istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Automator: update istio.io@master reference docs (#6976) 

* Automator: update istio.io@master reference docs

* Updates to fix automated doc changes

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
This commit is contained in:
Istio Automation 2020-04-06 17:16:32 -07:00 committed by GitHub
parent a51d8af8db
commit 21e890610f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 461 additions and 878 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
content/en/blog/2019/performance-best-practices/index.md
View File

@ -33,7 +33,7 @@ Say you run 2,000 Envoy-injected pods, each handling 1,000 requests per second.
It is also important to focus on data plane performance for **latency** reasons. This is because most application requests move through the Istio data plane, not the control plane. There are two exceptions:
1. **Telemetry reporting:** Each proxy sends raw telemetry data to {{<gloss>}}Mixer{{</gloss>}}, which Mixer processes into metrics, traces, and other telemetry. The raw telemetry data is similar to access logs, and therefore comes at a cost. Access log processing consumes CPU and keeps a worker thread from picking up the next unit of work. At higher throughput, it is more likely that the next unit of work is waiting in the queue to be picked up by the worker. This can lead to long-tail (99th percentile) latency for Envoy.
1. **Custom policy checks:** When using [custom Istio policy adapters](/docs/concepts/observability/), policy checks are on the request path. This means that request headers and metadata on the data path will be sent to the control plane (Mixer), resulting in higher request latency. **Note:** These policy checks are [disabled by default](/docs/reference/config/installation-options/#global-options), as the most common policy use case ([RBAC](/docs/reference/config/security/istio.rbac.v1alpha1)) is performed entirely by the Envoy proxies.
1. **Custom policy checks:** When using [custom Istio policy adapters](/docs/concepts/observability/), policy checks are on the request path. This means that request headers and metadata on the data path will be sent to the control plane (Mixer), resulting in higher request latency. **Note:** These policy checks are [disabled by default](/docs/reference/config/installation-options/#global-options), as the most common policy use case ([RBAC](https://archive.istio.io/1.4/docs/reference/config/security/istio.rbac.v1alpha1)) is performed entirely by the Envoy proxies.
Both of these exceptions will go away in a future Istio release, when [Mixer V2](https://docs.google.com/document/d/1QKmtem5jU_2F3Lh5SqLp0IuPb80_70J7aJEYu4_gS-s) moves all policy and telemetry features directly into the proxies.

2
content/en/docs/concepts/security/index.md
View File

@ -290,7 +290,7 @@ As you'll remember from the
authentication policies apply to requests that a service receives. To specify
client-side authentication rules in mutual TLS, you need to specify the
`TLSSettings` in the `DestinationRule`. You can find more information in our
[TLS settings reference docs](/docs/reference/config/networking/destination-rule/#TLSSettings).
[TLS settings reference docs](/docs/reference/config/networking/destination-rule#ClientTLSSettings).
Like other Istio configurations, you can specify authentication policies in
`.yaml` files. You deploy policies using `kubectl`.

24
content/en/docs/reference/commands/galley/index.html
View File

@ -31,12 +31,12 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -61,7 +61,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -101,12 +101,12 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -131,7 +131,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -271,12 +271,12 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -301,7 +301,7 @@ remove_toc_prefix: 'galley '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -468,12 +468,12 @@ validation:
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -498,7 +498,7 @@ validation:
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, default, grpcAdapter, mcp, model, processing, rbac, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>

198
content/en/docs/reference/commands/istioctl/index.html
View File

@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
title: istioctl
description: Istio control interface.
generator: pkg-collateral-docs
number_of_entries: 76
number_of_entries: 77
max_toc_level: 2
remove_toc_prefix: 'istioctl '
---
@ -103,7 +103,7 @@ debug and diagnose their Istio mesh.
<tr>
<td><code>--output &lt;string&gt;</code></td>
<td><code>-o</code></td>
<td>Output format: one of [json yaml log] (default `log`)</td>
<td>Output format: one of [log json yaml] (default `log`)</td>
</tr>
<tr>
<td><code>--output-threshold &lt;Level&gt;</code></td>
@ -263,6 +263,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -282,6 +287,11 @@ istioctl d [flags]
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
</tbody>
</table>
<h2 id="istioctl-dashboard-controlz">istioctl dashboard controlz</h2>
@ -298,6 +308,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -323,6 +338,11 @@ istioctl d [flags]
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
<tr>
<td><code>--selector &lt;string&gt;</code></td>
<td><code>-l</code></td>
<td>label selector (default ``)</td>
@ -346,6 +366,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -366,6 +391,11 @@ istioctl d [flags]
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
<tr>
<td><code>--selector &lt;string&gt;</code></td>
<td><code>-l</code></td>
<td>label selector (default ``)</td>
@ -389,6 +419,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -408,6 +443,11 @@ istioctl d [flags]
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-dashboard-grafana Examples">Examples</h3>
@ -427,6 +467,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -446,6 +491,11 @@ istioctl d [flags]
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-dashboard-jaeger Examples">Examples</h3>
@ -465,6 +515,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -484,6 +539,11 @@ istioctl d [flags]
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-dashboard-kiali Examples">Examples</h3>
@ -503,6 +563,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -522,6 +587,11 @@ istioctl d [flags]
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-dashboard-prometheus Examples">Examples</h3>
@ -541,6 +611,11 @@ istioctl d [flags]
</thead>
<tbody>
<tr>
<td><code>--address &lt;string&gt;</code></td>
<td></td>
<td>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -560,6 +635,11 @@ istioctl d [flags]
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td><code>-p</code></td>
<td>Local port to listen to (default `0`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-dashboard-zipkin Examples">Examples</h3>
@ -759,6 +839,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
<tr>
<td><code>--valuesFile &lt;string&gt;</code></td>
<td></td>
<td>injection values configuration filename. (default ``)</td>
@ -910,6 +995,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
<tr>
<td><code>--valuesFile &lt;string&gt;</code></td>
<td></td>
<td>injection values configuration filename. (default ``)</td>
@ -2382,6 +2472,105 @@ istioctl experimental wait --for=distribution virtualservice bookinfo.default
# Wait until 99% of the proxies receive the distribution, timing out after 5 minutes
istioctl experimental wait --for=distribution --threshold=.99 --timeout=300 virtualservice bookinfo.default
</code></pre>
<h2 id="istioctl-install">istioctl install</h2>
<p>The install generates an Istio install manifest and applies it to a cluster.</p>
<pre class="language-bash"><code>istioctl install [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--dry-run</code></td>
<td></td>
<td>Console/log output only, make no changes. </td>
</tr>
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)</td>
</tr>
<tr>
<td><code>--force</code></td>
<td></td>
<td>Proceed even with validation errors </td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--readiness-timeout &lt;duration&gt;</code></td>
<td></td>
<td>Maximum seconds to wait for all Istio resources to be ready. The --wait flag must be set for this flag to apply (default `5m0s`)</td>
</tr>
<tr>
<td><code>--set &lt;stringArray&gt;</code></td>
<td><code>-s</code></td>
<td>Override an IstioOperator value, e.g. to choose a profile
(--set profile=demo), enable or disable components (--set components.policy.enabled=true), or override Istio
settings (--set values.grafana.enabled=true). See documentation for more info:
https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControlPlaneSpec (default `[]`)</td>
</tr>
<tr>
<td><code>--skip-confirmation</code></td>
<td><code>-y</code></td>
<td>skipConfirmation determines whether the user is prompted for confirmation.
If set to true, the user is not prompted and a Yes response is assumed in all cases. </td>
</tr>
<tr>
<td><code>--verbose</code></td>
<td></td>
<td>Verbose output. </td>
</tr>
<tr>
<td><code>--wait</code></td>
<td><code>-w</code></td>
<td>Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of --readiness-timeout seconds </td>
</tr>
</tbody>
</table>
<h3 id="istioctl-install Examples">Examples</h3>
<pre class="language-bash"><code> # Apply a default Istio installation
istioctl install
# Enable grafana dashboard
istioctl install --set values.grafana.enabled=true
# Generate the demo profile and don&#39;t wait for confirmation
istioctl install --set profile=demo --skip-confirmation
# To override a setting that includes dots, escape them with a backslash (\). Your shell may require enclosing quotes.
istioctl install --set &#34;values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default&#34;
</code></pre>
<h2 id="istioctl-kube-inject">istioctl kube-inject</h2>
<p></p>
@ -2460,6 +2649,11 @@ kube-inject on deployments to get the most up-to-date changes.
<td>Modified output Kubernetes resource filename (default ``)</td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
<tr>
<td><code>--valuesFile &lt;string&gt;</code></td>
<td></td>
<td>injection values configuration filename. (default ``)</td>

