Update generated docs (#6759)

Martin Taillefer 2020-03-05 15:21:03 -08:00 committed by GitHub
parent 5b6932ad40
commit 323f2a67fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 2990 additions and 1092 deletions


@ -171,104 +171,6 @@ istioctl analyze -S "IST0103=Pod *.testing" -S "IST0107=Deployment f
# List available analyzers
istioctl analyze -L
</code></pre>
<h2 id="istioctl-authn">istioctl authn</h2>
<p>
A group of commands used to interact with Istio authentication policies.
tls-check
</p>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-authn Examples">Examples</h3>
<pre class="language-bash"><code># Check whether TLS setting are matching between authentication policy and destination rules:
istioctl authn tls-check
</code></pre>
<h2 id="istioctl-authn-tls-check">istioctl authn tls-check</h2>
<p>
Check what authentication policies and destination rules pilot uses to config a proxy instance,
and check if TLS settings are compatible between them.
</p>
<pre class="language-bash"><code>istioctl authn tls-check &lt;pod-name[.namespace]&gt; [&lt;service&gt;] [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-authn-tls-check Examples">Examples</h3>
<pre class="language-bash"><code>
# Check settings for pod &#34;foo-656bd7df7c-5zp4s&#34; in namespace default:
istioctl authn tls-check foo-656bd7df7c-5zp4s.default
# Check settings for pod &#34;foo-656bd7df7c-5zp4s&#34; in namespace default, filtered on destination
service &#34;bar&#34; :
istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
</code></pre>
<h2 id="istioctl-authz">istioctl authz</h2>
<p>(authz is experimental. Use `istioctl experimental authz`)</p>
@ -1173,7 +1075,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<tr>
<td><code>--output &lt;string&gt;</code></td>
<td><code>-o</code></td>
<td>Output format: one of [yaml log json] (default `log`)</td>
<td>Output format: one of [log json yaml] (default `log`)</td>
</tr>
<tr>
<td><code>--output-threshold &lt;Level&gt;</code></td>
@ -2888,7 +2790,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)</td>
</tr>
<tr>
@ -3073,7 +2975,7 @@ e.g.
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)</td>
</tr>
<tr>
@ -3201,7 +3103,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
</tbody>
</table>
<h2 id="istioctl-manifest-versions">istioctl manifest versions</h2>
<p>List the versions of Istio recommended for use or supported for upgrade by this version of the operator binary.</p>
<p>List the versions of Istio recommended for use or supported for upgrade by this version of istioctl.</p>
<pre class="language-bash"><code>istioctl manifest versions [flags]
</code></pre>
<table class="command-flags">
@ -3324,7 +3226,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<tr>
<td><code>--filename &lt;string&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)</td>
</tr>
<tr>
@ -3410,7 +3312,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<tr>
<td><code>--filename &lt;string&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)</td>
</tr>
<tr>
@ -3528,6 +3430,10 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
</tr>
</tbody>
</table>
<h3 id="istioctl-profile Examples">Examples</h3>
<pre class="language-bash"><code>istioctl profile list
istioctl manifest apply --set profile=demo # Use a profile from the list
</code></pre>
<h2 id="istioctl-profile-diff">istioctl profile diff</h2>
<p>The diff subcommand displays the differences between two Istio configuration profiles.</p>
<pre class="language-bash"><code>istioctl profile diff &lt;file1.yaml&gt; &lt;file2.yaml&gt; [flags]
@ -3614,7 +3520,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Path to file containing IstioOperator CustomResource
<td>Path to file containing IstioOperator custom resource
This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)</td>
</tr>
<tr>
@ -4727,6 +4633,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
@ -4799,18 +4711,18 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISTRIBUTION_HISTORY_RETENTION</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td>If enabled, Pilot will keep track of old versions of distributed config for this duration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLED_SERVICE_APIS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -4835,12 +4747,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -4877,6 +4783,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_THRIFT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -4907,12 +4819,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESPECT_DNS_TTL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -4925,12 +4831,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -4955,12 +4855,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used</td>
</tr>
<tr>
<td><code>PROV_CERT</code></td>
<td>String</td>
<td><code></code></td>
<td>Set to a directory containing provisioned certs, for VMs</td>
</tr>
<tr>
<td><code>SECRET_WATCHER_RESYNC_PERIOD</code></td>
<td>String</td>
<td><code></code></td>


@ -81,7 +81,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--connectTimeout &lt;duration&gt;</code></td>
<td>Connection timeout used by Envoy for supporting services (default `1s`)</td>
<td>Connection timeout used by Envoy for supporting services (default `10s`)</td>
</tr>
<tr>
<td><code>--controlPlaneAuthPolicy &lt;string&gt;</code></td>
@ -105,11 +105,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--discoveryAddress &lt;string&gt;</code></td>
<td>Address of the discovery service exposing xDS (e.g. istio-pilot:8080) (default `istio-pilot:15010`)</td>
</tr>
<tr>
<td><code>--dnsRefreshRate &lt;string&gt;</code></td>
<td>The dns_refresh_rate for bootstrap STRICT_DNS clusters (default `300s`)</td>
<td>Address of the discovery service exposing xDS (e.g. istio-pilot:8080) (default ``)</td>
</tr>
<tr>
<td><code>--domain &lt;string&gt;</code></td>
