mirror of https://github.com/istio/istio.io.git
update ref docs (#15307)
This commit is contained in:
zirain
GitHub
parent
55175adf84
commit
1e0556d43a
|
|
@ -81,11 +81,11 @@ remove_toc_prefix: 'install-cni '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -105,7 +105,7 @@ remove_toc_prefix: 'install-cni '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -203,11 +203,11 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -227,7 +227,7 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -272,11 +272,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -296,7 +296,7 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -340,11 +340,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -364,7 +364,7 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -407,11 +407,11 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -431,7 +431,7 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -481,11 +481,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -505,7 +505,7 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -548,12 +548,12 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -578,7 +578,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
|
|||
|
|
@ -913,160 +913,6 @@ Istio supports to control its behavior.
|
|||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeInboundPorts">traffic.istio.io/excludeInboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeInboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeInterfaces">traffic.istio.io/excludeInterfaces</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeInterfaces</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of interfaces to be excluded from Istio traffic capture</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeOutboundIPRanges">traffic.istio.io/excludeOutboundIPRanges</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeOutboundIPRanges</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeOutboundPorts">traffic.istio.io/excludeOutboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeOutboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of outbound ports to be excluded from redirection to Envoy.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficIncludeInboundPorts">traffic.istio.io/includeInboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/includeInboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficIncludeOutboundIPRanges">traffic.istio.io/includeOutboundIPRanges</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/includeOutboundIPRanges</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficIncludeOutboundPorts">traffic.istio.io/includeOutboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/includeOutboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficNodeSelector">traffic.istio.io/nodeSelector</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
|
|
|
|||
|
|
@ -3957,7 +3957,7 @@ No
|
|||
<td><code>envoyDebugHeaders</code></td>
|
||||
<td><code><a href="#ProxyConfig-ProxyHeaders-EnvoyDebugHeaders">EnvoyDebugHeaders</a></code></td>
|
||||
<td>
|
||||
<p>Controls various <code>X-Envoy-*</code> headers, such as <code>X-Envoy-Overloaded</code> and `X-Envoy-Upstream-Service-Time. If enabled,
|
||||
<p>Controls various <code>X-Envoy-*</code> headers, such as <code>X-Envoy-Overloaded</code> and <code>X-Envoy-Upstream-Service-Time</code>. If enabled,
|
||||
these headers will be included.
|
||||
If disabled, these headers will not be set. If they are already present, they will be preserved.
|
||||
See the <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers">Envoy documentation</a> for more details.
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ for load balancing, connection pool size from the sidecar, and outlier
|
|||
detection settings to detect and evict unhealthy hosts from the load
|
||||
balancing pool. For example, a simple load balancing policy for the
|
||||
ratings service would look as follows:</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -31,7 +31,7 @@ spec:
|
|||
following rule uses a round robin load balancing policy for all traffic
|
||||
going to a subset named testversion that is composed of endpoints (e.g.,
|
||||
pods) with labels (version:v3).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -54,7 +54,7 @@ a route rule explicitly sends traffic to this subset.</p>
|
|||
following rule uses the least connection load balancing policy for all
|
||||
traffic to port 80, while uses a round robin load balancing setting for
|
||||
traffic to the port 9080.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings-port
|
||||
|
|
@ -74,7 +74,7 @@ spec:
|
|||
<p>Destination Rules can be customized to specific workloads as well.
|
||||
The following example shows how a destination rule can be applied to a
|
||||
specific workload using the workloadSelector configuration.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: configure-client-mtls-dr-with-workloadselector
|
||||
|
|
@ -311,7 +311,7 @@ service-level can be overridden at a subset-level. The following rule
|
|||
uses a round robin load balancing policy for all traffic going to a
|
||||
subset named testversion that is composed of endpoints (e.g., pods) with
|
||||
labels (version:v3).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -395,7 +395,7 @@ load balancing
|
|||
for more details.</p>
|
||||
<p>For example, the following rule uses a round robin load balancing policy
|
||||
for all traffic going to the ratings service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -408,7 +408,7 @@ spec:
|
|||
<p>The following example sets up sticky sessions for the ratings service
|
||||
hashing-based load balancer for the same ratings service using the
|
||||
the User cookie as the hash key.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -492,7 +492,7 @@ for more details. Connection pool settings can be applied at the TCP
|
|||
level as well as at HTTP level.</p>
|
||||
<p>For example, the following rule sets a limit of 100 connections to redis
|
||||
service called myredissrv with a connect timeout of 30ms</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-redis
|
||||
|
|
@ -559,7 +559,7 @@ with no more than 10 req/connection to the “reviews” service. In add
|
|||
it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
|
||||
hosts to be scanned every 5 mins so that any host that fails 7 consecutive
|
||||
times with a 502, 503, or 504 error code will be ejected for 15 minutes.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-cb-policy
|
||||
|
|
@ -728,7 +728,7 @@ context</a>
|
|||
for more details. These settings are common to both HTTP and TCP upstreams.</p>
|
||||
<p>For example, the following rule configures a client to use mutual TLS
|
||||
for connections to upstream database cluster.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: db-mtls
|
||||
|
|
@ -743,7 +743,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>The following rule configures a client to use TLS when talking to a
|
||||
foreign service whose domain matches *.foo.com.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: tls-foo
|
||||
|
|
@ -755,7 +755,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>The following rule configures a client to use Istio mutual TLS when talking
|
||||
to rating services.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: ratings-istio-mtls
|
||||
|
|
|
|||
|
|
@ -389,12 +389,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ as a load balancer exposing port 80 and 9080 (http), 443 (https),
|
|||
applied to the proxy running on a pod with labels <code>app: my-gateway-controller</code>. While Istio will configure the proxy to listen
|
||||
on these ports, it is the responsibility of the user to ensure that
|
||||
external traffic to these ports are allowed into the mesh.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-gateway
|
||||
|
|
@ -84,7 +84,7 @@ in the qa version. The same rule is also applicable inside the mesh for
|
|||
requests to the “reviews.prod.svc.cluster.local” service. This rule is
|
||||
applicable across ports 443, 9080. Note that <code>http://uk.bookinfo.com</code>
|
||||
gets redirected to <code>https://uk.bookinfo.com</code> (i.e. 80 redirects to 443).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-rule
|
||||
|
|
@ -124,7 +124,7 @@ spec:
|
|||
port 27017 to internal Mongo server on port 5555. This rule is not
|
||||
applicable internally in the mesh as the gateway list omits the
|
||||
reserved name <code>mesh</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-mongo
|
||||
|
|
@ -148,7 +148,7 @@ a gateway server using the namespace/hostname syntax in the hosts field.