36
content/en/docs/reference/commands/pilot-agent/index.html
View File

@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -81,12 +81,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -111,7 +111,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -206,12 +206,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -236,7 +236,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -313,11 +313,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -337,7 +337,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -411,11 +411,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -435,7 +435,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -464,12 +464,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -494,7 +494,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, cache, citadelclient, configmapcontroller, default, googleca, model, rbac, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>

29
content/en/docs/reference/commands/pilot-discovery/index.html
View File

@ -43,11 +43,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -67,7 +67,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -166,12 +166,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -196,7 +196,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -303,11 +303,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -327,7 +327,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -381,12 +381,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -411,7 +411,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, rbac, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -828,11 +828,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>citadel_secret_controller_csr_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when creating the CSR.</td></tr>
<tr><td><code>citadel_secret_controller_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>citadel_secret_controller_secret_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates recreated due to secret deletion (service account still exists).</td></tr>
<tr><td><code>citadel_secret_controller_svc_acc_created_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates created due to service account creation.</td></tr>
<tr><td><code>citadel_secret_controller_svc_acc_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates deleted due to service account deletion.</td></tr>
<tr><td><code>citadel_server_authentication_failure_count</code></td><td><code>Sum</code></td><td>The number of authentication failures.</td></tr>
<tr><td><code>citadel_server_csr_count</code></td><td><code>Sum</code></td><td>The number of CSRs received by Citadel server.</td></tr>
<tr><td><code>citadel_server_csr_parsing_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when parsing the CSR.</td></tr>

2
content/en/docs/reference/config/analysis/ist0113/index.md
View File

@ -113,7 +113,7 @@ You can fix the conflict by doing one of the following:
* Modifying policy resource `my-namespace/my-policy` to require mutual TLS as an
authentication mode. In general this is done by adding a `peers` attribute to
the resource with a child of `mtls`. You can read more about how this is
achieved on the [reference page for policy objects](/docs/reference/config/security/istio.authentication.v1alpha1/#Policy).
achieved on the [reference page for policy objects](https://archive.istio.io/1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy).
* Modifying destination rule `istio-system/default-rule` to not use mutual TLS by
removing the `ISTIO_MUTUAL` traffic policy. Note that `default-rule` is in the
`istio-system` namespace - by default, the `istio-system` namespace is

19
content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
View File

@ -205,17 +205,6 @@ No
<p>Address of the discovery service exposing xDS with mTLS connection.
The inject configuration may override this value.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-connect_timeout">
<td><code>connectTimeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>Connection timeout used by Envoy for supporting services. (MUST BE &gt;=1ms)</p>
</td>
<td>
No
@ -417,7 +406,7 @@ No
</tr>
<tr id="RemoteService-tls_settings">
<td><code>tlsSettings</code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule.html#TLSSettings">TLSSettings</a></code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>Use the tls_settings to specify the tls mode to use. If the remote service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
@ -894,14 +883,14 @@ No
<p>This flag is used to enable mutual TLS automatically for service to service communication
within the mesh, default false.
If set to true, and a given service does not have a corresponding DestinationRule configured,
or its DestinationRule does not have TLSSettings specified, Istio configures client side
or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side
TLS configuration appropriately. More specifically,
If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
for mutual TLS to connect to upstream.
If upstream service is in plain text mode, use plain text.
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
mutual TLS when server sides are capable of accepting mutual TLS traffic.
If service DestinationRule exists and has TLSSettings specified, that is always used instead.</p>
If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.</p>
</td>
<td>
@ -1215,7 +1204,7 @@ No
</tr>
<tr id="ConfigSource-tls_settings">
<td><code>tlsSettings</code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule.html#TLSSettings">TLSSettings</a></code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>Use the tls<em>settings to specify the tls mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS

34
content/en/docs/reference/config/networking/destination-rule/index.html
View File

