Update pod and deployment requirements (#6666)

* Update pod and deployment requirements

* add spelling

.spelling

@@ -305,6 +305,7 @@ iptables
 IPv4
 IPv6
 Istio
+Istiod
 istio-identity
 istio-mixer
 ISTIO-SECURITY-2019-003

content/en/docs/ops/deployment/requirements/index.md

@@ -24,17 +24,21 @@ aliases:
 To be part of a mesh, Kubernetes pods and services must satisfy the following
 requirements:
 
-- **Named service ports**: Service ports must be named. The port name key/value
-  pairs must have the following syntax: `name: <protocol>[-<suffix>]`. See
-  [Protocol Selection](/docs/ops/configuration/traffic-management/protocol-selection/) for
-  more details.
-
 - **Service association**: A pod must belong to at least one Kubernetes
   service even if the pod does NOT expose any port.
   If a pod belongs to multiple [Kubernetes services](https://kubernetes.io/docs/concepts/services-networking/service/),
   the services cannot use the same port number for different protocols, for
   instance HTTP and TCP.
 
+- **Application UIDs**: Ensure your pods do **not** run applications as a user
+  with the user ID (UID) value of **1337**.
+
+- **`NET_ADMIN` and `NET_RAW` capabilities**: If your cluster enforces pod security policies,
+  they must allow injected pods to add the `NET_ADMIN` and `NET_RAW` capabilities.
+  If you use the [Istio CNI Plugin](/docs/setup/additional-setup/cni/),
+  this requirement no longer applies. To learn more about the `NET_ADMIN` and `NET_RAW`
+  capabilities, see [Required pod capabilities](#required-pod-capabilities), below.
+
 - **Deployments with app and version labels**: We recommend adding an explicit
   `app` label and `version` label to deployments. Add the labels  to the
   deployment specification of pods deployed using the Kubernetes `Deployment`.
@@ -48,43 +52,39 @@ requirements:
     - The `version` label: This label indicates the version of the application
       corresponding to the particular deployment.
 
-- **Application UIDs**: Ensure your pods do **not** run applications as a user
+- **Named service ports**: Service ports may optionally be named to explicitly specify a protocol.
-  with the user ID (UID) value of **1337**.
+  See [Protocol Selection](/docs/ops/configuration/traffic-management/protocol-selection/) for
-
+  more details.
-- **`NET_ADMIN` and `NET_RAW` capabilities**: If your cluster enforces pod security policies,
-  they must allow injected pods to add the `NET_ADMIN` and `NET_RAW` capabilities.
-  If you use the [Istio CNI Plugin](/docs/setup/additional-setup/cni/),
-  this requirement no longer applies. To learn more about the `NET_ADMIN` and `NET_RAW`
-  capabilities, see [Required pod capabilities](#required-pod-capabilities), below.
 
 ## Ports used by Istio
 
-The following ports and protocols are used by Istio. Ensure that there are no
+The following ports and protocols are used by Istio.
-TCP headless services using a TCP port used by one of Istio's services.
 
 | Port | Protocol | Used by | Description |
 |----|----|----|----|
-| 8060 | HTTP | Citadel | GRPC server |
-| 8080 | HTTP | Citadel agent | SDS service monitoring |
-| 9090 | HTTP |  Prometheus | Prometheus |
-| 9091 | HTTP | Mixer | Policy/Telemetry |
-| 9876 | HTTP | Citadel, Citadel agent |  ControlZ user interface |
-| 9901 | GRPC | Galley| Mesh Configuration Protocol |
 | 15000 | TCP | Envoy | Envoy admin port (commands/diagnostics) |
 | 15001 | TCP | Envoy | Envoy Outbound |
 | 15006 | TCP | Envoy | Envoy Inbound |
-| 15004 | HTTP | Mixer, Pilot | Policy/Telemetry - `mTLS` |
+| 15020 | HTTP | Envoy | Health checks |
-| 15010 | HTTP | Pilot | Pilot service - XDS pilot - discovery |
+| 15090 | HTTP | Envoy | Prometheus telemetry |
-| 15011 | TCP | Pilot | Pilot service - `mTLS` - Proxy - discovery |
+| 15010 | GRPC | Istiod | XDS and CA services (plaintext) |
-| 15014 | HTTP | Citadel, Citadel agent, Galley, Mixer, Pilot, Sidecar Injector | Control plane monitoring |
+| 15011 | GRPC | Istiod | XDS and CA services (TLS, legacy) |
-| 15020 | HTTP | Ingress Gateway | Pilot health checks |
+| 15012 | GRPC | Istiod | XDS and CA services (TLS) |
+| 8080 | HTTP | Istiod | Debug interface |
+| 443 | HTTPS | Istiod | Webhooks |
+| 15014 | HTTP | Citadel, Citadel agent, Galley, Mixer, Istiod, Sidecar Injector | Control plane monitoring |
 | 15029 | HTTP | Kiali | Kiali User Interface |
 | 15030 | HTTP | Prometheus | Prometheus User Interface |
 | 15031 | HTTP | Grafana | Grafana User Interface |
 | 15032 | HTTP | Tracing | Tracing User Interface |
 | 15443 | TLS | Ingress and Egress Gateways | SNI |
-| 15090 | HTTP | Mixer | Proxy |
+| 9090 | HTTP |  Prometheus | Prometheus |
 | 42422 | TCP | Mixer | Telemetry - Prometheus |
+| 15004 | HTTP | Mixer, Pilot | Policy/Telemetry - `mTLS` |
+| 9091 | HTTP | Mixer | Policy/Telemetry |
+| 8060 | HTTP | Citadel | GRPC server |
+| 9876 | HTTP | Citadel, Citadel agent |  ControlZ user interface |
+| 9901 | GRPC | Galley| Mesh Configuration Protocol |
 
 ## Required pod capabilities