|
|||
For example, the following Gateway allows any virtual service in the ns1
|
||||
namespace to bind to it, while restricting only the virtual service with
|
||||
foo.bar.com host in the ns2 namespace to bind to it.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-gateway
|
||||
|
|
@ -221,7 +221,7 @@ No
|
|||
<section>
|
||||
<p><code>Server</code> describes the properties of the proxy on a given load balancer
|
||||
port. For example,</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-ingress
|
||||
|
|
@ -237,7 +237,7 @@ spec:
|
|||
- "*"
|
||||
</code></pre>
|
||||
<p>Another example</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-tcp-ingress
|
||||
|
|
@ -253,7 +253,7 @@ spec:
|
|||
- "*"
|
||||
</code></pre>
|
||||
<p>The following is an example of TLS configuration for port 443</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-tls-ingress
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ services.</p>
|
|||
<p>The following example declares a few external APIs accessed by internal
|
||||
applications over HTTPS. The sidecar inspects the SNI value in the
|
||||
ClientHello message to route to the appropriate external service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-https
|
||||
|
|
@ -48,7 +48,7 @@ spec:
|
|||
unmanaged VMs to Istio’s registry, so that these services can be treated
|
||||
as any other service in the mesh. The associated DestinationRule is used
|
||||
to initiate mTLS connections to the database instances.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-mongocluster
|
||||
|
|
@ -68,7 +68,7 @@ spec:
|
|||
- address: 3.3.3.3
|
||||
</code></pre>
|
||||
<p>and the associated DestinationRule</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: mtls-mongocluster
|
||||
|
|
@ -84,7 +84,7 @@ spec:
|
|||
<p>The following example uses a combination of service entry and TLS
|
||||
routing in a virtual service to steer traffic based on the SNI value to
|
||||
an internal egress firewall.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-redirect
|
||||
|
|
@ -100,7 +100,7 @@ spec:
|
|||
resolution: NONE
|
||||
</code></pre>
|
||||
<p>And the associated VirtualService to route based on the SNI value.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: tls-routing
|
||||
|
|
@ -127,7 +127,7 @@ declaration to other namespaces in the mesh. By default, a service is exported
|
|||
to all namespaces. The following example restricts the visibility to the
|
||||
current namespace, represented by “.”, so that it cannot be used by other
|
||||
namespaces.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-httpbin
|
||||
|
|
@ -145,7 +145,7 @@ spec:
|
|||
resolution: DNS
|
||||
</code></pre>
|
||||
<p>Define a gateway to handle all egress traffic.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-egressgateway
|
||||
|
|
@ -167,7 +167,7 @@ well as route from the gateway to the external service. Note that the
|
|||
virtual service is exported to all namespaces enabling them to route traffic
|
||||
through the gateway to the external service. Forcing traffic to go through
|
||||
a managed middle proxy like this is a common practice.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: gateway-routing
|
||||
|
|
@ -200,7 +200,7 @@ spec:
|
|||
external services. If the connection has to be routed to the IP address
|
||||
requested by the application (i.e. application resolves DNS and attempts
|
||||
to connect to a specific IP), the resolution mode must be set to <code>NONE</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-wildcard-example
|
||||
|
|
@ -217,7 +217,7 @@ spec:
|
|||
<p>The following example demonstrates a service that is available via a
|
||||
Unix Domain Socket on the host of the client. The resolution must be
|
||||
set to STATIC to use Unix address endpoints.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: unix-domain-socket-example
|
||||
|
|
@ -240,7 +240,7 @@ reroute API calls for the <code>VirtualService</code> to a chosen backend. For
|
|||
example, the following configuration creates a non-existent external
|
||||
service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
|
||||
uk.foo.bar.com:9080, and in.foo.bar.com:7080</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-dns
|
||||
|
|
@ -271,7 +271,7 @@ be translated to <code>http://uk.foo.bar.com/baz</code>.</p>
|
|||
<p>The following example illustrates the usage of a <code>ServiceEntry</code>
|
||||
containing a subject alternate name
|
||||
whose format conforms to the <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md">SPIFFE standard</a>:</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: httpbin
|
||||
|
|
@ -298,7 +298,7 @@ VM-based instances with sidecars as well as a set of Kubernetes
|
|||
pods managed by a standard deployment object. Consumers of this
|
||||
service in the mesh will be automatically load balanced across the
|
||||
VMs and Kubernetes.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-vm-1
|
||||
|
|
@ -309,7 +309,7 @@ spec:
|
|||
app: details
|
||||
instance-id: vm1
|
||||
---
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-vm-2
|
||||
|
|
@ -324,7 +324,7 @@ spec:
|
|||
<code>app: details</code> using the same service account <code>details</code>, the
|
||||
following service entry declares a service spanning both VMs and
|
||||
Kubernetes:</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ in the root namespace called <code>istio-config</code>, that configures
|
|||
sidecars in all namespaces to allow egress traffic only to other
|
||||
workloads in the same namespace as well as to services in the
|
||||
<code>istio-system</code> namespace.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -64,7 +64,7 @@ spec:
|
|||
above, and configures the sidecars in the namespace to allow egress
|
||||
traffic to public services in the <code>prod-us1</code>, <code>prod-apis</code>, and the
|
||||
<code>istio-system</code> namespaces.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -84,7 +84,7 @@ the attached workload instance listening on a Unix domain
|
|||
socket. In the egress direction, in addition to the <code>istio-system</code>
|
||||
namespace, the sidecar proxies only HTTP traffic bound for port
|
||||
9080 for services in the <code>prod-us1</code> namespace.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: ratings
|
||||
|
|
@ -123,7 +123,7 @@ it to the application listening on <code>127.0.0.1:8080</code>. It also allows
|
|||
the application to communicate with a backing MySQL database on
|
||||
<code>127.0.0.1:3306</code>, that then gets proxied to the externally hosted
|
||||
MySQL service at <code>mysql.foo.com:3306</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: no-ip-tables
|
||||
|
|
@ -150,7 +150,7 @@ spec:
|
|||
- "*/mysql.foo.com"
|
||||
</code></pre>
|
||||
<p>And the associated service entry for routing to <code>mysql.foo.com:3306</code></p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-mysql
|
||||
|
|
@ -176,7 +176,7 @@ listener on <code>172.16.1.32:80</code> (the VM’s IP) for traffic arriving
|
|||
<p><strong>NOTE</strong>: The <code>ISTIO_META_INTERCEPTION_MODE</code> metadata on the
|
||||
proxy in the VM should contain <code>REDIRECT</code> or <code>TPROXY</code> as its value,
|
||||
implying that IP tables based traffic capture is active.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: partial-ip-tables
|
||||
|
|
@ -214,7 +214,7 @@ in order to set mTLS mode to “DISABLE” on specific
|
|||
ports.
|
||||
In this example, the mTLS mode is disabled on PORT 80.
|
||||
This feature is currently experimental.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: ratings
|
||||
|
|
@ -249,7 +249,7 @@ spec:
|
|||
selector:
|
||||
app: ratings
|
||||
---
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: ratings-peer-auth
|
||||
|
|
@ -271,7 +271,7 @@ connections to the service) as well as servers (for inbound connections to a ser
|
|||
instance). Using the <code>InboundConnectionPool</code> and per-port <code>ConnectionPool</code> settings
|
||||
in a <code>Sidecar</code> allow you to control those connection pools for the server separately
|
||||
from the settings pushed to all clients.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: connection-pool-settings
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ to be customized for specific client contexts.</p>
|
|||
pods of the reviews service with label “version: v1”. In addition,
|
||||
HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
|
||||
be rewritten to /newcatalog and sent to pods with label “version: v2”.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -72,7 +72,7 @@ spec:
|
|||
<p>A subset/version of a route destination is identified with a reference
|
||||
to a named service subset which must be declared in a corresponding
|
||||
<code>DestinationRule</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-destination
|
||||
|
|
@ -249,7 +249,7 @@ domain names over short names.</em></p>
|
|||
<p>The following Kubernetes example routes all traffic by default to pods
|
||||
of the reviews service with label “version: v1” (i.e., subset v1), and
|
||||
some to subset v2, in a Kubernetes environment.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -275,7 +275,7 @@ spec:
|
|||
subset: v1
|
||||
</code></pre>
|
||||
<p>And the associated DestinationRule</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-destination
|
||||
|
|
@ -299,7 +299,7 @@ that this rule is set in the istio-system namespace but uses the fully
|
|||
qualified domain name of the productpage service,
|
||||
productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
|
||||
not have an impact in resolving the name of the productpage service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: my-productpage-rule
|
||||
|
|
@ -318,7 +318,7 @@ services must first be added to Istio’s internal service registry using th
|
|||
ServiceEntry resource. VirtualServices can then be defined to control traffic
|
||||
bound to these external services. For example, the following rules define a
|
||||
Service for wikipedia.org and set a timeout of 5s for HTTP requests.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-wikipedia
|
||||
|
|
@ -332,7 +332,7 @@ spec:
|
|||
protocol: HTTP
|
||||
resolution: DNS
|
||||
---
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: my-wiki-rule
|
||||
|
|
@ -638,7 +638,7 @@ No
|
|||
<p>Describes the delegate VirtualService.