@ -188,6 +184,10 @@ remove_toc_prefix: 'pilot-agent '
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--meshConfig &lt;string&gt;</code></td>
<td>File name for Istio mesh configuration. If not specified, a default mesh will be used. MESH_CONFIG environment variable takes precedence. (default `/etc/istio/config/mesh`)</td>
</tr>
<tr>
<td><code>--mixerIdentity &lt;string&gt;</code></td>
<td>The identity used as the suffix for mixer&#39;s spiffe SAN. This would only be used by pilot all other proxy would get this value from pilot (default ``)</td>
</tr>
@ -404,6 +404,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>GCP_METADATA</code></td>
<td>String</td>
<td><code></code></td>
<td>Pipe separted GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE</td>
</tr>
<tr>
<td><code>GKE_CLUSTER_URL</code></td>
<td>String</td>
<td><code></code></td>
@ -458,6 +464,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
@ -524,16 +536,22 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>MESH_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>The mesh configuration</td>
</tr>
<tr>
<td><code>NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
<td>namespace that nodeagent/citadel run in</td>
</tr>
<tr>
<td><code>OUTPUT_CERTS</code></td>
<td><code>OUTPUT_KEY_CERT_TO_DIRECTORY</code></td>
<td>String</td>
<td><code></code></td>
<td>The output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates.</td>
<td>The output directory for the key and certificate. If empty, no output of key and certificate.</td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
@ -572,18 +590,18 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISTRIBUTION_HISTORY_RETENTION</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td>If enabled, Pilot will keep track of old versions of distributed config for this duration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLED_SERVICE_APIS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -608,12 +626,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -650,6 +662,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_THRIFT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -680,12 +698,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESPECT_DNS_TTL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -698,12 +710,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -752,12 +758,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>PROV_CERT</code></td>
<td>String</td>
<td><code></code></td>
<td>Set to a directory containing provisioned certs, for VMs</td>
</tr>
<tr>
<td><code>SDS_ENABLED</code></td>
<td>Boolean</td>
<td><code>false</code></td>


@ -231,7 +231,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default ``)</td>
<td>Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable (default `istio-system`)</td>
</tr>
<tr>
<td><code>--networksConfig &lt;string&gt;</code></td>
@ -261,7 +261,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--secureGrpcAddr &lt;string&gt;</code></td>
<td></td>
<td>Discovery service grpc address, with https and spiffe certificates. (default `:15011`)</td>
<td>Discovery service grpc address, with https (default ``)</td>
</tr>
<tr>
<td><code>--trust-domain &lt;string&gt;</code></td>
@ -496,6 +496,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
@ -532,12 +538,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Kuberenetes service host, set automatically when running in-cluster</td>
</tr>
<tr>
<td><code>MASTER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable master election</td>
</tr>
<tr>
<td><code>MAX_WORKLOAD_CERT_TTL</code></td>
<td>Time Duration</td>
<td><code>2160h0m0s</code></td>
@ -580,18 +580,18 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISTRIBUTION_HISTORY_RETENTION</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td>If enabled, Pilot will keep track of old versions of distributed config for this duration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLED_SERVICE_APIS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -616,12 +616,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -658,6 +652,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_THRIFT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -688,12 +688,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESPECT_DNS_TTL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -706,12 +700,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -744,7 +732,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr>
<td><code>POD_NAMESPACE</code></td>
<td>String</td>
<td><code></code></td>
<td><code>istio-system</code></td>
<td></td>
</tr>
<tr>


@ -1,640 +0,0 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
source_repo: https://github.com/istio/istio
title: sidecar-injector
description: Kubernetes webhook for automatic Istio sidecar injection.
generator: pkg-collateral-docs
number_of_entries: 4
max_toc_level: 2
remove_toc_prefix: 'sidecar-injector '
---
<p>Kubernetes webhook for automatic Istio sidecar injection.</p>
<pre class="language-bash"><code>sidecar-injector [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--caCertFile &lt;string&gt;</code></td>
<td>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)</td>
</tr>
<tr>
<td><code>--healthCheckFile &lt;string&gt;</code></td>
<td>File that should be periodically updated if health checking is enabled (default ``)</td>
</tr>
<tr>
<td><code>--healthCheckInterval &lt;duration&gt;</code></td>
<td>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)</td>
</tr>
<tr>
<td><code>--injectConfig &lt;string&gt;</code></td>
<td>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)</td>
</tr>
<tr>
<td><code>--injectValues &lt;string&gt;</code></td>
<td>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)</td>
</tr>
<tr>
<td><code>--log_as_json</code></td>
