From 32b75b14ca8087958f44c35129c1edcd7ce935df Mon Sep 17 00:00:00 2001 From: Pengyuan Bian Date: Fri, 6 Nov 2020 08:07:21 -0800 Subject: [PATCH] Update ports usage doc (#8428) * update ports doc * fix * fix ports * lint * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky * Update content/en/docs/ops/deployment/requirements/index.md Co-authored-by: Frank Budinsky Co-authored-by: Frank Budinsky --- .../docs/ops/deployment/requirements/index.md | 33 +++++++++++-------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/content/en/docs/ops/deployment/requirements/index.md b/content/en/docs/ops/deployment/requirements/index.md index 8e01cbfc4a..542e828ea9 100644 --- a/content/en/docs/ops/deployment/requirements/index.md +++ b/content/en/docs/ops/deployment/requirements/index.md 
@@ -88,22 +88,27 @@ To be part of a mesh, Kubernetes pods must satisfy the following requirements: ## Ports used by Istio -The following ports and protocols are used by Istio. +The following ports and protocols are used by the Istio sidecar proxy (Envoy). -| Port | Protocol | Used by | Description | +| Port | Protocol | Description | Pod-internal only | |----|----|----|----| -| 15000 | TCP | Envoy | Envoy admin port (commands/diagnostics) | -| 15001 | TCP | Envoy | Envoy Outbound | -| 15006 | TCP | Envoy | Envoy Inbound | -| 15008 | TCP | Envoy | Envoy Tunnel port (Inbound) | -| 15020 | HTTP | Envoy | Istio agent Prometheus telemetry | -| 15021 | HTTP | Envoy | Health checks | -| 15090 | HTTP | Envoy | Envoy Prometheus telemetry | -| 15010 | GRPC | Istiod | XDS and CA services (plaintext) | -| 15012 | GRPC | Istiod | XDS and CA services (TLS) | -| 8080 | HTTP | Istiod | Debug interface | -| 443 | HTTPS | Istiod | Webhooks | -| 15014 | HTTP | Istiod | Control plane monitoring | +| 15000 | TCP | Envoy admin port (commands/diagnostics) | Yes | +| 15001 | TCP | Envoy outbound | No | +| 15006 | TCP | Envoy inbound | No | +| 15008 | TCP | Envoy tunnel port (inbound) | No | +| 15020 | HTTP | Merged Prometheus telemetry from Istio agent, Envoy, and application | No | +| 15021 | HTTP | Health checks | No | +| 15090 | HTTP | Envoy Prometheus telemetry | No | + +The following ports and protocols are used by the Istio control plane (istiod). + +| Port | Protocol | Description | Local host only | +|----|----|----|----| +| 15010 | GRPC | XDS and CA services (Plaintext) | No | +| 15012 | GRPC | XDS and CA services (TLS, recommended for production use) | No | +| 8080 | HTTP | Debug interface (deprecated) | No | +| 443 | HTTPS | Webhooks | No | +| 15014 | HTTP | Control plane monitoring | No | To avoid port conflicts with sidecars, applications should not use any of the ports used by Envoy.
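Review bot: The two new columns, "Pod-internal only" in the sidecar table and "Local host only" in the istiod table, are never defined, and in the istiod table every row is "No", including 15010 (XDS and CA services over plaintext) and 8080 (debug interface, deprecated). A reader deciding which ports to allow through a firewall or network policy cannot tell from this text whether "No" means the port is reachable from other pods, from other nodes, or from outside the cluster. Please add one sentence under each table saying what the column means. If a column is "No" on every row, as "Local host only" is here, consider whether it should be a sentence rather than a column. The 15012 row says "TLS, recommended for production use", so the 15010 row should say what plaintext is acceptable for, and the 8080 row should say what replaces the deprecated debug interface. Style: "(Plaintext)" is capitalised while the other parentheticals in both tables, such as "Envoy tunnel port (inbound)", are lower case. The closing sentence still tells applications to avoid "the ports used by Envoy", which after the split now refers only to the first table. Say so explicitly, or state whether the istiod ports matter to application pods at all.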