|
||||
The following routing rules forward the traffic to <code>/productpage</code> by a delegate VirtualService named <code>productpage</code>,
|
||||
forward the traffic to <code>/reviews</code> by a delegate VirtualService named <code>reviews</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo
|
||||
|
|
@ -661,7 +661,7 @@ spec:
|
|||
name: reviews
|
||||
namespace: nsB
|
||||
</code></pre>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: productpage
|
||||
|
|
@ -678,7 +678,7 @@ spec:
|
|||
- destination:
|
||||
host: productpage.nsA.svc.cluster.local
|
||||
</code></pre>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews
|
||||
|
|
@ -735,7 +735,7 @@ The following VirtualService adds a <code>test</code> header with the value <cod
|
|||
to requests that are routed to any <code>reviews</code> service destination.
|
||||
It also removes the <code>foo</code> response header, but only from responses
|
||||
coming from the <code>v1</code> subset (version) of the <code>reviews</code> service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -805,7 +805,7 @@ No
|
|||
traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
|
||||
traffic arriving at port 443 of gateway called “mygateway” to internal
|
||||
services in the mesh based on the SNI value.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-sni
|
||||
|
|
@ -874,7 +874,7 @@ No
|
|||
<p>Describes match conditions and actions for routing TCP traffic. The
|
||||
following routing rule forwards traffic arriving at port 27017 for
|
||||
mongo.prod.svc.cluster.local to another Mongo server on port 5555.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-mongo
|
||||
|
|
@ -936,7 +936,7 @@ rule to be applied to the HTTP request. For example, the following
|
|||
restricts the rule to match only requests where the URL path
|
||||
starts with /ratings/v2/ and the request contains a custom <code>end-user</code> header
|
||||
with value <code>jason</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1246,7 +1246,7 @@ determine the proportion of traffic it receives. For example, the
|
|||
following rule will route 25% of traffic for the “reviews” service to
|
||||
instances with the “v2” tag and the remaining traffic (i.e., 75%) to
|
||||
“v1”.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -1265,7 +1265,7 @@ spec:
|
|||
weight: 75
|
||||
</code></pre>
|
||||
<p>And the associated DestinationRule</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-destination
|
||||
|
|
@ -1282,7 +1282,7 @@ spec:
|
|||
<p>Traffic can also be split across two entirely different services without
|
||||
having to define new subsets. For example, the following rule forwards 25% of
|
||||
traffic to reviews.com to dev.reviews.com</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route-two-domains
|
||||
|
|
@ -1577,7 +1577,7 @@ where the Authority/Host and the URI in the response can be swapped with
|
|||
the specified values. For example, the following rule redirects
|
||||
requests for /v1/getProductRatings API on the ratings service to
|
||||
/v1/bookRatings provided by the bookratings service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1689,7 +1689,7 @@ No
|
|||
<p>HTTPDirectResponse can be used to send a fixed response to clients.
|
||||
For example, the following rule returns a fixed 503 status with a body
|
||||
to requests for /v1/getProductRatings API.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1708,7 +1708,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>It is also possible to specify a binary response body.
|
||||
This is mostly useful for non text-based protocols such as gRPC.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1728,7 +1728,7 @@ spec:
|
|||
<p>It is good practice to add headers in the HTTPRoute
|
||||
as well as the direct_response, for example to specify
|
||||
the returned Content-Type.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1830,7 +1830,7 @@ before forwarding the request to the destination. Rewrite primitive can
|
|||
be used only with HTTPRouteDestination. The following example
|
||||
demonstrates how to rewrite the URL prefix for api call (/ratings) to
|
||||
ratings service before making the actual API call.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -2000,7 +2000,7 @@ example, the following rule sets the maximum number of retries to 3 when
|
|||
calling ratings:v1 service, with a 2s timeout per retry attempt.
|
||||
A retry will be attempted if there is a connect-failure, refused_stream
|
||||
or when the upstream server responds with Service Unavailable(503).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -2097,7 +2097,7 @@ the following rule restricts cross origin requests to those originating
|
|||
from example.com domain using HTTP POST/GET, and sets the
|
||||
<code>Access-Control-Allow-Credentials</code> header to false. In addition, it only
|
||||
exposes <code>X-Foo-bar</code> header and sets an expiry period of 1 day.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -2413,7 +2413,7 @@ No
|
|||
forwarding path. The following example will introduce a 5 second delay
|
||||
in 1 out of every 1000 requests to the “v1” version of the “reviews”
|
||||
service from all pods with label env: prod</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -2493,7 +2493,7 @@ No
|
|||
<p>Abort specification is used to prematurely abort a request with a
|
||||
pre-specified error code. The following example will return an HTTP 400
|
||||
error code for 1 out of every 1000 requests to the “ratings” service “v1”.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ account. The service is exposed on port 80 to applications in the
|
|||
mesh. The HTTP traffic to this service is wrapped in Istio mutual
|
||||
TLS and sent to sidecars on VMs on target port 8080, that in turn
|
||||
forward it to the application on localhost on the same port.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -46,7 +46,7 @@ spec:
|
|||
instance-id: vm1
|
||||
</code></pre>
|
||||
<p>and the associated service entry</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -69,7 +69,7 @@ its fully qualified DNS name. The service entry’s resolution
|
|||
mode should be changed to DNS to indicate that the client-side
|
||||
sidecars should dynamically resolve the DNS name at runtime before
|
||||
forwarding the request.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -85,7 +85,7 @@ spec:
|
|||
instance-id: vm1
|
||||
</code></pre>
|
||||
<p>and the associated service entry</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -109,7 +109,7 @@ to write a <code>WorkloadEntry</code> in the local cluster that represents
|
|||
the Workload(s) in the remote network with the given labels. A
|
||||
single <code>WorkloadEntry</code> with weights represent the aggregate of all
|
||||
the actual workloads in a given remote network.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: foo-workloads-cluster-2
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ of workloads that will be registered under <code>reviews</code> in namespace
|
|||
instance during the bootstrap process, and the ports 3550 and 8080
|
||||
will be associated with the workload group and use service account <code>default</code>.