<td>Whether to format output as JSON or in plain console-friendly format </td>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--meshConfig &lt;string&gt;</code></td>
<td>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)</td>
</tr>
<tr>
<td><code>--monitoringPort &lt;int&gt;</code></td>
<td>Webhook monitoring port (default `15014`)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td>Webhook port (default `9443`)</td>
</tr>
<tr>
<td><code>--reconcileWebhookConfig</code></td>
<td>Enable managing webhook configuration. </td>
</tr>
<tr>
<td><code>--tlsCertFile &lt;string&gt;</code></td>
<td>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)</td>
</tr>
<tr>
<td><code>--tlsKeyFile &lt;string&gt;</code></td>
<td>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)</td>
</tr>
<tr>
<td><code>--webhookConfigName &lt;string&gt;</code></td>
<td>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)</td>
</tr>
<tr>
<td><code>--webhookName &lt;string&gt;</code></td>
<td>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)</td>
</tr>
</tbody>
</table>
<h2 id="sidecar-injector-probe">sidecar-injector probe</h2>
<p>Check the liveness or readiness of a locally-running server</p>
<pre class="language-bash"><code>sidecar-injector probe [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--caCertFile &lt;string&gt;</code></td>
<td>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)</td>
</tr>
<tr>
<td><code>--healthCheckFile &lt;string&gt;</code></td>
<td>File that should be periodically updated if health checking is enabled (default ``)</td>
</tr>
<tr>
<td><code>--healthCheckInterval &lt;duration&gt;</code></td>
<td>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)</td>
</tr>
<tr>
<td><code>--injectConfig &lt;string&gt;</code></td>
<td>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)</td>
</tr>
<tr>
<td><code>--injectValues &lt;string&gt;</code></td>
<td>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)</td>
</tr>
<tr>
<td><code>--interval &lt;duration&gt;</code></td>
<td>Duration used for checking the target file&#39;s last modified time. (default `0s`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)</td>
</tr>
<tr>
<td><code>--log_as_json</code></td>
<td>Whether to format output as JSON or in plain console-friendly format </td>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--meshConfig &lt;string&gt;</code></td>
<td>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)</td>
</tr>
<tr>
<td><code>--monitoringPort &lt;int&gt;</code></td>
<td>Webhook monitoring port (default `15014`)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td>Webhook port (default `9443`)</td>
</tr>
<tr>
<td><code>--probe-path &lt;string&gt;</code></td>
<td>Path of the file for checking the availability. (default ``)</td>
</tr>
<tr>
<td><code>--reconcileWebhookConfig</code></td>
<td>Enable managing webhook configuration. </td>
</tr>
<tr>
<td><code>--tlsCertFile &lt;string&gt;</code></td>
<td>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)</td>
</tr>
<tr>
<td><code>--tlsKeyFile &lt;string&gt;</code></td>
<td>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)</td>
</tr>
<tr>
<td><code>--webhookConfigName &lt;string&gt;</code></td>
<td>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)</td>
</tr>
<tr>
<td><code>--webhookName &lt;string&gt;</code></td>
<td>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)</td>
</tr>
</tbody>
</table>
<h2 id="sidecar-injector-version">sidecar-injector version</h2>
<p>Prints out build version information</p>
<pre class="language-bash"><code>sidecar-injector version [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--caCertFile &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)</td>
</tr>
<tr>
<td><code>--healthCheckFile &lt;string&gt;</code></td>
<td></td>
<td>File that should be periodically updated if health checking is enabled (default ``)</td>
</tr>
<tr>
<td><code>--healthCheckInterval &lt;duration&gt;</code></td>
<td></td>
<td>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)</td>
</tr>
<tr>
<td><code>--injectConfig &lt;string&gt;</code></td>
<td></td>
<td>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)</td>
</tr>
<tr>
<td><code>--injectValues &lt;string&gt;</code></td>
<td></td>
<td>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td></td>
<td>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)</td>
</tr>
<tr>
<td><code>--log_as_json</code></td>
<td></td>
<td>Whether to format output as JSON or in plain console-friendly format </td>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--meshConfig &lt;string&gt;</code></td>
<td></td>
<td>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)</td>
</tr>
<tr>
<td><code>--monitoringPort &lt;int&gt;</code></td>
<td></td>
<td>Webhook monitoring port (default `15014`)</td>
</tr>
<tr>
<td><code>--output &lt;string&gt;</code></td>
<td><code>-o</code></td>
<td>One of &#39;yaml&#39; or &#39;json&#39;. (default ``)</td>
</tr>
<tr>
<td><code>--port &lt;int&gt;</code></td>
<td></td>
<td>Webhook port (default `9443`)</td>
</tr>
<tr>
<td><code>--reconcileWebhookConfig</code></td>
<td></td>
<td>Enable managing webhook configuration. </td>
</tr>
<tr>
<td><code>--short</code></td>
<td><code>-s</code></td>
<td>Use --short=false to generate full version information </td>
</tr>
<tr>
<td><code>--tlsCertFile &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)</td>
</tr>
<tr>
<td><code>--tlsKeyFile &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)</td>
</tr>
<tr>
<td><code>--webhookConfigName &lt;string&gt;</code></td>
<td></td>
<td>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)</td>
</tr>
<tr>
<td><code>--webhookName &lt;string&gt;</code></td>
<td></td>
<td>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)</td>
</tr>
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>sidecar-injector</code> command.