@ -300,7 +300,7 @@ No
</tr>
<tr id="TrafficPolicy-tls">
<td><code>tls</code></td>
<td><code><a href="#TLSSettings">TLSSettings</a></code></td>
<td><code><a href="#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>TLS related settings for connections to the upstream service.</p>
@ -390,7 +390,7 @@ a route rule explicitly sends traffic to this subset.</p>
<p>One or more labels are typically required to identify the subset destination,
however, when the corresponding DestinationRule represents a host that
supports multiple SNI hosts (e.g., an egress gateway), a subset without labels
may be meaningful. In this case a traffic policy with <a href="#TLSSettings">TLSSettings</a>
may be meaningful. In this case a traffic policy with <a href="#ClientTLSSettings">ClientTLSSettings</a>
can be used to identify a specific SNI host corresponding to the named subset.</p>
<table class="message-fields">
@ -839,7 +839,7 @@ No
</tbody>
</table>
</section>
<h2 id="TLSSettings">TLSSettings</h2>
<h2 id="ClientTLSSettings">ClientTLSSettings</h2>
<section>
<p>SSL/TLS related settings for upstream connections. See Envoy&rsquo;s <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto.html">TLS
context</a>
@ -966,9 +966,9 @@ spec:
</tr>
</thead>
<tbody>
<tr id="TLSSettings-mode">
<tr id="ClientTLSSettings-mode">
<td><code>mode</code></td>
<td><code><a href="#TLSSettings-TLSmode">TLSmode</a></code></td>
<td><code><a href="#ClientTLSSettings-TLSmode">TLSmode</a></code></td>
<td>
<p>Indicates whether connections to this port should be secured
using TLS. The value of this field determines how TLS is enforced.</p>
@ -978,7 +978,7 @@ using TLS. The value of this field determines how TLS is enforced.</p>
Yes
</td>
</tr>
<tr id="TLSSettings-client_certificate">
<tr id="ClientTLSSettings-client_certificate">
<td><code>clientCertificate</code></td>
<td><code>string</code></td>
<td>
@ -991,7 +991,7 @@ Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p>
No
</td>
</tr>
<tr id="TLSSettings-private_key">
<tr id="ClientTLSSettings-private_key">
<td><code>privateKey</code></td>
<td><code>string</code></td>
<td>
@ -1004,7 +1004,7 @@ Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p>
No
</td>
</tr>
<tr id="TLSSettings-ca_certificates">
<tr id="ClientTLSSettings-ca_certificates">
<td><code>caCertificates</code></td>
<td><code>string</code></td>
<td>
@ -1018,7 +1018,7 @@ Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p>
No
</td>
</tr>
<tr id="TLSSettings-subject_alt_names">
<tr id="ClientTLSSettings-subject_alt_names">
<td><code>subjectAltNames</code></td>
<td><code>string[]</code></td>
<td>
@ -1033,7 +1033,7 @@ from the ServiceEntry.</p>
No
</td>
</tr>
<tr id="TLSSettings-sni">
<tr id="ClientTLSSettings-sni">
<td><code>sni</code></td>
<td><code>string</code></td>
<td>
@ -1210,7 +1210,7 @@ No
</tr>
<tr id="TrafficPolicy-PortTrafficPolicy-tls">
<td><code>tls</code></td>
<td><code><a href="#TLSSettings">TLSSettings</a></code></td>
<td><code><a href="#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>TLS related settings for connections to the upstream service.</p>
@ -1762,7 +1762,7 @@ This opt-in option overrides the default.</p>
</tbody>
</table>
</section>
<h2 id="TLSSettings-TLSmode">TLSSettings.TLSmode</h2>
<h2 id="ClientTLSSettings-TLSmode">ClientTLSSettings.TLSmode</h2>
<section>
<p>TLS connection mode</p>
@ -1774,21 +1774,21 @@ This opt-in option overrides the default.</p>
</tr>
</thead>
<tbody>
<tr id="TLSSettings-TLSmode-DISABLE">
<tr id="ClientTLSSettings-TLSmode-DISABLE">
<td><code>DISABLE</code></td>
<td>
<p>Do not setup a TLS connection to the upstream endpoint.</p>
</td>
</tr>
<tr id="TLSSettings-TLSmode-SIMPLE">
<tr id="ClientTLSSettings-TLSmode-SIMPLE">
<td><code>SIMPLE</code></td>
<td>
<p>Originate a TLS connection to the upstream endpoint.</p>
</td>
</tr>
<tr id="TLSSettings-TLSmode-MUTUAL">
<tr id="ClientTLSSettings-TLSmode-MUTUAL">
<td><code>MUTUAL</code></td>
<td>
<p>Secure connections to the upstream using mutual TLS by presenting
@ -1796,14 +1796,14 @@ client certificates for authentication.</p>
</td>
</tr>
<tr id="TLSSettings-TLSmode-ISTIO_MUTUAL">
<tr id="ClientTLSSettings-TLSmode-ISTIO_MUTUAL">
<td><code>ISTIO_MUTUAL</code></td>
<td>
<p>Secure connections to the upstream using mutual TLS by presenting
client certificates for authentication.
Compared to Mutual mode, this mode uses certificates generated
automatically by Istio for mTLS authentication. When this mode is
used, all other fields in <code>TLSSettings</code> should be empty.</p>
used, all other fields in <code>ClientTLSSettings</code> should be empty.</p>
</td>
</tr>