|
||||
<code>app.kubernetes.io/version</code> is just an arbitrary example of a label.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadGroup
|
||||
metadata:
|
||||
name: reviews
|
||||
|
|
|
|||
|
|
@ -205,12 +205,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -230,12 +230,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
@ -611,8 +612,8 @@ To be a valid path template, the path must not contain <code>*</code>, <code>{</
|
|||
<li><code>/foo/{*}</code> matches <code>/foo/bar</code> but not <code>/foo/bar/baz</code></li>
|
||||
<li><code>/foo/{**}/</code> matches <code>/foo/bar/</code>, <code>/foo/bar/baz.txt</code>, and <code>/foo//</code> but not <code>/foo/bar</code></li>
|
||||
<li><code>/foo/{*}/bar/{**}</code> matches <code>/foo/buzz/bar/</code> and <code>/foo/buzz/bar/baz</code></li>
|
||||
<li><code>/*/baz/{*}`` is not a valid path template since it includes </code>*` outside of a supported operator</li>
|
||||
<li><code>/**/baz/{*}`` is not a valid path template since it includes </code>**` outside of a supported operator</li>
|
||||
<li><code>/*/baz/{*}</code> is not a valid path template since it includes <code>*</code> outside of a supported operator</li>
|
||||
<li><code>/**/baz/{*}</code> is not a valid path template since it includes <code>**</code> outside of a supported operator</li>
|
||||
<li><code>/{**}/foo/{*}</code> is not a valid path template since <code>{**}</code> is not the last operator</li>
|
||||
<li><code>/foo/{*}.txt</code> is invalid since there are characters other than <code>{*}</code> in the path segment</li>
|
||||
</ul>
|
||||
|
|
@ -819,7 +820,7 @@ One example use case of the extension is to integrate with a custom external aut
|
|||
the authorization decision to it.</p>
|
||||
<p>The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension
|
||||
<code>my-custom-authz</code> if the request path has prefix <code>/admin/</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ext-authz
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ Development of PeerAuthentication is currently frozen and likely to be replaced
|
|||
PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.</p>
|
||||
<p>Examples:</p>
|
||||
<p>Policy to allow mTLS traffic for all workloads under namespace <code>foo</code>:</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -30,7 +30,7 @@ spec:
|
|||
<p>For mesh level, put the policy in root-namespace according to your Istio installation.</p>
|
||||
<p>Policies to allow both mTLS and plaintext traffic for all workloads under namespace <code>foo</code>, but
|
||||
require mTLS for workload <code>finance</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -39,7 +39,7 @@ spec:
|
|||
mtls:
|
||||
mode: PERMISSIVE
|
||||
---
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: finance
|
||||
|
|
@ -54,7 +54,7 @@ spec:
|
|||
<p>Policy that enables strict mTLS for all <code>finance</code> workloads, but leaves the port <code>8080</code> to
|
||||
plaintext. Note the port value in the <code>portLevelMtls</code> field refers to the port
|
||||
of the workload, not the port of the Kubernetes service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -71,7 +71,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
|
||||
mTLS for workload port <code>8080</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
|
|||
|
|
@ -179,7 +179,7 @@ spec:
|
|||
- source:
|
||||
requestPrincipals: ["*"]
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: route-jwt
|
||||
|
|
@ -234,12 +234,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ selecting any given workload.</p>
|
|||
</ol>
|
||||
<h4 id="examples">Examples</h4>
|
||||
<p>Policy to enable random sampling for 10% of traffic:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -37,7 +37,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>Policy to disable trace reporting for the <code>foo</code> workload (note: tracing
|
||||
context will still be propagated):</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: foo-tracing
|
||||
|
|
@ -50,7 +50,7 @@ spec:
|
|||
- disableSpanReporting: true
|
||||
</code></pre>
|
||||
<p>Policy to select the alternate zipkin provider for trace reporting:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: foo-tracing-alternate
|
||||
|
|
@ -65,7 +65,7 @@ spec:
|
|||
randomSamplingPercentage: 10.00
|
||||
</code></pre>
|
||||
<p>Policy to tailor the zipkin provider to sample traces from Client workloads only:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -78,7 +78,7 @@ spec:
|
|||
- name: "zipkin"
|
||||
</code></pre>
|
||||
<p>Policy to add a custom tag from a literal value:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -93,7 +93,7 @@ spec:
|
|||
value: "foo"
|
||||
</code></pre>
|
||||
<p>Policy to disable server-side metrics for Prometheus for an entire mesh:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -110,7 +110,7 @@ spec:
|
|||
disabled: true
|
||||
</code></pre>
|
||||
<p>Policy to add dimensions to all Prometheus metrics for the <code>foo</code> namespace:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: namespace-metrics
|
||||
|
|
@ -130,7 +130,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>Policy to remove the <code>response_code</code> dimension on some Prometheus metrics for
|
||||
the <code>bar.foo</code> workload:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: remove-response-code
|
||||
|
|
@ -165,7 +165,7 @@ spec:
|
|||
operation: REMOVE
|
||||
</code></pre>
|
||||
<p>Policy to enable access logging for the entire mesh:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -181,7 +181,7 @@ spec:
|
|||
# those cases, `disabled: false` must be set explicitly to override.
|
||||
</code></pre>
|
||||
<p>Policy to disable access logging for the <code>foo</code> namespace:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: namespace-no-log
|
||||
|
|
@ -223,12 +223,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -74,9 +74,9 @@ Yes
|
|||
</section>
|
||||
<h2 id="PolicyTargetReference">PolicyTargetReference</h2>
|
||||
<section>
|
||||
<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api">GEP-713</a>.</p>
|
||||
<p>PolicyTargetReferences specifies the targeted resource which the policy
|
||||
can be applied to. It must only target a single resource at a time, but it
|
||||
<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules">GEP-2648</a>.</p>
|
||||
<p>PolicyTargetReference specifies the targeted resource which the policy
|
||||
should be applied to. It must only target a single resource at a time, but it
|
||||
can be used to target larger resources such as Gateways that may apply to
|
||||
multiple child resources. The PolicyTargetReference will be used instead of
|
||||
a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
|
||||
|
|
@ -91,8 +91,8 @@ metadata:
|
|||
name: httpbin
|
||||
namespace: foo
|
||||
spec:
|
||||
targetRef:
|
||||
name: waypoint
|
||||
targetRefs:
|
||||
- name: waypoint
|
||||
kind: Gateway
|
||||
group: gateway.networking.k8s.io
|
||||
action: DENY
|
||||
|
|
|
|||
|
|
@ -81,11 +81,11 @@ remove_toc_prefix: 'install-cni '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -105,7 +105,7 @@ remove_toc_prefix: 'install-cni '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -203,11 +203,11 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -227,7 +227,7 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -272,11 +272,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -296,7 +296,7 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -340,11 +340,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -364,7 +364,7 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -407,11 +407,11 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -431,7 +431,7 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -481,11 +481,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -505,7 +505,7 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
@ -548,12 +548,12 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
|
@ -578,7 +578,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
|
|
|||
|
|
@ -913,160 +913,6 @@ Istio supports to control its behavior.
