,7 +3188,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -3017,7 +3208,222 @@ customization file (default `[]`)
--versionsURI <string>
-u
-URI for operator versions to Istio versions map (default `https://raw.githubusercontent.com/istio/operator/master/data/versions.yaml`)
+URI for operator versions to Istio versions map (default ``)
+
+
+
+istioctl operator
+The operator subcommand installs, removes and shows the status of the operator controller.
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+
+istioctl operator init
+The init subcommand installs the Istio operator controller in the cluster.
+istioctl operator init [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--filename <string>
+-f
+Path to file containing IstioOperator CustomResource
+This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)
+
+
+--hub <string>
+
+The hub for the operator controller image (default `unknown`)
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--operatorNamespace <string>
+
+The namespace the operator controller is installed into (default `istio-operator`)
+
+
+--readiness-timeout <duration>
+
+Maximum seconds to wait for the Istio operator to be ready. The --wait flag must be set for this flag to apply (default `5m0s`)
+
+
+--tag <string>
+
+The tag for the operator controller image (default `unknown`)
+
+
+--verbose
+
+Verbose output.
+
+
+--wait
+-w
+Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of --readiness-timeout seconds
+
+
+
+istioctl operator remove
+The remove subcommand removes the Istio operator controller from the cluster.
+istioctl operator remove [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--filename <string>
+-f
+Path to file containing IstioOperator CustomResource
+This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)
+
+
+--force
+
+Proceed even with errors
+
+
+--hub <string>
+
+The hub for the operator controller image (default `unknown`)
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--operatorNamespace <string>
+
+The namespace the operator controller is installed into (default `istio-operator`)
+
+
+--readiness-timeout <duration>
+
+Maximum seconds to wait for the Istio operator to be ready. The --wait flag must be set for this flag to apply (default `5m0s`)
+
+
+--tag <string>
+
+The tag for the operator controller image (default `unknown`)
+
+
+--verbose
+
+Verbose output.
+
+
+--wait
+-w
+Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of --readiness-timeout seconds
@@ -3055,7 +3461,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -3110,7 +3516,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -3158,9 +3564,10 @@ customization file (default `[]`)
Console/log output only, make no changes.
---filename <string>
+--filename <stringSlice>
-f
-Path to file containing IstioControlPlane CustomResource (default ``)
+Path to file containing IstioOperator CustomResource
+This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--helm-values
@@ -3180,7 +3587,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -3235,7 +3642,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--logtostderr
@@ -3283,7 +3690,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3340,7 +3747,7 @@ customization file (default `[]`)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3413,7 +3820,7 @@ istioctl proxy-config c [<pod-name[.namespace]>] [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3502,7 +3909,7 @@ istioctl proxy-config ep [<pod-name[.namespace]>] [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3591,7 +3998,7 @@ istioctl proxy-config l [<pod-name[.namespace]>] [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3669,7 +4076,7 @@ istioctl proxy-config l [<pod-name[.namespace]>] [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3742,7 +4149,7 @@ istioctl proxy-config r [<pod-name[.namespace]>] [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--name <string>
@@ -3815,7 +4222,7 @@ istioctl proxy-config r [<pod-name[.namespace]>] [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3876,7 +4283,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3944,7 +4351,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -3958,6 +4365,86 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
+istioctl upgrade
+The upgrade command checks for upgrade version eligibility and, if eligible, upgrades the Istio control plane components in-place. Warning: traffic may be disrupted during upgrade. Please ensure PodDisruptionBudgets are defined to maintain service continuity.
+istioctl upgrade [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--filename <stringSlice>
+-f
+Path to file containing IstioControlPlane CustomResource (default `[]`)
+
+
+--force
+
+Apply the upgrade without eligibility checks
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--skip-confirmation
+-y
+If skip-confirmation is set, skips the prompting confirmation for value changes in this upgrade
+
+
+--verbose
+
+Verbose output.
+
+
+--versionsURI <string>
+-u
+URI for operator versions to Istio versions map (default ``)
+
+
+--wait
+-w
+Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of 10m0s
+
+
+
istioctl validate
Validate Istio policy and rules (NOTE: validate is deprecated and will be removed in 1.6. Use 'istioctl analyze' to validate configuration.)
istioctl validate -f FILENAME [options] [flags]
@@ -3994,7 +4481,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -4071,7 +4558,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -4125,7 +4612,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>
@@ -4192,6 +4679,12 @@ These environment variables affect the behavior of the istioctl
com
Service name of istiod. If empty the istiod listener, certs will be disabled.
+ISTIO_GPRC_MAXRECVMSGSIZE
+Integer
+4194304
+Sets the max receive buffer size of gRPC stream in bytes.