<table class="envvars">
<thead>
<tr>
<th>Variable Name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>ISTIOD_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
<td>Sets the max receive buffer size of gRPC stream in bytes.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_CERT_PROVIDER</code></td>
<td>String</td>
<td><code>istiod</code></td>
<td>the provider of Pilot DNS certificate.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
<td>The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we&#39;ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_MAX</code></td>
<td>Time Duration</td>
<td><code>10s</code></td>
<td>The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we&#39;ll trigger a push.</td>
</tr>
<tr>
<td><code>PILOT_DEBUG_ADSZ_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISTRIBUTION_HISTORY_RETENTION</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td>If enabled, Pilot will keep track of old versions of distributed config for this duration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CRD_VALIDATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_DEBOUNCE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_REDIS_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INITIAL_FETCH_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.</td>
</tr>
<tr>
<td><code>PILOT_PUSH_THROTTLE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESPECT_DNS_TTL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_GATEWAY_TO_NAMESPACE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy</td>
</tr>
<tr>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>PILOT_USE_ENDPOINT_SLICE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
<tr>
<td><code>USE_ISTIO_JWT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_https</code></td><td><code>LastValue</code></td><td>Number of conflicting HTTP listeners with well known HTTPS ports</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
<tr><td><code>sidecar_injection_failure_total</code></td><td><code>Sum</code></td><td>Total number of failed Side car injection requests.</td></tr>
<tr><td><code>sidecar_injection_requests_total</code></td><td><code>Sum</code></td><td>Total number of Side car injection requests.</td></tr>
<tr><td><code>sidecar_injection_skip_total</code></td><td><code>Sum</code></td><td>Total number of skipped injection requests.</td></tr>
<tr><td><code>sidecar_injection_success_total</code></td><td><code>Sum</code></td><td>Total number of successful Side car injection requests.</td></tr>
</tbody>
</table>


@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.operator.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
number_of_entries: 59
number_of_entries: 60
---
<p>Configuration affecting Istio control plane installation version and shape.</p>
@ -681,7 +681,7 @@ No
</tr>
<tr id="HTTPGetAction-port">
<td><code>port</code></td>
<td><code><a href="#TypeIntOrStringForPB">TypeIntOrStringForPB</a></code></td>
<td><code><a href="#TypeInterface_kubernetes">TypeInterface_kubernetes</a></code></td>
<td>
</td>
<td>
@ -2259,7 +2259,7 @@ No
</tr>
<tr id="ResourceMetricSource-targetAverageUtilization">
<td><code>targetAverageUtilization</code></td>
<td><code>int32</code></td>
<td><code><a href="#TypeInterface_kubernetes">TypeInterface_kubernetes</a></code></td>
<td>
</td>
<td>
@ -2329,7 +2329,7 @@ No
<tbody>
<tr id="RollingUpdateDeployment-maxUnavailable">
<td><code>maxUnavailable</code></td>
<td><code><a href="#TypeIntOrStringForPB">TypeIntOrStringForPB</a></code></td>
<td><code><a href="#TypeInterface_kubernetes">TypeInterface_kubernetes</a></code></td>
<td>
</td>
<td>
@ -2338,7 +2338,7 @@ No
</tr>
<tr id="RollingUpdateDeployment-maxSurge">
<td><code>maxSurge</code></td>
<td><code><a href="#TypeIntOrStringForPB">TypeIntOrStringForPB</a></code></td>
<td><code><a href="#TypeInterface_kubernetes">TypeInterface_kubernetes</a></code></td>
<td>
</td>
<td>
@ -2431,7 +2431,7 @@ No
</tr>
<tr id="ServicePort-targetPort">
<td><code>targetPort</code></td>
<td><code><a href="#TypeIntOrStringForPB">TypeIntOrStringForPB</a></code></td>
<td><code><a href="#TypeInterface_kubernetes">TypeInterface_kubernetes</a></code></td>
<td>
</td>
<td>
@ -2622,7 +2622,7 @@ No
<tbody>
<tr id="TCPSocketAction-port">
<td><code>port</code></td>
<td><code><a href="#TypeIntOrStringForPB">TypeIntOrStringForPB</a></code></td>
<td><code><a href="#TypeInterface_kubernetes">TypeInterface_kubernetes</a></code></td>
<td>
</td>
<td>
@ -2660,6 +2660,11 @@ No
<section>
<p>GOTYPE: interface{}</p>
</section>
<h2 id="TypeInterface_kubernetes">TypeInterface_kubernetes</h2>
<section>
<p>GOTYPE: interface{}</p>
</section>
<h2 id="TypeMapStringInterface">TypeMapStringInterface</h2>
<section>
@ -2919,4 +2924,4 @@ No
</tr>
</tbody>
</table>
</section>
</section>


@ -744,6 +744,17 @@ Yes
<td>
<p>Hash based on the source IP address.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="LoadBalancerSettings-ConsistentHashLB-http_query_parameter_name" class="oneof">
<td><code>httpQueryParameterName</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Hash based on a specific HTTP query parameter.</p>
</td>
<td>
Yes


@ -654,19 +654,6 @@ Yes
these options to control if all http requests should be redirected to
https, and the TLS modes to use.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Server-default_endpoint">
<td><code>defaultEndpoint</code></td>
<td><code>string</code></td>
<td>
<p>The loopback IP endpoint or Unix domain socket to which traffic should
be forwarded to by default. Format should be <code>127.0.0.1:PORT</code> or
<code>unix:///path/to/socket</code> or <code>unix://@foobar</code> (Linux abstract namespace).</p>
</td>
<td>
No
@ -691,8 +678,9 @@ No
<td><code>httpsRedirect</code></td>
<td><code>bool</code></td>
<td>
