diff --git a/content/en/docs/reference/commands/install-cni/index.html b/content/en/docs/reference/commands/install-cni/index.html index 6c5940d5ba..217a01b84e 100644 --- a/content/en/docs/reference/commands/install-cni/index.html +++ b/content/en/docs/reference/commands/install-cni/index.html @@ -81,11 +81,11 @@ remove_toc_prefix: 'install-cni ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) --log_rotate <string> 
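Review bot: the scope list on the added `--log_caller` and `--log_output_level` lines drops `ambient` and gains `cni-agent`, but nothing says whether `ambient` was renamed or removed. An existing setting such as `--log_output_level ambient:debug` no longer matches a documented scope, so state in the flag description or the upgrade notes which scope replaces it. The same applies to each repeated copy of these two flags further down the file.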
@@ -105,7 +105,7 @@ remove_toc_prefix: 'install-cni ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
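Review bot: the added `--log_stacktrace_level` line still carries the malformed placeholder `<scope>:<level>,<scope:level>,...`; the second item should read `<scope>:<level>`, as it does in the `--log_output_level` description. The same sentence recurs in every sub-command section of this file, so correct it wherever the help string is defined and let all copies pick it up.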
@@ -203,11 +203,11 @@ See each sub-command's help for details on how to use the generated script. --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) --log_rotate <string> 
@@ -227,7 +227,7 @@ See each sub-command's help for details on how to use the generated script. --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -272,11 +272,11 @@ If it is not installed already, you can install it via your OS's package man --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) --log_rotate <string> 
@@ -296,7 +296,7 @@ If it is not installed already, you can install it via your OS's package man --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -340,11 +340,11 @@ If it is not installed already, you can install it via your OS's package man --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) --log_rotate <string> 
@@ -364,7 +364,7 @@ If it is not installed already, you can install it via your OS's package man --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -407,11 +407,11 @@ to your powershell profile. --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) --log_rotate <string> 
@@ -431,7 +431,7 @@ to your powershell profile. --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -481,11 +481,11 @@ to enable it. You can execute the following once:

--log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) --log_rotate <string> @@ -505,7 +505,7 @@ to enable it. You can execute the following once:

--log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -548,12 +548,12 @@ to enable it. You can execute the following once:

--log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) --log_rotate <string> @@ -578,7 +578,7 @@ to enable it. You can execute the following once:

--log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html index 253c204477..4f2c3e1582 100644 --- a/content/en/docs/reference/config/annotations/index.html +++ b/content/en/docs/reference/config/annotations/index.html @@ -913,160 +913,6 @@ Istio supports to control its behavior. -

traffic.istio.io/excludeInboundPorts

- - - - - - - - - - - - - - - - - - - -
Nametraffic.istio.io/excludeInboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description

A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.

-
-

traffic.istio.io/excludeInterfaces

- - - - - - - - - - - - - - - - - - - -
Nametraffic.istio.io/excludeInterfaces
Feature StatusAlpha
Resource Types[Pod]
Description

A comma separated list of interfaces to be excluded from Istio traffic capture

-
-

traffic.istio.io/excludeOutboundIPRanges

- - - - - - - - - - - - - - - - - - - -
Nametraffic.istio.io/excludeOutboundIPRanges
Feature StatusAlpha
Resource Types[Pod]
Description

A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.

-
-

traffic.istio.io/excludeOutboundPorts

- - - - - - - - - - - - - - - - - - - -
Nametraffic.istio.io/excludeOutboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description

A comma separated list of outbound ports to be excluded from redirection to Envoy.

-
-

traffic.istio.io/includeInboundPorts

- - - - - - - - - - - - - - - - - - - -
Nametraffic.istio.io/includeInboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description

A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.

-
-

traffic.istio.io/includeOutboundIPRanges

- - - - - - - - - - - - - - - - - - - -
Nametraffic.istio.io/includeOutboundIPRanges
Feature StatusAlpha
Resource Types[Pod]
Description

A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.

-
-

traffic.istio.io/includeOutboundPorts

- - - - - - - - - - - - - - - - - - - -
Nametraffic.istio.io/includeOutboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description

A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.

-

traffic.istio.io/nodeSelector
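Review bot: the seven removed `traffic.istio.io/*` entries, from `excludeInboundPorts` to `includeOutboundPorts`, leave no pointer to where these annotations are documented now or whether they are still honoured. They decide which ports, interfaces and IP ranges skip redirection to Envoy, so operators auditing pods for traffic that bypasses the proxy need this reference. Either keep the entries marked as deprecated or add a line naming the replacement ahead of `traffic.istio.io/nodeSelector`.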

diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html index a821d3bd77..686d06991b 100644 --- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -3957,7 +3957,7 @@ No - + - + @@ -105,7 +105,7 @@ remove_toc_prefix: 'install-cni ' - + @@ -203,11 +203,11 @@ See each sub-command's help for details on how to use the generated script. - + - + @@ -227,7 +227,7 @@ See each sub-command's help for details on how to use the generated script. - + @@ -272,11 +272,11 @@ If it is not installed already, you can install it via your OS's package man - + - + @@ -296,7 +296,7 @@ If it is not installed already, you can install it via your OS's package man - + @@ -340,11 +340,11 @@ If it is not installed already, you can install it via your OS's package man - + - + @@ -364,7 +364,7 @@ If it is not installed already, you can install it via your OS's package man - + @@ -407,11 +407,11 @@ to your powershell profile. - + - + @@ -431,7 +431,7 @@ to your powershell profile. - + @@ -481,11 +481,11 @@ to enable it. You can execute the following once:

- + - + @@ -505,7 +505,7 @@ to enable it. You can execute the following once:

- + @@ -548,12 +548,12 @@ to enable it. You can execute the following once:

- + - + @@ -578,7 +578,7 @@ to enable it. You can execute the following once:

- + diff --git a/content/zh/docs/reference/config/annotations/index.html b/content/zh/docs/reference/config/annotations/index.html index bf65058a5b..c289bc6af8 100644 --- a/content/zh/docs/reference/config/annotations/index.html +++ b/content/zh/docs/reference/config/annotations/index.html @@ -913,160 +913,6 @@ Istio supports to control its behavior.
envoyDebugHeaders EnvoyDebugHeaders -

Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and `X-Envoy-Upstream-Service-Time. If enabled, +

Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, these headers will be included. If disabled, these headers will not be set. If they are already present, they will be preserved. See the Envoy documentation for more details. diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html index 739c2e1818..24d6ce0102 100644 --- a/content/en/docs/reference/config/networking/destination-rule/index.html +++ b/content/en/docs/reference/config/networking/destination-rule/index.html @@ -16,7 +16,7 @@ for load balancing, connection pool size from the sidecar, and outlier detection settings to detect and evict unhealthy hosts from the load balancing pool. For example, a simple load balancing policy for the ratings service would look as follows:

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: bookinfo-ratings
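Review bot: the `apiVersion: networking.istio.io/v1` line replaces `v1beta1` in the example with no statement of which release first serves `v1`. Add that minimum version near the example, or note whether `v1beta1` remains accepted, so a reader on an older install knows which form to apply. The same point holds for every example in this file that receives the identical substitution.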
@@ -31,7 +31,7 @@ spec:
 following rule uses a round robin load balancing policy for all traffic
 going to a subset named testversion that is composed of endpoints (e.g.,
 pods) with labels (version:v3).

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: bookinfo-ratings
@@ -54,7 +54,7 @@ a route rule explicitly sends traffic to this subset.

following rule uses the least connection load balancing policy for all traffic to port 80, while uses a round robin load balancing setting for traffic to the port 9080.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: bookinfo-ratings-port
@@ -74,7 +74,7 @@ spec:
 

Destination Rules can be customized to specific workloads as well. The following example shows how a destination rule can be applied to a specific workload using the workloadSelector configuration.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: configure-client-mtls-dr-with-workloadselector
@@ -311,7 +311,7 @@ service-level can be overridden at a subset-level. The following rule
 uses a round robin load balancing policy for all traffic going to a
 subset named testversion that is composed of endpoints (e.g., pods) with
 labels (version:v3).

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: bookinfo-ratings
@@ -395,7 +395,7 @@ load balancing
 for more details.

For example, the following rule uses a round robin load balancing policy for all traffic going to the ratings service.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: bookinfo-ratings
@@ -408,7 +408,7 @@ spec:
 

The following example sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service using the the User cookie as the hash key.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: bookinfo-ratings
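Review bot: the context sentence above the changed `apiVersion` line in this hunk is garbled: "sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service using the the User cookie as the hash key". Since the example is being touched anyway, rewrite it, for instance "sets up sticky sessions for the ratings service with a hashing-based load balancer that uses the User cookie as the hash key".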
@@ -492,7 +492,7 @@ for more details. Connection pool settings can be applied at the TCP
 level as well as at HTTP level.

For example, the following rule sets a limit of 100 connections to redis service called myredissrv with a connect timeout of 30ms

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: bookinfo-redis
@@ -559,7 +559,7 @@ with no more than 10 req/connection to the “reviews” service. In add
 it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
 hosts to be scanned every 5 mins so that any host that fails 7 consecutive
 times with a 502, 503, or 504 error code will be ejected for 15 minutes.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: reviews-cb-policy
@@ -728,7 +728,7 @@ context
 for more details. These settings are common to both HTTP and TCP upstreams.

For example, the following rule configures a client to use mutual TLS for connections to upstream database cluster.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: db-mtls
@@ -743,7 +743,7 @@ spec:
 

The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: tls-foo
@@ -755,7 +755,7 @@ spec:
 

The following rule configures a client to use Istio mutual TLS when talking to rating services.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: ratings-istio-mtls
diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html
index 4a2c316117..9aed39f659 100644
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@@ -389,12 +389,13 @@ No
 
targetRefs PolicyTargetReference[] -

Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

+

Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • +
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
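Review bot: the added bullet `kind: Service with "" in the same namespace` omits the `group:` label that the Gateway bullet uses, so the bare empty string reads like a rendering error. Write it as `kind: Service with group: ""`, or spell out that the empty group is the core API group, to match the line above. The first added sentence also says "The targetRefs specifies a list"; "targetRefs specifies a list" reads better for a plural field name.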

diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html index 3b813daf31..22dc5cbfee 100644 --- a/content/en/docs/reference/config/networking/gateway/index.html +++ b/content/en/docs/reference/config/networking/gateway/index.html @@ -20,7 +20,7 @@ as a load balancer exposing port 80 and 9080 (http), 443 (https), applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen on these ports, it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
   name: my-gateway
@@ -84,7 +84,7 @@ in the qa version. The same rule is also applicable inside the mesh for
 requests to the “reviews.prod.svc.cluster.local” service. This rule is
 applicable across ports 443, 9080. Note that http://uk.bookinfo.com
 gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: bookinfo-rule
@@ -124,7 +124,7 @@ spec:
 port 27017 to internal Mongo server on port 5555. This rule is not
 applicable internally in the mesh as the gateway list omits the
 reserved name mesh.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: bookinfo-mongo
@@ -148,7 +148,7 @@ a gateway server using the namespace/hostname syntax in the hosts field.
 For example, the following Gateway allows any virtual service in the ns1
 namespace to bind to it, while restricting only the virtual service with
 foo.bar.com host in the ns2 namespace to bind to it.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
   name: my-gateway
@@ -221,7 +221,7 @@ No
 

Server describes the properties of the proxy on a given load balancer port. For example,

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
   name: my-ingress
@@ -237,7 +237,7 @@ spec:
     - "*"
 

Another example

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
   name: my-tcp-ingress
@@ -253,7 +253,7 @@ spec:
     - "*"
 

The following is an example of TLS configuration for port 443

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
   name: my-tls-ingress
diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html
index 49005dcf1a..1a8ba9a5c1 100644
--- a/content/en/docs/reference/config/networking/service-entry/index.html
+++ b/content/en/docs/reference/config/networking/service-entry/index.html
@@ -28,7 +28,7 @@ services.

The following example declares a few external APIs accessed by internal applications over HTTPS. The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-https
@@ -48,7 +48,7 @@ spec:
 unmanaged VMs to Istio’s registry, so that these services can be treated
 as any other service in the mesh. The associated DestinationRule is used
 to initiate mTLS connections to the database instances.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-mongocluster
@@ -68,7 +68,7 @@ spec:
   - address: 3.3.3.3
 

and the associated DestinationRule

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: mtls-mongocluster
@@ -84,7 +84,7 @@ spec:
 

The following example uses a combination of service entry and TLS routing in a virtual service to steer traffic based on the SNI value to an internal egress firewall.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-redirect
@@ -100,7 +100,7 @@ spec:
   resolution: NONE
 

And the associated VirtualService to route based on the SNI value.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: tls-routing
@@ -127,7 +127,7 @@ declaration to other namespaces in the mesh. By default, a service is exported
 to all namespaces. The following example restricts the visibility to the
 current namespace, represented by “.”, so that it cannot be used by other
 namespaces.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-httpbin
@@ -145,7 +145,7 @@ spec:
   resolution: DNS
 

Define a gateway to handle all egress traffic.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
  name: istio-egressgateway
@@ -167,7 +167,7 @@ well as route from the gateway to the external service. Note that the
 virtual service is exported to all namespaces enabling them to route traffic
 through the gateway to the external service. Forcing traffic to go through
 a managed middle proxy like this is a common practice.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: gateway-routing
@@ -200,7 +200,7 @@ spec:
 external services. If the connection has to be routed to the IP address
 requested by the application (i.e. application resolves DNS and attempts
 to connect to a specific IP), the resolution mode must be set to NONE.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-wildcard-example
@@ -217,7 +217,7 @@ spec:
 

The following example demonstrates a service that is available via a Unix Domain Socket on the host of the client. The resolution must be set to STATIC to use Unix address endpoints.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: unix-domain-socket-example
@@ -240,7 +240,7 @@ reroute API calls for the VirtualService to a chosen backend. For
 example, the following configuration creates a non-existent external
 service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
 uk.foo.bar.com:9080, and in.foo.bar.com:7080

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-dns
@@ -271,7 +271,7 @@ be translated to http://uk.foo.bar.com/baz.

The following example illustrates the usage of a ServiceEntry containing a subject alternate name whose format conforms to the SPIFFE standard:

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: httpbin
@@ -298,7 +298,7 @@ VM-based instances with sidecars as well as a set of Kubernetes
 pods managed by a standard deployment object. Consumers of this
 service in the mesh will be automatically load balanced across the
 VMs and Kubernetes.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: WorkloadEntry
 metadata:
   name: details-vm-1
@@ -309,7 +309,7 @@ spec:
     app: details
     instance-id: vm1
 ---
-apiVersion: networking.istio.io/v1beta1
+apiVersion: networking.istio.io/v1
 kind: WorkloadEntry
 metadata:
   name: details-vm-2
@@ -324,7 +324,7 @@ spec:
 app: details using the same service account details, the
 following service entry declares a service spanning both VMs and
 Kubernetes:

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: details-svc
diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html
index a45041238a..c144e010e9 100644
--- a/content/en/docs/reference/config/networking/sidecar/index.html
+++ b/content/en/docs/reference/config/networking/sidecar/index.html
@@ -48,7 +48,7 @@ in the root namespace called istio-config, that configures
 sidecars in all namespaces to allow egress traffic only to other
 workloads in the same namespace as well as to services in the
 istio-system namespace.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Sidecar
 metadata:
   name: default
@@ -64,7 +64,7 @@ spec:
 above, and configures the sidecars in the namespace to allow egress
 traffic to public services in the prod-us1, prod-apis, and the
 istio-system namespaces.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Sidecar
 metadata:
   name: default
@@ -84,7 +84,7 @@ the attached workload instance listening on a Unix domain
 socket. In the egress direction, in addition to the istio-system
 namespace, the sidecar proxies only HTTP traffic bound for port
 9080 for services in the prod-us1 namespace.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Sidecar
 metadata:
   name: ratings
@@ -123,7 +123,7 @@ it to the application listening on 127.0.0.1:8080. It also allows
 the application to communicate with a backing MySQL database on
 127.0.0.1:3306, that then gets proxied to the externally hosted
 MySQL service at mysql.foo.com:3306.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Sidecar
 metadata:
   name: no-ip-tables
@@ -150,7 +150,7 @@ spec:
     - "*/mysql.foo.com"
 

And the associated service entry for routing to mysql.foo.com:3306

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-mysql
@@ -176,7 +176,7 @@ listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving
 

NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should contain REDIRECT or TPROXY as its value, implying that IP tables based traffic capture is active.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Sidecar
 metadata:
   name: partial-ip-tables
@@ -214,7 +214,7 @@ in order to set mTLS mode to “DISABLE” on specific
 ports.
 In this example, the mTLS mode is disabled on PORT 80.
 This feature is currently experimental.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Sidecar
 metadata:
   name: ratings
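
Review bot: The context line "This feature is currently experimental." stays in place while the Sidecar example beneath it moves to `networking.istio.io/v1`. A stable API version next to an experimental caveat is easy to misread as the port-level mTLS `DISABLE` override having graduated. Either state that the field remains experimental under `v1`, or drop the sentence if it no longer applies; because this example turns mTLS off on port 80, the status of the feature needs to be unambiguous.
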
@@ -249,7 +249,7 @@ spec:
   selector:
     app: ratings
 ---
-apiVersion: security.istio.io/v1beta1
+apiVersion: security.istio.io/v1
 kind: PeerAuthentication
 metadata:
   name: ratings-peer-auth
@@ -271,7 +271,7 @@ connections to the service) as well as servers (for inbound connections to a ser
 instance). Using the InboundConnectionPool and per-port ConnectionPool settings
 in a Sidecar allow you to control those connection pools for the server separately
 from the settings pushed to all clients.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: Sidecar
 metadata:
   name: connection-pool-settings
diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index 62132d392c..df519595b5 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -43,7 +43,7 @@ to be customized for specific client contexts.

pods of the reviews service with label “version: v1”. In addition, HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will be rewritten to /newcatalog and sent to pods with label “version: v2”.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: reviews-route
@@ -72,7 +72,7 @@ spec:
 

A subset/version of a route destination is identified with a reference to a named service subset which must be declared in a corresponding DestinationRule.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: reviews-destination
@@ -249,7 +249,7 @@ domain names over short names.

The following Kubernetes example routes all traffic by default to pods of the reviews service with label “version: v1” (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: reviews-route
@@ -275,7 +275,7 @@ spec:
         subset: v1
 

And the associated DestinationRule

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: reviews-destination
@@ -299,7 +299,7 @@ that this rule is set in the istio-system namespace but uses the fully
 qualified domain name of the productpage service,
 productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
 not have an impact in resolving the name of the productpage service.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: my-productpage-rule
@@ -318,7 +318,7 @@ services must first be added to Istio’s internal service registry using th
 ServiceEntry resource. VirtualServices can then be defined to control traffic
 bound to these external services. For example, the following rules define a
 Service for wikipedia.org and set a timeout of 5s for HTTP requests.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: external-svc-wikipedia
@@ -332,7 +332,7 @@ spec:
     protocol: HTTP
   resolution: DNS
 ---
-apiVersion: networking.istio.io/v1beta1
+apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: my-wiki-rule
@@ -638,7 +638,7 @@ No
 

Describes the delegate VirtualService. The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, forward the traffic to /reviews by a delegate VirtualService named reviews.

-
apiVersion: networking.istio.io/v1alpha3
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: bookinfo
@@ -661,7 +661,7 @@ spec:
         name: reviews
         namespace: nsB
 
-
apiVersion: networking.istio.io/v1alpha3
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: productpage
@@ -678,7 +678,7 @@ spec:
     - destination:
         host: productpage.nsA.svc.cluster.local
 
-
apiVersion: networking.istio.io/v1alpha3
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: reviews
@@ -735,7 +735,7 @@ The following VirtualService adds a test header with the value reviews service destination.
 It also removes the foo response header, but only from responses
 coming from the v1 subset (version) of the reviews service.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: reviews-route
@@ -805,7 +805,7 @@ No
 traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
 traffic arriving at port 443 of gateway called “mygateway” to internal
 services in the mesh based on the SNI value.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: bookinfo-sni
@@ -874,7 +874,7 @@ No
 

Describes match conditions and actions for routing TCP traffic. The following routing rule forwards traffic arriving at port 27017 for mongo.prod.svc.cluster.local to another Mongo server on port 5555.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: bookinfo-mongo
@@ -936,7 +936,7 @@ rule to be applied to the HTTP request. For example, the following
 restricts the rule to match only requests where the URL path
 starts with /ratings/v2/ and the request contains a custom end-user header
 with value jason.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -1246,7 +1246,7 @@ determine the proportion of traffic it receives. For example, the
 following rule will route 25% of traffic for the “reviews” service to
 instances with the “v2” tag and the remaining traffic (i.e., 75%) to
 “v1”.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: reviews-route
@@ -1265,7 +1265,7 @@ spec:
       weight: 75
 

And the associated DestinationRule

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
   name: reviews-destination
@@ -1282,7 +1282,7 @@ spec:
 

Traffic can also be split across two entirely different services without having to define new subsets. For example, the following rule forwards 25% of traffic to reviews.com to dev.reviews.com

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: reviews-route-two-domains
@@ -1577,7 +1577,7 @@ where the Authority/Host and the URI in the response can be swapped with
 the specified values. For example, the following rule redirects
 requests for /v1/getProductRatings API on the ratings service to
 /v1/bookRatings provided by the bookratings service.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -1689,7 +1689,7 @@ No
 

HTTPDirectResponse can be used to send a fixed response to clients. For example, the following rule returns a fixed 503 status with a body to requests for /v1/getProductRatings API.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -1708,7 +1708,7 @@ spec:
 

It is also possible to specify a binary response body. This is mostly useful for non text-based protocols such as gRPC.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -1728,7 +1728,7 @@ spec:
 

It is good practice to add headers in the HTTPRoute as well as the direct_response, for example to specify the returned Content-Type.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -1830,7 +1830,7 @@ before forwarding the request to the destination. Rewrite primitive can
 be used only with HTTPRouteDestination. The following example
 demonstrates how to rewrite the URL prefix for api call (/ratings) to
 ratings service before making the actual API call.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -2000,7 +2000,7 @@ example, the following rule sets the maximum number of retries to 3 when
 calling ratings:v1 service, with a 2s timeout per retry attempt.
 A retry will be attempted if there is a connect-failure, refused_stream
 or when the upstream server responds with Service Unavailable(503).

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -2097,7 +2097,7 @@ the following rule restricts cross origin requests to those originating
 from example.com domain using HTTP POST/GET, and sets the
 Access-Control-Allow-Credentials header to false. In addition, it only
 exposes X-Foo-bar header and sets an expiry period of 1 day.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
@@ -2413,7 +2413,7 @@ No
 forwarding path. The following example will introduce a 5 second delay
 in 1 out of every 1000 requests to the “v1” version of the “reviews”
 service from all pods with label env: prod

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: reviews-route
@@ -2493,7 +2493,7 @@ No
 

Abort specification is used to prematurely abort a request with a pre-specified error code. The following example will return an HTTP 400 error code for 1 out of every 1000 requests to the “ratings” service “v1”.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   name: ratings-route
diff --git a/content/en/docs/reference/config/networking/workload-entry/index.html b/content/en/docs/reference/config/networking/workload-entry/index.html
index 9ded68bd6d..a8bc6989ae 100644
--- a/content/en/docs/reference/config/networking/workload-entry/index.html
+++ b/content/en/docs/reference/config/networking/workload-entry/index.html
@@ -30,7 +30,7 @@ account. The service is exposed on port 80 to applications in the
 mesh. The HTTP traffic to this service is wrapped in Istio mutual
 TLS and sent to sidecars on VMs on target port 8080, that in turn
 forward it to the application on localhost on the same port.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: WorkloadEntry
 metadata:
   name: details-svc
@@ -46,7 +46,7 @@ spec:
     instance-id: vm1
 

and the associated service entry

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: details-svc
@@ -69,7 +69,7 @@ its fully qualified DNS name. The service entry’s resolution
 mode should be changed to DNS to indicate that the client-side
 sidecars should dynamically resolve the DNS name at runtime before
 forwarding the request.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: WorkloadEntry
 metadata:
   name: details-svc
@@ -85,7 +85,7 @@ spec:
     instance-id: vm1
 

and the associated service entry

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: ServiceEntry
 metadata:
   name: details-svc
@@ -109,7 +109,7 @@ to write a WorkloadEntry in the local cluster that represents
 the Workload(s) in the remote network with the given labels. A
 single WorkloadEntry with weights represent the aggregate of all
 the actual workloads in a given remote network.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: WorkloadEntry
 metadata:
   name: foo-workloads-cluster-2
diff --git a/content/en/docs/reference/config/networking/workload-group/index.html b/content/en/docs/reference/config/networking/workload-group/index.html
index 68f0125a4a..4a7d9fd9f0 100644
--- a/content/en/docs/reference/config/networking/workload-group/index.html
+++ b/content/en/docs/reference/config/networking/workload-group/index.html
@@ -22,7 +22,7 @@ of workloads that will be registered under reviews in namespace
 instance during the bootstrap process, and the ports 3550 and 8080
 will be associated with the workload group and use service account default.
 app.kubernetes.io/version is just an arbitrary example of a label.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1
 kind: WorkloadGroup
 metadata:
   name: reviews
diff --git a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html
index 9cd724e36a..57c01ed448 100644
--- a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html
+++ b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html
@@ -205,12 +205,13 @@ No
 
targetRefs PolicyTargetReference[] -

Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

+

Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • +
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
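
Review bot: The added Service bullet reads `kind: Service with "" in the same namespace`, which drops the `group:` label that the Gateway bullet above it carries. As written, the bare empty string looks like a rendering bug; suggest `kind: Service with group: ""` (the core API group) so the two bullets are parallel. The first added sentence would also read better as "The targetRefs field specifies a list of resources the policy should be applied to."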

diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html index 6f64f31ab1..6521538284 100644 --- a/content/en/docs/reference/config/security/authorization-policy/index.html +++ b/content/en/docs/reference/config/security/authorization-policy/index.html @@ -230,12 +230,13 @@ No
targetRefs PolicyTargetReference[] -

Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

+

Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • +
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
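
Review bot: For AuthorizationPolicy, the closing sentence "At most one of the selector and targetRefs can be set" should say what happens when both are set. If the resource is rejected at validation, the operator finds out at apply time; if one field is silently ignored, the policy can end up attached to a different set of workloads than its author intended. Now that `targetRefs` is a list, the text should also say whether entries of different kinds (Gateway and Service) may be mixed in one policy.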

@@ -611,8 +612,8 @@ To be a valid path template, the path must not contain *, {/foo/{*} matches /foo/bar but not /foo/bar/baz
  • /foo/{**}/ matches /foo/bar/, /foo/bar/baz.txt, and /foo// but not /foo/bar
  • /foo/{*}/bar/{**} matches /foo/buzz/bar/ and /foo/buzz/bar/baz
  • -
  • /*/baz/{*}`` is not a valid path template since it includes *` outside of a supported operator
  • -
  • /**/baz/{*}`` is not a valid path template since it includes **` outside of a supported operator
  • +
  • /*/baz/{*} is not a valid path template since it includes * outside of a supported operator
  • +
  • /**/baz/{*} is not a valid path template since it includes ** outside of a supported operator
  • /{**}/foo/{*} is not a valid path template since {**} is not the last operator
  • /foo/{*}.txt is invalid since there are characters other than {*} in the path segment
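
Review bot: The two corrected bullets render properly now, but the unchanged bullet above them says `/foo/{**}/` matches `/foo/bar/baz.txt` and does not match `/foo/bar`. The template ends in `/` and neither of those paths does, so the two claims look inconsistent with each other. Please confirm that bullet against the matcher while this list is open, since readers write ALLOW and DENY path rules from these examples.
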
  • @@ -819,7 +820,7 @@ One example use case of the extension is to integrate with a custom external aut the authorization decision to it.

    The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension my-custom-authz if the request path has prefix /admin/.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: AuthorizationPolicy
     metadata:
       name: ext-authz
    diff --git a/content/en/docs/reference/config/security/peer_authentication/index.html b/content/en/docs/reference/config/security/peer_authentication/index.html
    index 4b952bbd93..1ae5659180 100644
    --- a/content/en/docs/reference/config/security/peer_authentication/index.html
    +++ b/content/en/docs/reference/config/security/peer_authentication/index.html
    @@ -18,7 +18,7 @@ Development of PeerAuthentication is currently frozen and likely to be replaced
     PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

    Examples:

    Policy to allow mTLS traffic for all workloads under namespace foo:

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    @@ -30,7 +30,7 @@ spec:
     

    For mesh level, put the policy in root-namespace according to your Istio installation.

    Policies to allow both mTLS and plaintext traffic for all workloads under namespace foo, but require mTLS for workload finance.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    @@ -39,7 +39,7 @@ spec:
       mtls:
         mode: PERMISSIVE
     ---
    -apiVersion: security.istio.io/v1beta1
    +apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: finance
    @@ -54,7 +54,7 @@ spec:
     

    Policy that enables strict mTLS for all finance workloads, but leaves the port 8080 to plaintext. Note the port value in the portLevelMtls field refers to the port of the workload, not the port of the Kubernetes service.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    @@ -71,7 +71,7 @@ spec:
     

    Policy that inherits mTLS mode from namespace (or mesh) settings, and disables mTLS for workload port 8080.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html
    index 61bd2b61e8..3db08228bb 100644
    --- a/content/en/docs/reference/config/security/request_authentication/index.html
    +++ b/content/en/docs/reference/config/security/request_authentication/index.html
    @@ -179,7 +179,7 @@ spec:
         - source:
             requestPrincipals: ["*"]
     ---
    -apiVersion: networking.istio.io/v1alpha3
    +apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: route-jwt
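
Review bot: Only the VirtualService document after the `---` is bumped in this hunk, from `v1alpha3` straight to `v1`. The policy above the separator (the one with `requestPrincipals: ["*"]`) lies outside the changed lines, so check that its `apiVersion` was moved to `security.istio.io/v1` as well; otherwise the JWT routing example mixes API versions within a single manifest.
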
    @@ -234,12 +234,13 @@ No
     
    targetRefs PolicyTargetReference[] -

    Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

    +

    Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

    Currently, the following resource attachment types are supported:

    • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
    • +
    • kind: Service with "" in the same namespace. This type is only supported for waypoints.

    If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

    diff --git a/content/en/docs/reference/config/telemetry/index.html b/content/en/docs/reference/config/telemetry/index.html index fd46b0e43c..a06f1d9d98 100644 --- a/content/en/docs/reference/config/telemetry/index.html +++ b/content/en/docs/reference/config/telemetry/index.html @@ -25,7 +25,7 @@ selecting any given workload.

    Examples

    Policy to enable random sampling for 10% of traffic:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -37,7 +37,7 @@ spec:
     

    Policy to disable trace reporting for the foo workload (note: tracing context will still be propagated):

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: foo-tracing
    @@ -50,7 +50,7 @@ spec:
       - disableSpanReporting: true
     

    Policy to select the alternate zipkin provider for trace reporting:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: foo-tracing-alternate
    @@ -65,7 +65,7 @@ spec:
         randomSamplingPercentage: 10.00
     

    Policy to tailor the zipkin provider to sample traces from Client workloads only:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -78,7 +78,7 @@ spec:
         - name: "zipkin"
     

    Policy to add a custom tag from a literal value:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -93,7 +93,7 @@ spec:
               value: "foo"
     

    Policy to disable server-side metrics for Prometheus for an entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -110,7 +110,7 @@ spec:
           disabled: true
     

    Policy to add dimensions to all Prometheus metrics for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: namespace-metrics
    @@ -130,7 +130,7 @@ spec:
     

    Policy to remove the response_code dimension on some Prometheus metrics for the bar.foo workload:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: remove-response-code
    @@ -165,7 +165,7 @@ spec:
               operation: REMOVE
     

    Policy to enable access logging for the entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -181,7 +181,7 @@ spec:
         # those cases, `disabled: false` must be set explicitly to override.
     

    Policy to disable access logging for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: namespace-no-log
    @@ -223,12 +223,13 @@ No
     
    targetRefs PolicyTargetReference[] -

    Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

    +

    Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

    Currently, the following resource attachment types are supported:

    • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
    • +
    • kind: Service with "" in the same namespace. This type is only supported for waypoints.

    If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

    diff --git a/content/en/docs/reference/config/type/workload-selector/index.html b/content/en/docs/reference/config/type/workload-selector/index.html index 8c206cebec..5d378d7280 100644 --- a/content/en/docs/reference/config/type/workload-selector/index.html +++ b/content/en/docs/reference/config/type/workload-selector/index.html @@ -74,9 +74,9 @@ Yes

    PolicyTargetReference

    -

    PolicyTargetReference format as defined by GEP-713.

    -

    PolicyTargetReferences specifies the targeted resource which the policy -can be applied to. It must only target a single resource at a time, but it +

    PolicyTargetReference format as defined by GEP-2648.

    +

    PolicyTargetReference specifies the targeted resource which the policy +should be applied to. It must only target a single resource at a time, but it can be used to target larger resources such as Gateways that may apply to multiple child resources. The PolicyTargetReference will be used instead of a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, @@ -91,8 +91,8 @@ metadata: name: httpbin namespace: foo spec: - targetRef: - name: waypoint + targetRefs: + - name: waypoint kind: Gateway group: gateway.networking.k8s.io action: DENY diff --git a/content/zh/docs/reference/commands/install-cni/index.html b/content/zh/docs/reference/commands/install-cni/index.html index 6c5940d5ba..217a01b84e 100644 --- a/content/zh/docs/reference/commands/install-cni/index.html +++ b/content/zh/docs/reference/commands/install-cni/index.html @@ -81,11 +81,11 @@ remove_toc_prefix: 'install-cni '

    --log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)
    --log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
    --log_rotate <string>
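
Review bot: The scope list for `--log_caller` and `--log_output_level` no longer contains `ambient` and now contains `cni-agent`, but nothing on the page tells operators what happens to an existing `ambient:<level>` setting. Suggest a short migration note next to the flag (whether `ambient` is now rejected or ignored, and whether `cni-agent` is its replacement), since a logging override that silently stops matching can leave node-agent debug output missing when it is needed for an investigation.
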
    --log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
    --log_target <stringArray>
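
Review bot: The `--log_stacktrace_level` description still carries the malformed placeholder `<scope>:<level>,<scope:level>,...` on both the removed and the added line; the second pair should read `<scope>:<level>`, as it does in `--log_output_level`. Since the line is being regenerated anyway, fix it at the source of the generated help text so every command page picks up the correction.
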
    --log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)
    --log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
    --log_rotate <string>
    --log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
    --log_target <stringArray>
    --log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)
    --log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
    --log_rotate <string>
    --log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
    --log_target <stringArray>
    --log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)
    --log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
    --log_rotate <string>
    --log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
    --log_target <stringArray>
    --log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)
    --log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
    --log_rotate <string>
    --log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
    --log_target <stringArray>
    --log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)
    --log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
    --log_rotate <string>
    --log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
    --log_target <stringArray>
    --log_caller <string> Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)Comma-separated list of scopes for which to include caller information, scopes can be any of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] (default ``)
    --log_output_level <string> Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
    --log_rotate <string>
    --log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, ambient, cni, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, cni, cni-agent, controllers, default, grpc, install, iptables, klog, model, monitoring, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
    --log_target <stringArray>
    -

    traffic.istio.io/excludeInboundPorts

    - - - - - - - - - - - - - - - - - - - -
    Nametraffic.istio.io/excludeInboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description

    A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.

    -
    -

    traffic.istio.io/excludeInterfaces

    - - - - - - - - - - - - - - - - - - - -
    Nametraffic.istio.io/excludeInterfaces
    Feature StatusAlpha
    Resource Types[Pod]
    Description

    A comma separated list of interfaces to be excluded from Istio traffic capture

    -
    -

    traffic.istio.io/excludeOutboundIPRanges

    - - - - - - - - - - - - - - - - - - - -
    Nametraffic.istio.io/excludeOutboundIPRanges
    Feature StatusAlpha
    Resource Types[Pod]
    Description

    A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.

    -
    -

    traffic.istio.io/excludeOutboundPorts

    - - - - - - - - - - - - - - - - - - - -
    Nametraffic.istio.io/excludeOutboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description

    A comma separated list of outbound ports to be excluded from redirection to Envoy.

    -
    -

    traffic.istio.io/includeInboundPorts

    - - - - - - - - - - - - - - - - - - - -
    Nametraffic.istio.io/includeInboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description

    A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.

    -
    -

    traffic.istio.io/includeOutboundIPRanges

    - - - - - - - - - - - - - - - - - - - -
    Nametraffic.istio.io/includeOutboundIPRanges
    Feature StatusAlpha
    Resource Types[Pod]
    Description

    A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.

    -
    -

    traffic.istio.io/includeOutboundPorts

    - - - - - - - - - - - - - - - - - - - -
    Nametraffic.istio.io/includeOutboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description

    A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.

    -

    traffic.istio.io/nodeSelector
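
Review bot: The descriptions of the `traffic.istio.io/exclude*` annotations (`excludeInboundPorts`, `excludeInterfaces`, `excludeOutboundIPRanges`, `excludeOutboundPorts`) say only that traffic is "excluded from redirection to Envoy" and do not state the consequence: traffic that is not redirected never reaches the sidecar, so mutual TLS, AuthorizationPolicy and telemetry do not apply to it. Suggest adding one sentence to that effect to each entry, since these annotations are set per Pod. Minor: the `excludeInterfaces` description is missing its final period, and "comma separated" is written "Comma-separated" elsewhere in this change.
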

    diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html index 77f5bf71da..80825d59fa 100644 --- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -3957,7 +3957,7 @@ No
    envoyDebugHeaders EnvoyDebugHeaders -

    Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and `X-Envoy-Upstream-Service-Time. If enabled, +

    Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, these headers will be included. If disabled, these headers will not be set. If they are already present, they will be preserved. See the Envoy documentation for more details. diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html index 9a5f110404..fd76be40d5 100644 --- a/content/zh/docs/reference/config/networking/destination-rule/index.html +++ b/content/zh/docs/reference/config/networking/destination-rule/index.html @@ -16,7 +16,7 @@ for load balancing, connection pool size from the sidecar, and outlier detection settings to detect and evict unhealthy hosts from the load balancing pool. For example, a simple load balancing policy for the ratings service would look as follows:

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: bookinfo-ratings
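
Review bot: The example's `apiVersion` moves from `networking.istio.io/v1beta1` to `networking.istio.io/v1`, here and in every other example in this file, without the page saying which Istio release first serves `v1`. A reader applying the manifest to a cluster whose CRDs only serve `v1beta1` will have it rejected, so suggest a one-line note near the top of the page giving the minimum release, or stating that `v1beta1` remains accepted.
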
    @@ -31,7 +31,7 @@ spec:
     following rule uses a round robin load balancing policy for all traffic
     going to a subset named testversion that is composed of endpoints (e.g.,
     pods) with labels (version:v3).

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: bookinfo-ratings
    @@ -54,7 +54,7 @@ a route rule explicitly sends traffic to this subset.

    following rule uses the least connection load balancing policy for all traffic to port 80, while uses a round robin load balancing setting for traffic to the port 9080.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: bookinfo-ratings-port
    @@ -74,7 +74,7 @@ spec:
     

    Destination Rules can be customized to specific workloads as well. The following example shows how a destination rule can be applied to a specific workload using the workloadSelector configuration.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: configure-client-mtls-dr-with-workloadselector
    @@ -311,7 +311,7 @@ service-level can be overridden at a subset-level. The following rule
     uses a round robin load balancing policy for all traffic going to a
     subset named testversion that is composed of endpoints (e.g., pods) with
     labels (version:v3).

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: bookinfo-ratings
    @@ -395,7 +395,7 @@ load balancing
     for more details.

    For example, the following rule uses a round robin load balancing policy for all traffic going to the ratings service.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: bookinfo-ratings
    @@ -408,7 +408,7 @@ spec:
     

    The following example sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service using the the User cookie as the hash key.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: bookinfo-ratings
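
Review bot: The context sentence above this example has a doubled word and a garbled clause: "sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service using the the User cookie as the hash key". While this block is being touched, suggest rewording to something like "sets up sticky sessions for the ratings service, using a hashing-based load balancer with the User cookie as the hash key".
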
    @@ -492,7 +492,7 @@ for more details. Connection pool settings can be applied at the TCP
     level as well as at HTTP level.

    For example, the following rule sets a limit of 100 connections to redis service called myredissrv with a connect timeout of 30ms

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: bookinfo-redis
    @@ -559,7 +559,7 @@ with no more than 10 req/connection to the “reviews” service. In add
     it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
     hosts to be scanned every 5 mins so that any host that fails 7 consecutive
     times with a 502, 503, or 504 error code will be ejected for 15 minutes.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: reviews-cb-policy
    @@ -728,7 +728,7 @@ context
     for more details. These settings are common to both HTTP and TCP upstreams.

    For example, the following rule configures a client to use mutual TLS for connections to upstream database cluster.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: db-mtls
    @@ -743,7 +743,7 @@ spec:
     

    The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: tls-foo
    @@ -755,7 +755,7 @@ spec:
     

    The following rule configures a client to use Istio mutual TLS when talking to rating services.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: ratings-istio-mtls
    diff --git a/content/zh/docs/reference/config/networking/envoy-filter/index.html b/content/zh/docs/reference/config/networking/envoy-filter/index.html
    index abee6324b9..b56c77a973 100644
    --- a/content/zh/docs/reference/config/networking/envoy-filter/index.html
    +++ b/content/zh/docs/reference/config/networking/envoy-filter/index.html
    @@ -389,12 +389,13 @@ No
     
    targetRefs PolicyTargetReference[] -

    Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

    +

    Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

    Currently, the following resource attachment types are supported:

    • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
    • +
    • kind: Service with "" in the same namespace. This type is only supported for waypoints.

    If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
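
Review bot: The added bullet `kind: Service with "" in the same namespace` omits the field name, so it is unclear what `""` refers to; the Gateway bullet above it reads `kind: Gateway with group: gateway.networking.k8s.io`. Suggest `kind: Service with group: ""` (the core API group). Also, the new text calls `targetRefs` "a list of resources", yet it does not say how several targets combine or whether `Gateway` and `Service` entries may be mixed in one list; a sentence on that would help anyone reasoning about which workloads a filter reaches.
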

    diff --git a/content/zh/docs/reference/config/networking/gateway/index.html b/content/zh/docs/reference/config/networking/gateway/index.html index ea23a434ba..d2de55c095 100644 --- a/content/zh/docs/reference/config/networking/gateway/index.html +++ b/content/zh/docs/reference/config/networking/gateway/index.html @@ -20,7 +20,7 @@ as a load balancer exposing port 80 and 9080 (http), 443 (https), applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen on these ports, it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Gateway
     metadata:
       name: my-gateway
    @@ -84,7 +84,7 @@ in the qa version. The same rule is also applicable inside the mesh for
     requests to the “reviews.prod.svc.cluster.local” service. This rule is
     applicable across ports 443, 9080. Note that http://uk.bookinfo.com
     gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: bookinfo-rule
    @@ -124,7 +124,7 @@ spec:
     port 27017 to internal Mongo server on port 5555. This rule is not
     applicable internally in the mesh as the gateway list omits the
     reserved name mesh.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: bookinfo-mongo
    @@ -148,7 +148,7 @@ a gateway server using the namespace/hostname syntax in the hosts field.
     For example, the following Gateway allows any virtual service in the ns1
     namespace to bind to it, while restricting only the virtual service with
     foo.bar.com host in the ns2 namespace to bind to it.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Gateway
     metadata:
       name: my-gateway
    @@ -221,7 +221,7 @@ No
     

    Server describes the properties of the proxy on a given load balancer port. For example,

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Gateway
     metadata:
       name: my-ingress
    @@ -237,7 +237,7 @@ spec:
         - "*"
     

    Another example

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Gateway
     metadata:
       name: my-tcp-ingress
    @@ -253,7 +253,7 @@ spec:
         - "*"
     

    The following is an example of TLS configuration for port 443

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Gateway
     metadata:
       name: my-tls-ingress
    diff --git a/content/zh/docs/reference/config/networking/service-entry/index.html b/content/zh/docs/reference/config/networking/service-entry/index.html
    index c028231c07..47f47bc292 100644
    --- a/content/zh/docs/reference/config/networking/service-entry/index.html
    +++ b/content/zh/docs/reference/config/networking/service-entry/index.html
    @@ -28,7 +28,7 @@ services.

    The following example declares a few external APIs accessed by internal applications over HTTPS. The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-https
    @@ -48,7 +48,7 @@ spec:
     unmanaged VMs to Istio’s registry, so that these services can be treated
     as any other service in the mesh. The associated DestinationRule is used
     to initiate mTLS connections to the database instances.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-mongocluster
    @@ -68,7 +68,7 @@ spec:
       - address: 3.3.3.3
     

    and the associated DestinationRule

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: mtls-mongocluster
    @@ -84,7 +84,7 @@ spec:
     

    The following example uses a combination of service entry and TLS routing in a virtual service to steer traffic based on the SNI value to an internal egress firewall.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-redirect
    @@ -100,7 +100,7 @@ spec:
       resolution: NONE
     

    And the associated VirtualService to route based on the SNI value.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: tls-routing
    @@ -127,7 +127,7 @@ declaration to other namespaces in the mesh. By default, a service is exported
     to all namespaces. The following example restricts the visibility to the
     current namespace, represented by “.”, so that it cannot be used by other
     namespaces.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-httpbin
    @@ -145,7 +145,7 @@ spec:
       resolution: DNS
     

    Define a gateway to handle all egress traffic.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Gateway
     metadata:
      name: istio-egressgateway
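
Review bot: In this egress Gateway example the context line `name: istio-egressgateway` is indented less than the `name:` line under `metadata:` in the neighbouring examples (compare `name: gateway-routing` in the next hunk). It is only context here, but since the block is being edited, suggest normalising it to the two-space indentation used elsewhere so copied manifests stay consistent.
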
    @@ -167,7 +167,7 @@ well as route from the gateway to the external service. Note that the
     virtual service is exported to all namespaces enabling them to route traffic
     through the gateway to the external service. Forcing traffic to go through
     a managed middle proxy like this is a common practice.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: gateway-routing
    @@ -200,7 +200,7 @@ spec:
     external services. If the connection has to be routed to the IP address
     requested by the application (i.e. application resolves DNS and attempts
     to connect to a specific IP), the resolution mode must be set to NONE.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-wildcard-example
    @@ -217,7 +217,7 @@ spec:
     

    The following example demonstrates a service that is available via a Unix Domain Socket on the host of the client. The resolution must be set to STATIC to use Unix address endpoints.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: unix-domain-socket-example
    @@ -240,7 +240,7 @@ reroute API calls for the VirtualService to a chosen backend. For
     example, the following configuration creates a non-existent external
     service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
     uk.foo.bar.com:9080, and in.foo.bar.com:7080

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-dns
    @@ -271,7 +271,7 @@ be translated to http://uk.foo.bar.com/baz.

    The following example illustrates the usage of a ServiceEntry containing a subject alternate name whose format conforms to the SPIFFE standard:

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: httpbin
    @@ -298,7 +298,7 @@ VM-based instances with sidecars as well as a set of Kubernetes
     pods managed by a standard deployment object. Consumers of this
     service in the mesh will be automatically load balanced across the
     VMs and Kubernetes.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: WorkloadEntry
     metadata:
       name: details-vm-1
    @@ -309,7 +309,7 @@ spec:
         app: details
         instance-id: vm1
     ---
    -apiVersion: networking.istio.io/v1beta1
    +apiVersion: networking.istio.io/v1
     kind: WorkloadEntry
     metadata:
       name: details-vm-2
    @@ -324,7 +324,7 @@ spec:
     app: details using the same service account details, the
     following service entry declares a service spanning both VMs and
     Kubernetes:

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: details-svc
    diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html
    index d1dd009985..b58d6006b0 100644
    --- a/content/zh/docs/reference/config/networking/sidecar/index.html
    +++ b/content/zh/docs/reference/config/networking/sidecar/index.html
    @@ -48,7 +48,7 @@ in the root namespace called istio-config, that configures
     sidecars in all namespaces to allow egress traffic only to other
     workloads in the same namespace as well as to services in the
     istio-system namespace.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Sidecar
     metadata:
       name: default
    @@ -64,7 +64,7 @@ spec:
     above, and configures the sidecars in the namespace to allow egress
     traffic to public services in the prod-us1, prod-apis, and the
     istio-system namespaces.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Sidecar
     metadata:
       name: default
    @@ -84,7 +84,7 @@ the attached workload instance listening on a Unix domain
     socket. In the egress direction, in addition to the istio-system
     namespace, the sidecar proxies only HTTP traffic bound for port
     9080 for services in the prod-us1 namespace.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Sidecar
     metadata:
       name: ratings
    @@ -123,7 +123,7 @@ it to the application listening on 127.0.0.1:8080. It also allows
     the application to communicate with a backing MySQL database on
     127.0.0.1:3306, that then gets proxied to the externally hosted
     MySQL service at mysql.foo.com:3306.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Sidecar
     metadata:
       name: no-ip-tables
    @@ -150,7 +150,7 @@ spec:
         - "*/mysql.foo.com"
     

    And the associated service entry for routing to mysql.foo.com:3306

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-mysql
    @@ -176,7 +176,7 @@ listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving
     

    NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should contain REDIRECT or TPROXY as its value, implying that IP tables based traffic capture is active.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Sidecar
     metadata:
       name: partial-ip-tables
    @@ -214,7 +214,7 @@ in order to set mTLS mode to “DISABLE” on specific
     ports.
     In this example, the mTLS mode is disabled on PORT 80.
     This feature is currently experimental.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Sidecar
     metadata:
       name: ratings
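
Review bot: The context line directly above this example still reads "This feature is currently experimental", yet the Sidecar manifest that demonstrates it is now labelled apiVersion: networking.istio.io/v1. A v1 manifest is easily read as stable, and this example is the one that disables mTLS on port 80, so please confirm the experimental note still holds under v1 and say so next to the example, or drop the note if the feature has been promoted.
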
    @@ -249,7 +249,7 @@ spec:
       selector:
         app: ratings
     ---
    -apiVersion: security.istio.io/v1beta1
    +apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: ratings-peer-auth
    @@ -271,7 +271,7 @@ connections to the service) as well as servers (for inbound connections to a ser
     instance). Using the InboundConnectionPool and per-port ConnectionPool settings
     in a Sidecar allow you to control those connection pools for the server separately
     from the settings pushed to all clients.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: Sidecar
     metadata:
       name: connection-pool-settings
    diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html
    index 5c599abdd8..a3a4adaf19 100644
    --- a/content/zh/docs/reference/config/networking/virtual-service/index.html
    +++ b/content/zh/docs/reference/config/networking/virtual-service/index.html
    @@ -43,7 +43,7 @@ to be customized for specific client contexts.

    pods of the reviews service with label “version: v1”. In addition, HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will be rewritten to /newcatalog and sent to pods with label “version: v2”.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: reviews-route
    @@ -72,7 +72,7 @@ spec:
     

    A subset/version of a route destination is identified with a reference to a named service subset which must be declared in a corresponding DestinationRule.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: reviews-destination
    @@ -249,7 +249,7 @@ domain names over short names.

    The following Kubernetes example routes all traffic by default to pods of the reviews service with label “version: v1” (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: reviews-route
    @@ -275,7 +275,7 @@ spec:
             subset: v1
     

    And the associated DestinationRule

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: reviews-destination
    @@ -299,7 +299,7 @@ that this rule is set in the istio-system namespace but uses the fully
     qualified domain name of the productpage service,
     productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
     not have an impact in resolving the name of the productpage service.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: my-productpage-rule
    @@ -318,7 +318,7 @@ services must first be added to Istio’s internal service registry using th
     ServiceEntry resource. VirtualServices can then be defined to control traffic
     bound to these external services. For example, the following rules define a
     Service for wikipedia.org and set a timeout of 5s for HTTP requests.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: external-svc-wikipedia
    @@ -332,7 +332,7 @@ spec:
         protocol: HTTP
       resolution: DNS
     ---
    -apiVersion: networking.istio.io/v1beta1
    +apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: my-wiki-rule
    @@ -638,7 +638,7 @@ No
     

    Describes the delegate VirtualService. The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, forward the traffic to /reviews by a delegate VirtualService named reviews.

    -
    apiVersion: networking.istio.io/v1alpha3
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: bookinfo
    @@ -661,7 +661,7 @@ spec:
             name: reviews
             namespace: nsB
     
    -
    apiVersion: networking.istio.io/v1alpha3
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: productpage
    @@ -678,7 +678,7 @@ spec:
         - destination:
             host: productpage.nsA.svc.cluster.local
     
    -
    apiVersion: networking.istio.io/v1alpha3
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: reviews
    @@ -735,7 +735,7 @@ The following VirtualService adds a test header with the value reviews service destination.
     It also removes the foo response header, but only from responses
     coming from the v1 subset (version) of the reviews service.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: reviews-route
    @@ -805,7 +805,7 @@ No
     traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
     traffic arriving at port 443 of gateway called “mygateway” to internal
     services in the mesh based on the SNI value.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: bookinfo-sni
    @@ -874,7 +874,7 @@ No
     

    Describes match conditions and actions for routing TCP traffic. The following routing rule forwards traffic arriving at port 27017 for mongo.prod.svc.cluster.local to another Mongo server on port 5555.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: bookinfo-mongo
    @@ -936,7 +936,7 @@ rule to be applied to the HTTP request. For example, the following
     restricts the rule to match only requests where the URL path
     starts with /ratings/v2/ and the request contains a custom end-user header
     with value jason.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -1246,7 +1246,7 @@ determine the proportion of traffic it receives. For example, the
     following rule will route 25% of traffic for the “reviews” service to
     instances with the “v2” tag and the remaining traffic (i.e., 75%) to
     “v1”.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: reviews-route
    @@ -1265,7 +1265,7 @@ spec:
           weight: 75
     

    And the associated DestinationRule

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: DestinationRule
     metadata:
       name: reviews-destination
    @@ -1282,7 +1282,7 @@ spec:
     

    Traffic can also be split across two entirely different services without having to define new subsets. For example, the following rule forwards 25% of traffic to reviews.com to dev.reviews.com

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: reviews-route-two-domains
    @@ -1577,7 +1577,7 @@ where the Authority/Host and the URI in the response can be swapped with
     the specified values. For example, the following rule redirects
     requests for /v1/getProductRatings API on the ratings service to
     /v1/bookRatings provided by the bookratings service.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -1689,7 +1689,7 @@ No
     

    HTTPDirectResponse can be used to send a fixed response to clients. For example, the following rule returns a fixed 503 status with a body to requests for /v1/getProductRatings API.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -1708,7 +1708,7 @@ spec:
     

    It is also possible to specify a binary response body. This is mostly useful for non text-based protocols such as gRPC.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -1728,7 +1728,7 @@ spec:
     

    It is good practice to add headers in the HTTPRoute as well as the direct_response, for example to specify the returned Content-Type.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -1830,7 +1830,7 @@ before forwarding the request to the destination. Rewrite primitive can
     be used only with HTTPRouteDestination. The following example
     demonstrates how to rewrite the URL prefix for api call (/ratings) to
     ratings service before making the actual API call.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -2000,7 +2000,7 @@ example, the following rule sets the maximum number of retries to 3 when
     calling ratings:v1 service, with a 2s timeout per retry attempt.
     A retry will be attempted if there is a connect-failure, refused_stream
     or when the upstream server responds with Service Unavailable(503).

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -2097,7 +2097,7 @@ the following rule restricts cross origin requests to those originating
     from example.com domain using HTTP POST/GET, and sets the
     Access-Control-Allow-Credentials header to false. In addition, it only
     exposes X-Foo-bar header and sets an expiry period of 1 day.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    @@ -2413,7 +2413,7 @@ No
     forwarding path. The following example will introduce a 5 second delay
     in 1 out of every 1000 requests to the “v1” version of the “reviews”
     service from all pods with label env: prod

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: reviews-route
    @@ -2493,7 +2493,7 @@ No
     

    Abort specification is used to prematurely abort a request with a pre-specified error code. The following example will return an HTTP 400 error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: ratings-route
    diff --git a/content/zh/docs/reference/config/networking/workload-entry/index.html b/content/zh/docs/reference/config/networking/workload-entry/index.html
    index a8738615e4..77784ac778 100644
    --- a/content/zh/docs/reference/config/networking/workload-entry/index.html
    +++ b/content/zh/docs/reference/config/networking/workload-entry/index.html
    @@ -30,7 +30,7 @@ account. The service is exposed on port 80 to applications in the
     mesh. The HTTP traffic to this service is wrapped in Istio mutual
     TLS and sent to sidecars on VMs on target port 8080, that in turn
     forward it to the application on localhost on the same port.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: WorkloadEntry
     metadata:
       name: details-svc
    @@ -46,7 +46,7 @@ spec:
         instance-id: vm1
     

    and the associated service entry

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: details-svc
    @@ -69,7 +69,7 @@ its fully qualified DNS name. The service entry’s resolution
     mode should be changed to DNS to indicate that the client-side
     sidecars should dynamically resolve the DNS name at runtime before
     forwarding the request.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: WorkloadEntry
     metadata:
       name: details-svc
    @@ -85,7 +85,7 @@ spec:
         instance-id: vm1
     

    and the associated service entry

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: ServiceEntry
     metadata:
       name: details-svc
    @@ -109,7 +109,7 @@ to write a WorkloadEntry in the local cluster that represents
     the Workload(s) in the remote network with the given labels. A
     single WorkloadEntry with weights represent the aggregate of all
     the actual workloads in a given remote network.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: WorkloadEntry
     metadata:
       name: foo-workloads-cluster-2
    diff --git a/content/zh/docs/reference/config/networking/workload-group/index.html b/content/zh/docs/reference/config/networking/workload-group/index.html
    index 0c574323c9..9ed7ecd89a 100644
    --- a/content/zh/docs/reference/config/networking/workload-group/index.html
    +++ b/content/zh/docs/reference/config/networking/workload-group/index.html
    @@ -22,7 +22,7 @@ of workloads that will be registered under reviews in namespace
     instance during the bootstrap process, and the ports 3550 and 8080
     will be associated with the workload group and use service account default.
     app.kubernetes.io/version is just an arbitrary example of a label.

    -
    apiVersion: networking.istio.io/v1beta1
    +
    apiVersion: networking.istio.io/v1
     kind: WorkloadGroup
     metadata:
       name: reviews
    diff --git a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
    index b3b6488404..bbdb4bc41f 100644
    --- a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
    +++ b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
    @@ -205,12 +205,13 @@ No
     
    targetRefs PolicyTargetReference[] -

    Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

    +

    Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

    Currently, the following resource attachment types are supported:

    • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
    • +
    • kind: Service with "" in the same namespace. This type is only supported for waypoints.

    If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
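
Review bot: The added bullet "kind: Service with "" in the same namespace" drops the field name that the Gateway bullet above it spells out ("with group: gateway.networking.k8s.io"), so a reader cannot tell that the empty string is the group value. Suggest wording it as kind: Service with group: "" (the core API group), and using the same wording for the identical bullet in the other reference pages this patch touches.
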

    diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html index 93536a5eec..a9ffa0bf9c 100644 --- a/content/zh/docs/reference/config/security/authorization-policy/index.html +++ b/content/zh/docs/reference/config/security/authorization-policy/index.html @@ -230,12 +230,13 @@ No
    targetRefs PolicyTargetReference[] -

    Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

    +

    Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

    Currently, the following resource attachment types are supported:

    • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
    • +
    • kind: Service with "" in the same namespace. This type is only supported for waypoints.

    If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
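
Review bot: With targetRef becoming the list targetRefs, the new description says the targeted resources "determine which workloads the policy applies to" but not how several entries combine, or whether Gateway and Service entries may appear in the same list. For an AuthorizationPolicy that rule decides which workloads are actually covered, so please state it in this paragraph.
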

    @@ -611,8 +612,8 @@ To be a valid path template, the path must not contain *, {/foo/{*} matches /foo/bar but not /foo/bar/baz
  • /foo/{**}/ matches /foo/bar/, /foo/bar/baz.txt, and /foo// but not /foo/bar
  • /foo/{*}/bar/{**} matches /foo/buzz/bar/ and /foo/buzz/bar/baz
  • -
  • /*/baz/{*}`` is not a valid path template since it includes *` outside of a supported operator
  • -
  • /**/baz/{*}`` is not a valid path template since it includes **` outside of a supported operator
  • +
  • /*/baz/{*} is not a valid path template since it includes * outside of a supported operator
  • +
  • /**/baz/{*} is not a valid path template since it includes ** outside of a supported operator
  • /{**}/foo/{*} is not a valid path template since {**} is not the last operator
  • /foo/{*}.txt is invalid since there are characters other than {*} in the path segment
  • @@ -819,7 +820,7 @@ One example use case of the extension is to integrate with a custom external aut the authorization decision to it.

    The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension my-custom-authz if the request path has prefix /admin/.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: AuthorizationPolicy
     metadata:
       name: ext-authz
    diff --git a/content/zh/docs/reference/config/security/peer_authentication/index.html b/content/zh/docs/reference/config/security/peer_authentication/index.html
    index 29f7bed3de..a3d773fcef 100644
    --- a/content/zh/docs/reference/config/security/peer_authentication/index.html
    +++ b/content/zh/docs/reference/config/security/peer_authentication/index.html
    @@ -18,7 +18,7 @@ Development of PeerAuthentication is currently frozen and likely to be replaced
     PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

    Examples:

    Policy to allow mTLS traffic for all workloads under namespace foo:

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    @@ -30,7 +30,7 @@ spec:
     

    For mesh level, put the policy in root-namespace according to your Istio installation.

    Policies to allow both mTLS and plaintext traffic for all workloads under namespace foo, but require mTLS for workload finance.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    @@ -39,7 +39,7 @@ spec:
       mtls:
         mode: PERMISSIVE
     ---
    -apiVersion: security.istio.io/v1beta1
    +apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: finance
    @@ -54,7 +54,7 @@ spec:
     

    Policy that enables strict mTLS for all finance workloads, but leaves the port 8080 to plaintext. Note the port value in the portLevelMtls field refers to the port of the workload, not the port of the Kubernetes service.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    @@ -71,7 +71,7 @@ spec:
     

    Policy that inherits mTLS mode from namespace (or mesh) settings, and disables mTLS for workload port 8080.

    -
    apiVersion: security.istio.io/v1beta1
    +
    apiVersion: security.istio.io/v1
     kind: PeerAuthentication
     metadata:
       name: default
    diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html
    index b2012fc93a..aef92e9147 100644
    --- a/content/zh/docs/reference/config/security/request_authentication/index.html
    +++ b/content/zh/docs/reference/config/security/request_authentication/index.html
    @@ -179,7 +179,7 @@ spec:
         - source:
             requestPrincipals: ["*"]
     ---
    -apiVersion: networking.istio.io/v1alpha3
    +apiVersion: networking.istio.io/v1
     kind: VirtualService
     metadata:
       name: route-jwt
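
Review bot: Only the VirtualService after the --- separator is bumped in this hunk (networking.istio.io/v1alpha3 to v1); the resource above the separator, the one carrying requestPrincipals: ["*"], appears only as context, so its apiVersion is not visible here. Please check that the whole multi-document example ends up on v1, since a sample that mixes API versions gets copied as is.
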
    @@ -234,12 +234,13 @@ No
     
    targetRefs PolicyTargetReference[] -

    Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

    +

    Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

    Currently, the following resource attachment types are supported:

    • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
    • +
    • kind: Service with "" in the same namespace. This type is only supported for waypoints.

    If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

    diff --git a/content/zh/docs/reference/config/telemetry/index.html b/content/zh/docs/reference/config/telemetry/index.html index b17ea8a7e9..7c5769a6d9 100644 --- a/content/zh/docs/reference/config/telemetry/index.html +++ b/content/zh/docs/reference/config/telemetry/index.html @@ -25,7 +25,7 @@ selecting any given workload.

    Examples

    Policy to enable random sampling for 10% of traffic:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -37,7 +37,7 @@ spec:
     

    Policy to disable trace reporting for the foo workload (note: tracing context will still be propagated):

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: foo-tracing
    @@ -50,7 +50,7 @@ spec:
       - disableSpanReporting: true
     

    Policy to select the alternate zipkin provider for trace reporting:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: foo-tracing-alternate
    @@ -65,7 +65,7 @@ spec:
         randomSamplingPercentage: 10.00
     

    Policy to tailor the zipkin provider to sample traces from Client workloads only:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -78,7 +78,7 @@ spec:
         - name: "zipkin"
     

    Policy to add a custom tag from a literal value:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -93,7 +93,7 @@ spec:
               value: "foo"
     

    Policy to disable server-side metrics for Prometheus for an entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -110,7 +110,7 @@ spec:
           disabled: true
     

    Policy to add dimensions to all Prometheus metrics for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: namespace-metrics
    @@ -130,7 +130,7 @@ spec:
     

    Policy to remove the response_code dimension on some Prometheus metrics for the bar.foo workload:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: remove-response-code
    @@ -165,7 +165,7 @@ spec:
               operation: REMOVE
     

    Policy to enable access logging for the entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: mesh-default
    @@ -181,7 +181,7 @@ spec:
         # those cases, `disabled: false` must be set explicitly to override.
     

    Policy to disable access logging for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
    +
    apiVersion: telemetry.istio.io/v1
     kind: Telemetry
     metadata:
       name: namespace-no-log
    @@ -223,12 +223,13 @@ No
     
    targetRefs PolicyTargetReference[] -

    Optional. The targetRef specifies the gateway the policy should be -applied to. The targeted resource specified will determine which -workloads the policy applies to.

    +

    Optional. The targetRefs specifies a list of resources the policy should be +applied to. The targeted resources specified will determine which workloads +the policy applies to.

    Currently, the following resource attachment types are supported:

    • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
    • +
    • kind: Service with "" in the same namespace. This type is only supported for waypoints.

    If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

    diff --git a/content/zh/docs/reference/config/type/workload-selector/index.html b/content/zh/docs/reference/config/type/workload-selector/index.html index 8c206cebec..5d378d7280 100644 --- a/content/zh/docs/reference/config/type/workload-selector/index.html +++ b/content/zh/docs/reference/config/type/workload-selector/index.html @@ -74,9 +74,9 @@ Yes
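
Review bot: In the workload-selector example hunk (@@ -91,8 +91,8 @@), only the targetRef: and name: lines change to targetRefs: and - name: waypoint, while kind: Gateway and group: gateway.networking.k8s.io stay as unchanged context. Please verify that those two lines still sit at the same indentation as name after the dash, otherwise they fall outside the list item and the sample no longer parses as intended. The description above it also still says a reference "must only target a single resource at a time"; a sentence noting that each list entry is one such reference would reconcile it with the plural field.
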
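
Review bot: In data/features.yaml the new Ambient entries omit the link and nextExpectedPromotion keys that the preceding Core entry carries (link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/", nextExpectedPromotion: ""), and the file now ends with "\ No newline at end of file". Please confirm that whatever renders this file tolerates the missing keys, or add them (empty if need be), and restore the trailing newline.
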

    PolicyTargetReference

    -

    PolicyTargetReference format as defined by GEP-713.

    -

    PolicyTargetReferences specifies the targeted resource which the policy -can be applied to. It must only target a single resource at a time, but it +

    PolicyTargetReference format as defined by GEP-2648.

    +

    PolicyTargetReference specifies the targeted resource which the policy +should be applied to. It must only target a single resource at a time, but it can be used to target larger resources such as Gateways that may apply to multiple child resources. The PolicyTargetReference will be used instead of a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, @@ -91,8 +91,8 @@ metadata: name: httpbin namespace: foo spec: - targetRef: - name: waypoint + targetRefs: + - name: waypoint kind: Gateway group: gateway.networking.k8s.io action: DENY diff --git a/data/features.yaml b/data/features.yaml index b5b650af3e..d04777f96a 100644 --- a/data/features.yaml +++ b/data/features.yaml @@ -414,3 +414,49 @@ features: link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/" nextExpectedPromotion: "" area: Core + # Ambient + - name: "Ztunnel Core" + level: + checklist: features/ambient.md + maturity: Beta + area: Ambient + - name: "Waypoints Core" + level: + checklist: features/ambient.md + maturity: Beta + area: Ambient + - name: "Authorization Policies" + level: + checklist: features/ambient.md + maturity: Beta + area: Ambient + - name: "Gateway API (HTTPRoute)" + level: + checklist: features/ambient.md + maturity: Beta + area: Ambient + - name: "Sidecar Interop" + level: + checklist: features/ambient.md + maturity: Alpha + area: Ambient + - name: "DNS Proxying" + level: + checklist: features/ambient.md + maturity: Alpha + area: Ambient + - name: "Multi-cluster" + level: + checklist: features/ambient.md + maturity: Alpha + area: Ambient + - name: "Multi-network" + level: + checklist: features/ambient.md + maturity: Experimental + area: Ambient + - name: "Dual Stack, IPv6" + level: + checklist: features/ambient.md + maturity: Experimental + area: Ambient \ No newline at end of file