58
content/en/docs/reference/config/networking/gateway/index.html
View File

@ -595,7 +595,7 @@ Yes
</tr>
<tr id="Server-tls">
<td><code>tls</code></td>
<td><code><a href="#Server-TLSOptions">TLSOptions</a></code></td>
<td><code><a href="#ServerTLSSettings">ServerTLSSettings</a></code></td>
<td>
<p>Set of TLS related options that govern the server&rsquo;s behavior. Use
these options to control if all http requests should be redirected to
@ -662,7 +662,7 @@ No
</tbody>
</table>
</section>
<h2 id="Server-TLSOptions">Server.TLSOptions</h2>
<h2 id="ServerTLSSettings">ServerTLSSettings</h2>
<section>
<table class="message-fields">
<thead>
@ -674,7 +674,7 @@ No
</tr>
</thead>
<tbody>
<tr id="Server-TLSOptions-https_redirect">
<tr id="ServerTLSSettings-https_redirect">
<td><code>httpsRedirect</code></td>
<td><code>bool</code></td>
<td>
@ -686,9 +686,9 @@ all http connections, asking the clients to use HTTPS.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-mode">
<tr id="ServerTLSSettings-mode">
<td><code>mode</code></td>
<td><code><a href="#Server-TLSOptions-TLSmode">TLSmode</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSmode">TLSmode</a></code></td>
<td>
<p>Optional: Indicates whether connections to this port should be
secured using TLS. The value of this field determines how TLS is
@ -699,7 +699,7 @@ enforced.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-server_certificate">
<tr id="ServerTLSSettings-server_certificate">
<td><code>serverCertificate</code></td>
<td><code>string</code></td>
<td>
@ -711,7 +711,7 @@ holding the server-side TLS certificate to use.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-private_key">
<tr id="ServerTLSSettings-private_key">
<td><code>privateKey</code></td>
<td><code>string</code></td>
<td>
@ -723,7 +723,7 @@ holding the server&rsquo;s private key.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-ca_certificates">
<tr id="ServerTLSSettings-ca_certificates">
<td><code>caCertificates</code></td>
<td><code>string</code></td>
<td>
@ -736,7 +736,7 @@ client side certificate.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-credential_name">
<tr id="ServerTLSSettings-credential_name">
<td><code>credentialName</code></td>
<td><code>string</code></td>
<td>
@ -753,7 +753,7 @@ feature is enabled in the proxy by setting
No
</td>
</tr>
<tr id="Server-TLSOptions-subject_alt_names">
<tr id="ServerTLSSettings-subject_alt_names">
<td><code>subjectAltNames</code></td>
<td><code>string[]</code></td>
<td>
@ -765,7 +765,7 @@ certificate presented by the client.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-verify_certificate_spki">
<tr id="ServerTLSSettings-verify_certificate_spki">
<td><code>verifyCertificateSpki</code></td>
<td><code>string[]</code></td>
<td>
@ -780,7 +780,7 @@ certificate being accepted.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-verify_certificate_hash">
<tr id="ServerTLSSettings-verify_certificate_hash">
<td><code>verifyCertificateHash</code></td>
<td><code>string[]</code></td>
<td>
@ -796,9 +796,9 @@ certificate being accepted.</p>
No
</td>
</tr>
<tr id="Server-TLSOptions-min_protocol_version">
<tr id="ServerTLSSettings-min_protocol_version">
<td><code>minProtocolVersion</code></td>
<td><code><a href="#Server-TLSOptions-TLSProtocol">TLSProtocol</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
<td>
<p>Optional: Minimum TLS protocol version.</p>
@ -807,9 +807,9 @@ No
No
</td>
</tr>
<tr id="Server-TLSOptions-max_protocol_version">
<tr id="ServerTLSSettings-max_protocol_version">
<td><code>maxProtocolVersion</code></td>
<td><code><a href="#Server-TLSOptions-TLSProtocol">TLSProtocol</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
<td>
<p>Optional: Maximum TLS protocol version.</p>
@ -818,7 +818,7 @@ No
No
</td>
</tr>
<tr id="Server-TLSOptions-cipher_suites">
<tr id="ServerTLSSettings-cipher_suites">
<td><code>cipherSuites</code></td>
<td><code>string[]</code></td>
<td>
@ -833,7 +833,7 @@ No
</tbody>
</table>
</section>
<h2 id="Server-TLSOptions-TLSmode">Server.TLSOptions.TLSmode</h2>
<h2 id="ServerTLSSettings-TLSmode">ServerTLSSettings.TLSmode</h2>
<section>
<p>TLS modes enforced by the proxy</p>
@ -845,7 +845,7 @@ No
</tr>
</thead>
<tbody>
<tr id="Server-TLSOptions-TLSmode-PASSTHROUGH">
<tr id="ServerTLSSettings-TLSmode-PASSTHROUGH">
<td><code>PASSTHROUGH</code></td>
<td>
<p>The SNI string presented by the client will be used as the
@ -854,14 +854,14 @@ the destination service from the service registry.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSmode-SIMPLE">
<tr id="ServerTLSSettings-TLSmode-SIMPLE">
<td><code>SIMPLE</code></td>
<td>
<p>Secure connections with standard TLS semantics.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSmode-MUTUAL">
<tr id="ServerTLSSettings-TLSmode-MUTUAL">
<td><code>MUTUAL</code></td>
<td>
<p>Secure connections to the downstream using mutual TLS by
@ -869,7 +869,7 @@ presenting server certificates for authentication.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSmode-AUTO_PASSTHROUGH">
<tr id="ServerTLSSettings-TLSmode-AUTO_PASSTHROUGH">
<td><code>AUTO_PASSTHROUGH</code></td>
<td>
<p>Similar to the passthrough mode, except servers with this TLS
@ -886,7 +886,7 @@ the destination are using Istio mTLS to secure traffic.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSmode-ISTIO_MUTUAL">
<tr id="ServerTLSSettings-TLSmode-ISTIO_MUTUAL">
<td><code>ISTIO_MUTUAL</code></td>
<td>
<p>Secure connections from the downstream using mutual TLS by
@ -901,7 +901,7 @@ fields in <code>TLSOptions</code> should be empty.</p>
</tbody>
</table>
</section>
<h2 id="Server-TLSOptions-TLSProtocol">Server.TLSOptions.TLSProtocol</h2>
<h2 id="ServerTLSSettings-TLSProtocol">ServerTLSSettings.TLSProtocol</h2>
<section>
<p>TLS protocol versions.</p>
@ -913,35 +913,35 @@ fields in <code>TLSOptions</code> should be empty.</p>
</tr>
</thead>
<tbody>
<tr id="Server-TLSOptions-TLSProtocol-TLS_AUTO">
<tr id="ServerTLSSettings-TLSProtocol-TLS_AUTO">
<td><code>TLS_AUTO</code></td>
<td>
<p>Automatically choose the optimal TLS version.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSProtocol-TLSV1_0">
<tr id="ServerTLSSettings-TLSProtocol-TLSV1_0">
<td><code>TLSV1_0</code></td>
<td>
<p>TLS version 1.0</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSProtocol-TLSV1_1">
<tr id="ServerTLSSettings-TLSProtocol-TLSV1_1">
<td><code>TLSV1_1</code></td>
<td>
<p>TLS version 1.1</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSProtocol-TLSV1_2">
<tr id="ServerTLSSettings-TLSProtocol-TLSV1_2">
<td><code>TLSV1_2</code></td>
<td>
<p>TLS version 1.2</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSProtocol-TLSV1_3">
<tr id="ServerTLSSettings-TLSProtocol-TLSV1_3">
<td><code>TLSV1_3</code></td>
<td>
<p>TLS version 1.3</p>