<p>If set to true, the load balancer will send a 301 redirect for all
http connections, asking the clients to use HTTPS.</p>
<p>If set to true, the load balancer will send a 301 redirect for
all http connections, asking the clients to use HTTPS. Not
applicable in Sidecar API.</p>
</td>
<td>
@ -756,18 +744,18 @@ No
<p>The credentialName stands for a unique identifier that can be used
to identify the serverCertificate and the privateKey. The
credentialName appended with suffix &ldquo;-cacert&rdquo; is used to identify
the CaCertificates associated with this server. Gateway workloads
the CaCertificates associated with this server. Proxies
capable of fetching credentials from a remote credential store such
as Kubernetes secrets, will be configured to retrieve the
serverCertificate and the privateKey using credentialName, instead
of using the file system paths specified above. If using mutual TLS,
gateway workload instances will retrieve the CaCertificates using
proxy instances will retrieve the CaCertificates using
credentialName-cacert. The semantics of the name are platform
dependent. In Kubernetes, the default Istio supplied credential
server expects the credentialName to match the name of the
Kubernetes secret that holds the server certificate, the private
key, and the CA certificate (if using mutual TLS). Set the
<code>ISTIO_META_USER_SDS</code> metadata variable in the gateway&rsquo;s proxy to
<code>ISTIO_META_USER_SDS</code> metadata variable in the proxy to
enable the dynamic credential fetching feature.</p>
</td>
@ -920,9 +908,11 @@ No
<tr id="Server-TLSOptions-TLSmode-PASSTHROUGH">
<td><code>PASSTHROUGH</code></td>
<td>
<p>The SNI string presented by the client will be used as the match
criterion in a VirtualService TLS route to determine the
destination service from the service registry.</p>
<p>The SNI string presented by the client will be used as the
match criterion in a VirtualService TLS route to determine
the destination service from the service registry. On a
sidecar, TLS traffic will be forwarded as is to the default
endpoint defined in the Ingress Listener.</p>
</td>
</tr>
@ -936,36 +926,38 @@ destination service from the service registry.</p>
<tr id="Server-TLSOptions-TLSmode-MUTUAL">
<td><code>MUTUAL</code></td>
<td>
<p>Secure connections to the downstream using mutual TLS by presenting
server certificates for authentication.</p>
<p>Secure connections to the downstream using mutual TLS by
presenting server certificates for authentication.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSmode-AUTO_PASSTHROUGH">
<td><code>AUTO_PASSTHROUGH</code></td>
<td>
<p>Similar to the passthrough mode, except servers with this TLS mode
do not require an associated VirtualService to map from the SNI
value to service in the registry. The destination details such as
the service/subset/port are encoded in the SNI value. The proxy
will forward to the upstream (Envoy) cluster (a group of
endpoints) specified by the SNI value. This server is typically
used to provide connectivity between services in disparate L3
networks that otherwise do not have direct connectivity between
their respective endpoints. Use of this mode assumes that both the
source and the destination are using Istio mTLS to secure traffic.</p>
<p>Similar to the passthrough mode, except servers with this TLS
mode do not require an associated VirtualService to map from
the SNI value to service in the registry. The destination
details such as the service/subset/port are encoded in the
SNI value. The proxy will forward to the upstream (Envoy)
cluster (a group of endpoints) specified by the SNI
value. This server is typically used to provide connectivity
between services in disparate L3 networks that otherwise do
not have direct connectivity between their respective
endpoints. Use of this mode assumes that both the source and
the destination are using Istio mTLS to secure traffic. Not
applicable in Sidecar API.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSmode-ISTIO_MUTUAL">
<td><code>ISTIO_MUTUAL</code></td>
<td>
<p>Secure connections from the downstream using mutual TLS by presenting
server certificates for authentication.
Compared to Mutual mode, this mode uses certificates, representing
gateway workload identity, generated automatically by Istio for
mTLS authentication. When this mode is used, all other fields in
<code>TLSOptions</code> should be empty.</p>
<p>Secure connections from the downstream using mutual TLS by
presenting server certificates for authentication. Compared
to Mutual mode, this mode uses certificates, representing
gateway workload identity, generated automatically by Istio
for mTLS authentication. When this mode is used, all other
fields in <code>TLSOptions</code> should be empty.</p>
</td>
</tr>


@ -31,22 +31,26 @@ workload instance, preference will be given to the resource with a
<code>workloadSelector</code> that selects this workload instance, over a <code>Sidecar</code> configuration
without any <code>workloadSelector</code>.</p>
<p>NOTE 1: <em><em>Each namespace can have only one <code>Sidecar</code> configuration without any
<code>workloadSelector</code></em></em>. The behavior of the system is undefined if more
than one selector-less <code>Sidecar</code> configurations exist in a given namespace. The
behavior of the system is undefined if two or more <code>Sidecar</code> configurations
with a <code>workloadSelector</code> select the same workload instance.</p>
<p><strong>NOTE 1</strong>: <em><em>Each namespace can have only one <code>Sidecar</code>
configuration without any <code>workloadSelector</code></em> that specifies the
default for all pods in that namespace</em>. It is recommended to use
the name <code>default</code> for the namespace-wide sidecar. The behavior of