|
|||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeInboundPorts">traffic.istio.io/excludeInboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeInboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeInterfaces">traffic.istio.io/excludeInterfaces</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeInterfaces</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of interfaces to be excluded from Istio traffic capture</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeOutboundIPRanges">traffic.istio.io/excludeOutboundIPRanges</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeOutboundIPRanges</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficExcludeOutboundPorts">traffic.istio.io/excludeOutboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/excludeOutboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of outbound ports to be excluded from redirection to Envoy.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficIncludeInboundPorts">traffic.istio.io/includeInboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/includeInboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficIncludeOutboundIPRanges">traffic.istio.io/includeOutboundIPRanges</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/includeOutboundIPRanges</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficIncludeOutboundPorts">traffic.istio.io/includeOutboundPorts</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
<td><code>traffic.istio.io/includeOutboundPorts</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Feature Status</th>
|
||||
<td>Alpha</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Resource Types</th>
|
||||
<td>[Pod]</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Description</th>
|
||||
<td><p>A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2 id="TrafficNodeSelector">traffic.istio.io/nodeSelector</h2>
|
||||
<table class="annotations">
|
||||
<tbody>
|
||||
|
|
|
|||
|
|
@ -3957,7 +3957,7 @@ No
|
|||
<td><code>envoyDebugHeaders</code></td>
|
||||
<td><code><a href="#ProxyConfig-ProxyHeaders-EnvoyDebugHeaders">EnvoyDebugHeaders</a></code></td>
|
||||
<td>
|
||||
<p>Controls various <code>X-Envoy-*</code> headers, such as <code>X-Envoy-Overloaded</code> and `X-Envoy-Upstream-Service-Time. If enabled,
|
||||
<p>Controls various <code>X-Envoy-*</code> headers, such as <code>X-Envoy-Overloaded</code> and <code>X-Envoy-Upstream-Service-Time</code>. If enabled,
|
||||
these headers will be included.
|
||||
If disabled, these headers will not be set. If they are already present, they will be preserved.
|
||||
See the <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers">Envoy documentation</a> for more details.
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ for load balancing, connection pool size from the sidecar, and outlier
|
|||
detection settings to detect and evict unhealthy hosts from the load
|
||||
balancing pool. For example, a simple load balancing policy for the
|
||||
ratings service would look as follows:</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -31,7 +31,7 @@ spec:
|
|||
following rule uses a round robin load balancing policy for all traffic
|
||||
going to a subset named testversion that is composed of endpoints (e.g.,
|
||||
pods) with labels (version:v3).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -54,7 +54,7 @@ a route rule explicitly sends traffic to this subset.</p>
|
|||
following rule uses the least connection load balancing policy for all
|
||||
traffic to port 80, while uses a round robin load balancing setting for
|
||||
traffic to the port 9080.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings-port
|
||||
|
|
@ -74,7 +74,7 @@ spec:
|
|||
<p>Destination Rules can be customized to specific workloads as well.
|
||||
The following example shows how a destination rule can be applied to a
|
||||
specific workload using the workloadSelector configuration.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: configure-client-mtls-dr-with-workloadselector
|
||||
|
|
@ -311,7 +311,7 @@ service-level can be overridden at a subset-level. The following rule
|
|||
uses a round robin load balancing policy for all traffic going to a
|
||||
subset named testversion that is composed of endpoints (e.g., pods) with
|
||||
labels (version:v3).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -395,7 +395,7 @@ load balancing
|
|||
for more details.</p>
|
||||
<p>For example, the following rule uses a round robin load balancing policy
|
||||
for all traffic going to the ratings service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -408,7 +408,7 @@ spec:
|
|||
<p>The following example sets up sticky sessions for the ratings service
|
||||
hashing-based load balancer for the same ratings service using the
|
||||
the User cookie as the hash key.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-ratings
|
||||
|
|
@ -492,7 +492,7 @@ for more details. Connection pool settings can be applied at the TCP
|
|||
level as well as at HTTP level.</p>
|
||||
<p>For example, the following rule sets a limit of 100 connections to redis
|
||||
service called myredissrv with a connect timeout of 30ms</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: bookinfo-redis
|
||||
|
|
@ -559,7 +559,7 @@ with no more than 10 req/connection to the “reviews” service. In add
|
|||
it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
|
||||
hosts to be scanned every 5 mins so that any host that fails 7 consecutive
|
||||
times with a 502, 503, or 504 error code will be ejected for 15 minutes.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-cb-policy
|
||||
|
|
@ -728,7 +728,7 @@ context</a>
|
|||
for more details. These settings are common to both HTTP and TCP upstreams.</p>
|
||||
<p>For example, the following rule configures a client to use mutual TLS
|
||||
for connections to upstream database cluster.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: db-mtls
|
||||
|
|
@ -743,7 +743,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>The following rule configures a client to use TLS when talking to a
|
||||
foreign service whose domain matches *.foo.com.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: tls-foo
|
||||
|
|
@ -755,7 +755,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>The following rule configures a client to use Istio mutual TLS when talking
|
||||
to rating services.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: ratings-istio-mtls
|
||||
|
|
|
|||
|
|
@ -389,12 +389,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ as a load balancer exposing port 80 and 9080 (http), 443 (https),
|
|||
applied to the proxy running on a pod with labels <code>app: my-gateway-controller</code>. While Istio will configure the proxy to listen
|
||||
on these ports, it is the responsibility of the user to ensure that
|
||||
external traffic to these ports are allowed into the mesh.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-gateway
|
||||
|
|
@ -84,7 +84,7 @@ in the qa version. The same rule is also applicable inside the mesh for
|
|||
requests to the “reviews.prod.svc.cluster.local” service. This rule is
|
||||
applicable across ports 443, 9080. Note that <code>http://uk.bookinfo.com</code>
|
||||
gets redirected to <code>https://uk.bookinfo.com</code> (i.e. 80 redirects to 443).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-rule
|
||||
|
|
@ -124,7 +124,7 @@ spec:
|
|||
port 27017 to internal Mongo server on port 5555. This rule is not
|
||||
applicable internally in the mesh as the gateway list omits the
|
||||
reserved name <code>mesh</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-mongo
|
||||
|
|
@ -148,7 +148,7 @@ a gateway server using the namespace/hostname syntax in the hosts field.