+
+
ISTIO_GPRC_MAXSTREAMS
Integer
100000
@@ -4204,6 +4697,12 @@ These environment variables affect the behavior of the istioctl
com
Selects the attribute expression language runtime for Mixer.
+JWT_POLICY
+String
+third-party-jwt
+The JWT validation policy.
+
+
K8S_INGRESS_NS
String
@@ -4228,6 +4727,12 @@ These environment variables affect the behavior of the istioctl
com
+PILOT_CERT_PROVIDER
+String
+citadel
+the provider of Pilot DNS certificate.
+
+
PILOT_DEBOUNCE_AFTER
Time Duration
100ms
@@ -4276,6 +4781,12 @@ These environment variables affect the behavior of the istioctl
com
If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
+PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES
+Boolean
+false
+If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
+
+
PILOT_ENABLE_FALLTHROUGH_ROUTE
Boolean
true
@@ -4312,10 +4823,16 @@ These environment variables affect the behavior of the istioctl
com
EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
-PILOT_ENABLE_UNSAFE_REGEX
+PILOT_ENABLE_TCP_METADATA_EXCHANGE
+Boolean
+true
+If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
+
+
+PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
Boolean
false
-If enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.
+
PILOT_HTTP10
@@ -4384,6 +4901,12 @@ These environment variables affect the behavior of the istioctl
com
Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
+PILOT_USE_ENDPOINT_SLICE
+Boolean
+false
+If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
+
+
POD_NAME
String
@@ -4493,8 +5016,10 @@ These environment variables affect the behavior of the istioctl
com
pilot_no_ip
LastValue
Pods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_time
Distribution
Delay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_time
Distribution
Time in seconds, a proxy is in the push queue before being dequeued.
+pilot_push_triggers
Sum
Total number of times a push was triggered, labeled by reason for the push.
pilot_rds_expired_nonce
Sum
Total number of RDS messages with an expired nonce.
pilot_services
LastValue
Total services known to pilot.
+pilot_total_k8s_object_errors
Sum
Total Errors converting k8s CRDs
pilot_total_rejected_configs
Sum
Total number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errors
Sum
Total number of internal XDS errors in pilot.
pilot_total_xds_rejects
Sum
Total number of XDS responses from pilot rejected by proxy.
diff --git a/content/en/docs/reference/commands/mixs/index.html b/content/en/docs/reference/commands/mixs/index.html
index 9abb403425..67262f0a97 100644
--- a/content/en/docs/reference/commands/mixs/index.html
+++ b/content/en/docs/reference/commands/mixs/index.html
@@ -32,11 +32,11 @@ nexus for policy evaluation and telemetry reporting.
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -56,7 +56,7 @@ nexus for policy evaluation and telemetry reporting.
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -184,12 +184,12 @@ nexus for policy evaluation and telemetry reporting.
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -214,7 +214,7 @@ nexus for policy evaluation and telemetry reporting.
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, loadshedding, mcp, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html
index f258ff15f7..0bc52e2926 100644
--- a/content/en/docs/reference/commands/operator/index.html
+++ b/content/en/docs/reference/commands/operator/index.html
@@ -41,7 +41,7 @@ remove_toc_prefix: 'operator '
--base-chart-path <string>
-The absolute path to a directory containing nested charts, e.g. /etc/istio-operator/helm. This will be used as the base path for any IstioControlPlane instances specifying a relative ChartPath. (default ``)
+The absolute path to a directory containing nested charts, e.g. /etc/istio-operator/helm. This will be used as the base path for any IstioOperator instances specifying a relative ChartPath. (default ``)
--ctrlz_address <string>
@@ -53,7 +53,7 @@ remove_toc_prefix: 'operator '
--default-chart-path <string>
-A path relative to base-chart-path containing charts to be used when no ChartPath is specified by an IstioControlPlane resource, e.g. 1.1.0/istio (default ``)
+A path relative to base-chart-path containing charts to be used when no ChartPath is specified by an IstioOperator resource, e.g. 1.1.0/istio (default ``)
--kubeconfig <string>
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index e07f6605c1..92eb3193bc 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -157,11 +157,11 @@ remove_toc_prefix: 'pilot-agent '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -181,7 +181,7 @@ remove_toc_prefix: 'pilot-agent '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -221,7 +221,7 @@ remove_toc_prefix: 'pilot-agent '
--serviceregistry <string>
-Select the platform for service registry, options are {Kubernetes, Consul, MCP, Mock} (default `Kubernetes`)
+Select the platform for service registry, options are {Kubernetes, Consul, Mock} (default `Kubernetes`)
--statsdUdpAddress <string>
@@ -232,10 +232,18 @@ remove_toc_prefix: 'pilot-agent '
HTTP Port on which to serve pilot agent status. If zero, agent status will not be provided. (default `0`)
+--stsPort <int>
+HTTP Port on which to serve Security Token Service (STS). If zero, STS service will not be provided. (default `0`)
+
+
--templateFile <string>
Go template bootstrap config (default ``)
+--tokenManagerPlugin <string>
+Token provider specific plugin name. (default ``)
+
+
--trust-domain <string>
The domain to use for identities (default ``)
@@ -263,11 +271,11 @@ remove_toc_prefix: 'pilot-agent '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -287,7 +295,7 @@ remove_toc_prefix: 'pilot-agent '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -316,12 +324,12 @@ remove_toc_prefix: 'pilot-agent '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -346,7 +354,7 @@ remove_toc_prefix: 'pilot-agent '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cacheLog, citadelClientLog, configMapController, default, googleCAClientLog, model, rbac, sdsServiceLog, secretFetcherLog, stsClientLog, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -416,7 +424,7 @@ These environment variables affect the behavior of the pilot-agent
INITIAL_BACKOFF_MSEC
Integer
-10
+2000
@@ -450,6 +458,12 @@ These environment variables affect the behavior of the pilot-agent
+ISTIO_GPRC_MAXRECVMSGSIZE
+Integer
+4194304
+Sets the max receive buffer size of gRPC stream in bytes.