the system is undefined if more than one selector-less <code>Sidecar</code>
configurations exist in a given namespace. The behavior of the
system is undefined if two or more <code>Sidecar</code> configurations with a
<code>workloadSelector</code> select the same workload instance.</p>
<p>NOTE 2: <em><em>A <code>Sidecar</code> configuration in the <code>MeshConfig</code>
<p><strong>NOTE 2</strong>: <em><em>A <code>Sidecar</code> configuration in the <code>MeshConfig</code>
<a href="/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig">root namespace</a>
will be applied by default to all namespaces without a <code>Sidecar</code>
configuration</em></em>. This global default <code>Sidecar</code> configuration should not have
any <code>workloadSelector</code>.</p>
<p>The example below declares a global default <code>Sidecar</code> configuration in the
root namespace called <code>istio-config</code>, that configures sidecars in
all namespaces to allow egress traffic only to other workloads in
the same namespace, and to services in the <code>istio-system</code> namespace.</p>
<p>The example below declares a global default <code>Sidecar</code> configuration
in the root namespace called <code>istio-config</code>, that configures
sidecars in all namespaces to allow egress traffic only to other
workloads in the same namespace as well as to services in the
<code>istio-system</code> namespace.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
@ -82,11 +86,11 @@ spec:
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The example below declares a <code>Sidecar</code> configuration in the <code>prod-us1</code>
namespace that overrides the global default defined above, and
configures the sidecars in the namespace to allow egress traffic to
public services in the <code>prod-us1</code>, <code>prod-apis</code>, and the <code>istio-system</code>
namespaces.</p>
<p>The example below declares a <code>Sidecar</code> configuration in the
<code>prod-us1</code> namespace that overrides the global default defined
above, and configures the sidecars in the namespace to allow egress
traffic to public services in the <code>prod-us1</code>, <code>prod-apis</code>, and the
<code>istio-system</code> namespaces.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
@ -124,12 +128,21 @@ spec:
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The example below declares a <code>Sidecar</code> configuration in the <code>prod-us1</code> namespace
that accepts inbound HTTP traffic on port 9080 and forwards
it to the attached workload instance listening on a Unix domain socket. In the
egress direction, in addition to the <code>istio-system</code> namespace, the sidecar
proxies only HTTP traffic bound for port 9080 for services in the
<code>prod-us1</code> namespace.</p>
<p>The following example declares a <code>Sidecar</code> configuration in the
<code>prod-us1</code> namespace for all pods with labels <code>app: ratings</code>
belonging to the <code>ratings.prod-us1</code> service. The workload accepts
inbound HTTP traffic on port 9080 without any authentication, and
HTTPS traffic on port 9443 with one-way TLS termination using
custom certificates. <em>To accomplish custom TLS termination on this
workload, the <code>PeerAuthentication</code> security policy must be declared
to disable Istio mutual TLS on these two ports. Any other
auto-generated listener for this workload will still obey the
mutual TLS termination requirements set forth in the
PeerAuthentication policy</em>. The traffic is then forwarded to the
attached workload instance listening on a Unix domain socket. In
the egress direction, in addition to the <code>istio-system</code> namespace,
the sidecar proxies only HTTP traffic bound for port 9080 for
services in the <code>prod-us1</code> namespace.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
@ -137,15 +150,27 @@ proxies only HTTP traffic bound for port 9080 for services in the
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
- port:
number: 9443
protocol: HTTPS
name: httpsport
inboundTls:
mode: SIMPLE # overrides namespace default
serverCertificate: /etc/certs/servercert.pem
privateKey: /etc/certs/privatekey.pem
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
@ -164,15 +189,27 @@ spec:
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
- port:
number: 9443
protocol: HTTPS
name: httpsport
inboundTls:
mode: SIMPLE # overrides namespace default
serverCertificate: /etc/certs/servercert.pem
privateKey: /etc/certs/privatekey.pem
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
@ -187,18 +224,94 @@ spec:
<p>{{</tab>}}
{{</tabset>}}</p>
<p>If the workload is deployed without IPTables-based traffic capture, the
<code>Sidecar</code> configuration is the only way to configure the ports on the proxy
attached to the workload instance. The following example declares a <code>Sidecar</code>
configuration in the <code>prod-us1</code> namespace for all pods with labels
<code>app: productpage</code> belonging to the <code>productpage.prod-us1</code> service. Assuming
that these pods are deployed without IPtable rules (i.e. the <code>istio-init</code>
container) and the proxy metadata <code>ISTIO_META_INTERCEPTION_MODE</code> is set to
<code>NONE</code>, the specification, below, allows such pods to receive HTTP traffic
on port 9080 and forward it to the application listening on
<code>127.0.0.1:8080</code>. It also allows the application to communicate with a
backing MySQL database on <code>127.0.0.1:3306</code>, that then gets proxied to the
externally hosted MySQL service at <code>mysql.foo.com:3306</code>.</p>
<p>and the associated PeerAuthentication security policy to ensure
that mutual TLS based authentication is not configured for ports
9080 and 9443:</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
selector:
matchLabels:
app: ratings
# other ports inherit the settings from namespace-wide policy.
portLevelMtls:
9080:
mode: DISABLE
9443:
mode: DISABLE
</code></pre>
<p>and the associated DestinationRule to ensure that the clients use
the appropriate TLS settings:</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
host: ratings.prod-us1.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 9080
tls:
mode: DISABLE
- port:
number: 9443
tls:
mode: SIMPLE
caCertificates: /etc/certs/ca-certs.pem
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
host: ratings.prod-us1.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 9080
tls:
mode: DISABLE
- port:
number: 9443
tls:
mode: SIMPLE
caCertificates: /etc/certs/ca-certs.pem
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>If the workload is deployed without IPTables-based traffic capture,
the <code>Sidecar</code> configuration is the only way to configure the ports
on the proxy attached to the workload instance. The following
example declares a <code>Sidecar</code> configuration in the <code>prod-us1</code>
namespace for all pods with labels <code>app: productpage</code> belonging to
the <code>productpage.prod-us1</code> service. Assuming that these pods are
deployed without IPtable rules (i.e. the <code>istio-init</code> container)
and the proxy metadata <code>ISTIO_META_INTERCEPTION_MODE</code> is set to
<code>NONE</code>, the specification, below, allows such pods to receive HTTP
traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
it to the application listening on <code>127.0.0.1:8080</code>. It also allows
the application to communicate with a backing MySQL database on
<code>127.0.0.1:3306</code>, that then gets proxied to the externally hosted
MySQL service at <code>mysql.foo.com:3306</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
@ -315,10 +428,11 @@ outbound traffic on <code>192.168.0.0/16</code> subnet. Assume that the VM has a
additional network interface on <code>172.16.0.0/16</code> subnet for inbound
traffic. The following <code>Sidecar</code> configuration allows the VM to expose a
listener on <code>172.16.1.32:80</code> (the VM&rsquo;s IP) for traffic arriving from the
<code>172.16.0.0/16</code> subnet. Note that in this scenario, the
<code>ISTIO_META_INTERCEPTION_MODE</code> metadata on the proxy in the VM should
contain <code>REDIRECT</code> or <code>TPROXY</code> as its value, implying that IP tables
based traffic capture is active.</p>
<code>172.16.0.0/16</code> subnet.</p>
<p><strong>NOTE</strong>: The <code>ISTIO_META_INTERCEPTION_MODE</code> metadata on the
proxy in the VM should contain <code>REDIRECT</code> or <code>TPROXY</code> as its value,
implying that IP tables based traffic capture is active.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
@ -607,6 +721,20 @@ connections. Format should be <code>127.0.0.1:PORT</code> or <code>unix:///path/
Yes
</td>
</tr>
<tr id="IstioIngressListener-inbound_tls">
<td><code>inboundTls</code></td>
<td><code><a href="/docs/reference/config/networking/gateway.html#Server-TLSOptions">TLSOptions</a></code></td>
<td>
<p>Overrides Sidecar level <code>inboundTls</code> settings. Has same
restrictions as the Sidecar level inboundTls,
i.e. PeerAuthentication policy takes precedance unless explicitly
disabled.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
@ -723,23 +851,43 @@ No
<td><code><a href="#IstioEgressListener">IstioEgressListener[]</a></code></td>
<td>
<p>Egress specifies the configuration of the sidecar for processing
outbound traffic from the attached workload instance to other services in the
mesh.</p>
outbound traffic from the attached workload instance to other
services in the mesh. If not specified, inherits the system
detected defaults from the namespace-wide or the global default Sidecar.</p>
</td>
<td>
Yes
No
</td>
</tr>
<tr id="Sidecar-outbound_traffic_policy">
<td><code>outboundTrafficPolicy</code></td>
<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>This allows to configure the outbound traffic policy.
If your application uses one or more external
services that are not known apriori, setting the policy to <code>ALLOW_ANY</code>
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination.</p>
<p>Configuration for the outbound traffic policy. If your
application uses one or more external services that are not known
apriori, setting the policy to <code>ALLOW_ANY</code> will cause the
sidecars to route any unknown traffic originating from the
application to its requested destination. If not specified,
inherits the system detected defaults from the namespace-wide or
the global default Sidecar.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-inbound_tls">
<td><code>inboundTls</code></td>
<td><code><a href="/docs/reference/config/networking/gateway.html#Server-TLSOptions">TLSOptions</a></code></td>
<td>
<p>Set of TLS related options that allow a listener to terminate
SIMPLE or MUTUAL TLS connections at the
sidecar. <code>PeerAuthentication</code> policy&rsquo;s settings take precedance
over custom TLS settings for the workload. When the
PeerAuthentication policy disables mTLS tunneling for one or more
ports in the workload, the TLS settings specified here will be
applied.</p>
</td>
<td>
@ -1068,7 +1068,8 @@ e.g. <em>x-request-id</em>.</p>
<li><p><code>regex: &quot;value&quot;</code> for ECMAscript style regex-based match</p></li>
</ul>
<p><strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p>
<p>If the value is empty and only the name of header is specfied, presence of the header is checked.
<strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p>
</td>
<td>
@ -1146,6 +1147,31 @@ No
<p><strong>Note:</strong> The case will be ignored only in the case of <code>exact</code> and <code>prefix</code>
URI matches.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPMatchRequest-without_headers">
<td><code>withoutHeaders</code></td>
<td><code>map&lt;string,&nbsp;<a href="#StringMatch">StringMatch</a>&gt;</code></td>
<td>
<p>withoutHeader has the same syntax with the header, but has opposite meaning.
If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPMatchRequest-source_namespace">
<td><code>sourceNamespace</code></td>
<td><code>string</code></td>
<td>
<p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p>
</td>
<td>
No
@ -1352,6 +1378,18 @@ One or more policies can be specified using a , delimited list.