164
content/en/docs/reference/config/networking/sidecar/index.html
View File

@ -8,7 +8,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.Sidecar
aliases: [/docs/reference/config/networking/v1alpha3/sidecar]
number_of_entries: 7
number_of_entries: 8
---
<p><code>Sidecar</code> describes the configuration of the sidecar proxy that mediates
inbound and outbound communication to the workload instance it is attached to. By
@ -470,6 +470,22 @@ application to its requested destination. If not specified,
inherits the system detected defaults from the namespace-wide or
the global default Sidecar.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-localhost">
<td><code>localhost</code></td>
<td><code><a href="#Localhost">Localhost</a></code></td>
<td>
<p><code>Localhost</code> describes the sidecar settings related to the
communication between the sidecar and the workload it is attached to
in a Kubernetes Pod or a VM. These settings apply to all ingress
and egress listeners in a sidecar unless overridden. There are no
built in defaults for this setting. If not specified, the
features will be disabled.</p>
</td>
<td>
No
@ -547,6 +563,21 @@ connections. Format should be <code>127.0.0.1:PORT</code> or <code>unix:///path/
Yes
</td>
</tr>
<tr id="IstioIngressListener-localhost_client_tls">
<td><code>localhostClientTls</code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>TLS settings to be used by the sidecar (client) when forwarding
traffic from the sidecar to the workload (server) on the
localhost. Overrides the <code>localhost</code> level <code>clientTls</code> settings.</p>
<p><strong>NOTE</strong>: DISABLE, SIMPLE and MUTUAL are the only valid TLS modes.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
@ -660,6 +691,25 @@ in a future Istio release.</p>
Yes
</td>
</tr>
<tr id="IstioEgressListener-localhost_server_tls">
<td><code>localhostServerTls</code></td>
<td><code><a href="/docs/reference/config/networking/gateway.html#ServerTLSSettings">ServerTLSSettings</a></code></td>
<td>
<p>TLS settings to be used by the sidecar (server) when receiving
traffic from the workload (client) on the
localhost. Overrides the <code>localhost</code> level <code>serverTls</code> settings.</p>
<p><strong>NOTE</strong>: SIMPLE and MUTUAL are the only valid TLS
modes. <code>httpsRedirect</code> and <code>credentialName</code> (for fetching
certificates from Kubernetes secrets) are not valid. All
certificates must be mounted as files inside the sidecar
container.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
@ -728,6 +778,118 @@ services can be monitored.</p>
<td><code>mode</code></td>
<td><code><a href="#OutboundTrafficPolicy-Mode">Mode</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Localhost">Localhost</h2>
<section>
<p><code>Localhost</code> describes the sidecar settings related to the
communication between the sidecar and the workload it is attached
to in a Kubernetes Pod or a VM. These settings apply by default to all
ingress and egress listeners in a sidecar unless overridden.</p>
<p>The following example configures the sidecars on pods of the
reviews service to use TLS for traffic to/from the sidecar to the
workload in the same pod, assuming the appropriate
certificates are mounted in the sidecar.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: reviews-localhost-tls
namespace: prod-us1
spec:
workloadSelector:
labels:
app: reviews
localhost:
clientTls:
mode: SIMPLE
caCertificates: /etc/legacy/ca.pem
serverTls:
mode: SIMPLE
serverCertificate: /etc/legacy/server.pem
privateKey: /etc/legacy/private.pem
egress:
- hosts:
- &quot;./&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: reviews-localhost-tls
namespace: prod-us1
spec:
workloadSelector:
labels:
app: reviews
localhost:
clientTls:
mode: SIMPLE
caCertificates: /etc/legacy/ca.pem
serverTls:
mode: SIMPLE
serverCertificate: /etc/legacy/server.pem
privateKey: /etc/legacy/private.pem
egress:
- hosts:
- &quot;./&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Localhost-client_tls">
<td><code>clientTls</code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>TLS settings to be used by the sidecar (client) when forwarding
traffic from the sidecar to the workload it is attached to
(server) on the localhost.</p>
<p><strong>NOTE</strong>: DISABLE, SIMPLE and MUTUAL are the only valid TLS modes.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Localhost-server_tls">
<td><code>serverTls</code></td>
<td><code><a href="/docs/reference/config/networking/gateway.html#ServerTLSSettings">ServerTLSSettings</a></code></td>
<td>
<p>TLS settings to be used by the sidecar (server) when receiving
traffic from the workload (client) on the localhost.</p>
<p><strong>NOTE</strong>: SIMPLE and MUTUAL are the only valid TLS
modes. <code>httpsRedirect</code> and <code>credentialName</code> (for fetching
certificates from Kubernetes secrets) are not valid. All
certificates must be mounted as files inside the sidecar
container.</p>
</td>
<td>
No

41
content/en/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/index.html
View File

@ -1,41 +0,0 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/apache/skywalking-data-collect-protocol' REPO
source_repo: https://github.com/apache/skywalking-data-collect-protocol
title: Apache SkyWalking
description: Adapter to deliver metrics to Apache SkyWalking.
location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking.html
layout: partner-component
generator: protoc-gen-docs
provider: Apache SkyWalking
contact_email: dev@skywalking.apache.org
support_link:
source_link: https://github.com/apache/skywalking
latest_release_link: https://skywalking.apache.org/downloads/
helm_chart_link:
istio_versions: "1.0.3, 1.0.4, 1.1.0, 1.1.1"
supported_templates: metric
logo_link: https://github.com/apache/skywalking-website/raw/master/docs/.vuepress/public/assets/logo.svg
number_of_entries: 1
---
<!-- Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. -->
<p>The SkyWalking adapter uses the <code>Istio bypass</code> adapter to collect metrics and make them available to
<a href="https://skywalking.apache.org/">Apache SkyWalking</a>. SkyWalking provides a topology map and metrics graph
to visualize the whole mesh.</p>
<p>This adapter supports the <a href="/docs/reference/config/policy-and-telemetry/templates/metric/">metric template</a>.</p>
<p>Follow the <a href="https://github.com/apache/skywalking/blob/master/docs/README.md">official Apache SkyWalking documentation</a>
and <a href="https://github.com/apache/skywalking-kubernetes">SkyWalking k8s documentation</a> for details on configuring SkyWalking and the Istio bypass adapter.</p>

212
content/en/docs/reference/config/security/istio.authentication.v1alpha1/index.html
View File