+
+
ISTIO_GPRC_MAXSTREAMS
Integer
100000
@@ -504,6 +518,12 @@ These environment variables affect the behavior of the pilot-agent
+JWT_POLICY
+String
+third-party-jwt
+The JWT validation policy.
+
+
NAMESPACE
String
istio-system
@@ -522,6 +542,12 @@ These environment variables affect the behavior of the pilot-agent
+PILOT_CERT_PROVIDER
+String
+citadel
+the provider of Pilot DNS certificate.
+
+
PILOT_DEBOUNCE_AFTER
Time Duration
100ms
@@ -570,6 +596,12 @@ These environment variables affect the behavior of the pilot-agent
If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
+PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES
+Boolean
+false
+If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
+
+
PILOT_ENABLE_FALLTHROUGH_ROUTE
Boolean
true
@@ -606,10 +638,16 @@ These environment variables affect the behavior of the pilot-agent
EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
-PILOT_ENABLE_UNSAFE_REGEX
+PILOT_ENABLE_TCP_METADATA_EXCHANGE
+Boolean
+true
+If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
+
+
+PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
Boolean
false
-If enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.
+
PILOT_HTTP10
@@ -678,6 +716,18 @@ These environment variables affect the behavior of the pilot-agent
Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
+PILOT_USE_ENDPOINT_SLICE
+Boolean
+false
+If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
+
+
+PKCS8_KEY
+Boolean
+false
+Whether to generate PKCS#8 private keys
+
+
PLUGINS
String
@@ -710,7 +760,7 @@ These environment variables affect the behavior of the pilot-agent
SECRET_GRACE_DURATION
Time Duration
-1h0m0s
+12h0m0s
diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html
index 0c6ab60d44..ff39a5ba80 100644
--- a/content/en/docs/reference/commands/pilot-discovery/index.html
+++ b/content/en/docs/reference/commands/pilot-discovery/index.html
@@ -43,11 +43,11 @@ remove_toc_prefix: 'pilot-discovery '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -67,7 +67,7 @@ remove_toc_prefix: 'pilot-discovery '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -119,11 +119,6 @@ remove_toc_prefix: 'pilot-discovery '
The IP port to use for the ControlZ introspection facility (default `9876`)
---disable-install-crds
-
-Disable discovery service from verifying the existence of CRDs at startup and then installing if not detected. It is recommended to be disable for highly available setups.
-
-
--domain <string>
DNS domain suffix (default `cluster.local`)
@@ -139,6 +134,11 @@ remove_toc_prefix: 'pilot-discovery '
Discovery service HTTP address (default `:8080`)
+--httpsAddr <string>
+
+Injection and validation service HTTPS address (default `:15017`)
+
+
--keepaliveInterval <duration>
The time interval if no activity on the connection it pings the peer to see if the transport is alive (default `30s`)
@@ -166,12 +166,12 @@ remove_toc_prefix: 'pilot-discovery '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -196,7 +196,7 @@ remove_toc_prefix: 'pilot-discovery '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -251,7 +251,7 @@ remove_toc_prefix: 'pilot-discovery '
--registries <stringSlice>
-Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, MCP, Mock}) (default `[Kubernetes]`)
+Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, Mock}) (default `[Kubernetes]`)
--resync <duration>
@@ -308,11 +308,11 @@ remove_toc_prefix: 'pilot-discovery '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -332,7 +332,7 @@ remove_toc_prefix: 'pilot-discovery '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -386,12 +386,12 @@ remove_toc_prefix: 'pilot-discovery '
--log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] (default ``)
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>
@@ -416,7 +416,7 @@ remove_toc_prefix: 'pilot-discovery '
--log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, caSecretController, configMapController, conversions, default, grpcAdapter, k8sController, kube, kube-converter, mcp, meshconfig, model, pkiCaLog, processing, rbac, resource, rootCertRotator, runtime, server, serverCaLog, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, attributes, authn, configmapcontroller, default, grpcAdapter, mcp, model, pkica, rbac, rootcertrotator, secretcontroller, serverca, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>
@@ -454,18 +454,6 @@ These environment variables affect the behavior of the pilot-discoveryExpected audience in the tokens.