See the <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on">retry policies</a>
and <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on">gRPC retry policies</a> for more details.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPRetry-retry_remote_localities">
<td><code>retryRemoteLocalities</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
<p>Flag to specify whether the retries should retry to other localities.
See the <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration">retry plugin configuration</a> for more details.</p>
</td>
<td>
No
@ -1989,6 +2027,19 @@ No
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p>
</td>
<td>
No
</td>
</tr>
<tr id="L4MatchAttributes-source_namespace">
<td><code>sourceNamespace</code></td>
<td><code>string</code></td>
<td>
<p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p>
</td>
<td>
No
@ -2309,6 +2360,19 @@ No
in the top-level <code>gateways</code> field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.</p>
</td>
<td>
No
</td>
</tr>
<tr id="TLSMatchAttributes-source_namespace">
<td><code>sourceNamespace</code></td>
<td><code>string</code></td>
<td>
<p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p>
</td>
<td>
No
@ -1320,7 +1320,7 @@ specialized Mixer adapters and services can also generate attributes.</p>
<a href="/docs/reference/config/policy-and-telemetry/attribute-vocabulary/">here</a>.</p>
<p>Attributes are strongly typed. The supported attribute types are defined by
<a href="https://github.com/istio/api/blob/release-1.5/policy/v1beta1/value_type.proto">ValueType</a>.
<a href="https://github.com/istio/api/blob/master/policy/v1beta1/value_type.proto">ValueType</a>.
Each type of value is encoded into one of the so-called transport types present
in this message.</p>
@ -9,55 +9,10 @@ generator: protoc-gen-docs
schema: istio.authentication.v1alpha1.Policy
weight: 10
aliases: [/docs/reference/config/istio.authentication.v1alpha1]
number_of_entries: 4
number_of_entries: 2
---
<p>This package defines user-facing authentication policy.</p>
<h2 id="MutualTls">MutualTls</h2>
<section>
<p>TLS authentication params.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MutualTls-mode">
<td><code>mode</code></td>
<td><code><a href="#MutualTls-Mode">Mode</a></code></td>
<td>
<p>Defines the mode of mTLS authentication.</p>
</td>
<td>
No
</td>
</tr>
<tr id="MutualTls-allow_tls" class="deprecated ">
<td><code>allowTls</code></td>
<td><code>bool</code></td>
<td>
<p>Deprecated. Please use mode = PERMISSIVE instead.
If set, will translate to <code>TLS_PERMISSIVE</code> mode.
Set this flag to true to allow regular TLS (i.e without client x509
certificate). If request carries client certificate, identity will be
extracted and used (set to peer identity). Otherwise, peer identity will
be left unset.
When the flag is false (default), request must have client certificate.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MutualTls-Mode">MutualTls.Mode</h2>
<section>
<p>Defines the acceptable connection TLS mode.</p>
@ -82,37 +37,6 @@ No
<td>
<p>Connection can be either plaintext or TLS with Client cert.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthenticationMethod">PeerAuthenticationMethod</h2>
<section>
<p>PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported
at the moment.
The type can be progammatically determine by checking the type of the
&ldquo;params&rdquo; field.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthenticationMethod-mtls" class="oneof oneof-start">
<td><code>mtls</code></td>
<td><code><a href="#MutualTls">MutualTls (oneof)</a></code></td>
<td>
<p>Set if mTLS is used.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
@ -201,21 +125,6 @@ spec:
</tr>
</thead>
<tbody>
<tr id="Policy-peers">
<td><code>peers</code></td>
<td><code><a href="#PeerAuthenticationMethod">PeerAuthenticationMethod[]</a></code></td>
<td>
<p>List of authentication methods that can be used for peer authentication.
They will be evaluated in order; the first validate one will be used to
set peer identity (source.user) and other peer attributes. If none of
these methods pass, request will be rejected with authentication failed error (401).
Leave the list empty if peer authentication is not required</p>
</td>
<td>
No
</td>
</tr>
<tr id="Policy-targets" class="deprecated ">
<td><code>targets</code></td>
<td><code><a href="#TargetSelector">TargetSelector[]</a></code></td>
@ -48,7 +48,6 @@ COMPONENTS=(
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@istioctl/cmd/istioctl@istioctl
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-agent@pilot-agent
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-discovery@pilot-discovery
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@sidecar-injector/cmd/sidecar-injector@sidecar-injector
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@security/cmd/istio_ca@istio_ca
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@security/cmd/node_agent@node_agent
https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@galley/cmd/galley@galley
@ -3,6 +3,13 @@ apiVersion: v1
kind: Namespace
metadata:
name: istio-operator
---
apiVersion: v1
kind: Namespace
metadata:
name: istio-system
labels:
istio-injection: disabled
...
---
apiVersion: apiextensions.k8s.io/v1beta1
@ -25,7 +32,7 @@ spec:
singular: istiooperator
shortNames:
- iop
...
---
apiVersion: v1
kind: ServiceAccount
@ -196,7 +203,7 @@ spec:
serviceAccountName: istio-operator
containers:
- name: istio-operator
image: docker.io/istio/operator:1.5.0-beta.4
image: gcr.io/istio-testing/operator:1.6-dev
command:
- operator
- server