diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html index f204eed5d2..a762b6167d 100644 --- a/content/en/docs/reference/commands/istioctl/index.html +++ b/content/en/docs/reference/commands/istioctl/index.html @@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio title: istioctl description: Istio control interface. generator: pkg-collateral-docs -number_of_entries: 76 +number_of_entries: 75 max_toc_level: 2 remove_toc_prefix: 'istioctl ' --- @@ -47,46 +47,6 @@ debug and diagnose their Istio mesh. -
(auth is experimental. Use `istioctl experimental auth`)
-istioctl auth [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`) | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
A group of commands used to interact with Istio authentication policies. @@ -185,6 +145,46 @@ service "bar" : istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar +
(authz is experimental. Use `istioctl experimental authz`)
+istioctl authz [flags]
+
+Flags | +Shorthand | +Description | +
---|---|---|
--context <string> |
++ | The name of the kubeconfig context to use (default ``) | +
--istioNamespace <string> |
+-i |
+Istio system namespace (default `istio-system`) | +
--kubeconfig <string> |
+-c |
+Kubernetes configuration file (default ``) | +
--log_output_level <string> |
++ | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`) | +
--namespace <string> |
+-n |
+Config namespace (default ``) | +
Converts Ingresses into VirtualService configuration on a best effort basis. The output should be considered a starting point for your Istio configuration and probably require some minor modification. Warnings will be generated where configs cannot be converted perfectly. The input must be a Kubernetes Ingress. The conversion of v1alpha1 Istio rules has been removed from istioctl.
istioctl convert-ingress [flags]
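Review bot: the added `istioctl authz` alias page is identical to the removed `istioctl auth` page apart from the name, so a reader cannot tell from the docs whether `istioctl auth` still works or was dropped; add a one-line deprecation note on this page naming the old command so anyone with scripts built on `istioctl auth` knows to switch.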
@@ -878,6 +878,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
'true' to enable service discovery, 'false' to disable it. Defaults to true if --use-kube is set, false otherwise. Analyzers requiring resources made available by enabling service discovery will be skipped. (default ``)
+--failure-threshold <Level>
+
+The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warn Error] (default `Warn`)
+
+
--istioNamespace <string>
-i
Istio system namespace (default `istio-system`)
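Review bot: the `--failure-threshold` description ("The severity level of analysis at which to set a non-zero exit code") does not say whether the threshold is inclusive, that is, whether findings at the given level or above cause the non-zero exit. Suggest "the severity level at or above which the command exits non-zero", and, because the default is `Warn`, a sentence advising pipelines that gate on the exit code to set the level explicitly (`--failure-threshold Error` if warnings should not block).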
@@ -898,6 +903,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
Config namespace (default ``)
+--output-threshold <Level>
+
+The severity level of analysis at which to display messages. Valid values: [Info Warn Error] (default `Info`)
+
+
--use-kube
-k
Use live Kubernetes cluster for analysis
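Review bot: `--output-threshold` and `--failure-threshold` interact and neither description says how: with `--output-threshold Error` and the default `--failure-threshold Warn`, a Warn-level finding would make the command exit non-zero without the message being shown. Either document that the failure threshold is applied to all findings regardless of what is displayed, or note that the output threshold should not be set above the failure threshold.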
@@ -927,11 +937,10 @@ istioctl experimental analyze -d true a.yaml b.yaml services.yaml
istioctl experimental analyze -k -d false
-istioctl experimental auth
-Commands to inspect and interact with the authentication (TLS, JWT) and authorization (RBAC) policies in the mesh
- check - check the TLS/JWT/RBAC settings based on the Envoy config
+
istioctl experimental authz
+Commands to inspect and interact with the authorization policies
+ check - check Envoy config dump for authorization configuration
convert - convert v1alpha1 RBAC policies to v1beta1 authorization policies
- validate - check for potential incorrect usage in authorization policy files.
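Review bot: the removed `- validate - check for potential incorrect usage in authorization policy files.` line sits under the `istioctl experimental authz` heading, so this hunk drops `validate` from the authz subcommand list and not only the `experimental auth` group above it. Confirm that matches the binary; if the subcommand still exists under authz, the listing should keep it.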
@@ -969,29 +978,23 @@ istioctl experimental analyze -k -d false
-Examples
- # Check the TLS/JWT/RBAC settings for pod httpbin-88ddbcfdd-nt5jb:
- istioctl experimental auth check httpbin-88ddbcfdd-nt5jb
+Examples
+ # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
+ istioctl x authz check httpbin-88ddbcfdd-nt5jb
- # Convert the v1alpha1 RBAC policies currently applied in the cluster to v1beta1 authorization policies:
- istioctl experimental auth convert > v1beta1-authz.yaml
+ # Convert the v1alpha1 RBAC policies in the current cluster to v1beta1 authorization policies:
+ istioctl x authz convert > v1beta1-authz.yaml
-istioctl experimental auth check
-Check analyzes the TLS/JWT/RBAC settings directly based on the Envoy config. The Envoy config could
-be provided either by pod name or from a config dump file (the whole output of http://localhost:15000/config_dump
-of an Envoy instance).
-Currently only the listeners with node IP and clusters on outbound direction are analyzed:
-- listeners with node IP generally tell how should other pods talk to the Envoy instance which include
- the server side TLS/JWT/RBAC settings.
-- clusters on outbound direction generally tell how should the Envoy instance talk to other pods which
- include the client side TLS settings.
-To check the TLS setting, you could run 'check' on both of the client and server pods and compare
-the cluster results of the client pod and the listener results of the server pod.
-To check the JWT/RBAC setting, you could run 'check' only on your server pods and check the listener results.
+istioctl experimental authz check
+Check reads the Envoy config dump and checks the filter configuration
+related to authorization. For example, it shows whether or not the Envoy is configured
+with authorization and the rules used in the authorization.
+The Envoy config dump could be provided either by pod name or from a config dump file
+(the whole output of http://localhost:15000/config_dump of an Envoy instance).
THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
-istioctl experimental auth check <pod-name>[.<pod-namespace>] [flags]
+istioctl experimental authz check <pod-name>[.<pod-namespace>] [flags]
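Review bot: the examples use the `istioctl x authz check` form while the usage line directly below reads `istioctl experimental authz check`; use one form on the page or say once that `x` is shorthand for `experimental`. The replacement description is also less specific than the text it replaces: it drops the statement of which parts of the config dump (listeners, outbound clusters) are inspected, and if that scope is unchanged the sentence should stay, since someone checking a dump file needs to know what is and is not covered.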
@@ -1015,7 +1018,7 @@ the cluster results of the client pod and the listener results of the server pod
--file <string>
-f
-Check the TLS/JWT/RBAC setting from the config dump file (default ``)
+Check the Envoy config dump from a file (default ``)
--istioNamespace <string>
@@ -1039,17 +1042,17 @@ the cluster results of the client pod and the listener results of the server pod
-Examples
- # Check the TLS/JWT/RBAC policy status for pod httpbin-88ddbcfdd-nt5jb in namespace foo:
- istioctl experimental auth check httpbin-88ddbcfdd-nt5jb.foo
+Examples
+ # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
+ istioctl x authz check httpbin-88ddbcfdd-nt5jb
- # Check the TLS/JWT/RBAC policy status from a config dump file:
- istioctl experimental auth check -f httpbin_config_dump.txt
+ # Check Envoy authorization configuration from a config dump file:
+ istioctl x authz check -f httpbin_config_dump.json
-istioctl experimental auth convert
-Convert converts Istio v1alpha1 RBAC policy to v1beta1 authorization policy. The command talks to Kubernetes
-API server to get all the information needed to complete the conversion, including the currently applied v1alpha1
-RBAC policies, the Istio config-map for root namespace configuration and the k8s Service translating the
+
istioctl experimental authz convert
+Convert Istio v1alpha1 RBAC policy to v1beta1 authorization policy. The command talks to Kubernetes
+API server to get all the information needed to complete the conversion, including the v1alpha1 RBAC policies in the current
+cluster, the Istio config-map for root namespace configuration and the k8s Service translating the
service name to workload selector.
The tool can also be used in offline mode without talking to the Kubernetes API server. In this mode,
all needed information is provided through the command line.
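Review bot: the convert description lists what the command reads from the API server (the v1alpha1 RBAC policies, the Istio config map for the root namespace, and Services) but not what access the caller needs; a short list of the read permissions on those resources would let operators run the conversion with a read-only kubeconfig instead of cluster-admin, which fits the "always review the converted policies before applying them" advice in the context below.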
@@ -1061,7 +1064,7 @@ to workload selector).
Please always review the converted policies before applying them.
THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
-istioctl experimental auth convert [flags]
+istioctl experimental authz convert [flags]
@@ -1119,66 +1122,14 @@ to workload selector).
-Examples
- # Convert the v1alpha1 RBAC policy currently applied in the cluster:
- istioctl experimental auth convert > v1beta1-authz.yaml
+Examples
+ # Convert the v1alpha1 RBAC policy in the current cluster:
+ istioctl x authz convert > v1beta1-authz.yaml
# Convert the v1alpha1 RBAC policy provided through command line:
- istioctl experimental auth convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
+ istioctl x authz convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
--service services.yaml --meshConfigFile meshConfig.yaml > v1beta1-authz.yaml
-
-istioctl experimental auth validate
-This command goes through all authorization policy files and finds potential issues such as:
- * ServiceRoleBinding refers to a non existing ServiceRole.
- * ServiceRole not used.
- It does not require access to the cluster as the validation is against local files.
-
-istioctl experimental auth validate <policy-file1,policy-file2,...> [flags]
-
-
-
-
-Flags
-Shorthand
-Description
-
-
-
-
---context <string>
-
-The name of the kubeconfig context to use (default ``)
-
-
---file <stringSlice>
--f
-Authorization policy file (default `[]`)
-
-
---istioNamespace <string>
--i
-Istio system namespace (default `istio-system`)
-
-
---kubeconfig <string>
--c
-Kubernetes configuration file (default ``)
-
-
---log_output_level <string>
-
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
-
-
---namespace <string>
--n
-Config namespace (default ``)
-
-
-
-Examples
-istioctl experimental auth validate -f policy1.yaml,policy2.yaml
istioctl experimental convert-ingress
(convert-ingress has graduated. Use `istioctl convert-ingress`)
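Review bot: removing the `istioctl experimental auth validate` page takes away the documented offline checks (a ServiceRoleBinding referring to a non-existent ServiceRole, an unused ServiceRole) and nothing in this patch points to a replacement; the analyzer messages added in data/analysis.yaml (IST0110 to IST0112) cover Sidecar and VirtualService issues, not RBAC bindings. If the checks now live elsewhere, the `authz` section should say where; if they are gone, that belongs in the release notes.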
@@ -1276,7 +1227,7 @@ to workload selector).
--service-account <string>
-create a secret with this service account's credentials. (default `istio-pilot-service-account`)
+create a secret with this service account's credentials. (default `istio-reader-service-account`)
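Review bot: changing the default `--service-account` from `istio-pilot-service-account` to `istio-reader-service-account` narrows what the generated secret can do in the remote cluster, which is the right direction, but the flag text ("create a secret with this service account's credentials") does not tell the reader that the secret carries that account's permissions wherever it is copied. One sentence making that explicit, and advising a read-only account when overriding the default, would make the least-privilege intent visible in the docs.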
diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html
index ac2e26bd9d..c30245856b 100644
--- a/content/en/docs/reference/config/annotations/index.html
+++ b/content/en/docs/reference/config/annotations/index.html
@@ -29,6 +29,36 @@ Istio supports to control its behavior.
+
+
+ install.operator.istio.io/chart-owner
+ [Any]
+ Represents the name of the chart used to create this resource.
+
+
+
+
+
+
+
+ install.operator.istio.io/owner-generation
+ [Any]
+ Represents the generation to which the resource was last reconciled.
+
+
+
+
+
+
+
+ install.operator.istio.io/version
+ [Any]
+ Represents the Istio version associated with the resource
+
+
+
+
+
kubernetes.io/ingress.class
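Review bot: the description of `install.operator.istio.io/version` ("Represents the Istio version associated with the resource") lacks the trailing period its two sibling entries have; since this page is generated from istio/istio, the fix belongs in the source comment. It would also help to say whether these three annotations are written by the operator during reconciliation (as "the generation to which the resource was last reconciled" suggests) and whether users are expected to set them, since the `[Any]` resource column otherwise reads as an invitation to.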
diff --git a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
index c049fd0286..12c4e2f7dc 100644
--- a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
+++ b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
@@ -6,7 +6,7 @@ description: Configuration for Istio control plane installation through the Oper
location: https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb.html
layout: protoc-gen-docs
generator: protoc-gen-docs
-number_of_entries: 56
+number_of_entries: 59
---
IstioControlPlane is a schema for both defining and customizing Istio control plane installations.
Running the operator with an empty user defined InstallSpec results in an control plane with default values, using the
@@ -271,7 +271,7 @@ No
enabled
TypeBoolValueForPB
-Selects whether gateway feature is installed. Must be set for any sub-component to be installed.
+Selects whether CNI feature is installed. Must be set for any sub-component to be installed.
@@ -485,6 +485,122 @@ No
+CoreDNSComponentSpec
+
+Configuration options for CoreDNS component.
+
+
+
+CoreDNSFeatureSpec
+
+Configuration options for CoreDNS feature.
+
+
+
+CoreDNSFeatureSpec.Components
+
+
+DeploymentStrategy
Mirrors k8s.io.api.apps.v1.DeploymentStrategy for unmarshaling.
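Review bot: `CoreDNSFeatureSpec.Components` is added with no description while `CoreDNSComponentSpec` and `CoreDNSFeatureSpec` each get one; add a one-line comment in the source proto so the generated entry is not blank.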
@@ -1145,6 +1261,15 @@ No
No
+
+coreDNS
+CoreDNSFeatureSpec
+
+
+
+No
+
+
values
TypeMapStringInterface
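Review bot: the new `coreDNS` row has an empty description cell between the `CoreDNSFeatureSpec` type and the `No` required column; a short line such as "Configuration for the CoreDNS feature" in the source proto would keep it consistent with the other feature rows in this table.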
diff --git a/content/en/docs/reference/config/policy-and-telemetry/adapters/signalfx/index.html b/content/en/docs/reference/config/policy-and-telemetry/adapters/signalfx/index.html
deleted file mode 100644
index 0d8ccdbf97..0000000000
--- a/content/en/docs/reference/config/policy-and-telemetry/adapters/signalfx/index.html
+++ /dev/null
@@ -1,271 +0,0 @@
----
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
-source_repo: https://github.com/istio/istio
-title: SignalFx
-description: Adapter that sends metrics to SignalFx.
-location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/signalfx.html
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-supported_templates: metric,tracespan
-number_of_entries: 3
----
-The signalfx
adapter collects Istio metrics and trace spans and sends them
-to SignalFx.
-
-This adapter supports the metric template
-and the tracespan template.
-
-If sending trace spans, this adapter can make use of certain conventions in
-the tracespan format that is configured to send to this adapter. Here is an
-example tracespan spec that will work well:
-
-apiVersion: config.istio.io/v1alpha2
-kind: instance
-metadata:
- name: signalfx
-spec:
- compiledTemplate: tracespan
- params:
- traceId: request.headers["x-b3-traceid"] | ""
- spanId: request.headers["x-b3-spanid"] | ""
- parentSpanId: request.headers["x-b3-parentspanid"] | ""
- # If the path contains query parameters, they will be split off and put into
- # tags such that the span name sent to SignalFx will consist only of the path
- # itself.
- spanName: request.path | "/"
- startTime: request.time
- endTime: response.time
- # If this is >=500, the span will get an 'error' tag
- httpStatusCode: response.code | 0
- clientSpan: context.reporter.kind == "outbound"
- # Span tags below that do not have comments are useful but optional and will
- # be passed to SignalFx unmodified. The tags that have comments are interpreted
- # in a special manner, but are still optional.
- spanTags:
- # This is used to determine whether the span pertains to the client or
- # server side of the request.
- context.reporter.local: context.reporter.local
- # This gets put into the remoteEndpoint.ipv4 field
- destination.ip: destination.ip | ip("0.0.0.0")
- # This gets flattened out to individual tags of the form
- # 'destination.labels.<key>: <value>'.
- destination.labels: destination.labels
- # This gets put into the remoteEndpoint.name field
- destination.name: destination.name | "unknown"
- destination.namespace: destination.namespace | "unknown"
- request.host: request.host | ""
- request.method: request.method | ""
- request.path: request.path | ""
- request.size: request.size | 0
- request.useragent: request.useragent | ""
- response.size: response.size | 0
- # This gets put into the localEndpoint.name field
- source.name: source.name | "unknown"
- # This gets put into the localEndpoint.ipv4 field
- source.ip: source.ip | ip("0.0.0.0")
- source.namespace: source.namespace | "unknown"
- # This gets flattened out to individual tags of the form
- # 'source.labels.<key>: <value>'.
- source.labels: source.labels
- source.version: source.labels["version"] | "unknown"
-
-
-Params
-
-Configuration format for the signalfx
adapter.
-
-
-
-Params.MetricConfig
-
-Describes what metrics should be sent to SignalFx and in what form.
-
-
-
-Params.MetricConfig.Type
-
-Describes what kind of metric this is.
-
-
-
-
-Name
-Description
-
-
-
-
-NONE
-
-None is the default and is invalid
-
-
-
-
-COUNTER
-
-Values with the same set of dimensions will be added together
-as a continuously incrementing value.
-
-
-
-
-HISTOGRAM
-
-A histogram distribution. This will result in several metrics
-emitted for each unique set of dimensions.
-
-
-
-
-
-
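Review bot: deleting this page removes the only on-site description of the `signalfx` adapter and its tracespan conventions (the B3 header mapping, the `httpStatusCode` error tagging, the endpoint field mappings), while the 1.0 announcement edited later in this patch still tells readers the adapter exists. Add a note in the release notes, or on the announcement, that the adapter was removed and where the archived reference lives, so the remaining mention does not send readers looking for a page that no longer exists.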
diff --git a/content/en/news/2018/announcing-1.0/index.md b/content/en/news/2018/announcing-1.0/index.md
index 42ba373936..007d9e86af 100644
--- a/content/en/news/2018/announcing-1.0/index.md
+++ b/content/en/news/2018/announcing-1.0/index.md
@@ -99,7 +99,7 @@ in addition to the server-side telemetry.
#### Adapters
-- **SignalFX**. There is a new [`signalfx`](/docs/reference/config/policy-and-telemetry/adapters/signalfx/) adapter.
+- **SignalFX**. There is a new `signalfx` adapter.
- **Stackdriver**. The [`stackdriver`](/docs/reference/config/policy-and-telemetry/adapters/stackdriver/) adapter has been substantially enhanced in this
release to add new features and improve performance.
diff --git a/content/zh/news/2018/announcing-1.0/index.md b/content/zh/news/2018/announcing-1.0/index.md
index 5390f76095..9fbcddd8a8 100644
--- a/content/zh/news/2018/announcing-1.0/index.md
+++ b/content/zh/news/2018/announcing-1.0/index.md
@@ -99,7 +99,7 @@ in addition to the server-side telemetry.
#### Adapters
-- **SignalFX**. There is a new [`signalfx`](/docs/reference/config/policy-and-telemetry/adapters/signalfx/) adapter.
+- **SignalFX**. There is a new `signalfx` adapter.
- **Stackdriver**. The [`stackdriver`](/docs/reference/config/policy-and-telemetry/adapters/stackdriver/) adapter has been substantially enhanced in this
release to add new features and improve performance.
diff --git a/data/analysis.yaml b/data/analysis.yaml
index e7038d2a62..c13c7bc8e8 100644
--- a/data/analysis.yaml
+++ b/data/analysis.yaml
@@ -113,3 +113,38 @@ messages:
type: string
- name: host
type: string
+
+ - name: "ConflictingSidecarWorkloadSelectors"
+ code: IST0110
+ level: Error
+ description: "A Sidecar resource selects the same workloads as another Sidecar resource"
+ template: "The Sidecars %v in namespace %q select the same workload pod %q, which can lead to undefined behavior."
+ args:
+ - name: conflitingSidecars
+ type: "[]string"
+ - name: namespace
+ type: string
+ - name: workloadPod
+ type: string
+
+ - name: "MultipleSidecarsWithoutWorkloadSelectors"
+ code: IST0111
+ level: Error
+ description: "More than one sidecar resource in a namespace has no workload selector"
+ template: "The Sidecars %v in namespace %q have no workload selector, which can lead to undefined behavior."
+ args:
+ - name: conflitingSidecars
+ type: "[]string"
+ - name: namespace
+ type: string
+
+ - name: "VirtualServiceDestinationPortSelectorRequired"
+ code: IST0112
+ level: Error
+ description: "A VirtualService routes to a service with more than one port exposed, but does not specify which to use."
+ template: "This VirtualService routes to a service %q that exposes multiple ports %v. Specifying a port in the destination is required to disambiguate."
+ args:
+ - name: destHost
+ type: string
+ - name: destPorts
+ type: "[]int"
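Review bot: the argument name `conflitingSidecars` is misspelled in both IST0110 and IST0111 and should be `conflictingSidecars`; fix it before the name propagates into generated output. The IST0111 description also says "sidecar resource" where IST0110 says "Sidecar resource"; capitalise for consistency. Both messages are level Error, so with the new `--failure-threshold` default of `Warn` they will fail `istioctl experimental analyze`, which looks right given both templates state the condition leads to undefined behavior.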
diff --git a/examples/examples__bookinfo.snippets.txt b/examples/examples__bookinfo.snippets.txt
index c9ad258fd4..bad519fc45 100644
--- a/examples/examples__bookinfo.snippets.txt
+++ b/examples/examples__bookinfo.snippets.txt
@@ -14,11 +14,11 @@ $endsnippet
$snippet verify_service.sh_output.txt syntax="text"
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-details ClusterIP 10.101.120.116 9080/TCP 1s
-kubernetes ClusterIP 10.96.0.1 443/TCP 8m48s
-productpage ClusterIP 10.109.229.155 9080/TCP 0s
-ratings ClusterIP 10.105.61.20 9080/TCP 1s
-reviews ClusterIP 10.104.30.214 9080/TCP 0s
+details ClusterIP 10.104.210.169 9080/TCP 1s
+kubernetes ClusterIP 10.96.0.1 443/TCP 9m27s
+productpage ClusterIP 10.104.178.50 9080/TCP 0s
+ratings ClusterIP 10.97.49.198 9080/TCP 0s
+reviews ClusterIP 10.103.202.170 9080/TCP 0s
$endsnippet
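Review bot: the only changes in this snippet (and the pod listing that follows) are regenerated cluster IPs, pod suffixes and ages, which carry no information for the reader and will churn on every regeneration; consider having the snippet generator normalise the `CLUSTER-IP`, `AGE` and pod-suffix values, or leave these files out of a docs-reorganisation change, so the diff stays reviewable.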
@@ -28,12 +28,12 @@ $endsnippet
$snippet verify_pods.sh_output.txt syntax="text"
NAME READY STATUS RESTARTS AGE
-details-v1-74f858558f-sp2zc 2/2 Running 0 39s
-productpage-v1-76589d9fdc-krrxc 2/2 Running 0 38s
-ratings-v1-7855f5bcb9-c6vjp 2/2 Running 0 39s
-reviews-v1-64bc5454b9-qsfww 2/2 Running 0 39s
-reviews-v2-76c64d4bdf-95h6m 2/2 Running 0 39s
-reviews-v3-5545c7c78f-9ptfw 2/2 Running 0 39s
+details-v1-74f858558f-fxjvw 2/2 Running 0 41s
+productpage-v1-76589d9fdc-bmbrs 2/2 Running 0 41s
+ratings-v1-7855f5bcb9-tc8d7 2/2 Running 0 40s
+reviews-v1-64bc5454b9-mbrgq 2/2 Running 0 40s
+reviews-v2-76c64d4bdf-5rrkj 2/2 Running 0 41s
+reviews-v3-5545c7c78f-fwjs6 2/2 Running 0 41s
$endsnippet
diff --git a/examples/tasks__security__authorization_for_http_services.snippets.txt b/examples/tasks__security__authorization_for_http_services.snippets.txt
deleted file mode 100644
index ae889740ea..0000000000
--- a/examples/tasks__security__authorization_for_http_services.snippets.txt
+++ /dev/null
@@ -1,157 +0,0 @@
-# Created by TestAuthorizationForHTTPServices. DO NOT EDIT THIS FILE MANUALLY!
-
-$snippet enabling_istio_authorization.sh syntax="bash"
-$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
-$endsnippet
-
-$snippet enforcing_namespace_level_access_control_apply.sh syntax="bash"
-$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
-$endsnippet
-
-$snippet enforcing_namespace_level_access_control_apply.sh_output.txt syntax="text"
-servicerole.rbac.istio.io/service-viewer created
-servicerolebinding.rbac.istio.io/bind-service-viewer created
-
-$endsnippet
-
-$snippet enforcing_namespace_level_access_control_delete.sh syntax="bash"
-$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step1_apply.sh syntax="bash"
-$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step2_apply.sh syntax="bash"
-$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step3_apply.sh syntax="bash"
-$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
-$endsnippet
-
-$snippet remove_istio_authorization_policy.sh syntax="bash"
-$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
-$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
-$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
-$endsnippet
-
-$snippet remove_istio_authorization_policy_alternative.sh syntax="bash"
-$ kubectl delete servicerole --all
-$ kubectl delete servicerolebinding --all
-$endsnippet
-
-$snippet disabling_istio_authorization.sh syntax="bash"
-$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
-$endsnippet
-
-$snippet enforcing_namespace_level_access_control_service-viewer.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRole
-metadata:
- name: service-viewer
- namespace: default
-spec:
- rules:
- - services: ["*"]
- methods: ["GET"]
- constraints:
- - key: "destination.labels[app]"
- values: ["productpage", "details", "reviews", "ratings"]
-$endsnippet
-
-$snippet enforcing_namespace_level_access_control_bind-service-viewer.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRoleBinding
-metadata:
- name: bind-service-viewer
- namespace: default
-spec:
- subjects:
- - properties:
- source.namespace: "istio-system"
- - properties:
- source.namespace: "default"
- roleRef:
- kind: ServiceRole
- name: "service-viewer"
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step1_productpage-viewer.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRole
-metadata:
- name: productpage-viewer
- namespace: default
-spec:
- rules:
- - services: ["productpage.default.svc.cluster.local"]
- methods: ["GET"]
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step1_bind-productpage-viewer.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRoleBinding
-metadata:
- name: bind-productpage-viewer
- namespace: default
-spec:
- subjects:
- - user: "*"
- roleRef:
- kind: ServiceRole
- name: "productpage-viewer"
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step2_details-reviews-viewer.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRole
-metadata:
- name: details-reviews-viewer
- namespace: default
-spec:
- rules:
- - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
- methods: ["GET"]
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step2_bind-details-reviews.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRoleBinding
-metadata:
- name: bind-details-reviews
- namespace: default
-spec:
- subjects:
- - user: "cluster.local/ns/default/sa/bookinfo-productpage"
- roleRef:
- kind: ServiceRole
- name: "details-reviews-viewer"
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step3_ratings-viewer.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRole
-metadata:
- name: ratings-viewer
- namespace: default
-spec:
- rules:
- - services: ["ratings.default.svc.cluster.local"]
- methods: ["GET"]
-$endsnippet
-
-$snippet enforcing_service_level_access_control_step3_bind-ratings.yaml syntax="yaml"
-apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRoleBinding
-metadata:
- name: bind-ratings
- namespace: default
-spec:
- subjects:
- - user: "cluster.local/ns/default/sa/bookinfo-reviews"
- roleRef:
- kind: ServiceRole
- name: "ratings-viewer"
-$endsnippet
-
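Review bot: this file carries the header "Created by TestAuthorizationForHTTPServices. DO NOT EDIT THIS FILE MANUALLY!", so deleting it only sticks if the generating test was removed or renamed upstream as well; confirm that, otherwise the next test run recreates these v1alpha1 ServiceRole/ServiceRoleBinding snippets. Also check that the task page which embedded them was updated in the same change, otherwise it references snippets that no longer exist.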
diff --git a/examples/tasks__security__mututal_tls_migration.snippets.txt b/examples/tasks__security__mututal_tls_migration.snippets.txt
index 26a6bf325f..9f29283ee1 100644
--- a/examples/tasks__security__mututal_tls_migration.snippets.txt
+++ b/examples/tasks__security__mututal_tls_migration.snippets.txt
@@ -21,7 +21,7 @@ $endsnippet
$snippet verify_initial_policies.sh syntax="bash" outputis="text"
$ kubectl get policies.authentication.istio.io --all-namespaces
NAMESPACE NAME AGE
-istio-system grafana-ports-mtls-disabled 3m22s
+istio-system grafana-ports-mtls-disabled 89s
$endsnippet
$snippet configure_mtls_destinationrule.sh syntax="bash"
diff --git a/examples/tasks__traffic_management__mirroring.snippets.txt b/examples/tasks__traffic_management__mirroring.snippets.txt
index f19d2a1be1..7a7974a6a5 100644
--- a/examples/tasks__traffic_management__mirroring.snippets.txt
+++ b/examples/tasks__traffic_management__mirroring.snippets.txt
@@ -138,20 +138,20 @@ $endsnippet
$snippet check_logs_v1_1.sh syntax="bash" outputis="text"
$ export V1_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v1 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V1_POD} -c httpbin
-[2019-11-05 18:48:27 +0000] [1] [INFO] Starting gunicorn 19.9.0
-[2019-11-05 18:48:27 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
-[2019-11-05 18:48:27 +0000] [1] [INFO] Using worker: sync
-[2019-11-05 18:48:27 +0000] [8] [INFO] Booting worker with pid: 8
-127.0.0.1 - - [05/Nov/2019:18:48:45 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
+[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
+[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
+[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
+[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
+127.0.0.1 - - [08/Nov/2019:20:42:31 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
$endsnippet
$snippet check_logs_v2_1.sh syntax="bash" outputis="text"
$ export V2_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v2 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V2_POD} -c httpbin
-[2019-11-05 18:48:28 +0000] [1] [INFO] Starting gunicorn 19.9.0
-[2019-11-05 18:48:28 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
-[2019-11-05 18:48:28 +0000] [1] [INFO] Using worker: sync
-[2019-11-05 18:48:28 +0000] [9] [INFO] Booting worker with pid: 9
+[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
+[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
+[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
+[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
$endsnippet
$snippet mirror_vs.sh syntax="bash"
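Review bot: this hunk and the next change only timestamps and a worker pid; the behaviour the task demonstrates (v1 logs `/ISTIO_IO_MIRROR_TEST_1`, v2 logs nothing before mirroring is enabled, and only the mirrored request afterwards) is unchanged. If these outputs must be regenerated, normalising the timestamps in the generator would let reviewers see at a glance that the assertions the task relies on did not move.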
@@ -184,22 +184,22 @@ $endsnippet
$snippet check_logs_v1_2.sh syntax="bash" outputis="text"
$ export V1_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v1 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V1_POD} -c httpbin
-[2019-11-05 18:48:27 +0000] [1] [INFO] Starting gunicorn 19.9.0
-[2019-11-05 18:48:27 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
-[2019-11-05 18:48:27 +0000] [1] [INFO] Using worker: sync
-[2019-11-05 18:48:27 +0000] [8] [INFO] Booting worker with pid: 8
-127.0.0.1 - - [05/Nov/2019:18:48:45 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
-127.0.0.1 - - [05/Nov/2019:18:48:56 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
+[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
+[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
+[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
+[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
+127.0.0.1 - - [08/Nov/2019:20:42:31 +0000] "GET /ISTIO_IO_MIRROR_TEST_1 HTTP/1.1" 404 233 "-" "curl/7.35.0"
+127.0.0.1 - - [08/Nov/2019:20:42:42 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
$endsnippet
$snippet check_logs_v2_2.sh syntax="bash" outputis="text"
$ export V2_POD=$(kubectl -n istio-io-mirror get pod -l app=httpbin,version=v2 -o jsonpath={.items..metadata.name})
$ kubectl -n istio-io-mirror logs ${V2_POD} -c httpbin
-[2019-11-05 18:48:28 +0000] [1] [INFO] Starting gunicorn 19.9.0
-[2019-11-05 18:48:28 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
-[2019-11-05 18:48:28 +0000] [1] [INFO] Using worker: sync
-[2019-11-05 18:48:28 +0000] [9] [INFO] Booting worker with pid: 9
-127.0.0.1 - - [05/Nov/2019:18:48:56 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
+[2019-11-08 20:42:04 +0000] [1] [INFO] Starting gunicorn 19.9.0
+[2019-11-08 20:42:04 +0000] [1] [INFO] Listening at: http://0.0.0.0:80 (1)
+[2019-11-08 20:42:04 +0000] [1] [INFO] Using worker: sync
+[2019-11-08 20:42:04 +0000] [8] [INFO] Booting worker with pid: 8
+127.0.0.1 - - [08/Nov/2019:20:42:42 +0000] "GET /ISTIO_IO_MIRROR_TEST_2 HTTP/1.1" 404 233 "-" "curl/7.35.0"
$endsnippet
$snippet remove_rules.sh syntax="bash"