-AUTHZ_FAILURE_LOG_BURST_SIZE
-Integer
-1
-
-
-
-AUTHZ_FAILURE_LOG_FREQ
-Time Duration
-1m0s
-
-
-
BYPASS_OOP_MTLS_SAN_VERIFICATION
Boolean
false
@@ -496,12 +484,30 @@ These environment variables affect the behavior of the pilot-discoveryGrace period percentile for self-signed root cert.
+DEFER_VALIDATION_TO_DEPLOYMENT
+String
+
+When set, the controller defers reconciling the validatingwebhookconfiguration to the named deployment.
+
+
+INJECTION_WEBHOOK_CONFIG_NAME
+String
+istio-sidecar-injector
+Name of the mutatingwebhookconfiguration to patch, if istioctl is not used.
+
+
ISTIOD_ADDR
String
Service name of istiod. If empty the istiod listener, certs will be disabled.
+ISTIO_GPRC_MAXRECVMSGSIZE
+Integer
+4194304
+Sets the max receive buffer size of gRPC stream in bytes.
+
+
ISTIO_GPRC_MAXSTREAMS
Integer
100000
@@ -514,6 +520,12 @@ These environment variables affect the behavior of the pilot-discoverySelects the attribute expression language runtime for Mixer.
+JWT_POLICY
+String
+third-party-jwt
+The JWT validation policy.
+
+
K8S_INGRESS_NS
String
@@ -544,6 +556,12 @@ These environment variables affect the behavior of the pilot-discovery
+PILOT_CERT_PROVIDER
+String
+citadel
+the provider of Pilot DNS certificate.
+
+
PILOT_DEBOUNCE_AFTER
Time Duration
100ms
@@ -592,6 +610,12 @@ These environment variables affect the behavior of the pilot-discoveryIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
+PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES
+Boolean
+false
+If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
+
+
PILOT_ENABLE_FALLTHROUGH_ROUTE
Boolean
true
@@ -628,10 +652,16 @@ These environment variables affect the behavior of the pilot-discoveryEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
-PILOT_ENABLE_UNSAFE_REGEX
+PILOT_ENABLE_TCP_METADATA_EXCHANGE
+Boolean
+true
+If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
+
+
+PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
Boolean
false
-If enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.
+
PILOT_HTTP10
@@ -700,6 +730,12 @@ These environment variables affect the behavior of the pilot-discoverySets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
+PILOT_USE_ENDPOINT_SLICE
+Boolean
+false
+If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
+
+
POD_NAME
String
@@ -736,10 +772,10 @@ These environment variables affect the behavior of the pilot-discoveryUse the Istio JWT filter for JWT token verification.
-WEBHOOK
+VALIDATION_WEBHOOK_CONFIG_NAME
String
-
-Name of webhook config to patch, if istioctl is not used.
+istiod-${namespace}
+Name of validatingwegbhookconfiguration to patch, if istioctl is not used.
WORKLOAD_CERT_TTL
@@ -768,22 +804,9 @@ These environment variables affect the behavior of the pilot-discoverycitadel_server_root_cert_expiry_timestamp
LastValue
The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.
citadel_server_success_cert_issuance_count
Sum
The number of certificates issuances that have succeeded.
endpoint_no_pod
LastValue
Endpoints without an associated pod.