@ -1,212 +0,0 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: Authentication Policy
description: Authentication policy for Istio services.
location: https://istio.io/docs/reference/config/security/istio.authentication.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.authentication.v1alpha1.Policy
weight: 10
aliases: [/docs/reference/config/istio.authentication.v1alpha1]
number_of_entries: 2
---
<p>This package defines user-facing authentication policy.</p>
<h2 id="Policy">Policy</h2>
<section>
<p>Policy defines what authentication methods can be accepted on workload(s),
and if authenticated, which method/certificate will set the request principal
(i.e request.auth.principal attribute).</p>
<p>Authentication policy is composed of 2-part authentication:
- peer: verify caller service credentials. This part will set source.user
(peer identity).
- origin: verify the origin credentials. This part will set request.auth.user
(origin identity), as well as other attributes like request.auth.presenter,
request.auth.audiences and raw claims. Note that the identity could be
end-user, service account, device etc.</p>
<p>Last but not least, the principal binding rule defines which identity (peer
or origin) should be used as principal. By default, it uses peer.</p>
<p>Examples:</p>
<p>Policy to enable mTLS for all services in namespace frod. The policy name must be
<code>default</code>, and it contains no rule for <code>targets</code>.</p>
<pre><code class="language-yaml">apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default
namespace: frod
spec:
peers:
- mtls:
</code></pre>
<p>Policy to disable mTLS for &ldquo;productpage&rdquo; service</p>
<pre><code class="language-yaml">apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: productpage-mTLS-disable
namespace: frod
spec:
targets:
- name: productpage
</code></pre>
<p>Policy to require mTLS for peer authentication, and JWT for origin authentication
for productpage:9000 except the path &lsquo;/health_check&rsquo; . Principal is set from origin identity.</p>
<pre><code class="language-yaml">apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: productpage-mTLS-with-JWT
namespace: frod
spec:
targets:
- name: productpage
ports:
- number: 9000
peers:
- mtls:
origins:
- jwt:
issuer: &quot;https://securetoken.google.com&quot;
audiences:
- &quot;productpage&quot;
jwksUri: &quot;https://www.googleapis.com/oauth2/v1/certs&quot;
jwtHeaders:
- &quot;x-goog-iap-jwt-assertion&quot;
triggerRules:
- excludedPaths:
- exact: /health_check
principalBinding: USE_ORIGIN
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Policy-targets" class="deprecated ">
<td><code>targets</code></td>
<td><code><a href="#TargetSelector">TargetSelector[]</a></code></td>
<td>
<p>Deprecated. Only mesh-level and namespace-level policies are supported.
List rules to select workloads that the policy should be applied on.
If empty, policy will be used on all workloads in the same namespace.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Policy-peer_is_optional" class="deprecated ">
<td><code>peerIsOptional</code></td>
<td><code>bool</code></td>
<td>
<p>Deprecated. Should set mTLS to PERMISSIVE instead.
Set this flag to true to accept request (for peer authentication perspective),
even when none of the peer authentication methods defined above satisfied.
Typically, this is used to delay the rejection decision to next layer (e.g
authorization).
This flag is ignored if no authentication defined for peer (peers field is empty).</p>
</td>
<td>
No
</td>
</tr>
<tr id="Policy-origins" class="deprecated ">
<td><code>origins</code></td>
<td><code><a href="#OriginAuthenticationMethod">OriginAuthenticationMethod[]</a></code></td>
<td>
<p>Deprecated. Please use security/v1beta1/RequestAuthentication instead.
List of authentication methods that can be used for origin authentication.
Similar to peers, these will be evaluated in order; the first validate one
will be used to set origin identity and attributes (i.e request.auth.user,
request.auth.issuer etc). If none of these methods pass, request will be
rejected with authentication failed error (401).
A method may be skipped, depends on its trigger rule. If all of these methods
are skipped, origin authentication will be ignored, as if it is not defined.
Leave the list empty if origin authentication is not required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Policy-origin_is_optional" class="deprecated ">
<td><code>originIsOptional</code></td>
<td><code>bool</code></td>
<td>
<p>Deprecated. Please use security/v1beta1/RequestAuthentication instead.
Set this flag to true to accept request (for origin authentication perspective),
even when none of the origin authentication methods defined above satisfied.
Typically, this is used to delay the rejection decision to next layer (e.g
authorization).
This flag is ignored if no authentication defined for origin (origins field is empty).</p>
</td>
<td>
No
</td>
</tr>
<tr id="Policy-principal_binding" class="deprecated ">
<td><code>principalBinding</code></td>
<td><code><a href="#PrincipalBinding">PrincipalBinding</a></code></td>
<td>
<p>Deprecated. Source principal is always from peer, and request principal is always from
RequestAuthentication.
Define whether peer or origin identity should be use for principal. Default
value is USE_PEER.
If peer (or origin) identity is not available, either because of peer/origin
authentication is not defined, or failed, principal will be left unset.
In other words, binding rule does not affect the decision to accept or
reject request.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MutualTls-Mode">MutualTls.Mode</h2>
<section>
<p>Defines the acceptable connection TLS mode.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MutualTls-Mode-STRICT">
<td><code>STRICT</code></td>
<td>
<p>Client cert must be presented, connection is in TLS.</p>
</td>
</tr>
<tr id="MutualTls-Mode-PERMISSIVE">
<td><code>PERMISSIVE</code></td>
<td>
<p>Connection can be either plaintext or TLS with Client cert.</p>
</td>
</tr>
</tbody>
</table>
</section>

504
content/en/docs/reference/config/security/istio.rbac.v1alpha1/index.html
View File