|
|||
For example, the following Gateway allows any virtual service in the ns1
|
||||
namespace to bind to it, while restricting only the virtual service with
|
||||
foo.bar.com host in the ns2 namespace to bind to it.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-gateway
|
||||
|
|
@ -221,7 +221,7 @@ No
|
|||
<section>
|
||||
<p><code>Server</code> describes the properties of the proxy on a given load balancer
|
||||
port. For example,</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-ingress
|
||||
|
|
@ -237,7 +237,7 @@ spec:
|
|||
- "*"
|
||||
</code></pre>
|
||||
<p>Another example</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-tcp-ingress
|
||||
|
|
@ -253,7 +253,7 @@ spec:
|
|||
- "*"
|
||||
</code></pre>
|
||||
<p>The following is an example of TLS configuration for port 443</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: my-tls-ingress
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ services.</p>
|
|||
<p>The following example declares a few external APIs accessed by internal
|
||||
applications over HTTPS. The sidecar inspects the SNI value in the
|
||||
ClientHello message to route to the appropriate external service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-https
|
||||
|
|
@ -48,7 +48,7 @@ spec:
|
|||
unmanaged VMs to Istio’s registry, so that these services can be treated
|
||||
as any other service in the mesh. The associated DestinationRule is used
|
||||
to initiate mTLS connections to the database instances.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-mongocluster
|
||||
|
|
@ -68,7 +68,7 @@ spec:
|
|||
- address: 3.3.3.3
|
||||
</code></pre>
|
||||
<p>and the associated DestinationRule</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: mtls-mongocluster
|
||||
|
|
@ -84,7 +84,7 @@ spec:
|
|||
<p>The following example uses a combination of service entry and TLS
|
||||
routing in a virtual service to steer traffic based on the SNI value to
|
||||
an internal egress firewall.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-redirect
|
||||
|
|
@ -100,7 +100,7 @@ spec:
|
|||
resolution: NONE
|
||||
</code></pre>
|
||||
<p>And the associated VirtualService to route based on the SNI value.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: tls-routing
|
||||
|
|
@ -127,7 +127,7 @@ declaration to other namespaces in the mesh. By default, a service is exported
|
|||
to all namespaces. The following example restricts the visibility to the
|
||||
current namespace, represented by “.”, so that it cannot be used by other
|
||||
namespaces.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-httpbin
|
||||
|
|
@ -145,7 +145,7 @@ spec:
|
|||
resolution: DNS
|
||||
</code></pre>
|
||||
<p>Define a gateway to handle all egress traffic.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: istio-egressgateway
|
||||
|
|
@ -167,7 +167,7 @@ well as route from the gateway to the external service. Note that the
|
|||
virtual service is exported to all namespaces enabling them to route traffic
|
||||
through the gateway to the external service. Forcing traffic to go through
|
||||
a managed middle proxy like this is a common practice.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: gateway-routing
|
||||
|
|
@ -200,7 +200,7 @@ spec:
|
|||
external services. If the connection has to be routed to the IP address
|
||||
requested by the application (i.e. application resolves DNS and attempts
|
||||
to connect to a specific IP), the resolution mode must be set to <code>NONE</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-wildcard-example
|
||||
|
|
@ -217,7 +217,7 @@ spec:
|
|||
<p>The following example demonstrates a service that is available via a
|
||||
Unix Domain Socket on the host of the client. The resolution must be
|
||||
set to STATIC to use Unix address endpoints.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: unix-domain-socket-example
|
||||
|
|
@ -240,7 +240,7 @@ reroute API calls for the <code>VirtualService</code> to a chosen backend. For
|
|||
example, the following configuration creates a non-existent external
|
||||
service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
|
||||
uk.foo.bar.com:9080, and in.foo.bar.com:7080</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-dns
|
||||
|
|
@ -271,7 +271,7 @@ be translated to <code>http://uk.foo.bar.com/baz</code>.</p>
|
|||
<p>The following example illustrates the usage of a <code>ServiceEntry</code>
|
||||
containing a subject alternate name
|
||||
whose format conforms to the <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md">SPIFFE standard</a>:</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: httpbin
|
||||
|
|
@ -298,7 +298,7 @@ VM-based instances with sidecars as well as a set of Kubernetes
|
|||
pods managed by a standard deployment object. Consumers of this
|
||||
service in the mesh will be automatically load balanced across the
|
||||
VMs and Kubernetes.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-vm-1
|
||||
|
|
@ -309,7 +309,7 @@ spec:
|
|||
app: details
|
||||
instance-id: vm1
|
||||
---
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-vm-2
|
||||
|
|
@ -324,7 +324,7 @@ spec:
|
|||
<code>app: details</code> using the same service account <code>details</code>, the
|
||||
following service entry declares a service spanning both VMs and
|
||||
Kubernetes:</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ in the root namespace called <code>istio-config</code>, that configures
|
|||
sidecars in all namespaces to allow egress traffic only to other
|
||||
workloads in the same namespace as well as to services in the
|
||||
<code>istio-system</code> namespace.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -64,7 +64,7 @@ spec:
|
|||
above, and configures the sidecars in the namespace to allow egress
|
||||
traffic to public services in the <code>prod-us1</code>, <code>prod-apis</code>, and the
|
||||
<code>istio-system</code> namespaces.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -84,7 +84,7 @@ the attached workload instance listening on a Unix domain
|
|||
socket. In the egress direction, in addition to the <code>istio-system</code>
|
||||
namespace, the sidecar proxies only HTTP traffic bound for port
|
||||
9080 for services in the <code>prod-us1</code> namespace.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: ratings
|
||||
|
|
@ -123,7 +123,7 @@ it to the application listening on <code>127.0.0.1:8080</code>. It also allows
|
|||
the application to communicate with a backing MySQL database on
|
||||
<code>127.0.0.1:3306</code>, that then gets proxied to the externally hosted
|
||||
MySQL service at <code>mysql.foo.com:3306</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: no-ip-tables
|
||||
|
|
@ -150,7 +150,7 @@ spec:
|
|||
- "*/mysql.foo.com"
|
||||
</code></pre>
|
||||
<p>And the associated service entry for routing to <code>mysql.foo.com:3306</code></p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-mysql
|
||||
|
|
@ -176,7 +176,7 @@ listener on <code>172.16.1.32:80</code> (the VM’s IP) for traffic arriving
|
|||
<p><strong>NOTE</strong>: The <code>ISTIO_META_INTERCEPTION_MODE</code> metadata on the
|
||||
proxy in the VM should contain <code>REDIRECT</code> or <code>TPROXY</code> as its value,
|
||||
implying that IP tables based traffic capture is active.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: partial-ip-tables
|
||||
|
|
@ -214,7 +214,7 @@ in order to set mTLS mode to “DISABLE” on specific
|
|||
ports.
|
||||
In this example, the mTLS mode is disabled on PORT 80.
|
||||
This feature is currently experimental.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: ratings
|
||||
|
|
@ -249,7 +249,7 @@ spec:
|
|||
selector:
|
||||
app: ratings
|
||||
---
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: ratings-peer-auth
|
||||
|
|
@ -271,7 +271,7 @@ connections to the service) as well as servers (for inbound connections to a ser
|
|||
instance). Using the <code>InboundConnectionPool</code> and per-port <code>ConnectionPool</code> settings
|
||||
in a <code>Sidecar</code> allow you to control those connection pools for the server separately
|
||||
from the settings pushed to all clients.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: Sidecar
|
||||
metadata:
|
||||
name: connection-pool-settings
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ to be customized for specific client contexts.</p>
|
|||
pods of the reviews service with label “version: v1”. In addition,
|
||||
HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
|
||||
be rewritten to /newcatalog and sent to pods with label “version: v2”.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -72,7 +72,7 @@ spec:
|
|||
<p>A subset/version of a route destination is identified with a reference
|
||||
to a named service subset which must be declared in a corresponding
|
||||
<code>DestinationRule</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-destination
|
||||
|
|
@ -249,7 +249,7 @@ domain names over short names.</em></p>
|
|||
<p>The following Kubernetes example routes all traffic by default to pods
|
||||
of the reviews service with label “version: v1” (i.e., subset v1), and
|
||||
some to subset v2, in a Kubernetes environment.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -275,7 +275,7 @@ spec:
|
|||
subset: v1
|
||||
</code></pre>
|
||||
<p>And the associated DestinationRule</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-destination
|
||||
|
|
@ -299,7 +299,7 @@ that this rule is set in the istio-system namespace but uses the fully
|
|||
qualified domain name of the productpage service,
|
||||
productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
|
||||
not have an impact in resolving the name of the productpage service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: my-productpage-rule
|
||||
|
|
@ -318,7 +318,7 @@ services must first be added to Istio’s internal service registry using th
|
|||
ServiceEntry resource. VirtualServices can then be defined to control traffic
|
||||
bound to these external services. For example, the following rules define a
|
||||
Service for wikipedia.org and set a timeout of 5s for HTTP requests.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-svc-wikipedia
|
||||
|
|
@ -332,7 +332,7 @@ spec:
|
|||
protocol: HTTP
|
||||
resolution: DNS
|
||||
---
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: my-wiki-rule
|
||||
|
|
@ -638,7 +638,7 @@ No
|
|||
<p>Describes the delegate VirtualService.