-galley_runtime_processor_event_span_duration_milliseconds
Distribution
The duration between each incoming event
-galley_runtime_processor_events_processed_total
Count
The number of events that have been processed
-galley_runtime_processor_snapshot_events_total
Distribution
The number of events per snapshot
-galley_runtime_processor_snapshot_lifetime_duration_milliseconds
Distribution
The duration of each snapshot
-galley_runtime_processor_snapshots_published_total
Count
The number of snapshots that have been published
-galley_runtime_state_type_instances_total
LastValue
The number of type instances per type URL
-galley_runtime_strategy_on_change_total
Count
The number of times the strategy's onChange has been called
-galley_runtime_strategy_timer_max_time_reached_total
Count
The number of times the max time has been reached
-galley_runtime_strategy_timer_quiesce_reached_total
Count
The number of times a quiesce has been reached
-galley_runtime_strategy_timer_resets_total
Count
The number of times the timer has been reset
-galley_source_kube_dynamic_converter_failure_total
Count
The number of times a dynamnic kubernetes source failed converting a resources
-galley_source_kube_dynamic_converter_success_total
Count
The number of times a dynamic kubernetes source successfully converted a resource
-galley_source_kube_event_error_total
Count
The number of times a kubernetes source encountered errored while handling an event
-galley_source_kube_event_success_total
Count
The number of times a kubernetes source successfully handled an event
galley_validation_cert_key_update_errors
Count
Galley validation webhook certificate updates errors
galley_validation_cert_key_updates
Count
Galley validation webhook certificate updates
+galley_validation_config_delete_error
Count
k8s webhook configuration delete error
galley_validation_config_load
Count
k8s webhook configuration (re)loads
galley_validation_config_load_error
Count
k8s webhook configuration (re)load error
galley_validation_config_update_error
Count
k8s webhook configuration update error
@@ -844,8 +867,10 @@ These environment variables affect the behavior of the pilot-discoverypilot_no_ip
LastValue
Pods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_time
Distribution
Delay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_time
Distribution
Time in seconds, a proxy is in the push queue before being dequeued.
+pilot_push_triggers
Sum
Total number of times a push was triggered, labeled by reason for the push.
pilot_rds_expired_nonce
Sum
Total number of RDS messages with an expired nonce.
pilot_services
LastValue
Total services known to pilot.
+pilot_total_k8s_object_errors
Sum
Total Errors converting k8s CRDs
pilot_total_rejected_configs
Sum
Total number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errors
Sum
Total number of internal XDS errors in pilot.
pilot_total_xds_rejects
Sum
Total number of XDS responses from pilot rejected by proxy.
diff --git a/content/en/docs/reference/commands/sidecar-injector/index.html b/content/en/docs/reference/commands/sidecar-injector/index.html
index ef587d62a5..02e65c463f 100644
--- a/content/en/docs/reference/commands/sidecar-injector/index.html
+++ b/content/en/docs/reference/commands/sidecar-injector/index.html
@@ -386,12 +386,24 @@ These environment variables affect the behavior of the sidecar-injectorService name of istiod. If empty the istiod listener, certs will be disabled.
+ISTIO_GPRC_MAXRECVMSGSIZE
+Integer
+4194304
+Sets the max receive buffer size of gRPC stream in bytes.
+
+
ISTIO_GPRC_MAXSTREAMS
Integer
100000
Sets the maximum number of concurrent grpc streams.
+JWT_POLICY
+String
+third-party-jwt
+The JWT validation policy.
+
+
PILOT_BLOCK_HTTP_ON_443
Boolean
true
@@ -404,6 +416,12 @@ These environment variables affect the behavior of the sidecar-injector
+PILOT_CERT_PROVIDER
+String
+citadel
+the provider of Pilot DNS certificate.
+
+
PILOT_DEBOUNCE_AFTER
Time Duration
100ms
@@ -452,6 +470,12 @@ These environment variables affect the behavior of the sidecar-injectorIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
+PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES
+Boolean
+false
+If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
+
+
PILOT_ENABLE_FALLTHROUGH_ROUTE
Boolean
true
@@ -488,10 +512,16 @@ These environment variables affect the behavior of the sidecar-injectorEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
-PILOT_ENABLE_UNSAFE_REGEX
+PILOT_ENABLE_TCP_METADATA_EXCHANGE
+Boolean
+true
+If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
+
+
+PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
Boolean
false
-If enabled, pilot will generate Envoy configuration that does not use safe_regex but the older, deprecated regex field. This should only be enabled to support legacy deployments that have not yet been migrated to the new safe regular expressions.
+
PILOT_HTTP10
@@ -560,6 +590,12 @@ These environment variables affect the behavior of the sidecar-injectorSets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
+PILOT_USE_ENDPOINT_SLICE
+Boolean
+false
+If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
+
+
TERMINATION_DRAIN_DURATION_SECONDS
Integer
5
diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html
index 3261ed4415..8a25272011 100644
--- a/content/en/docs/reference/config/annotations/index.html
+++ b/content/en/docs/reference/config/annotations/index.html
@@ -29,6 +29,16 @@ Istio supports to control its behavior.
+
+
+ galley.istio.io/analyze-suppress
+ [Any]
+ A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed.
