From 10bd9659828df530f219a5083c38f671239f009b Mon Sep 17 00:00:00 2001 From: Frank Budinsky Date: Thu, 28 Jul 2022 10:47:49 -0400 Subject: [PATCH] Document validation disabled by default when using istioctl manifest generate (#11653) * Document validation disabled by default when using istioctl manifest generate * separate changes * improve wording --- content/en/docs/setup/install/istioctl/index.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/en/docs/setup/install/istioctl/index.md b/content/en/docs/setup/install/istioctl/index.md index 0269d10299..9fa3b77262 100644 --- a/content/en/docs/setup/install/istioctl/index.md +++ b/content/en/docs/setup/install/istioctl/index.md @@ -231,6 +231,13 @@ If attempting to install and manage Istio using `istioctl manifest generate`, pl 1. The Istio namespace (`istio-system` by default) must be created manually. +1. Istio validation will not be enabled by default. Unlike `istioctl install`, the `manifest generate` command will +not create the `istiod-default-validator` validating webhook configuration unless `values.defaultRevision` is set: + + {{< text bash >}} + $ istioctl manifest generate --set values.defaultRevision=default + {{< /text >}} + 1. While `istioctl install` will automatically detect environment specific settings from your Kubernetes context, `manifest generate` cannot as it runs offline, which may lead to unexpected results. In particular, you must ensure that you follow [these steps](/docs/ops/best-practices/security/#configure-third-party-service-account-tokens) if your