|
||||
The following routing rules forward the traffic to <code>/productpage</code> by a delegate VirtualService named <code>productpage</code>,
|
||||
forward the traffic to <code>/reviews</code> by a delegate VirtualService named <code>reviews</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo
|
||||
|
|
@ -661,7 +661,7 @@ spec:
|
|||
name: reviews
|
||||
namespace: nsB
|
||||
</code></pre>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: productpage
|
||||
|
|
@ -678,7 +678,7 @@ spec:
|
|||
- destination:
|
||||
host: productpage.nsA.svc.cluster.local
|
||||
</code></pre>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews
|
||||
|
|
@ -735,7 +735,7 @@ The following VirtualService adds a <code>test</code> header with the value <cod
|
|||
to requests that are routed to any <code>reviews</code> service destination.
|
||||
It also removes the <code>foo</code> response header, but only from responses
|
||||
coming from the <code>v1</code> subset (version) of the <code>reviews</code> service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -805,7 +805,7 @@ No
|
|||
traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
|
||||
traffic arriving at port 443 of gateway called “mygateway” to internal
|
||||
services in the mesh based on the SNI value.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-sni
|
||||
|
|
@ -874,7 +874,7 @@ No
|
|||
<p>Describes match conditions and actions for routing TCP traffic. The
|
||||
following routing rule forwards traffic arriving at port 27017 for
|
||||
mongo.prod.svc.cluster.local to another Mongo server on port 5555.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: bookinfo-mongo
|
||||
|
|
@ -936,7 +936,7 @@ rule to be applied to the HTTP request. For example, the following
|
|||
restricts the rule to match only requests where the URL path
|
||||
starts with /ratings/v2/ and the request contains a custom <code>end-user</code> header
|
||||
with value <code>jason</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1246,7 +1246,7 @@ determine the proportion of traffic it receives. For example, the
|
|||
following rule will route 25% of traffic for the “reviews” service to
|
||||
instances with the “v2” tag and the remaining traffic (i.e., 75%) to
|
||||
“v1”.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -1265,7 +1265,7 @@ spec:
|
|||
weight: 75
|
||||
</code></pre>
|
||||
<p>And the associated DestinationRule</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: DestinationRule
|
||||
metadata:
|
||||
name: reviews-destination
|
||||
|
|
@ -1282,7 +1282,7 @@ spec:
|
|||
<p>Traffic can also be split across two entirely different services without
|
||||
having to define new subsets. For example, the following rule forwards 25% of
|
||||
traffic to reviews.com to dev.reviews.com</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route-two-domains
|
||||
|
|
@ -1577,7 +1577,7 @@ where the Authority/Host and the URI in the response can be swapped with
|
|||
the specified values. For example, the following rule redirects
|
||||
requests for /v1/getProductRatings API on the ratings service to
|
||||
/v1/bookRatings provided by the bookratings service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1689,7 +1689,7 @@ No
|
|||
<p>HTTPDirectResponse can be used to send a fixed response to clients.
|
||||
For example, the following rule returns a fixed 503 status with a body
|
||||
to requests for /v1/getProductRatings API.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1708,7 +1708,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>It is also possible to specify a binary response body.
|
||||
This is mostly useful for non text-based protocols such as gRPC.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1728,7 +1728,7 @@ spec:
|
|||
<p>It is good practice to add headers in the HTTPRoute
|
||||
as well as the direct_response, for example to specify
|
||||
the returned Content-Type.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -1830,7 +1830,7 @@ before forwarding the request to the destination. Rewrite primitive can
|
|||
be used only with HTTPRouteDestination. The following example
|
||||
demonstrates how to rewrite the URL prefix for api call (/ratings) to
|
||||
ratings service before making the actual API call.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -2000,7 +2000,7 @@ example, the following rule sets the maximum number of retries to 3 when
|
|||
calling ratings:v1 service, with a 2s timeout per retry attempt.
|
||||
A retry will be attempted if there is a connect-failure, refused_stream
|
||||
or when the upstream server responds with Service Unavailable(503).</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -2097,7 +2097,7 @@ the following rule restricts cross origin requests to those originating
|
|||
from example.com domain using HTTP POST/GET, and sets the
|
||||
<code>Access-Control-Allow-Credentials</code> header to false. In addition, it only
|
||||
exposes <code>X-Foo-bar</code> header and sets an expiry period of 1 day.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
@ -2413,7 +2413,7 @@ No
|
|||
forwarding path. The following example will introduce a 5 second delay
|
||||
in 1 out of every 1000 requests to the “v1” version of the “reviews”
|
||||
service from all pods with label env: prod</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: reviews-route
|
||||
|
|
@ -2493,7 +2493,7 @@ No
|
|||
<p>Abort specification is used to prematurely abort a request with a
|
||||
pre-specified error code. The following example will return an HTTP 400
|
||||
error code for 1 out of every 1000 requests to the “ratings” service “v1”.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: ratings-route
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ account. The service is exposed on port 80 to applications in the
|
|||
mesh. The HTTP traffic to this service is wrapped in Istio mutual
|
||||
TLS and sent to sidecars on VMs on target port 8080, that in turn
|
||||
forward it to the application on localhost on the same port.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -46,7 +46,7 @@ spec:
|
|||
instance-id: vm1
|
||||
</code></pre>
|
||||
<p>and the associated service entry</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -69,7 +69,7 @@ its fully qualified DNS name. The service entry’s resolution
|
|||
mode should be changed to DNS to indicate that the client-side
|
||||
sidecars should dynamically resolve the DNS name at runtime before
|
||||
forwarding the request.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -85,7 +85,7 @@ spec:
|
|||
instance-id: vm1
|
||||
</code></pre>
|
||||
<p>and the associated service entry</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: details-svc
|
||||
|
|
@ -109,7 +109,7 @@ to write a <code>WorkloadEntry</code> in the local cluster that represents
|
|||
the Workload(s) in the remote network with the given labels. A
|
||||
single <code>WorkloadEntry</code> with weights represent the aggregate of all
|
||||
the actual workloads in a given remote network.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadEntry
|
||||
metadata:
|
||||
name: foo-workloads-cluster-2
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ of workloads that will be registered under <code>reviews</code> in namespace
|
|||
instance during the bootstrap process, and the ports 3550 and 8080
|
||||
will be associated with the workload group and use service account <code>default</code>.