+
+
+
+
+
install.operator.istio.io/chart-owner
@@ -217,6 +227,16 @@ Istio supports to control its behavior.
+
+
+ sidecar.istio.io/enableCoreDump
+ [Pod]
+ Specifies whether or not an Envoy sidecar should enable core dump.
+
+
+
+
+
sidecar.istio.io/inject
diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
index 237d61a711..3bce80dc6e 100644
--- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
@@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
-number_of_entries: 73
+number_of_entries: 74
---
Configuration affecting the service mesh as a whole.
@@ -999,7 +999,7 @@ No
values
-TypeMapStringInterface
+TypeMapStringInterface2
Overrides for default values.yaml. This is a validated pass-through to Helm templates.
See the Helm installation options for schema details: https://istio.io/docs/reference/config/installation-options/.
@@ -1013,7 +1013,7 @@ No
unvalidatedValues
-TypeMapStringInterface
+TypeMapStringInterface2
Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.
@@ -4016,6 +4016,11 @@ No
GOTYPE: map[string]interface{}
+
+TypeMapStringInterface2
+
+GOTYPE: map[string]interface{}
+
WeightedPodAffinityTerm
diff --git a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
index b82a3ac3f5..1facf08302 100644
--- a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
+++ b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
@@ -1,6 +1,6 @@
---
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/operator' REPO
-source_repo: https://github.com/istio/operator
+WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
+source_repo: https://github.com/istio/istio
title: Installation Options (istioctl)
description: Configuration options for Istio control plane installation using istioctl.
location: https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb.html
diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html
index 2038f4ffc4..6dab512ff0 100644
--- a/content/en/docs/reference/config/networking/destination-rule/index.html
+++ b/content/en/docs/reference/config/networking/destination-rule/index.html
@@ -8,7 +8,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.DestinationRule
aliases: [/docs/reference/config/networking/v1alpha3/destination-rule]
-number_of_entries: 19
+number_of_entries: 20
---
DestinationRule
defines policies that apply to traffic intended for a
service after routing has occurred. These rules specify configuration
@@ -804,6 +804,18 @@ Explicitly specify the region traffic will land on when endpoints in local regio
Should be used together with OutlierDetection to detect unhealthy endpoints.
Note: if no OutlierDetection specified, this will not take effect.
+
+
+No
+
+
+
+enabled
+BoolValue
+
+enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
+e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.
+
No
@@ -952,15 +964,45 @@ spec:
-
-consecutiveErrors
-int32
+
+consecutiveGatewayErrors
+UInt32Value
-Number of errors before a host is ejected from the connection
-pool. Defaults to 5. When the upstream host is accessed over HTTP, a
-502, 503, or 504 return code qualifies as an error. When the upstream host
-is accessed over an opaque TCP connection, connect timeouts and
-connection error/failure events qualify as an error.
+Number of gateway errors before a host is ejected from the connection pool.
+When the upstream host is accessed over HTTP, a 502, 503, or 504 return
+code qualifies as a gateway error. When the upstream host is accessed over
+an opaque TCP connection, connect timeouts and connection error/failure
+events qualify as a gateway error.
+This feature is disabled by default or when set to the value 0.
+
+Note that consecutivegatewayerrors and consecutive5xxerrors can be
+used separately or together. Because the errors counted by
+consecutivegatewayerrors are also included in consecutive5xxerrors,
+if the value of consecutivegatewayerrors is greater than or equal to
+the value of consecutive5xxerrors, consecutivegatewayerrors will have
+no effect.
+
+
+
+No
+
+
+
+consecutive5xxErrors
+UInt32Value
+
+Number of 5xx errors before a host is ejected from the connection pool.
+When the upstream host is accessed over an opaque TCP connection, connect
+timeouts, connection error/failure and request failure events qualify as a
+5xx error.
+This feature defaults to 5 but can be disabled by setting the value to 0.
+
+Note that consecutivegatewayerrors and consecutive5xxerrors can be
+used separately or together. Because the errors counted by
+consecutivegatewayerrors are also included in consecutive5xxerrors,
+if the value of consecutivegatewayerrors is greater than or equal to
+the value of consecutive5xxerrors, consecutivegatewayerrors will have
+no effect.
@@ -1455,3 +1497,33 @@ No
+google.protobuf.UInt32Value
+
+Wrapper message for uint32
.
+
+The JSON representation for UInt32Value
is JSON number.
+
+
+
diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html
index b0586b168f..e4407ac5e0 100644
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@@ -1007,6 +1007,19 @@ after the selected filter or sub filter. If no filter is
selected, the specified filter will be inserted at the end
of the list.