@ -1,504 +0,0 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: RBAC (deprecated)
description: Configuration for Role Based Access Control.
location: https://istio.io/docs/reference/config/security/istio.rbac.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.rbac.v1alpha1.RbacConfig
schema: istio.rbac.v1alpha1.ServiceRole
schema: istio.rbac.v1alpha1.ServiceRoleBinding
weight: 40
aliases: [/docs/reference/config/authorization/istio.rbac.v1alpha1]
number_of_entries: 9
---
<p>Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy.
This page is kept for migration purpose and will be removed in Istio 1.6.</p>
<p>Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding
objects.</p>
<p>A ServiceRole specification includes a list of rules (permissions). Each rule has
the following standard fields:</p>
<ul>
<li>services: a list of services.</li>
<li>methods: A list of HTTP methods. You can set the value to <code>[&quot;*&quot;]</code> to include all HTTP methods.
This field should not be set for TCP services. The policy will be ignored.
For gRPC services, only <code>POST</code> is allowed; other methods will result in denying services.</li>
<li>paths: HTTP paths or gRPC methods. Note that gRPC methods should be
presented in the form of &ldquo;/packageName.serviceName/methodName&rdquo; and are case sensitive.</li>
</ul>
<p>In addition to the standard fields, operators can also use custom keys in the <code>constraints</code> field,
the supported keys are listed in the &ldquo;constraints and properties&rdquo; page.</p>
<p>Below is an example of ServiceRole object &ldquo;product-viewer&rdquo;, which has &ldquo;read&rdquo; (&ldquo;GET&rdquo; and &ldquo;HEAD&rdquo;)
access to &ldquo;products.svc.cluster.local&rdquo; service at versions &ldquo;v1&rdquo; and &ldquo;v2&rdquo;. &ldquo;path&rdquo; is not specified,
so it applies to any path in the service.</p>
<pre><code class="language-yaml">apiVersion: &quot;rbac.istio.io/v1alpha1&quot;
kind: ServiceRole
metadata:
name: products-viewer
namespace: default
spec:
rules:
- services: [&quot;products.svc.cluster.local&quot;]
methods: [&quot;GET&quot;, &quot;HEAD&quot;]
constraints:
- key: &quot;destination.labels[version]&quot;
values: [&quot;v1&quot;, &quot;v2&quot;]
</code></pre>
<p>A ServiceRoleBinding specification includes two parts:</p>
<ul>
<li>The <code>roleRef</code> field that refers to a ServiceRole object in the same namespace.</li>
<li>A list of <code>subjects</code> that are assigned the roles.</li>
</ul>
<p>In addition to a simple <code>user</code> field, operators can also use custom keys in the <code>properties</code> field,
the supported keys are listed in the &ldquo;constraints and properties&rdquo; page.</p>
<p>Below is an example of ServiceRoleBinding object &ldquo;test-binding-products&rdquo;, which binds two subjects
to ServiceRole &ldquo;product-viewer&rdquo;:</p>
<ul>
<li>User &ldquo;alice@yahoo.com&rdquo;</li>
<li>Services in &ldquo;abc&rdquo; namespace.</li>
</ul>
<pre><code class="language-yaml">apiVersion: &quot;rbac.istio.io/v1alpha1&quot;
kind: ServiceRoleBinding
metadata:
name: test-binding-products
namespace: default
spec:
subjects:
- user: alice@yahoo.com
- properties:
source.namespace: &quot;abc&quot;
roleRef:
kind: ServiceRole
name: &quot;products-viewer&quot;
</code></pre>
<h2 id="ServiceRole">ServiceRole</h2>
<section>
<p>ServiceRole specification contains a list of access rules (permissions).</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceRole-rules">
<td><code>rules</code></td>
<td><code><a href="#AccessRule">AccessRule[]</a></code></td>
<td>
<p>The set of access rules (permissions) that the role has.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AccessRule">AccessRule</h2>
<section>
<p>AccessRule defines a permission to access a list of services.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AccessRule-services">
<td><code>services</code></td>
<td><code>string[]</code></td>
<td>
<p>A list of service names.
Exact match, prefix match, and suffix match are supported for service names.
For example, the service name &ldquo;bookstore.mtv.cluster.local&rdquo; matches
&ldquo;bookstore.mtv.cluster.local&rdquo; (exact match), or &ldquo;bookstore*&rdquo; (prefix match),
or &ldquo;*.mtv.cluster.local&rdquo; (suffix match).
If set to [&rdquo;*&rdquo;], it refers to all services in the namespace.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="AccessRule-paths">
<td><code>paths</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of HTTP paths or gRPC methods.
gRPC methods must be presented as fully-qualified name in the form of
&ldquo;/packageName.serviceName/methodName&rdquo; and are case sensitive.
Exact match, prefix match, and suffix match are supported. For example,
the path &ldquo;/books/review&rdquo; matches &ldquo;/books/review&rdquo; (exact match),
or &ldquo;/books/*&rdquo; (prefix match), or &ldquo;*/review&rdquo; (suffix match).
If not specified, it matches to any path.
This field should not be set for TCP services. The policy will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AccessRule-methods">
<td><code>methods</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of HTTP methods (e.g., &ldquo;GET&rdquo;, &ldquo;POST&rdquo;).
If not specified or specified as &ldquo;*&rdquo;, it matches to any methods.
This field should not be set for TCP services. The policy will be ignored.
For gRPC services, only <code>POST</code> is allowed; other methods will result in denying services.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AccessRule-constraints">
<td><code>constraints</code></td>
<td><code><a href="#AccessRule-Constraint">Constraint[]</a></code></td>
<td>
<p>Optional. Extra constraints in the ServiceRole specification.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceRoleBinding">ServiceRoleBinding</h2>
<section>
<p>ServiceRoleBinding assigns a ServiceRole to a list of subjects.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceRoleBinding-subjects">
<td><code>subjects</code></td>
<td><code><a href="#Subject">Subject[]</a></code></td>
<td>
<p>List of subjects that are assigned the ServiceRole object.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ServiceRoleBinding-roleRef">
<td><code>roleRef</code></td>
<td><code><a href="#RoleRef">RoleRef</a></code></td>
<td>
<p>Reference to the ServiceRole object.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Subject">Subject</h2>
<section>
<p>Subject defines an identity. The identity is either a user or identified by a set of <code>properties</code>.
The supported keys in <code>properties</code> are listed in &ldquo;constraint and properties&rdquo; page.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Subject-user">
<td><code>user</code></td>
<td><code>string</code></td>
<td>
<p>Optional. The user name/ID that the subject represents.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Subject-properties">
<td><code>properties</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Optional. The set of properties that identify the subject.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RoleRef">RoleRef</h2>
<section>
<p>RoleRef refers to a role object.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RoleRef-kind">
<td><code>kind</code></td>
<td><code>string</code></td>
<td>
<p>The type of the role being referenced.
Currently, &ldquo;ServiceRole&rdquo; is the only supported value for &ldquo;kind&rdquo;.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="RoleRef-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>The name of the ServiceRole object being referenced.
The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RbacConfig">RbacConfig</h2>
<section>
<p>RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior.
The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be created
globally in the mesh and the namespace should be the same to other Istio components, which usually is <code>istio-system</code>.</p>
<p>Below is an example of an <code>ClusterRbacConfig</code> resource called <code>istio-rbac-config</code> which enables Istio RBAC for all
services in the default namespace.</p>
<pre><code class="language-yaml">apiVersion: &quot;rbac.istio.io/v1alpha1&quot;
kind: ClusterRbacConfig
metadata:
name: default
namespace: istio-system
spec:
mode: ON_WITH_INCLUSION
inclusion:
namespaces: [ &quot;default&quot; ]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RbacConfig-mode">
<td><code>mode</code></td>
<td><code><a href="#RbacConfig-Mode">Mode</a></code></td>
<td>
<p>Istio RBAC mode.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RbacConfig-inclusion">
<td><code>inclusion</code></td>
<td><code><a href="#RbacConfig-Target">Target</a></code></td>
<td>
<p>A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have
effect only when mode is ON<em>WITH</em>INCLUSION and will be ignored for any other modes.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RbacConfig-exclusion">
<td><code>exclusion</code></td>
<td><code><a href="#RbacConfig-Target">Target</a></code></td>
<td>
<p>A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have
effect only when mode is ON<em>WITH</em>EXCLUSION and will be ignored for any other modes.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AccessRule-Constraint">AccessRule.Constraint</h2>
<section>
<p>Definition of a custom constraint. The supported keys are listed in the &ldquo;constraint and properties&rdquo; page.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AccessRule-Constraint-key">
<td><code>key</code></td>
<td><code>string</code></td>
<td>
<p>Key of the constraint.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AccessRule-Constraint-values">
<td><code>values</code></td>
<td><code>string[]</code></td>
<td>
<p>List of valid values for the constraint.
Exact match, prefix match, and suffix match are supported.
For example, the value &ldquo;v1alpha2&rdquo; matches &ldquo;v1alpha2&rdquo; (exact match),
or &ldquo;v1*&rdquo; (prefix match), or &ldquo;*alpha2&rdquo; (suffix match).</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RbacConfig-Target">RbacConfig.Target</h2>
<section>
<p>Target defines a list of services or namespaces.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RbacConfig-Target-services">
<td><code>services</code></td>
<td><code>string[]</code></td>
<td>
<p>A list of services.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RbacConfig-Target-namespaces">
<td><code>namespaces</code></td>
<td><code>string[]</code></td>
<td>
<p>A list of namespaces.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RbacConfig-Mode">RbacConfig.Mode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="RbacConfig-Mode-OFF">
<td><code>OFF</code></td>
<td>
<p>Disable Istio RBAC completely, Istio RBAC policies will not be enforced.</p>
</td>
</tr>
<tr id="RbacConfig-Mode-ON">
<td><code>ON</code></td>
<td>
<p>Enable Istio RBAC for all services and namespaces. Note Istio RBAC is deny-by-default
which means all requests will be denied if it&rsquo;s not allowed by RBAC rules.</p>
</td>
</tr>
<tr id="RbacConfig-Mode-ON_WITH_INCLUSION">
<td><code>ON_WITH_INCLUSION</code></td>
<td>
<p>Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other
services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.</p>
</td>
</tr>
<tr id="RbacConfig-Mode-ON_WITH_EXCLUSION">
<td><code>ON_WITH_EXCLUSION</code></td>
<td>
<p>Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other
services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.</p>
</td>
</tr>
</tbody>
</table>
</section>