|
||||
<code>app.kubernetes.io/version</code> is just an arbitrary example of a label.</p>
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1
|
||||
kind: WorkloadGroup
|
||||
metadata:
|
||||
name: reviews
|
||||
|
|
|
|||
|
|
@ -205,12 +205,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -230,12 +230,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
@ -611,8 +612,8 @@ To be a valid path template, the path must not contain <code>*</code>, <code>{</
|
|||
<li><code>/foo/{*}</code> matches <code>/foo/bar</code> but not <code>/foo/bar/baz</code></li>
|
||||
<li><code>/foo/{**}/</code> matches <code>/foo/bar/</code>, <code>/foo/bar/baz.txt</code>, and <code>/foo//</code> but not <code>/foo/bar</code></li>
|
||||
<li><code>/foo/{*}/bar/{**}</code> matches <code>/foo/buzz/bar/</code> and <code>/foo/buzz/bar/baz</code></li>
|
||||
<li><code>/*/baz/{*}`` is not a valid path template since it includes </code>*` outside of a supported operator</li>
|
||||
<li><code>/**/baz/{*}`` is not a valid path template since it includes </code>**` outside of a supported operator</li>
|
||||
<li><code>/*/baz/{*}</code> is not a valid path template since it includes <code>*</code> outside of a supported operator</li>
|
||||
<li><code>/**/baz/{*}</code> is not a valid path template since it includes <code>**</code> outside of a supported operator</li>
|
||||
<li><code>/{**}/foo/{*}</code> is not a valid path template since <code>{**}</code> is not the last operator</li>
|
||||
<li><code>/foo/{*}.txt</code> is invalid since there are characters other than <code>{*}</code> in the path segment</li>
|
||||
</ul>
|
||||
|
|
@ -819,7 +820,7 @@ One example use case of the extension is to integrate with a custom external aut
|
|||
the authorization decision to it.</p>
|
||||
<p>The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension
|
||||
<code>my-custom-authz</code> if the request path has prefix <code>/admin/</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: ext-authz
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ Development of PeerAuthentication is currently frozen and likely to be replaced
|
|||
PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.</p>
|
||||
<p>Examples:</p>
|
||||
<p>Policy to allow mTLS traffic for all workloads under namespace <code>foo</code>:</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -30,7 +30,7 @@ spec:
|
|||
<p>For mesh level, put the policy in root-namespace according to your Istio installation.</p>
|
||||
<p>Policies to allow both mTLS and plaintext traffic for all workloads under namespace <code>foo</code>, but
|
||||
require mTLS for workload <code>finance</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -39,7 +39,7 @@ spec:
|
|||
mtls:
|
||||
mode: PERMISSIVE
|
||||
---
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: finance
|
||||
|
|
@ -54,7 +54,7 @@ spec:
|
|||
<p>Policy that enables strict mTLS for all <code>finance</code> workloads, but leaves the port <code>8080</code> to
|
||||
plaintext. Note the port value in the <code>portLevelMtls</code> field refers to the port
|
||||
of the workload, not the port of the Kubernetes service.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
@ -71,7 +71,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
|
||||
mTLS for workload port <code>8080</code>.</p>
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
|
||||
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
|
||||
kind: PeerAuthentication
|
||||
metadata:
|
||||
name: default
|
||||
|
|
|
|||
|
|
@ -179,7 +179,7 @@ spec:
|
|||
- source:
|
||||
requestPrincipals: ["*"]
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
apiVersion: networking.istio.io/v1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: route-jwt
|
||||
|
|
@ -234,12 +234,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ selecting any given workload.</p>
|
|||
</ol>
|
||||
<h4 id="examples">Examples</h4>
|
||||
<p>Policy to enable random sampling for 10% of traffic:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -37,7 +37,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>Policy to disable trace reporting for the <code>foo</code> workload (note: tracing
|
||||
context will still be propagated):</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: foo-tracing
|
||||
|
|
@ -50,7 +50,7 @@ spec:
|
|||
- disableSpanReporting: true
|
||||
</code></pre>
|
||||
<p>Policy to select the alternate zipkin provider for trace reporting:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: foo-tracing-alternate
|
||||
|
|
@ -65,7 +65,7 @@ spec:
|
|||
randomSamplingPercentage: 10.00
|
||||
</code></pre>
|
||||
<p>Policy to tailor the zipkin provider to sample traces from Client workloads only:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -78,7 +78,7 @@ spec:
|
|||
- name: "zipkin"
|
||||
</code></pre>
|
||||
<p>Policy to add a custom tag from a literal value:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -93,7 +93,7 @@ spec:
|
|||
value: "foo"
|
||||
</code></pre>
|
||||
<p>Policy to disable server-side metrics for Prometheus for an entire mesh:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -110,7 +110,7 @@ spec:
|
|||
disabled: true
|
||||
</code></pre>
|
||||
<p>Policy to add dimensions to all Prometheus metrics for the <code>foo</code> namespace:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: namespace-metrics
|
||||
|
|
@ -130,7 +130,7 @@ spec:
|
|||
</code></pre>
|
||||
<p>Policy to remove the <code>response_code</code> dimension on some Prometheus metrics for
|
||||
the <code>bar.foo</code> workload:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: remove-response-code
|
||||
|
|
@ -165,7 +165,7 @@ spec:
|
|||
operation: REMOVE
|
||||
</code></pre>
|
||||
<p>Policy to enable access logging for the entire mesh:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: mesh-default
|
||||
|
|
@ -181,7 +181,7 @@ spec:
|
|||
# those cases, `disabled: false` must be set explicitly to override.
|
||||
</code></pre>
|
||||
<p>Policy to disable access logging for the <code>foo</code> namespace:</p>
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1alpha1
|
||||
<pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
|
||||
kind: Telemetry
|
||||
metadata:
|
||||
name: namespace-no-log
|
||||
|
|
@ -223,12 +223,13 @@ No
|
|||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Optional. The targetRefs specifies a list of resources the policy should be
|
||||
applied to. The targeted resources specified will determine which workloads
|
||||
the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
<li><code>kind: Service</code> with <code>""</code> in the same namespace. This type is only supported for waypoints.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
|
|
|
|||
|
|
@ -74,9 +74,9 @@ Yes
|
|||
</section>
|
||||
<h2 id="PolicyTargetReference">PolicyTargetReference</h2>
|
||||
<section>
|
||||
<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api">GEP-713</a>.</p>
|
||||
<p>PolicyTargetReferences specifies the targeted resource which the policy
|
||||
can be applied to. It must only target a single resource at a time, but it
|
||||
<p>PolicyTargetReference format as defined by <a href="https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules">GEP-2648</a>.</p>
|
||||
<p>PolicyTargetReference specifies the targeted resource which the policy
|
||||
should be applied to. It must only target a single resource at a time, but it
|
||||
can be used to target larger resources such as Gateways that may apply to
|
||||
multiple child resources. The PolicyTargetReference will be used instead of
|
||||
a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
|
||||
|
|
@ -91,8 +91,8 @@ metadata:
|
|||
name: httpbin
|
||||
namespace: foo
|
||||
spec:
|
||||
targetRef:
|
||||
name: waypoint
|
||||
targetRefs:
|
||||
- name: waypoint
|
||||
kind: Gateway
|
||||
group: gateway.networking.k8s.io
|
||||
action: DENY
|
||||
|
|
|
|||
|
|
@ -414,3 +414,49 @@ features:
|
|||
link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/"
|
||||
nextExpectedPromotion: ""
|
||||
area: Core
|
||||
# Ambient
|
||||
- name: "Ztunnel Core"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Beta
|
||||
area: Ambient
|
||||
- name: "Waypoints Core"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Beta
|
||||
area: Ambient
|
||||
- name: "Authorization Policies"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Beta
|
||||
area: Ambient
|
||||
- name: "Gateway API (HTTPRoute)"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Beta
|
||||
area: Ambient
|
||||
- name: "Sidecar Interop"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Alpha
|
||||
area: Ambient
|
||||
- name: "DNS Proxying"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Alpha
|
||||
area: Ambient
|
||||
- name: "Multi-cluster"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Alpha
|
||||
area: Ambient
|
||||
- name: "Multi-network"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Experimental
|
||||
area: Ambient
|
||||
- name: "Dual Stack, IPv6"
|
||||
level:
|
||||
checklist: features/ambient.md
|
||||
maturity: Experimental
|
||||
area: Ambient
|
||||
Loading…
Reference in New Issue