+
+
+
+INSERT_FIRST
+
+Insert operation on an array of named objects. This operation
+is typically useful only in the context of filters, where the
+order of filters matter. For clusters and virtual hosts,
+order of the element in the array does not matter. Insert
+first in the list based on the presence of selected filter or not.
+This is specifically useful when you want your filter first in the
+list based on a match condition specified in Match clause.
+
diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index 130d9d9e42..bf3b896cb5 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -142,13 +142,13 @@ spec:
-
-allowOrigin
-string[]
+
+allowOrigins
+StringMatch[]
-The list of origins that are allowed to perform CORS requests. The
-content will be serialized into the Access-Control-Allow-Origin
-header. Wildcard * will allow all origins.
+String patterns that match allowed origins.
+An origin is allowed if any of the string matchers match.
+If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.
@@ -370,9 +370,9 @@ instead of “reviews.default.svc.cluster.local”), Istio will interpre
the short name based on the namespace of the rule, not the service. A
rule in the “default” namespace containing a host “reviews will be
interpreted as “reviews.default.svc.cluster.local”, irrespective of
-the actual namespace associated with the reviews service. To avoid
-potential misconfigurations, it is recommended to always use fully
-qualified domain names over short names.
+the actual namespace associated with the reviews service. To avoid
+potential misconfiguration, it is recommended to always use fully
+qualified domain names over short names.
@@ -513,19 +513,6 @@ Yes
Percentage of requests to be aborted with the error code provided.
-
-
-No
-
-
-
-percent
-int32
-
-Percentage of requests to be aborted with the error code provided (0-100).
-Use of integer percent
value is deprecated. Use the double percentage
-field instead.
-
No
@@ -795,9 +782,22 @@ No
One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
-gateways specified at the top, it must include the reserved gateway
+gateways specified in the top-level gateways
field, it must include the reserved gateway
mesh
for this field to be applicable.
+
+
+No
+
+
+
+gateways
+string[]
+
+Names of gateways where the rule should be applied. Gateway names
+in the top-level gateways
field of the VirtualService (if any) are overridden. The gateway
+match is independent of sourceLabels.
+
No
@@ -1352,54 +1352,6 @@ No
Header manipulation rules
-
-
-No
-
-
-
-removeResponseHeaders
-string[]
-
-Use of remove_response_header
is deprecated. Use the headers
-field instead.
-
-
-
-No
-
-
-
-appendResponseHeaders
-map<string, string>
-
-Use of append_response_headers
is deprecated. Use the headers
-field instead.
-
-
-
-No
-
-
-
-removeRequestHeaders
-string[]
-
-Use of remove_request_headers
is deprecated. Use the headers
-field instead.
-
-
-
-No
-
-
-
-appendRequestHeaders
-map<string, string>
-
-Use of append_request_headers
is deprecated. Use the headers
-field instead.
-
No
@@ -1579,7 +1531,7 @@ No
One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
-gateways specified at the top, it should include the reserved gateway
+gateways specified in the top-level gateways
field, it should include the reserved gateway
mesh
in order for this field to be applicable.
@@ -1591,8 +1543,8 @@ No
gateways
string[]
-Names of gateways where the rule should be applied to. Gateway names
-at the top of the VirtualService (if any) are overridden. The gateway
+
Names of gateways where the rule should be applied. Gateway names
+in the top-level gateways
field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.
@@ -1872,7 +1824,7 @@ No
One or more labels that constrain the applicability of a rule to
workloads with the given labels. If the VirtualService has a list of
-gateways specified at the top, it should include the reserved gateway
+gateways specified in the top-level gateways
field, it should include the reserved gateway
mesh
in order for this field to be applicable.
@@ -1884,8 +1836,8 @@ No
gateways
string[]
-Names of gateways where the rule should be applied to. Gateway names
-at the top of the VirtualService (if any) are overridden. The gateway
+
Names of gateways where the rule should be applied. Gateway names
+in the top-level gateways
field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.
diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html
index ff94ebaae1..8a89f46cd8 100644
--- a/content/en/docs/reference/config/security/authorization-policy/index.html
+++ b/content/en/docs/reference/config/security/authorization-policy/index.html
@@ -9,22 +9,42 @@ generator: protoc-gen-docs
schema: istio.security.v1beta1.AuthorizationPolicy
weight: 20
aliases: [/docs/reference/config/authorization/authorization-policy]
-number_of_entries: 7
+number_of_entries: 8
---
Istio Authorization Policy enables access control on workloads in the mesh.
-For example, the following authorization policy applies to workloads matched with
-label selector “app: httpbin, version: v1”.