2
content/en/news/releases/1.2.x/announcing-1.2/change-notes/index.md
View File

@ -42,7 +42,7 @@ aliases:
## Policy
- **Fixed** [Mixer based](https://github.com/istio/istio/issues/13868)TCP Policy enforcement.
- **Graduated** [Authorization (RBAC)](/docs/reference/config/security/istio.rbac.v1alpha1/) from Alpha to Alpha API and Beta runtime.
- **Graduated** [Authorization (RBAC)](https://archive.istio.io/1.2/docs/reference/config/security/istio.rbac.v1alpha1/) from Alpha to Alpha API and Beta runtime.
## Configuration management

2
content/en/news/releases/1.3.x/announcing-1.3.8/index.md
View File

@ -17,4 +17,4 @@ This release contains a fix for the security vulnerability described in [our Feb
- **ISTIO-SECURITY-2020-001** Improper input validation have been discovered in `AuthenticationPolicy`.
__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's [Authentication Policy](/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) exact path matching logic allows unauthorized access to resources without a valid JWT token.
__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's [Authentication Policy](https://archive.istio.io/1.3/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) exact path matching logic allows unauthorized access to resources without a valid JWT token.

2
content/en/news/releases/1.4.x/announcing-1.4.4/index.md
View File

@ -17,7 +17,7 @@ This release includes bug fixes to improve robustness and user experience as wel
- **ISTIO-SECURITY-2020-001** An improper input validation has been discovered in `AuthenticationPolicy`.
__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's [Authentication Policy](/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) exact path matching logic allows unauthorized access to resources without a valid JWT token.
__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's [Authentication Policy](https://archive.istio.io/1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) exact path matching logic allows unauthorized access to resources without a valid JWT token.
## Bug fixes

2
content/en/news/releases/1.4.x/announcing-1.4/_index.md
View File

@ -34,7 +34,7 @@ TCP metrics and Stackdriver metrics.
The authorization policy model is now in Beta with the introduction of the
[`v1beta1` authorization policy](/blog/2019/v1beta1-authorization-policy/) that
focuses on simplification and flexibility. This will also replace the old
[`v1alpha1` RBAC policy](/docs/reference/config/security/istio.rbac.v1alpha1/).
[`v1alpha1` RBAC policy](https://archive.istio.io/1.4/docs/reference/config/security/istio.rbac.v1alpha1/).
## Automatic mutual TLS

2
content/en/news/releases/1.4.x/announcing-1.4/change-notes/index.md
View File

@ -15,7 +15,7 @@ weight: 10
## Security
- **Added** the [`v1beta1` authorization policy model](/blog/2019/v1beta1-authorization-policy/) for enforcing access control. This will eventually replace the [`v1alpha1` RBAC policy](/docs/reference/config/security/istio.rbac.v1alpha1/).
- **Added** the [`v1beta1` authorization policy model](/blog/2019/v1beta1-authorization-policy/) for enforcing access control. This will eventually replace the [`v1alpha1` RBAC policy](https://archive.istio.io/1.4/docs/reference/config/security/istio.rbac.v1alpha1/).
- **Added** experimental support for automatic mutual TLS to enable mutual TLS without destination rule configuration.
- **Added** experimental support for [authorization policy trust domain migration](/docs/tasks/security/authorization/authz-td-migration/).
- **Added** experimental [DNS certificate management](/blog/2019/dns-cert/) to securely provision and manage DNS certificates signed by the Kubernetes CA.

2
content/en/news/releases/1.5.x/announcing-1.5/_index.md
View File

@ -84,7 +84,7 @@ Istio 1.4.
As always, we are working to make Istio more secure with every release. With
1.5, all security policies including
[Auto mTLS](/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls),
[`AuthenticationPolicy`](/docs/reference/config/security/istio.authentication.v1alpha1/)
[`AuthenticationPolicy`](https://archive.istio.io/1.4/docs/reference/config/security/istio.authentication.v1alpha1/)
(`PeerAuthentication` and `RequestAuthentication`) and authorization are now in
Beta. SDS is now stable. Authorization now supports Deny semantics to enforce
mandatory controls that cannot be overridden. We have combined the Node agent

2
content/en/news/security/istio-security-2020-001/index.md
View File

@ -13,7 +13,7 @@ skip_seealso: true
{{< security_bulletin >}}
Istio 1.3 to 1.3.7 and 1.4 to 1.4.3 are vulnerable to a newly discovered vulnerability affecting [Authentication Policy](/docs/reference/config/security/istio.authentication.v1alpha1/#Policy):
Istio 1.3 to 1.3.7 and 1.4 to 1.4.3 are vulnerable to a newly discovered vulnerability affecting [Authentication Policy](https://archive.istio.io/1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Policy):
* __[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's Authentication Policy exact path matching logic allows unauthorized access to resources without a valid JWT token. This bug affects all versions of Istio that support JWT Authentication Policy with path based trigger rules. The logic for the exact path match in the Istio JWT filter includes query strings or fragments instead of stripping them off before matching. This means attackers can bypass the JWT validation by appending `?` or `#` characters after the protected paths.