+Authorization policy supports both allow and deny policies. When allow and
+deny policies are used for a workload at the same time, the deny policies are
+evaluated first. The evaluation is determined by the following rules:
-It allows requests from:
-- service account “cluster.local/ns/default/sa/sleep” or
-- namespace “test”
-to access the workload with:
-- “GET” method at paths of prefix “/info” or,
-- “POST” method at path “/data”.
-when the request has a valid JWT token issued by “https://accounts.google.com”.
+
+- If there are any DENY policies that match the request, deny the request.
+- If there are no ALLOW policies for the workload, allow the request.
+- If any of the ALLOW policies match the request, allow the request.
+- Deny the request.
+
-Any other requests will be rejected.
+For example, the following authorization policy sets the action
to “ALLOW”
+to create an allow policy. The default action is “ALLOW” but it is useful
+to be explicit in the policy.
+
+It allows requests from:
+
+
+- service account “cluster.local/ns/default/sa/sleep” or
+- namespace “test”
+
+
+to access the workload with:
+
+
+- “GET” method at paths of prefix “/info” or,
+- “POST” method at path “/data”.
+
+
+when the request has a valid JWT token issued by “https://accounts.google.com”.
+
+Any other requests will be denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
@@ -32,10 +52,7 @@ metadata:
name: httpbin
namespace: foo
spec:
- selector:
- matchLabels:
- app: httpbin
- version: v1
+ action: ALLOW
rules:
- from:
- source:
@@ -54,19 +71,34 @@ spec:
values: ["https://accounts.google.com"]
-Access control is enabled on a workload if there is any authorization policies selecting
-the workload. When access control is enabled, the default behavior is deny (deny-by-default)
-which means requests to the workload will be rejected if the request is not allowed by any of
-the authorization policies selecting the workload.
+The following is another example that sets action
to “DENY” to create a deny policy.
+It denies requests from the “dev” namespace to the “POST” method on all workloads
+in the “foo” namespace.
-Currently AuthorizationPolicy only supports “ALLOW” action. This means that
-if multiple authorization policies apply to the same workload, the effect is additive.
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: httpbin
+ namespace: foo
+spec:
+ action: DENY
+ rules:
+ - from:
+ - source:
+ namespaces: ["dev"]
+ to:
+ - operation:
+ methods: ["POST"]
+
Authorization Policy scope (target) is determined by “metadata/namespace” and
-an optional “selector”.
-- “metadata/namespace” tells which namespace the policy applies. If set to root
-namespace, the policy applies to all namespaces in a mesh.
-- workload “selector” can be used to further restrict where a policy applies.
+an optional “selector”.
+
+
+- “metadata/namespace” tells which namespace the policy applies. If set to root
+namespace, the policy applies to all namespaces in a mesh.
+- workload “selector” can be used to further restrict where a policy applies.
+
For example,
@@ -92,6 +124,7 @@ metadata:
name: policy
namespace: foo
spec:
+ {}
The following authorization policy applies to workloads containing label
@@ -122,6 +155,7 @@ metadata:
name: deny-all
namespace: foo
spec:
+ {}
The following authorization policy allows all requests to workloads in namespace
@@ -164,13 +198,55 @@ No
rules
Rule[]
-Optional. A list of rules to specify the allowed access to the workload.
+Optional. A list of rules to match the request. A match occurs when at least
+one rule matches the request.
-If not set, access is denied unless explicitly allowed by other authorization policy.
+If not set, the match will never occur. This is equivalent to setting a
+default of deny for the target workloads.
No
+
+
+
+action
+Action
+
+Optional. The action to take if the request is matched with the rules.
+
+
+
+No
+
+
+
+
+
+AuthorizationPolicy.Action
+
+Action specifies the operation to take.
+
+
+
+
+Name
+Description
+
+
+
+
+ALLOW
+
+Allow a request only if it matches the rules. This is the default type.
+
+
+
+
+DENY
+
+Deny a request if it matches any of the rules.
+
@@ -195,7 +271,7 @@ No
string
The name of an Istio attribute.
-See the full list of supported attributes.
+See the full list of supported attributes.
@@ -206,11 +282,24 @@ Yes
values
string[]
-The allowed values for the attribute.
+Optional. A list of allowed values for the attribute.
+Note: at least one of values or not_values must be set.
-Yes
+No
+
+
+
+notValues
+string[]
+
+Optional. A list of negative match of values for the attribute.
+Note: at least one of values or not_values must be set.
+
+
+
+No
@@ -218,7 +307,16 @@ Yes
Operation
-Operation specifies the operations of a request.
+Operation specifies the operations of a request. Fields in the operation are
+ANDed together.
+
+For example, the following operation matches if the host has suffix “.example.com”
+and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.
+
+hosts: ["*.example.com"]
+methods: ["GET", "HEAD"]
+not_paths: ["/admin*"]
+