Automator: update istio.io@ reference docs (#16106)

Istio Automation 2024-12-16 21:13:58 -05:00 committed by GitHub
parent b2f903ac2e
commit 675a2183a7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
38 changed files with 15248 additions and 18808 deletions

View File

@ -20,216 +20,42 @@ messages. All information should be static with respect to the error code.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageBase-type">
<td><code><a href="#AnalysisMessageBase-type">type</a></code></td>
<td><code><a href="#AnalysisMessageBase-Type">Type</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-type">type</a></code></div>
<div class="type"><a href="#AnalysisMessageBase-Type">Type</a></div>
</div></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageBase-level">
<td><code><a href="#AnalysisMessageBase-level">level</a></code></td>
<td><code><a href="#AnalysisMessageBase-Level">Level</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-level">level</a></code></div>
<div class="type"><a href="#AnalysisMessageBase-Level">Level</a></div>
</div></td>
<td>
<p>Represents how severe a message is. Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageBase-documentation_url">
<td><code><a href="#AnalysisMessageBase-documentation_url">documentationUrl</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-documentation_url">documentationUrl</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A url pointing to the Istio documentation for this specific error type.
Should be of the form
<code>^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/</code>
Required.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageWeakSchema">AnalysisMessageWeakSchema</h2>
<section>
<p>AnalysisMessageWeakSchema is the set of information that&rsquo;s needed to define a
weakly-typed schema. The purpose of this proto is to provide a mechanism for
validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
sure that we don&rsquo;t allow committing underspecified types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-message_base">
<td><code><a href="#AnalysisMessageWeakSchema-message_base">messageBase</a></code></td>
<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-description">
<td><code><a href="#AnalysisMessageWeakSchema-description">description</a></code></td>
<td><code>string</code></td>
<td>
<p>A human readable description of what the error means. Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-template">
<td><code><a href="#AnalysisMessageWeakSchema-template">template</a></code></td>
<td><code>string</code></td>
<td>
<p>A go-style template string (<a href="https://golang.org/pkg/fmt/#hdr-Printing">https://golang.org/pkg/fmt/#hdr-Printing</a>)
defining how to combine the args for a particular message into a log line.
Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-args">
<td><code><a href="#AnalysisMessageWeakSchema-args">args</a></code></td>
<td><code><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></code></td>
<td>
<p>A description of the arguments for a particular message type</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="GenericAnalysisMessage">GenericAnalysisMessage</h2>
<section>
<p>GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
should be able to perform validation of arguments as needed by using the
message type information to look at the AnalysisMessageWeakSchema and examine the
list of args at runtime. Developers can also create stronger-typed versions
of GenericAnalysisMessage for well-known and stable message types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="GenericAnalysisMessage-message_base">
<td><code><a href="#GenericAnalysisMessage-message_base">messageBase</a></code></td>
<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="GenericAnalysisMessage-args">
<td><code><a href="#GenericAnalysisMessage-args">args</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td>
<p>Any message-type specific arguments that need to get codified. Optional.</p>
</td>
<td>
No
</td>
</tr>
<tr id="GenericAnalysisMessage-resource_paths">
<td><code><a href="#GenericAnalysisMessage-resource_paths">resourcePaths</a></code></td>
<td><code>string[]</code></td>
<td>
<p>A list of strings specifying the resource identifiers that were the cause
of message generation. A &ldquo;path&rdquo; here is a (NAMESPACE/)?RESOURCETYPE/NAME
tuple that uniquely identifies a particular resource. There doesn&rsquo;t seem to
be a single concept for this, but this is intuitively taken from
<a href="https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology">https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology</a>
At least one is required.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="InternalErrorAnalysisMessage">InternalErrorAnalysisMessage</h2>
<section>
<p>InternalErrorAnalysisMessage is a strongly-typed message representing some
error in Istio code that prevented us from performing analysis at all.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="InternalErrorAnalysisMessage-message_base">
<td><code><a href="#InternalErrorAnalysisMessage-message_base">messageBase</a></code></td>
<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="InternalErrorAnalysisMessage-detail">
<td><code><a href="#InternalErrorAnalysisMessage-detail">detail</a></code></td>
<td><code>string</code></td>
<td>
<p>Any detail regarding specifics of the error. Should be human-readable.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageBase-Type">AnalysisMessageBase.Type</h2>
<h3 id="AnalysisMessageBase-Type">Type</h3>
<section>
<p>A unique identifier for the type of message. Name is intended to be
human-readable, code is intended to be machine readable. There should be a
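Review bot: the description cell of the AnalysisMessageBase "type" row (tr id AnalysisMessageBase-type) is empty, so the one field that ties a message to its schema is the only undocumented one in the table; a single sentence such as "The type of this message; see Type below." would fix it. In the same hunk, the "level" and "documentationUrl" descriptions still end with "Required." while their new field cells carry no required marker, so with the Required column gone the requirement survives only as free text; the Gateway tables in this same commit render required fields with a separate "Required" line inside the field cell, and these rows should either do the same or drop the prose so the two views do not disagree.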
@ -240,82 +66,36 @@ codes between message types.)</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageBase-Type-name">
<td><code><a href="#AnalysisMessageBase-Type-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A human-readable name for the message type. e.g. &ldquo;InternalError&rdquo;,
&ldquo;PodMissingProxy&rdquo;. This should be the same for all messages of the same type.
Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageBase-Type-code">
<td><code><a href="#AnalysisMessageBase-Type-code">code</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-code">code</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A 7 character code matching <code>^IST[0-9]{4}$</code> intended to uniquely identify
the message type. (e.g. &ldquo;IST0001&rdquo; is mapped to the &ldquo;InternalError&rdquo; message
type.) 0000-0100 are reserved. Required.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageWeakSchema-ArgType">AnalysisMessageWeakSchema.ArgType</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-ArgType-name">
<td><code><a href="#AnalysisMessageWeakSchema-ArgType-name">name</a></code></td>
<td><code>string</code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
<td><code><a href="#AnalysisMessageWeakSchema-ArgType-go_type">goType</a></code></td>
<td><code>string</code></td>
<td>
<p>Required. Should be a golang type, used in code generation.
Ideally this will change to a less language-pinned type before this gets
out of alpha, but for compatibility with current istio/istio code it&rsquo;s
go_type for now.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageBase-Level">AnalysisMessageBase.Level</h2>
<h3 id="AnalysisMessageBase-Level">Level</h3>
<section>
<p>The values here are chosen so that more severe messages get sorted higher,
as well as leaving space in between to add more later</p>
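Review bot: the "code" row of AnalysisMessageBase.Type says that 0000-0100 are reserved and, in the same sentence, gives IST0001 as the code for InternalError, so "reserved" evidently means reserved for Istio's own message types rather than unavailable; please say so, write the range with its prefix, and state whether the bounds are inclusive. Minor: the Level text "The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later" is missing its closing period.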
@ -353,3 +133,179 @@ as well as leaving space in between to add more later</p>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageWeakSchema">AnalysisMessageWeakSchema</h2>
<section>
<p>AnalysisMessageWeakSchema is the set of information that&rsquo;s needed to define a
weakly-typed schema. The purpose of this proto is to provide a mechanism for
validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
sure that we don&rsquo;t allow committing underspecified types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-message_base">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-message_base">messageBase</a></code></div>
<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-description">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-description">description</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A human readable description of what the error means. Required.</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-template">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-template">template</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A go-style template string (<a href="https://golang.org/pkg/fmt/#hdr-Printing">https://golang.org/pkg/fmt/#hdr-Printing</a>)
defining how to combine the args for a particular message into a log line.
Required.</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-args">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-args">args</a></code></div>
<div class="type"><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></div>
</div></td>
<td>
<p>A description of the arguments for a particular message type</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="AnalysisMessageWeakSchema-ArgType">ArgType</h3>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-ArgType-name">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-go_type">goType</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Should be a golang type, used in code generation.
Ideally this will change to a less language-pinned type before this gets
out of alpha, but for compatibility with current istio/istio code it&rsquo;s
go_type for now.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="GenericAnalysisMessage">GenericAnalysisMessage</h2>
<section>
<p>GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
should be able to perform validation of arguments as needed by using the
message type information to look at the AnalysisMessageWeakSchema and examine the
list of args at runtime. Developers can also create stronger-typed versions
of GenericAnalysisMessage for well-known and stable message types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="GenericAnalysisMessage-message_base">
<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-message_base">messageBase</a></code></div>
<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="GenericAnalysisMessage-args">
<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-args">args</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
</div></td>
<td>
<p>Any message-type specific arguments that need to get codified. Optional.</p>
</td>
</tr>
<tr id="GenericAnalysisMessage-resource_paths">
<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-resource_paths">resourcePaths</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of strings specifying the resource identifiers that were the cause
of message generation. A &ldquo;path&rdquo; here is a (NAMESPACE/)?RESOURCETYPE/NAME
tuple that uniquely identifies a particular resource. There doesn&rsquo;t seem to
be a single concept for this, but this is intuitively taken from
<a href="https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology">https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology</a>
At least one is required.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="InternalErrorAnalysisMessage">InternalErrorAnalysisMessage</h2>
<section>
<p>InternalErrorAnalysisMessage is a strongly-typed message representing some
error in Istio code that prevented us from performing analysis at all.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="InternalErrorAnalysisMessage-message_base">
<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-message_base">messageBase</a></code></div>
<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="InternalErrorAnalysisMessage-detail">
<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-detail">detail</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Any detail regarding specifics of the error. Should be human-readable.</p>
</td>
</tr>
</tbody>
</table>
</section>
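Review bot: the re-added ArgType "goType" row dropped the leading "Required." that the removed version had, while the sibling "name" row and the "messageBase" rows keep "Required" in prose; if the word was removed because required-ness now comes from field annotations, the field cell should show the required marker, and if not, the text should be restored so the two ArgType fields are described consistently. The "resourcePaths" description also still reads like a design note ("There doesn't seem to be a single concept for this, but this is intuitively taken from ..."); for a reference page, state the (NAMESPACE/)?RESOURCETYPE/NAME format as the rule and cite the Kubernetes link as the source.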

File diff suppressed because it is too large

View File

@ -289,6 +289,29 @@ indicates the type of traffic this waypoint can handle.</p>
</tr>
</tbody>
</table>
<h2 id="ServiceWorkloadName">service.istio.io/workload-name</h2>
<table class="annotations">
<tbody>
<tr>
<th>Name</th>
<td><code>service.istio.io/workload-name</code></td>
</tr>
<tr>
<th>Feature Status</th>
<td>Alpha</td>
</tr>
<tr>
<th>Resource Types</th>
<td>[Pod WorkloadEntry]</td>
</tr>
<tr>
<th>Description</th>
<td><p>The workload name of the application a workload belongs to. If unset, defaults to the detect parent resource.
For example, a <code>Pod</code> resource may default to the <code>Deployment</code> name.</p>
</td>
</tr>
</tbody>
</table>
<h2 id="SidecarInject">sidecar.istio.io/inject</h2>
<table class="annotations">
<tbody>
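Review bot: typo in the new service.istio.io/workload-name description: "defaults to the detect parent resource" should be "defaults to the detected parent resource". The Resource Types cell renders as "[Pod WorkloadEntry]", a Go-slice style string rather than a list; "Pod, WorkloadEntry" reads better if the generator can be adjusted. Since the value is user-supplied annotation metadata on the Pod or WorkloadEntry and the feature is Alpha, it would also help to state whether Istio validates the value or treats it as an opaque label.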

View File

@ -14,33 +14,27 @@ number_of_entries: 2
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioStatus-conditions">
<td><code><a href="#IstioStatus-conditions">conditions</a></code></td>
<td><code><a href="#IstioCondition">IstioCondition[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioStatus-conditions">conditions</a></code></div>
<div class="type"><a href="#IstioCondition">IstioCondition[]</a></div>
</div></td>
<td>
<p>Current service state of the resource.
More info: <a href="/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioStatus-validation_messages">
<td><code><a href="#IstioStatus-validation_messages">validationMessages</a></code></td>
<td><code><a href="/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioStatus-validation_messages">validationMessages</a></code></div>
<div class="type"><a href="/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></div>
</div></td>
<td>
<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -52,88 +46,72 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioCondition-type">
<td><code><a href="#IstioCondition-type">type</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-type">type</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Type is the type of the condition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-status">
<td><code><a href="#IstioCondition-status">status</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-status">status</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Status is the status of the condition.
Can be True, False, Unknown.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-last_probe_time">
<td><code><a href="#IstioCondition-last_probe_time">lastProbeTime</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-last_probe_time">lastProbeTime</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></div>
</div></td>
<td>
<p>Last time we probed the condition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-last_transition_time">
<td><code><a href="#IstioCondition-last_transition_time">lastTransitionTime</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-last_transition_time">lastTransitionTime</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></div>
</div></td>
<td>
<p>Last time the condition transitioned from one status to another.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-reason">
<td><code><a href="#IstioCondition-reason">reason</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-reason">reason</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Unique, one-word, CamelCase reason for the condition&rsquo;s last transition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-message">
<td><code><a href="#IstioCondition-message">message</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-message">message</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Human-readable message indicating details about last transition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-observed_generation">
<td><code><a href="#IstioCondition-observed_generation">observedGeneration</a></code></td>
<td><code>int64</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-observed_generation">observedGeneration</a></code></div>
<div class="type">int64</div>
</div></td>
<td>
<p>Resource Generation to which the Condition refers.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
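Review bot: the IstioCondition "status" description, "Can be True, False, Unknown.", lists the allowed values of a string field without code formatting and without saying which value is used before the condition has been evaluated; writing them as literals and naming the default would remove the ambiguity. "Type is the type of the condition." is tautological; listing or linking the condition types Istio emits would make the row useful.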

View File

@ -175,26 +175,23 @@ receiving incoming or outgoing HTTP/TCP connections.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Gateway-servers">
<td><code><a href="#Gateway-servers">servers</a></code></td>
<td><code><a href="#Server">Server[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Gateway-servers">servers</a></code></div>
<div class="type"><a href="#Server">Server[]</a></div>
</div></td>
<td>
<p>A list of server specifications.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Gateway-selector">
<td><code><a href="#Gateway-selector">selector</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#Gateway-selector">selector</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which this gateway configuration should be applied.
@ -209,9 +206,6 @@ resource must reside in the same namespace as the gateway workload
instance.
If selector is nil, the Gateway will be applied to all workloads.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
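Review bot: the last sentence of the "selector" description, "If selector is nil, the Gateway will be applied to all workloads.", is the one readers most need, and it now sits at the end of a long paragraph with no Required column beside it to signal that the field is optional; consider moving it to the front of the description so the widening effect of omitting the selector is not overlooked.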
@ -276,27 +270,25 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Server-port">
<td><code><a href="#Server-port">port</a></code></td>
<td><code><a href="#Port">Port</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Server-port">port</a></code></div>
<div class="type"><a href="#Port">Port</a></div>
<div class="required">Required</div>
</div></td>
<td>
<p>The Port on which the proxy should listen for incoming
connections.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Server-bind">
<td><code><a href="#Server-bind">bind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Server-bind">bind</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The ip or the Unix domain socket to which the listener should be bound
to. Format: <code>x.x.x.x</code> or <code>unix:///path/to/uds</code> or <code>unix://@foobar</code>
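Review bot: the "bind" description has a doubled preposition, "the Unix domain socket to which the listener should be bound to"; drop the trailing "to". Also "ip" should be "IP", and the three accepted forms (an address in x.x.x.x form, unix:///path/to/uds, unix://@foobar) would read better as a short list than as an inline "or ... or ... or".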
@ -307,14 +299,13 @@ This is typically used when a gateway needs to communicate to another mesh servi
e.g. publishing metrics. In such case, the server created with the
specified bind will not be available to external gateway clients.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Server-hosts">
<td><code><a href="#Server-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#Server-hosts">hosts</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>One or more hosts exposed by this gateway.
While typically applicable to
@ -343,35 +334,28 @@ Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
<code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Server-tls">
<td><code><a href="#Server-tls">tls</a></code></td>
<td><code><a href="#ServerTLSSettings">ServerTLSSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Server-tls">tls</a></code></div>
<div class="type"><a href="#ServerTLSSettings">ServerTLSSettings</a></div>
</div></td>
<td>
<p>Set of TLS related options that govern the server&rsquo;s behavior. Use
these options to control if all http requests should be redirected to
https, and the TLS modes to use.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Server-name">
<td><code><a href="#Server-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Server-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>An optional name of the server, when set must be unique across all servers.
This will be used for variety of purposes like prefixing stats generated with
this name etc.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
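Review bot: wording in the "tls" row: "control if all http requests should be redirected to https" should be "control whether all HTTP requests should be redirected to HTTPS". In the "name" row, "used for variety of purposes like prefixing stats generated with this name etc." should be "used for a variety of purposes, such as prefixing the stats generated for this server".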
@ -385,46 +369,41 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Port-number">
<td><code><a href="#Port-number">number</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#Port-number">number</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Port-protocol">
<td><code><a href="#Port-protocol">protocol</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Port-protocol">protocol</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
TLS can be either used to terminate non-HTTP based connections on a specific port
or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Port-name">
<td><code><a href="#Port-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Port-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Label assigned to the port.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
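Review bot: the "number" row says "A valid non-negative integer port number.", which is redundant for a uint32 and does not state the accepted range; give the range explicitly (for example 1 to 65535) instead of "non-negative". The "protocol" row lists the allowed values as HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS in plain text; rendering each as a code literal would make it clear that these are exact tokens rather than a description.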
@ -436,77 +415,66 @@ Yes
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServerTLSSettings-https_redirect">
<td><code><a href="#ServerTLSSettings-https_redirect">httpsRedirect</a></code></td>
<td><code>bool</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-https_redirect">httpsRedirect</a></code></div>
<div class="type">bool</div>
</div></td>
<td>
<p>If set to true, the load balancer will send a 301 redirect for
all http connections, asking the clients to use HTTPS.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-mode">
<td><code><a href="#ServerTLSSettings-mode">mode</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSmode">TLSmode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-mode">mode</a></code></div>
<div class="type"><a href="#ServerTLSSettings-TLSmode">TLSmode</a></div>
</div></td>
<td>
<p>Optional: Indicates whether connections to this port should be
<p>Indicates whether connections to this port should be
secured using TLS. The value of this field determines how TLS is
enforced.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-server_certificate">
<td><code><a href="#ServerTLSSettings-server_certificate">serverCertificate</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-server_certificate">serverCertificate</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
holding the server-side TLS certificate to use.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-private_key">
<td><code><a href="#ServerTLSSettings-private_key">privateKey</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-private_key">privateKey</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
holding the server&rsquo;s private key.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-ca_certificates">
<td><code><a href="#ServerTLSSettings-ca_certificates">caCertificates</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_certificates">caCertificates</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED if mode is <code>MUTUAL</code> or <code>OPTIONAL_MUTUAL</code>. The path to a file
containing certificate authority certificates to use in verifying a presented
client side certificate.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-ca_crl">
<td><code><a href="#ServerTLSSettings-ca_crl">caCrl</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_crl">caCrl</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>OPTIONAL: The path to the file containing the certificate revocation list (CRL)
to use in verifying a presented client side certificate. <code>CRL</code> is a list of certificates
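Review bot: the hunk removes the "Optional:" prefix from the "mode" description but leaves "OPTIONAL:" on "caCrl" and "REQUIRED if mode is ..." on serverCertificate, privateKey and caCertificates; the conditional requirements cannot be expressed by the required marker and should stay, but the bare "OPTIONAL:" prefix on caCrl should go for consistency with "mode". Style: "client side certificate" should be "client-side certificate" in the caCertificates and caCrl rows.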
@ -514,14 +482,12 @@ that have been revoked by the CA (Certificate Authority) before their scheduled
If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
If omitted, the proxy will not verify the certificate against the <code>crl</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-credential_name">
<td><code><a href="#ServerTLSSettings-credential_name">credentialName</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-credential_name">credentialName</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>For gateways running on Kubernetes, the name of the secret that
holds the TLS certs including the CA certificates. Applicable
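Review bot: the caCrl text "the proxy will verify if the presented certificate is part of the revoked list of certificates" does not say what happens on a match; state plainly that a certificate listed in the CRL is rejected, and that when caCrl is omitted a revoked but otherwise valid client certificate is still accepted, so that the consequence of leaving the field unset is explicit.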
@ -536,27 +502,23 @@ and <code>ca.crl</code> for certificate revocation list is also supported.
Only one of server certificates and CA certificate
or credentialName can be specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-subject_alt_names">
<td><code><a href="#ServerTLSSettings-subject_alt_names">subjectAltNames</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-subject_alt_names">subjectAltNames</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of alternate names to verify the subject identity in the
certificate presented by the client.
Requires TLS mode to be set to <code>MUTUAL</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-verify_certificate_spki">
<td><code><a href="#ServerTLSSettings-verify_certificate_spki">verifyCertificateSpki</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-verify_certificate_spki">verifyCertificateSpki</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>An optional list of base64-encoded SHA-256 hashes of the SPKIs of
authorized client certificates.
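Review bot: "subjectAltNames" says it "Requires TLS mode to be set to MUTUAL", whereas the caCertificates row says client certificates are verified when the mode is MUTUAL or OPTIONAL_MUTUAL; please state whether the SAN check also applies to a certificate presented under OPTIONAL_MUTUAL, since a reader could otherwise assume it does. In the credentialName context, "Only one of server certificates and CA certificate or credentialName can be specified." is hard to parse; something like "Set either credentialName or the file-based fields (serverCertificate, privateKey, caCertificates), not both" would be clearer.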
@ -564,14 +526,12 @@ Note: When both verify_certificate_hash and verify_certificate_spki
are specified, a hash matching either value will result in the
certificate being accepted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-verify_certificate_hash">
<td><code><a href="#ServerTLSSettings-verify_certificate_hash">verifyCertificateHash</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-verify_certificate_hash">verifyCertificateHash</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>An optional list of hex-encoded SHA-256 hashes of the
authorized client certificates. Both simple and colon separated
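Review bot: The cross-reference in the `verifyCertificateSpki` description names the fields as `verify_certificate_hash` and `verify_certificate_spki`, but the table renders them as `verifyCertificateHash` and `verifyCertificateSpki`. Because the sentence "a hash matching either value will result in the certificate being accepted" defines OR semantics across the two pinning lists, which is exactly what an operator tightening client-certificate checks needs to notice, suggest rendering the names as the same camelCase anchor links used in the `name` div so both rows are easy to find.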
@ -580,41 +540,35 @@ Note: When both verify_certificate_hash and verify_certificate_spki
are specified, a hash matching either value will result in the
certificate being accepted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-min_protocol_version">
<td><code><a href="#ServerTLSSettings-min_protocol_version">minProtocolVersion</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-min_protocol_version">minProtocolVersion</a></code></div>
<div class="type"><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></div>
</div></td>
<td>
<p>Optional: Minimum TLS protocol version. By default, it is <code>TLSV1_2</code>.
<p>Minimum TLS protocol version. By default, it is <code>TLSV1_2</code>.
TLS protocol versions below TLSV1_2 require setting compatible ciphers with the
<code>cipherSuites</code> setting as they no longer include compatible ciphers.</p>
<p>Note: Using TLS protocol versions below TLSV1_2 has serious security risks.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-max_protocol_version">
<td><code><a href="#ServerTLSSettings-max_protocol_version">maxProtocolVersion</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-max_protocol_version">maxProtocolVersion</a></code></div>
<div class="type"><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></div>
</div></td>
<td>
<p>Optional: Maximum TLS protocol version.</p>
<p>Maximum TLS protocol version.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-cipher_suites">
<td><code><a href="#ServerTLSSettings-cipher_suites">cipherSuites</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-cipher_suites">cipherSuites</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>Optional: If specified, only support the specified cipher list.
<p>If specified, only support the specified cipher list.
Otherwise default to the default cipher list supported by Envoy
as specified <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">here</a>.
The supported list of ciphers are:</p>
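Review bot: `maxProtocolVersion` is now just "Maximum TLS protocol version." with no statement of what applies when it is unset, whereas `minProtocolVersion` states its default (`TLSV1_2`); suggest adding the unset behaviour here too. Also, in the `minProtocolVersion` paragraph `TLSV1_2` is code-formatted in the first sentence but bare in "TLS protocol versions below TLSV1_2 require setting compatible ciphers with the" and in the security note; make the formatting consistent so the warning reads as one unit.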
@ -636,15 +590,12 @@ The supported list of ciphers are:</p>
<li><code>DES-CBC3-SHA</code></li>
</ul>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServerTLSSettings-TLSmode">ServerTLSSettings.TLSmode</h2>
<h3 id="ServerTLSSettings-TLSmode">TLSmode</h3>
<section>
<p>TLS modes enforced by the proxy</p>
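Review bot: The cipher list ends with `DES-CBC3-SHA` and the surrounding text gives no indication of which entries are legacy, while the `minProtocolVersion` row a few rows up does carry a "serious security risks" note for pre-1.2 protocol versions; suggest a parallel caveat on the `cipherSuites` list so readers do not treat every listed suite as equally safe. The heading change from `<h2>` to `<h3>` for `ServerTLSSettings.TLSmode` keeps the id `ServerTLSSettings-TLSmode`, so existing anchors still resolve.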
@ -727,7 +678,7 @@ be specified for validating client certificates.</p>
</tbody>
</table>
</section>
<h2 id="ServerTLSSettings-TLSProtocol">ServerTLSSettings.TLSProtocol</h2>
<h3 id="ServerTLSSettings-TLSProtocol">TLSProtocol</h3>
<section>
<p>TLS protocol versions.</p>

View File

@ -65,58 +65,48 @@ with the CR taking precedence over the annotation for overlapping fields. Simila
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-selector">
<td><code><a href="#ProxyConfig-selector">selector</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-selector">selector</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Optional. Selectors specify the set of pods/VMs on which this <code>ProxyConfig</code> resource should be applied.
<p>Selectors specify the set of pods/VMs on which this <code>ProxyConfig</code> resource should be applied.
If not set, the <code>ProxyConfig</code> resource will be applied to all workloads in the namespace where this resource is defined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-concurrency">
<td><code><a href="#ProxyConfig-concurrency">concurrency</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-concurrency">concurrency</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></div>
</div></td>
<td>
<p>The number of worker threads to run.
If unset, this will be automatically determined based on CPU limits.
If set to 0, all cores on the machine will be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-environment_variables">
<td><code><a href="#ProxyConfig-environment_variables">environmentVariables</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-environment_variables">environmentVariables</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>Additional environment variables for the proxy.
Names starting with <code>ISTIO_META_</code> will be included in the generated bootstrap configuration and sent to the XDS server.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-image">
<td><code><a href="#ProxyConfig-image">image</a></code></td>
<td><code><a href="#ProxyImage">ProxyImage</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-image">image</a></code></div>
<div class="type"><a href="#ProxyImage">ProxyImage</a></div>
</div></td>
<td>
<p>Specifies the details of the proxy image.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -133,24 +123,20 @@ This information was previously part of the Values API.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyImage-image_type">
<td><code><a href="#ProxyImage-image_type">imageType</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyImage-image_type">imageType</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The image type of the image.
Istio publishes default, debug, and distroless images.
Other values are allowed if those image types (example: centos) are published to the specified hub.
supported values: default, debug, distroless.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
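Review bot: In the `imageType` description, "supported values: default, debug, distroless." starts lowercase and repeats the list already given in "Istio publishes default, debug, and distroless images."; suggest folding it into that sentence or dropping it. Code-formatting the values (`default`, `debug`, `distroless`) would also match how values are rendered elsewhere in these tables.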

View File

@ -351,15 +351,15 @@ service registry.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntry-hosts">
<td><code><a href="#ServiceEntry-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-hosts">hosts</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The hosts associated with the ServiceEntry. Could be a DNS
name with wildcard prefix.</p>
@ -385,14 +385,12 @@ service accounts associated with the pods of the service, the
SANs specified here will also be verified.</li>
</ol>
</td>
<td>
Yes
</td>
</tr>
<tr id="ServiceEntry-addresses">
<td><code><a href="#ServiceEntry-addresses">addresses</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-addresses">addresses</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>The virtual IP addresses associated with the service. Could be CIDR
prefix. For HTTP traffic, generated route configurations will include http route
@ -409,65 +407,55 @@ simple TCP proxy, forwarding incoming traffic on a specified port to
the specified destination endpoint IP/host. Unix domain socket
addresses are not supported in this field.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-ports">
<td><code><a href="#ServiceEntry-ports">ports</a></code></td>
<td><code><a href="#ServicePort">ServicePort[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-ports">ports</a></code></div>
<div class="type"><a href="#ServicePort">ServicePort[]</a></div>
</div></td>
<td>
<p>The ports associated with the external service. If the
Endpoints are Unix domain socket addresses, there must be exactly one
port.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-location">
<td><code><a href="#ServiceEntry-location">location</a></code></td>
<td><code><a href="#ServiceEntry-Location">Location</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-location">location</a></code></div>
<div class="type"><a href="#ServiceEntry-Location">Location</a></div>
</div></td>
<td>
<p>Specify whether the service should be considered external to the mesh
or part of the mesh.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-resolution">
<td><code><a href="#ServiceEntry-resolution">resolution</a></code></td>
<td><code><a href="#ServiceEntry-Resolution">Resolution</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-resolution">resolution</a></code></div>
<div class="type"><a href="#ServiceEntry-Resolution">Resolution</a></div>
</div></td>
<td>
<p>Service resolution mode for the hosts. Care must be taken
when setting the resolution mode to NONE for a TCP port without
accompanying IP addresses. In such cases, traffic to any IP on
said port will be allowed (i.e. <code>0.0.0.0:&lt;port&gt;</code>).</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-endpoints">
<td><code><a href="#ServiceEntry-endpoints">endpoints</a></code></td>
<td><code><a href="/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-endpoints">endpoints</a></code></div>
<div class="type"><a href="/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry[]</a></div>
</div></td>
<td>
<p>One or more endpoints associated with the service. Only one of
<code>endpoints</code> or <code>workloadSelector</code> can be specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-workload_selector">
<td><code><a href="#ServiceEntry-workload_selector">workloadSelector</a></code></td>
<td><code><a href="/docs/reference/config/networking/sidecar/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-workload_selector">workloadSelector</a></code></div>
<div class="type"><a href="/docs/reference/config/networking/sidecar/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Applicable only for MESH_INTERNAL services. Only one of
<code>endpoints</code> or <code>workloadSelector</code> can be specified. Selects one
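Review bot: The `resolution` row's warning that `NONE` on a TCP port without addresses allows traffic to any IP on that port is the most security-relevant sentence in this table, but `NONE` and `MESH_INTERNAL` (in the `workloadSelector` row) are bare text while other enum values on these pages are in `<code>`; suggest code-formatting them and linking `NONE` to the `Resolution` section so the reader lands on the full list of modes. The `ports` row's type still links to `#ServicePort`, which later hunks in this file move below the enums, so verify the anchor resolves after regeneration.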
@ -476,14 +464,12 @@ or more Kubernetes pods or VM workloads (specified using
representing the VMs should be defined in the same namespace as
the ServiceEntry.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-export_to">
<td><code><a href="#ServiceEntry-export_to">exportTo</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-export_to">exportTo</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of namespaces to which this service is exported. Exporting a service
allows it to be used by sidecars, gateways and virtual services defined in
@ -499,14 +485,12 @@ defines an export to all namespaces.</p>
the annotation &ldquo;networking.istio.io/exportTo&rdquo; to a comma-separated list
of namespace names.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-subject_alt_names">
<td><code><a href="#ServiceEntry-subject_alt_names">subjectAltNames</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-subject_alt_names">subjectAltNames</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>If specified, the proxy will verify that the server certificate&rsquo;s
subject alternate name matches one of the specified values.</p>
@ -515,181 +499,12 @@ service account specified in the workloadEntry will also be used
to derive the additional subject alternate names that should be
verified.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServicePort">ServicePort</h2>
<section>
<p>ServicePort describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServicePort-number">
<td><code><a href="#ServicePort-number">number</a></code></td>
<td><code>uint32</code></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ServicePort-protocol">
<td><code><a href="#ServicePort-protocol">protocol</a></code></td>
<td><code>string</code></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS implies the connection will be routed based on the SNI header to
the destination without terminating the TLS connection.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServicePort-name">
<td><code><a href="#ServicePort-name">name</a></code></td>
<td><code>string</code></td>
<td>
<p>Label assigned to the port.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ServicePort-target_port">
<td><code><a href="#ServicePort-target_port">targetPort</a></code></td>
<td><code>uint32</code></td>
<td>
<p>The port number on the endpoint where the traffic will be
received. If unset, default to <code>number</code>.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryStatus">ServiceEntryStatus</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryStatus-conditions">
<td><code><a href="#ServiceEntryStatus-conditions">conditions</a></code></td>
<td><code><a href="/docs/reference/config/meta/v1beta1/istio-status/#IstioCondition">IstioCondition[]</a></code></td>
<td>
<p>Current service state of ServiceEntry.
More info: <a href="/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryStatus-validation_messages">
<td><code><a href="#ServiceEntryStatus-validation_messages">validationMessages</a></code></td>
<td><code><a href="/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></code></td>
<td>
<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryStatus-observed_generation">
<td><code><a href="#ServiceEntryStatus-observed_generation">observedGeneration</a></code></td>
<td><code>int64</code></td>
<td>
<p>Resource Generation to which the Reconciled Condition refers.
When this value is not equal to the object&rsquo;s metadata generation, reconciled condition calculation for the current
generation is still in progress. See <a href="/docs/reference/config/config-status/">https://istio.io/latest/docs/reference/config/config-status/</a> for more info.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryStatus-addresses">
<td><code><a href="#ServiceEntryStatus-addresses">addresses</a></code></td>
<td><code><a href="#ServiceEntryAddress">ServiceEntryAddress[]</a></code></td>
<td>
<p>List of addresses which were assigned to this ServiceEntry.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
<section>
<p>A minor abstraction to allow for adding hostnames if relevant.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryAddress-value">
<td><code><a href="#ServiceEntryAddress-value">value</a></code></td>
<td><code>string</code></td>
<td>
<p>The address (e.g. 192.168.0.2)</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryAddress-host">
<td><code><a href="#ServiceEntryAddress-host">host</a></code></td>
<td><code>string</code></td>
<td>
<p>The host name associated with this address</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntry-Location">ServiceEntry.Location</h2>
<h3 id="ServiceEntry-Location">Location</h3>
<section>
<p>Location specifies whether the service is part of Istio mesh or
outside the mesh. Location determines the behavior of several
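Review bot: Confirm this is a reorder rather than a deletion: the whole `ServicePort`, `ServiceEntryStatus` and `ServiceEntryAddress` sections disappear here (the header shows 181 lines out for 12 in), and the same ids must be re-added elsewhere because `#ServicePort` is the type link of the `ports` row and `#ServiceEntryAddress` is the type link of the status `addresses` row. The two `<h2>`-to-`<h3>` heading changes for `ServiceEntry.Location` and `ServiceEntry.Resolution` keep their ids, which is fine.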
@ -725,7 +540,7 @@ Kubernetes based service mesh).</p>
</tbody>
</table>
</section>
<h2 id="ServiceEntry-Resolution">ServiceEntry.Resolution</h2>
<h3 id="ServiceEntry-Resolution">Resolution</h3>
<section>
<p>Resolution determines how the proxy will resolve the IP addresses of
the network endpoints associated with the service, so that it can
@ -797,3 +612,145 @@ cannot be used with Unix domain socket endpoints.</p>
</tbody>
</table>
</section>
<h2 id="ServicePort">ServicePort</h2>
<section>
<p>ServicePort describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ServicePort-number">
<td><div class="field"><div class="name"><code><a href="#ServicePort-number">number</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
</tr>
<tr id="ServicePort-protocol">
<td><div class="field"><div class="name"><code><a href="#ServicePort-protocol">protocol</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS implies the connection will be routed based on the SNI header to
the destination without terminating the TLS connection.</p>
</td>
</tr>
<tr id="ServicePort-name">
<td><div class="field"><div class="name"><code><a href="#ServicePort-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Label assigned to the port.</p>
</td>
</tr>
<tr id="ServicePort-target_port">
<td><div class="field"><div class="name"><code><a href="#ServicePort-target_port">targetPort</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>The port number on the endpoint where the traffic will be
received. If unset, default to <code>number</code>.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryStatus">ServiceEntryStatus</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryStatus-conditions">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-conditions">conditions</a></code></div>
<div class="type"><a href="/docs/reference/config/meta/v1beta1/istio-status/#IstioCondition">IstioCondition[]</a></div>
</div></td>
<td>
<p>Current service state of ServiceEntry.
More info: <a href="/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
</td>
</tr>
<tr id="ServiceEntryStatus-validation_messages">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-validation_messages">validationMessages</a></code></div>
<div class="type"><a href="/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></div>
</div></td>
<td>
<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
</td>
</tr>
<tr id="ServiceEntryStatus-observed_generation">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-observed_generation">observedGeneration</a></code></div>
<div class="type">int64</div>
</div></td>
<td>
<p>Resource Generation to which the Reconciled Condition refers.
When this value is not equal to the object&rsquo;s metadata generation, reconciled condition calculation for the current
generation is still in progress. See <a href="/docs/reference/config/config-status/">https://istio.io/latest/docs/reference/config/config-status/</a> for more info.</p>
</td>
</tr>
<tr id="ServiceEntryStatus-addresses">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-addresses">addresses</a></code></div>
<div class="type"><a href="#ServiceEntryAddress">ServiceEntryAddress[]</a></div>
</div></td>
<td>
<p>List of addresses which were assigned to this ServiceEntry.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
<section>
<p>A minor abstraction to allow for adding hostnames if relevant.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryAddress-value">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryAddress-value">value</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The address (e.g. 192.168.0.2)</p>
</td>
</tr>
<tr id="ServiceEntryAddress-host">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryAddress-host">host</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The host name associated with this address</p>
</td>
</tr>
</tbody>
</table>
</section>
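Review bot: The two links to the config-status page in the `ServiceEntryStatus` table use different visible text for the same href: `https://istio.io/docs/reference/config/config-status/` in the `conditions` row and `https://istio.io/latest/docs/reference/config/config-status/` in the `observedGeneration` row; pick one. The `ServiceEntryAddress` descriptions "The address (e.g. 192.168.0.2)" and "The host name associated with this address" also lack terminal periods, unlike every other description in these tables. The re-added `ServicePort` rows `number` and `name` correctly carry the `<div class="required">Required</div>` marker that replaces the old "Yes" cells.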

View File

@ -316,28 +316,25 @@ attached.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Sidecar-workload_selector">
<td><code><a href="#Sidecar-workload_selector">workloadSelector</a></code></td>
<td><code><a href="#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-workload_selector">workloadSelector</a></code></div>
<div class="type"><a href="#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Criteria used to select the specific set of pods/VMs on which this
<code>Sidecar</code> configuration should be applied. If omitted, the <code>Sidecar</code>
configuration will be applied to all workload instances in the same namespace.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-ingress">
<td><code><a href="#Sidecar-ingress">ingress</a></code></td>
<td><code><a href="#IstioIngressListener">IstioIngressListener[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-ingress">ingress</a></code></div>
<div class="type"><a href="#IstioIngressListener">IstioIngressListener[]</a></div>
</div></td>
<td>
<p>Ingress specifies the configuration of the sidecar for processing
inbound traffic to the attached workload instance. If omitted, Istio will
@ -346,28 +343,24 @@ obtained from the orchestration platform (e.g., exposed ports, services,
etc.). If specified, inbound ports are configured if and only if the
workload instance is associated with a service.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-egress">
<td><code><a href="#Sidecar-egress">egress</a></code></td>
<td><code><a href="#IstioEgressListener">IstioEgressListener[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-egress">egress</a></code></div>
<div class="type"><a href="#IstioEgressListener">IstioEgressListener[]</a></div>
</div></td>
<td>
<p>Egress specifies the configuration of the sidecar for processing
outbound traffic from the attached workload instance to other
services in the mesh. If not specified, inherits the system
detected defaults from the namespace-wide or the global default Sidecar.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-inbound_connection_pool">
<td><code><a href="#Sidecar-inbound_connection_pool">inboundConnectionPool</a></code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-inbound_connection_pool">inboundConnectionPool</a></code></div>
<div class="type"><a href="/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></div>
</div></td>
<td>
<p>Settings controlling the volume of connections Envoy will accept from the network.
This default will apply for all inbound listeners and can be overridden per-port
@ -393,22 +386,17 @@ following precedence, highest to lowest:</p>
</ul>
<p>In every case, the connection pool settings are overridden, not merged.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-outbound_traffic_policy">
<td><code><a href="#Sidecar-outbound_traffic_policy">outboundTrafficPolicy</a></code></td>
<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-outbound_traffic_policy">outboundTrafficPolicy</a></code></div>
<div class="type"><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></div>
</div></td>
<td>
<p>Set the default behavior of the sidecar for handling outbound
traffic from the application.</p>
<p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
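Review bot: The `outboundTrafficPolicy` description states only the permissive default, "Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed", without pointing to the restrictive alternative; since this is the setting an operator uses to block egress to unregistered hosts, suggest adding a sentence that names `REGISTRY_ONLY` and links to the `OutboundTrafficPolicy.Mode` section via the existing `#OutboundTrafficPolicy-Mode` anchor.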
@ -423,26 +411,24 @@ traffic listener on the sidecar proxy attached to a workload instance.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioIngressListener-port">
<td><code><a href="#IstioIngressListener-port">port</a></code></td>
<td><code><a href="#SidecarPort">SidecarPort</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-port">port</a></code></div>
<div class="type"><a href="#SidecarPort">SidecarPort</a></div>
<div class="required">Required</div>
</div></td>
<td>
<p>The port associated with the listener.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="IstioIngressListener-bind">
<td><code><a href="#IstioIngressListener-bind">bind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-bind">bind</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The IP(IPv4 or IPv6) to which the listener should be bound.
Unix domain socket addresses are not allowed in
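Review bot: Missing space in "The IP(IPv4 or IPv6) to which the listener should be bound." in the `bind` row; the same phrasing recurs in the egress listener's `bind` row later in this file. The `port` row now carries `<div class="required">Required</div>`, which matches the "Yes" cell removed in this hunk.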
@ -451,26 +437,22 @@ automatically configure the defaults based on imported services
and the workload instances to which this configuration is applied
to.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-capture_mode">
<td><code><a href="#IstioIngressListener-capture_mode">captureMode</a></code></td>
<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-capture_mode">captureMode</a></code></div>
<div class="type"><a href="#CaptureMode">CaptureMode</a></div>
</div></td>
<td>
<p>The captureMode option dictates how traffic to the listener is
expected to be captured (or not).</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-default_endpoint">
<td><code><a href="#IstioIngressListener-default_endpoint">defaultEndpoint</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-default_endpoint">defaultEndpoint</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The IP endpoint or Unix domain socket to which
traffic should be forwarded to. This configuration can be used to
@ -481,27 +463,23 @@ connections. Arbitrary IPs are not supported. Format should be one of
<code>0.0.0.0:PORT</code>, <code>[::]:PORT</code> (forward to the instance IP),
or <code>unix:///path/to/socket</code> (forward to Unix domain socket).</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-tls">
<td><code><a href="#IstioIngressListener-tls">tls</a></code></td>
<td><code><a href="/docs/reference/config/networking/gateway/#ServerTLSSettings">ServerTLSSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-tls">tls</a></code></div>
<div class="type"><a href="/docs/reference/config/networking/gateway/#ServerTLSSettings">ServerTLSSettings</a></div>
</div></td>
<td>
<p>Set of TLS related options that will enable TLS termination on the
sidecar for requests originating from outside the mesh.
Currently supports only SIMPLE and MUTUAL TLS modes.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-connection_pool">
<td><code><a href="#IstioIngressListener-connection_pool">connectionPool</a></code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-connection_pool">connectionPool</a></code></div>
<div class="type"><a href="/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></div>
</div></td>
<td>
<p>Settings controlling the volume of connections Envoy will accept from the network.
This setting overrides the top-level default <code>inboundConnectionPool</code> to configure
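Review bot: In the `tls` row, "Currently supports only SIMPLE and MUTUAL TLS modes." leaves the mode names bare, whereas the gateway table renders the same value as `<code>MUTUAL</code>` in its `subjectAltNames` row; suggest code-formatting both. Since the type link goes to the full `ServerTLSSettings` message, it would also help to state explicitly that the other `mode` values of that message are unsupported on an ingress listener, so readers do not expect gateway-only modes to work here.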
@ -511,9 +489,6 @@ This port level connection pool has the highest precedence in configuration,
overriding both the <code>Sidecar</code>&rsquo;s top level <code>InboundConnectionPool</code> as well as any
connection pooling settings from the <code>DestinationRule</code>.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -528,15 +503,14 @@ listener on the sidecar proxy attached to a workload instance.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioEgressListener-port">
<td><code><a href="#IstioEgressListener-port">port</a></code></td>
<td><code><a href="#SidecarPort">SidecarPort</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-port">port</a></code></div>
<div class="type"><a href="#SidecarPort">SidecarPort</a></div>
</div></td>
<td>
<p>The port associated with the listener. If using Unix domain socket,
use 0 as the port number, with a valid protocol. The port if
@ -548,14 +522,12 @@ specific ports while others have no port, the hosts exposed on a
listener port will be based on the listener with the most specific
port.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-bind">
<td><code><a href="#IstioEgressListener-bind">bind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-bind">bind</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound
to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or
@ -565,27 +537,24 @@ services, the workload instances to which this configuration is applied to and
the captureMode. If captureMode is <code>NONE</code>, bind will default to
127.0.0.1.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-capture_mode">
<td><code><a href="#IstioEgressListener-capture_mode">captureMode</a></code></td>
<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-capture_mode">captureMode</a></code></div>
<div class="type"><a href="#CaptureMode">CaptureMode</a></div>
</div></td>
<td>
<p>When the bind address is an IP, the captureMode option dictates
how traffic to the listener is expected to be captured (or not).
captureMode must be DEFAULT or <code>NONE</code> for Unix domain socket binds.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-hosts">
<td><code><a href="#IstioEgressListener-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-hosts">hosts</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>One or more service hosts exposed by the listener
in <code>namespace/dnsName</code> format. Services in the specified namespace
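Review bot: In the egress `captureMode` row, "captureMode must be DEFAULT or `NONE` for Unix domain socket binds." code-formats `NONE` but not `DEFAULT`; format both. The `hosts` row gains the `<div class="required">Required</div>` marker, consistent with its "Yes" cell being removed in the next hunk, and the bare "127.0.0.1" default in the `bind` row is worth code-formatting as well.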
@ -612,9 +581,6 @@ Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
not be available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
<code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
@ -636,24 +602,20 @@ label based selection mechanism is supported.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadSelector-labels">
<td><code><a href="#WorkloadSelector-labels">labels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadSelector-labels">labels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which the configuration should be applied. The scope of
label search is restricted to the configuration namespace in which the
the resource is present.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
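Review bot: the unchanged `labels` description in this hunk contains a doubled article ("the configuration namespace in which the the resource is present"); it should read "in which the resource is present". As with the rest of this generated file, correct it in the upstream source text rather than here, or the next automator run will reintroduce it.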
@ -668,78 +630,21 @@ handling unknown outbound traffic from the application.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="OutboundTrafficPolicy-mode">
<td><code><a href="#OutboundTrafficPolicy-mode">mode</a></code></td>
<td><code><a href="#OutboundTrafficPolicy-Mode">Mode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#OutboundTrafficPolicy-mode">mode</a></code></div>
<div class="type"><a href="#OutboundTrafficPolicy-Mode">Mode</a></div>
</div></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="SidecarPort">SidecarPort</h2>
<section>
<p>Port describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="SidecarPort-number">
<td><code><a href="#SidecarPort-number">number</a></code></td>
<td><code>uint32</code></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
<td>
No
</td>
</tr>
<tr id="SidecarPort-protocol">
<td><code><a href="#SidecarPort-protocol">protocol</a></code></td>
<td><code>string</code></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS can be either used to terminate non-HTTP based connections on a specific port
or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
</td>
<td>
No
</td>
</tr>
<tr id="SidecarPort-name">
<td><code><a href="#SidecarPort-name">name</a></code></td>
<td><code>string</code></td>
<td>
<p>Label assigned to the port.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="OutboundTrafficPolicy-Mode">OutboundTrafficPolicy.Mode</h2>
<h3 id="OutboundTrafficPolicy-Mode">Mode</h3>
<section>
<table class="enum-values">
<thead>
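Review bot: the `mode` field of OutboundTrafficPolicy still ships with an empty description cell (the `<td>` directly after the `mode` field div closes with no `<p>` inside), so the only explanation of the field is the Mode enum table that follows; the source comment should carry at least a one-line pointer to `Mode`. Separately, both the `OutboundTrafficPolicy.Mode` `<h2>` and the new `Mode` `<h3>` carry `id="OutboundTrafficPolicy-Mode"` in this hunk; confirm the `<h2>` line is a removal so that exactly one element keeps the id (duplicate ids are invalid HTML) and existing anchors keep resolving after the section is re-nested under OutboundTrafficPolicy.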
@ -768,6 +673,51 @@ Unknown destination traffic will have limited functionality, however, such as re
This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
to arbitrary destinations.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="SidecarPort">SidecarPort</h2>
<section>
<p>Port describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="SidecarPort-number">
<td><div class="field"><div class="name"><code><a href="#SidecarPort-number">number</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
</tr>
<tr id="SidecarPort-protocol">
<td><div class="field"><div class="name"><code><a href="#SidecarPort-protocol">protocol</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS can be either used to terminate non-HTTP based connections on a specific port
or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
</td>
</tr>
<tr id="SidecarPort-name">
<td><div class="field"><div class="name"><code><a href="#SidecarPort-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Label assigned to the port.</p>
</td>
</tr>
</tbody>

View File

@ -128,15 +128,14 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadEntry-address">
<td><code><a href="#WorkloadEntry-address">address</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-address">address</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Address associated with the network endpoint without the
port. Domain names can be used if and only if the resolution is set
@ -144,14 +143,12 @@ to DNS, and must be fully-qualified without wildcards. Use the form
unix:///absolute/path/to/socket for Unix domain socket endpoints.
If address is empty, network must be specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-ports">
<td><code><a href="#WorkloadEntry-ports">ports</a></code></td>
<td><code>map&lt;string,&nbsp;uint32&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-ports">ports</a></code></div>
<div class="type">map&lt;string,&nbsp;uint32&gt;</div>
</div></td>
<td>
<p>Set of ports associated with the endpoint. If the port map is
specified, it must be a map of servicePortName to this endpoint&rsquo;s
@ -166,25 +163,21 @@ the same port.</p>
<p><strong>NOTE 1:</strong> Do not use for <code>unix://</code> addresses.</p>
<p><strong>NOTE 2:</strong> endpoint port map takes precedence over targetPort.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-labels">
<td><code><a href="#WorkloadEntry-labels">labels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-labels">labels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels associated with the endpoint.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-network">
<td><code><a href="#WorkloadEntry-network">network</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-network">network</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Network enables Istio to group endpoints resident in the same L3
domain/network. All endpoints in the same network are assumed to be
@ -195,14 +188,12 @@ used to establish connectivity (usually using the
an advanced configuration used typically for spanning an Istio mesh
over multiple clusters. Required if address is not provided.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-locality">
<td><code><a href="#WorkloadEntry-locality">locality</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-locality">locality</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The locality associated with the endpoint. A locality corresponds
to a failure domain (e.g., country/region/zone). Arbitrary failure
@ -222,35 +213,28 @@ locality. Endpoint e2 could be the IP associated with a gateway
(that bridges networks n1 and n2), or the IP associated with a
standard service endpoint.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-weight">
<td><code><a href="#WorkloadEntry-weight">weight</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-weight">weight</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>The load balancing weight associated with the endpoint. Endpoints
with higher weights will receive proportionally higher traffic.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-service_account">
<td><code><a href="#WorkloadEntry-service_account">serviceAccount</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-service_account">serviceAccount</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The service account associated with the workload if a sidecar
is present in the workload. The service account must be present
in the same namespace as the configuration ( WorkloadEntry or a
ServiceEntry)</p>
</td>
<td>
No
</td>
</tr>
</tbody>

View File

@ -65,27 +65,25 @@ and as such doesn&rsquo;t configure host name for these workloads.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadGroup-metadata">
<td><code><a href="#WorkloadGroup-metadata">metadata</a></code></td>
<td><code><a href="#WorkloadGroup-ObjectMeta">ObjectMeta</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-metadata">metadata</a></code></div>
<div class="type"><a href="#WorkloadGroup-ObjectMeta">ObjectMeta</a></div>
</div></td>
<td>
<p>Metadata that will be used for all corresponding <code>WorkloadEntries</code>.
User labels for a workload group should be set here in <code>metadata</code> rather than in <code>template</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadGroup-template">
<td><code><a href="#WorkloadGroup-template">template</a></code></td>
<td><code><a href="/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-template">template</a></code></div>
<div class="type"><a href="/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry</a></div>
<div class="required">Required</div>
</div></td>
<td>
<p>Template to be used for the generation of <code>WorkloadEntry</code> resources that belong to this <code>WorkloadGroup</code>.
Please note that <code>address</code> and <code>labels</code> fields should not be set in the template, and an empty <code>serviceAccount</code>
@ -93,21 +91,50 @@ should default to <code>default</code>. The workload identities (mTLS certificat
specified service account&rsquo;s token. Workload entries in this group will be in the same namespace as the
workload group, and inherit the labels and annotations from the above <code>metadata</code> field.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="WorkloadGroup-probe">
<td><code><a href="#WorkloadGroup-probe">probe</a></code></td>
<td><code><a href="#ReadinessProbe">ReadinessProbe</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-probe">probe</a></code></div>
<div class="type"><a href="#ReadinessProbe">ReadinessProbe</a></div>
</div></td>
<td>
<p><code>ReadinessProbe</code> describes the configuration the user must provide for healthchecking on their workload.
This configuration mirrors K8S in both syntax and logic for the most part.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="WorkloadGroup-ObjectMeta">ObjectMeta</h3>
<section>
<p><code>ObjectMeta</code> describes metadata that will be attached to a <code>WorkloadEntry</code>.
It is a subset of the supported Kubernetes metadata.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadGroup-ObjectMeta-labels">
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-ObjectMeta-labels">labels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
No
<p>Labels to attach</p>
</td>
</tr>
<tr id="WorkloadGroup-ObjectMeta-annotations">
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-ObjectMeta-annotations">annotations</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>Annotations to attach</p>
</td>
</tr>
</tbody>
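Review bot: the `No` sitting between the `<td>` and `<p>Labels to attach</p>` of the new `labels` row looks like the old Required-column value of the `probe` row that the diff has aligned against the new cell; confirm it is a removed line and not text left inside the generated description, since in the new layout requiredness is expressed only by the `<div class="required">` marker. Re-nesting `ObjectMeta` as an `<h3>` under WorkloadGroup keeps `id="WorkloadGroup-ObjectMeta"`, so the `metadata` field's link and any external deep links continue to resolve.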
@ -119,114 +146,94 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ReadinessProbe-initial_delay_seconds">
<td><code><a href="#ReadinessProbe-initial_delay_seconds">initialDelaySeconds</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-initial_delay_seconds">initialDelaySeconds</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Number of seconds after the container has started before readiness probes are initiated.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-timeout_seconds">
<td><code><a href="#ReadinessProbe-timeout_seconds">timeoutSeconds</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-timeout_seconds">timeoutSeconds</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Number of seconds after which the probe times out.
Defaults to 1 second. Minimum value is 1 second.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-period_seconds">
<td><code><a href="#ReadinessProbe-period_seconds">periodSeconds</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-period_seconds">periodSeconds</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>How often (in seconds) to perform the probe.
Default to 10 seconds. Minimum value is 1 second.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-success_threshold">
<td><code><a href="#ReadinessProbe-success_threshold">successThreshold</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-success_threshold">successThreshold</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1 second.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-failure_threshold">
<td><code><a href="#ReadinessProbe-failure_threshold">failureThreshold</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-failure_threshold">failureThreshold</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Minimum consecutive failures for the probe to be considered failed after having succeeded.
Defaults to 3 seconds.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-http_get" class="oneof oneof-start">
<td><code><a href="#ReadinessProbe-http_get">httpGet</a></code></td>
<td><code><a href="#HTTPHealthCheckConfig">HTTPHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-http_get">httpGet</a></code></div>
<div class="type"><a href="#HTTPHealthCheckConfig">HTTPHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p><code>httpGet</code> is performed to a given endpoint
and the status/able to connect determines health.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-tcp_socket" class="oneof">
<td><code><a href="#ReadinessProbe-tcp_socket">tcpSocket</a></code></td>
<td><code><a href="#TCPHealthCheckConfig">TCPHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-tcp_socket">tcpSocket</a></code></div>
<div class="type"><a href="#TCPHealthCheckConfig">TCPHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p>Health is determined by if the proxy is able to connect.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-exec" class="oneof">
<td><code><a href="#ReadinessProbe-exec">exec</a></code></td>
<td><code><a href="#ExecHealthCheckConfig">ExecHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-exec">exec</a></code></div>
<div class="type"><a href="#ExecHealthCheckConfig">ExecHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p>Health is determined by how the command that is executed exited.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-grpc" class="oneof">
<td><code><a href="#ReadinessProbe-grpc">grpc</a></code></td>
<td><code><a href="#GrpcHealthCheckConfig">GrpcHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-grpc">grpc</a></code></div>
<div class="type"><a href="#GrpcHealthCheckConfig">GrpcHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p>GRPC call is made and response/error is used to determine health.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
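Review bot: `successThreshold` and `failureThreshold` are counts of consecutive probe results, as their own descriptions say ("Minimum consecutive successes", "Minimum consecutive failures"), yet the unchanged text reads "Defaults to 1 second." and "Defaults to 3 seconds."; the defaults should be stated as "Defaults to 1." and "Defaults to 3.", with seconds reserved for `timeoutSeconds` and `periodSeconds` where the unit is correct. The fix has to land in the proto comment the generator reads, since this hunk only changes the table layout.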
@ -238,67 +245,56 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="HTTPHealthCheckConfig-path">
<td><code><a href="#HTTPHealthCheckConfig-path">path</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-path">path</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Path to access on the HTTP server.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHealthCheckConfig-port">
<td><code><a href="#HTTPHealthCheckConfig-port">port</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-port">port</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Port on which the endpoint lives.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="HTTPHealthCheckConfig-host">
<td><code><a href="#HTTPHealthCheckConfig-host">host</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-host">host</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Host name to connect to, defaults to the pod IP. You probably want to set
&ldquo;Host&rdquo; in httpHeaders instead.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHealthCheckConfig-scheme">
<td><code><a href="#HTTPHealthCheckConfig-scheme">scheme</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-scheme">scheme</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>HTTP or HTTPS, defaults to HTTP</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHealthCheckConfig-http_headers">
<td><code><a href="#HTTPHealthCheckConfig-http_headers">httpHeaders</a></code></td>
<td><code><a href="#HTTPHeader">HTTPHeader[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-http_headers">httpHeaders</a></code></div>
<div class="type"><a href="#HTTPHeader">HTTPHeader[]</a></div>
</div></td>
<td>
<p>Headers the proxy will pass on to make the request.
Allows repeated headers.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -310,32 +306,26 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="GrpcHealthCheckConfig-port">
<td><code><a href="#GrpcHealthCheckConfig-port">port</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#GrpcHealthCheckConfig-port">port</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>Port on which the endpoint lives.</p>
</td>
<td>
No
</td>
</tr>
<tr id="GrpcHealthCheckConfig-service">
<td><code><a href="#GrpcHealthCheckConfig-service">service</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#GrpcHealthCheckConfig-service">service</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Service is the fully qualified name of the service to send the grpc health check request</p>
</td>
<td>
No
</td>
</tr>
</tbody>
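Review bot: `GrpcHealthCheckConfig.port` is emitted without the `<div class="required">Required</div>` marker that `HTTPHealthCheckConfig.port` and `TCPHealthCheckConfig.port` carry elsewhere in this file, even though its description is the same ("Port on which the endpoint lives."); worth confirming against the source proto's validation rules that the gRPC port really is optional and that this is not a generator gap, because readers use that marker to decide which probe fields they must set.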
@ -347,32 +337,26 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="HTTPHeader-name">
<td><code><a href="#HTTPHeader-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHeader-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The header field name</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHeader-value">
<td><code><a href="#HTTPHeader-value">value</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHeader-value">value</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The header field value</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -384,32 +368,27 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="TCPHealthCheckConfig-host">
<td><code><a href="#TCPHealthCheckConfig-host">host</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#TCPHealthCheckConfig-host">host</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Host to connect to, defaults to localhost</p>
</td>
<td>
No
</td>
</tr>
<tr id="TCPHealthCheckConfig-port">
<td><code><a href="#TCPHealthCheckConfig-port">port</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#TCPHealthCheckConfig-port">port</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Port of host</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
@ -421,61 +400,18 @@ Yes
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ExecHealthCheckConfig-command">
<td><code><a href="#ExecHealthCheckConfig-command">command</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ExecHealthCheckConfig-command">command</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="WorkloadGroup-ObjectMeta">WorkloadGroup.ObjectMeta</h2>
<section>
<p><code>ObjectMeta</code> describes metadata that will be attached to a <code>WorkloadEntry</code>.
It is a subset of the supported Kubernetes metadata.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadGroup-ObjectMeta-labels">
<td><code><a href="#WorkloadGroup-ObjectMeta-labels">labels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Labels to attach</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadGroup-ObjectMeta-annotations">
<td><code><a href="#WorkloadGroup-ObjectMeta-annotations">annotations</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Annotations to attach</p>
</td>
<td>
No
</td>
</tr>
</tbody>

View File

@ -178,15 +178,14 @@ the Istio proxy through WebAssembly filters.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WasmPlugin-selector">
<td><code><a href="#WasmPlugin-selector">selector</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-selector">selector</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Criteria used to select the specific set of pods/VMs on which
this plugin configuration should be applied. If omitted, this
@ -196,16 +195,14 @@ namespace, it will be applied to all applicable workloads in any
namespace.</p>
<p>At most, only one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-targetRefs">
<td><code><a href="#WasmPlugin-targetRefs">targetRefs</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-targetRefs">targetRefs</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></div>
</div></td>
<td>
<p>Optional. The targetRefs specifies a list of resources the policy should be
<p>The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
@ -221,14 +218,13 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-url">
<td><code><a href="#WasmPlugin-url">url</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-url">url</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>URL of a Wasm module or OCI container. If no scheme is present,
defaults to <code>oci://</code>, referencing an OCI image. Other valid schemes
@ -236,14 +232,12 @@ are <code>file://</code> for referencing .wasm module files present locally
within the proxy container, and <code>http[s]://</code> for <code>.wasm</code> module files
hosted remotely.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="WasmPlugin-sha256">
<td><code><a href="#WasmPlugin-sha256">sha256</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-sha256">sha256</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>SHA256 checksum that will be used to verify Wasm module or OCI container.
If the <code>url</code> field already references a SHA256 (using the <code>@sha256:</code>
@ -251,14 +245,12 @@ notation), it must match the value of this field. If an OCI image is
referenced by tag and this field is set, its checksum will be verified
against the contents of this field after pulling.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-image_pull_policy">
<td><code><a href="#WasmPlugin-image_pull_policy">imagePullPolicy</a></code></td>
<td><code><a href="#PullPolicy">PullPolicy</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_policy">imagePullPolicy</a></code></div>
<div class="type"><a href="#PullPolicy">PullPolicy</a></div>
</div></td>
<td>
<p>The pull behaviour to be applied when fetching Wasm module by either
OCI image or <code>http/https</code>. Only relevant when referencing Wasm module without
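Review bot: the `sha256` description (started in the previous hunk and continued at the top of this one) explains when the checksum must match an `@sha256:` digest in `url` and when it is verified after pulling a tag, but not what happens when neither is given; since this field is the only integrity check on a module fetched via `http[s]://` or by a mutable OCI tag, the generated text should state explicitly whether the module is then loaded without verification, so that readers know to pin a digest in `url` or set `sha256` when deploying a plugin.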
@ -267,63 +259,53 @@ Defaults to <code>IfNotPresent</code>, except when an OCI image is referenced in
and the <code>latest</code> tag is used, in which case <code>Always</code> is the default,
mirroring Kubernetes behaviour.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-image_pull_secret">
<td><code><a href="#WasmPlugin-image_pull_secret">imagePullSecret</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_secret">imagePullSecret</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Credentials to use for OCI image pulling.
Name of a Kubernetes Secret in the same namespace as the <code>WasmPlugin</code> that
contains a Docker pull secret which is to be used to authenticate
against the registry when pulling the image.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-plugin_config">
<td><code><a href="#WasmPlugin-plugin_config">pluginConfig</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_config">pluginConfig</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
</div></td>
<td>
<p>The configuration that will be passed on to the plugin.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-plugin_name">
<td><code><a href="#WasmPlugin-plugin_name">pluginName</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_name">pluginName</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The plugin name to be used in the Envoy configuration (used to be called
<code>rootID</code>). Some .wasm modules might require this value to select the Wasm
plugin to execute.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-phase">
<td><code><a href="#WasmPlugin-phase">phase</a></code></td>
<td><code><a href="#PluginPhase">PluginPhase</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-phase">phase</a></code></div>
<div class="type"><a href="#PluginPhase">PluginPhase</a></div>
</div></td>
<td>
<p>Determines where in the filter chain this <code>WasmPlugin</code> is to be injected.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-priority">
<td><code><a href="#WasmPlugin-priority">priority</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-priority">priority</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></div>
</div></td>
<td>
<p>Determines ordering of <code>WasmPlugins</code> in the same <code>phase</code>.
When multiple <code>WasmPlugins</code> are applied to the same workload in the
@ -332,56 +314,90 @@ If <code>priority</code> is not set, or two <code>WasmPlugins</code> exist with
value, the ordering will be deterministically derived from name and
namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-fail_strategy">
<td><code><a href="#WasmPlugin-fail_strategy">failStrategy</a></code></td>
<td><code><a href="#FailStrategy">FailStrategy</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-fail_strategy">failStrategy</a></code></div>
<div class="type"><a href="#FailStrategy">FailStrategy</a></div>
</div></td>
<td>
<p>Specifies the failure behavior for the plugin due to fatal errors.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-vm_config">
<td><code><a href="#WasmPlugin-vm_config">vmConfig</a></code></td>
<td><code><a href="#VmConfig">VmConfig</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-vm_config">vmConfig</a></code></div>
<div class="type"><a href="#VmConfig">VmConfig</a></div>
</div></td>
<td>
<p>Configuration for a Wasm VM.
More details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig">here</a>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-match">
<td><code><a href="#WasmPlugin-match">match</a></code></td>
<td><code><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-match">match</a></code></div>
<div class="type"><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></div>
</div></td>
<td>
<p>Specifies the criteria to determine which traffic is passed to WasmPlugin.
If a traffic satisfies any of TrafficSelectors,
the traffic passes the WasmPlugin.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-type">
<td><code><a href="#WasmPlugin-type">type</a></code></td>
<td><code><a href="#PluginType">PluginType</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-type">type</a></code></div>
<div class="type"><a href="#PluginType">PluginType</a></div>
</div></td>
<td>
<p>Specifies the type of Wasm Extension to be used.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="WasmPlugin-TrafficSelector">TrafficSelector</h3>
<section>
<p>TrafficSelector provides a mechanism to select a specific traffic flow
for which this Wasm Plugin will be enabled.
When all the sub conditions in the TrafficSelector are satisfied, the
traffic will be selected.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="WasmPlugin-TrafficSelector-mode">
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-mode">mode</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#WorkloadMode">WorkloadMode</a></div>
</div></td>
<td>
No
<p>Criteria for selecting traffic by their direction.
Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
respectively.
For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
</td>
</tr>
<tr id="WasmPlugin-TrafficSelector-ports">
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-ports">ports</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#PortSelector">PortSelector[]</a></div>
</div></td>
<td>
<p>Criteria for selecting traffic by their destination port.
More specifically, for the outbound traffic, the destination port would be
the port of the target service. On the other hand, for the inbound traffic,
the destination port is the port bound by the server process in the same Pod.</p>
<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
If not specified, this condition is evaluated to true for any port.</p>
</td>
</tr>
</tbody>
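Review bot: The stray "No" in the new TrafficSelector table leaks the dropped Required column into the description cell: in the "WasmPlugin-TrafficSelector-mode" row the description `<td>` opens with a bare "No" before "<p>Criteria for selecting traffic by their direction.", while the "ports" row right after it has no such token. This looks like a template bug in the generator rather than intended text, and it will render as "No Criteria for selecting traffic ..." on istio.io; it should be removed (and the generator checked, since the same pattern may occur in other files of this commit). Otherwise the move of TrafficSelector from a top-level section to an `<h3>` nested under WasmPlugin keeps the id "WasmPlugin-TrafficSelector", so existing deep links continue to resolve.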
@ -396,22 +412,18 @@ more details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/a
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="VmConfig-env">
<td><code><a href="#VmConfig-env">env</a></code></td>
<td><code><a href="#EnvVar">EnvVar[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#VmConfig-env">env</a></code></div>
<div class="type"><a href="#EnvVar">EnvVar[]</a></div>
</div></td>
<td>
<p>Specifies environment variables to be injected to this VM.
Note that if a key does not exist, it will be ignored.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
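Review bot: The "VmConfig-env" description keeps the ambiguous sentence "Note that if a key does not exist, it will be ignored." without saying which key or where it is looked up; a reader cannot tell whether this refers to an environment variable name absent from the proxy's environment or to something else. Since this wording is carried over unchanged, the fix belongs in the upstream proto comment, but it is worth flagging so the generated reference does not keep propagating it.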
@ -424,97 +436,39 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="EnvVar-name">
<td><code><a href="#EnvVar-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#EnvVar-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Name of the environment variable.
Must be a C_IDENTIFIER.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="EnvVar-value_from">
<td><code><a href="#EnvVar-value_from">valueFrom</a></code></td>
<td><code><a href="#EnvValueSource">EnvValueSource</a></code></td>
<td><div class="field"><div class="name"><code><a href="#EnvVar-value_from">valueFrom</a></code></div>
<div class="type"><a href="#EnvValueSource">EnvValueSource</a></div>
</div></td>
<td>
<p>Source for the environment variable&rsquo;s value.</p>
</td>
<td>
No
</td>
</tr>
<tr id="EnvVar-value">
<td><code><a href="#EnvVar-value">value</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#EnvVar-value">value</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Value for the environment variable.
Only applicable if <code>valueFrom</code> is <code>HOST</code>.
Defaults to &ldquo;&rdquo;.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="WasmPlugin-TrafficSelector">WasmPlugin.TrafficSelector</h2>
<section>
<p>TrafficSelector provides a mechanism to select a specific traffic flow
for which this Wasm Plugin will be enabled.
When all the sub conditions in the TrafficSelector are satisfied, the
traffic will be selected.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WasmPlugin-TrafficSelector-mode">
<td><code><a href="#WasmPlugin-TrafficSelector-mode">mode</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadMode">WorkloadMode</a></code></td>
<td>
<p>Criteria for selecting traffic by their direction.
Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
respectively.
For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-TrafficSelector-ports">
<td><code><a href="#WasmPlugin-TrafficSelector-ports">ports</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#PortSelector">PortSelector[]</a></code></td>
<td>
<p>Criteria for selecting traffic by their destination port.
More specifically, for the outbound traffic, the destination port would be
the port of the target service. On the other hand, for the inbound traffic,
the destination port is the port bound by the server process in the same Pod.</p>
<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
If not specified, this condition is evaluated to true for any port.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
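Review bot: The removed top-level `<h2 id="WasmPlugin-TrafficSelector">` block ends in this hunk at "<tbody>" with its closing table and section tags outside the shown context; please confirm the entire old section is deleted and not just its head, because the same id is now used by the nested `<h3 id="WasmPlugin-TrafficSelector">` added earlier in this file, and a leftover copy would produce a duplicate id and two competing anchor targets. Also note that with the Required column gone, the inline marker `<div class="required">Required</div>` on "EnvVar-name" is now the only signal that a field is mandatory, so the generator must emit it consistently for every required field.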

View File

@ -204,32 +204,29 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AuthorizationPolicy-selector">
<td><code><a href="#AuthorizationPolicy-selector">selector</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-selector">selector</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
<p>The selector decides where to apply the authorization policy. The selector will match with workloads
in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
will additionally match with workloads in all namespaces.</p>
<p>If the selector and the targetRef are not set, the selector will match all workloads.</p>
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-targetRefs">
<td><code><a href="#AuthorizationPolicy-targetRefs">targetRefs</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-targetRefs">targetRefs</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></div>
</div></td>
<td>
<p>Optional. The targetRefs specifies a list of resources the policy should be
<p>The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
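Review bot: The new "AuthorizationPolicy-selector" description still says "If the selector and the targetRef are not set, the selector will match all workloads" while the field in the next row is named "targetRefs"; the singular name should be updated to match. The security implication of that sentence also deserves to be explicit rather than implied: combined with "If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces", a policy with neither "selector" nor "targetRefs" set is namespace-wide, and mesh-wide when placed in the root namespace. Dropping the leading "Optional." from the descriptions is fine now that the Required column is gone, but the blast radius of an unselective policy is worth a sentence.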
@ -245,535 +242,64 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-rules">
<td><code><a href="#AuthorizationPolicy-rules">rules</a></code></td>
<td><code><a href="#Rule">Rule[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-rules">rules</a></code></div>
<div class="type"><a href="#Rule">Rule[]</a></div>
</div></td>
<td>
<p>Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.</p>
<p>A list of rules to match the request. A match occurs when at least one rule matches the request.</p>
<p>If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if
the action is ALLOW.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-action">
<td><code><a href="#AuthorizationPolicy-action">action</a></code></td>
<td><code><a href="#AuthorizationPolicy-Action">Action</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-action">action</a></code></div>
<div class="type"><a href="#AuthorizationPolicy-Action">Action</a></div>
</div></td>
<td>
<p>Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified.</p>
<p>The action to take if the request is matched with the rules. Default is ALLOW if not specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-provider" class="oneof oneof-start">
<td><code><a href="#AuthorizationPolicy-provider">provider</a></code></td>
<td><code><a href="#AuthorizationPolicy-ExtensionProvider">ExtensionProvider (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-provider">provider</a></code></div>
<div class="type"><a href="#AuthorizationPolicy-ExtensionProvider">ExtensionProvider (oneof)</a></div>
</div></td>
<td>
<p>Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule matches requests from a list of sources that perform a list of operations subject to a
list of conditions. A match occurs when at least one source, one operation and all conditions
matches the request. An empty rule is always matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:</p>
<ul>
<li>Exact match: <code>abc</code> will match on value <code>abc</code>.</li>
<li>Prefix match: <code>abc*</code> will match on value <code>abc</code> and <code>abcd</code>.</li>
<li>Suffix match: <code>*abc</code> will match on value <code>abc</code> and <code>xabc</code>.</li>
<li>Presence match: <code>*</code> will match when value is not empty.</li>
</ul>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-from">
<td><code><a href="#Rule-from">from</a></code></td>
<td><code><a href="#Rule-From">From[]</a></code></td>
<td>
<p>Optional. <code>from</code> specifies the source of a request.</p>
<p>If not set, any source is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-to">
<td><code><a href="#Rule-to">to</a></code></td>
<td><code><a href="#Rule-To">To[]</a></code></td>
<td>
<p>Optional. <code>to</code> specifies the operation of a request.</p>
<p>If not set, any operation is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-when">
<td><code><a href="#Rule-when">when</a></code></td>
<td><code><a href="#Condition">Condition[]</a></code></td>
<td>
<p>Optional. <code>when</code> specifies a list of additional conditions of a request.</p>
<p>If not set, any condition is allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request. Fields in the source are
ANDed together.</p>
<p>For example, the following source matches if the principal is <code>admin</code> or <code>dev</code>
and the namespace is <code>prod</code> or <code>test</code> and the ip is not <code>203.0.113.4</code>.</p>
<pre><code class="language-yaml">principals: [&quot;admin&quot;, &quot;dev&quot;]
namespaces: [&quot;prod&quot;, &quot;test&quot;]
notIpBlocks: [&quot;203.0.113.4&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><code><a href="#Source-principals">principals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
<code>&quot;&lt;TRUST_DOMAIN&gt;/ns/&lt;NAMESPACE&gt;/sa/&lt;SERVICE_ACCOUNT&gt;&quot;</code>, for example, <code>&quot;cluster.local/ns/default/sa/productpage&quot;</code>.
This field requires mTLS enabled and is the same as the <code>source.principal</code> attribute.</p>
<p>If not set, any principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_principals">
<td><code><a href="#Source-not_principals">notPrincipals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of peer identities.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-request_principals">
<td><code><a href="#Source-request_principals">requestPrincipals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of request identities derived from the JWT. The request identity is in the format of
<code>&quot;&lt;ISS&gt;/&lt;SUB&gt;&quot;</code>, for example, <code>&quot;example.com/sub-1&quot;</code>. This field requires request authentication enabled and is the
same as the <code>request.auth.principal</code> attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_request_principals">
<td><code><a href="#Source-not_request_principals">notRequestPrincipals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of request identities.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-namespaces">
<td><code><a href="#Source-namespaces">namespaces</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of namespaces derived from the peer certificate.
This field requires mTLS enabled and is the same as the <code>source.namespace</code> attribute.</p>
<p>If not set, any namespace is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_namespaces">
<td><code><a href="#Source-not_namespaces">notNamespaces</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of namespaces.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-ip_blocks">
<td><code><a href="#Source-ip_blocks">ipBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. <code>203.0.113.4</code>) and
CIDR (e.g. <code>203.0.113.0/24</code>) are supported. This is the same as the <code>source.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_ip_blocks">
<td><code><a href="#Source-not_ip_blocks">notIpBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of IP blocks.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-remote_ip_blocks">
<td><code><a href="#Source-remote_ip_blocks">remoteIpBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, populated from <code>X-Forwarded-For</code> header or proxy protocol.
To make use of this field, you must configure the <code>numTrustedProxies</code> field of the <code>gatewayTopology</code> under the <code>meshConfig</code>
when you install Istio or using an annotation on the ingress gateway. See the documentation here:
<a href="/docs/ops/configuration/traffic-management/network-topologies/">Configuring Gateway Network Topology</a>.
Single IP (e.g. <code>203.0.113.4</code>) and CIDR (e.g. <code>203.0.113.0/24</code>) are supported.
This is the same as the <code>remote.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_remote_ip_blocks">
<td><code><a href="#Source-not_remote_ip_blocks">notRemoteIpBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of remote IP blocks.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request. Fields in the operation are
ANDed together.</p>
<p>For example, the following operation matches if the host has suffix <code>.example.com</code>
and the method is <code>GET</code> or <code>HEAD</code> and the path doesn&rsquo;t have prefix <code>/admin</code>.</p>
<pre><code class="language-yaml">hosts: [&quot;*.example.com&quot;]
methods: [&quot;GET&quot;, &quot;HEAD&quot;]
notPaths: [&quot;/admin*&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><code><a href="#Operation-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive.
See the <a href="/docs/ops/best-practices/security/#writing-host-match-policies">security best practices</a> for
recommended usage of this field.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_hosts">
<td><code><a href="#Operation-not_hosts">notHosts</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-ports">
<td><code><a href="#Operation-ports">ports</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of ports as specified in the connection.</p>
<p>If not set, any port is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_ports">
<td><code><a href="#Operation-not_ports">notPorts</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of ports as specified in the connection.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-methods">
<td><code><a href="#Operation-methods">methods</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of methods as specified in the HTTP request.
For gRPC service, this will always be <code>POST</code>.</p>
<p>If not set, any method is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_methods">
<td><code><a href="#Operation-not_methods">notMethods</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of methods as specified in the HTTP request.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-paths">
<td><code><a href="#Operation-paths">paths</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of paths as specified in the HTTP request. See the <a href="/docs/reference/config/security/normalization/">Authorization Policy Normalization</a>
for details of the path normalization.
For gRPC service, this will be the fully-qualified name in the form of <code>/package.service/method</code>.</p>
<p>If a path in the list contains the <code>{*}</code> or <code>{**}</code> path template operator, it will be interpreted as an <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/path/match/uri_template/v3/uri_template_match.proto">Envoy Uri Template</a>.
To be a valid path template, the path must not contain <code>*</code>, <code>{</code>, or <code>}</code> outside of a supported operator. No other characters are allowed in the path segment with the path template operator.</p>
<ul>
<li><code>{*}</code> matches a single glob that cannot extend beyond a path segment.</li>
<li><code>{**}</code> matches zero or more globs. If a path contains <code>{**}</code>, it must be the last operator.</li>
</ul>
<p>Examples:</p>
<ul>
<li><code>/foo/{*}</code> matches <code>/foo/bar</code> but not <code>/foo/bar/baz</code></li>
<li><code>/foo/{**}/</code> matches <code>/foo/bar/</code>, <code>/foo/bar/baz.txt</code>, and <code>/foo//</code> but not <code>/foo/bar</code></li>
<li><code>/foo/{*}/bar/{**}</code> matches <code>/foo/buzz/bar/</code> and <code>/foo/buzz/bar/baz</code></li>
<li><code>/*/baz/{*}</code> is not a valid path template since it includes <code>*</code> outside of a supported operator</li>
<li><code>/**/baz/{*}</code> is not a valid path template since it includes <code>**</code> outside of a supported operator</li>
<li><code>/{**}/foo/{*}</code> is not a valid path template since <code>{**}</code> is not the last operator</li>
<li><code>/foo/{*}.txt</code> is invalid since there are characters other than <code>{*}</code> in the path segment</li>
</ul>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_paths">
<td><code><a href="#Operation-not_paths">notPaths</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of paths.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><code><a href="#Condition-key">key</a></code></td>
<td><code>string</code></td>
<td>
<p>The name of an Istio attribute.
See the <a href="/docs/reference/config/security/conditions/">full list of supported attributes</a>.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Condition-values">
<td><code><a href="#Condition-values">values</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of allowed values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Condition-not_values">
<td><code><a href="#Condition-not_values">notValues</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AuthorizationPolicy-ExtensionProvider">AuthorizationPolicy.ExtensionProvider</h2>
<h3 id="AuthorizationPolicy-ExtensionProvider">ExtensionProvider</h3>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AuthorizationPolicy-ExtensionProvider-name">
<td><code><a href="#AuthorizationPolicy-ExtensionProvider-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-ExtensionProvider-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig.
Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-From">Rule.From</h2>
<section>
<p>From includes a list of sources.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-From-source">
<td><code><a href="#Rule-From-source">source</a></code></td>
<td><code><a href="#Source">Source</a></code></td>
<td>
<p>Source specifies the source of a request.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-To">Rule.To</h2>
<section>
<p>To includes a list of operations.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-To-operation">
<td><code><a href="#Rule-To-operation">operation</a></code></td>
<td><code><a href="#Operation">Operation</a></code></td>
<td>
<p>Operation specifies the operation of a request.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AuthorizationPolicy-Action">AuthorizationPolicy.Action</h2>
<h3 id="AuthorizationPolicy-Action">Action</h3>
<section>
<p>Action specifies the operation to take.</p>
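Review bot: The "AuthorizationPolicy-rules" description only spells out the ALLOW consequence of an empty rule list: "If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW." The same sentence implies the opposite for DENY, a DENY policy with no rules matches nothing and therefore denies nothing, which is the case operators most often get wrong when writing a "deny-all" policy; suggest stating it explicitly next to the ALLOW case. For the rest of this hunk, the old-style Rule, Source, Operation, Condition, From and To sections are removed here and the new `<h3>` headings for ExtensionProvider and Action reuse the ids of the removed `<h2>` elements, so anchors are preserved; the removed sections are re-emitted in the new layout further down, which only reorders the page.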
@ -842,3 +368,398 @@ spec:
</tbody>
</table>
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule matches requests from a list of sources that perform a list of operations subject to a
list of conditions. A match occurs when at least one source, one operation and all conditions
matches the request. An empty rule is always matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:</p>
<ul>
<li>Exact match: <code>abc</code> will match on value <code>abc</code>.</li>
<li>Prefix match: <code>abc*</code> will match on value <code>abc</code> and <code>abcd</code>.</li>
<li>Suffix match: <code>*abc</code> will match on value <code>abc</code> and <code>xabc</code>.</li>
<li>Presence match: <code>*</code> will match when value is not empty.</li>
</ul>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-from">
<td><div class="field"><div class="name"><code><a href="#Rule-from">from</a></code></div>
<div class="type"><a href="#Rule-From">From[]</a></div>
</div></td>
<td>
<p><code>from</code> specifies the source of a request.</p>
<p>If not set, any source is allowed.</p>
</td>
</tr>
<tr id="Rule-to">
<td><div class="field"><div class="name"><code><a href="#Rule-to">to</a></code></div>
<div class="type"><a href="#Rule-To">To[]</a></div>
</div></td>
<td>
<p><code>to</code> specifies the operation of a request.</p>
<p>If not set, any operation is allowed.</p>
</td>
</tr>
<tr id="Rule-when">
<td><div class="field"><div class="name"><code><a href="#Rule-when">when</a></code></div>
<div class="type"><a href="#Condition">Condition[]</a></div>
</div></td>
<td>
<p><code>when</code> specifies a list of additional conditions of a request.</p>
<p>If not set, any condition is allowed.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="Rule-From">From</h3>
<section>
<p>From includes a list of sources.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-From-source">
<td><div class="field"><div class="name"><code><a href="#Rule-From-source">source</a></code></div>
<div class="type"><a href="#Source">Source</a></div>
</div></td>
<td>
<p>Source specifies the source of a request.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="Rule-To">To</h3>
<section>
<p>To includes a list of operations.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-To-operation">
<td><div class="field"><div class="name"><code><a href="#Rule-To-operation">operation</a></code></div>
<div class="type"><a href="#Operation">Operation</a></div>
</div></td>
<td>
<p>Operation specifies the operation of a request.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request. Fields in the source are
ANDed together.</p>
<p>For example, the following source matches if the principal is <code>admin</code> or <code>dev</code>
and the namespace is <code>prod</code> or <code>test</code> and the ip is not <code>203.0.113.4</code>.</p>
<pre><code class="language-yaml">principals: [&quot;admin&quot;, &quot;dev&quot;]
namespaces: [&quot;prod&quot;, &quot;test&quot;]
notIpBlocks: [&quot;203.0.113.4&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><div class="field"><div class="name"><code><a href="#Source-principals">principals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of peer identities derived from the peer certificate. The peer identity is in the format of
<code>&quot;&lt;TRUST_DOMAIN&gt;/ns/&lt;NAMESPACE&gt;/sa/&lt;SERVICE_ACCOUNT&gt;&quot;</code>, for example, <code>&quot;cluster.local/ns/default/sa/productpage&quot;</code>.
This field requires mTLS enabled and is the same as the <code>source.principal</code> attribute.</p>
<p>If not set, any principal is allowed.</p>
</td>
</tr>
<tr id="Source-not_principals">
<td><div class="field"><div class="name"><code><a href="#Source-not_principals">notPrincipals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of peer identities.</p>
</td>
</tr>
<tr id="Source-request_principals">
<td><div class="field"><div class="name"><code><a href="#Source-request_principals">requestPrincipals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of request identities derived from the JWT. The request identity is in the format of
<code>&quot;&lt;ISS&gt;/&lt;SUB&gt;&quot;</code>, for example, <code>&quot;example.com/sub-1&quot;</code>. This field requires request authentication enabled and is the
same as the <code>request.auth.principal</code> attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
</tr>
<tr id="Source-not_request_principals">
<td><div class="field"><div class="name"><code><a href="#Source-not_request_principals">notRequestPrincipals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of request identities.</p>
</td>
</tr>
<tr id="Source-namespaces">
<td><div class="field"><div class="name"><code><a href="#Source-namespaces">namespaces</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of namespaces derived from the peer certificate.
This field requires mTLS enabled and is the same as the <code>source.namespace</code> attribute.</p>
<p>If not set, any namespace is allowed.</p>
</td>
</tr>
<tr id="Source-not_namespaces">
<td><div class="field"><div class="name"><code><a href="#Source-not_namespaces">notNamespaces</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of namespaces.</p>
</td>
</tr>
<tr id="Source-ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-ip_blocks">ipBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. <code>203.0.113.4</code>) and
CIDR (e.g. <code>203.0.113.0/24</code>) are supported. This is the same as the <code>source.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
</tr>
<tr id="Source-not_ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-not_ip_blocks">notIpBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of IP blocks.</p>
</td>
</tr>
<tr id="Source-remote_ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-remote_ip_blocks">remoteIpBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of IP blocks, populated from <code>X-Forwarded-For</code> header or proxy protocol.
To make use of this field, you must configure the <code>numTrustedProxies</code> field of the <code>gatewayTopology</code> under the <code>meshConfig</code>
when you install Istio or using an annotation on the ingress gateway. See the documentation here:
<a href="/docs/ops/configuration/traffic-management/network-topologies/">Configuring Gateway Network Topology</a>.
Single IP (e.g. <code>203.0.113.4</code>) and CIDR (e.g. <code>203.0.113.0/24</code>) are supported.
This is the same as the <code>remote.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
</tr>
<tr id="Source-not_remote_ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-not_remote_ip_blocks">notRemoteIpBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of remote IP blocks.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request. Fields in the operation are
ANDed together.</p>
<p>For example, the following operation matches if the host has suffix <code>.example.com</code>
and the method is <code>GET</code> or <code>HEAD</code> and the path doesn&rsquo;t have prefix <code>/admin</code>.</p>
<pre><code class="language-yaml">hosts: [&quot;*.example.com&quot;]
methods: [&quot;GET&quot;, &quot;HEAD&quot;]
notPaths: [&quot;/admin*&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><div class="field"><div class="name"><code><a href="#Operation-hosts">hosts</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of hosts as specified in the HTTP request. The match is case-insensitive.
See the <a href="/docs/ops/best-practices/security/#writing-host-match-policies">security best practices</a> for
recommended usage of this field.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
</tr>
<tr id="Operation-not_hosts">
<td><div class="field"><div class="name"><code><a href="#Operation-not_hosts">notHosts</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.</p>
</td>
</tr>
<tr id="Operation-ports">
<td><div class="field"><div class="name"><code><a href="#Operation-ports">ports</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of ports as specified in the connection.</p>
<p>If not set, any port is allowed.</p>
</td>
</tr>
<tr id="Operation-not_ports">
<td><div class="field"><div class="name"><code><a href="#Operation-not_ports">notPorts</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of ports as specified in the connection.</p>
</td>
</tr>
<tr id="Operation-methods">
<td><div class="field"><div class="name"><code><a href="#Operation-methods">methods</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of methods as specified in the HTTP request.
For gRPC service, this will always be <code>POST</code>.</p>
<p>If not set, any method is allowed. Must be used only with HTTP.</p>
</td>
</tr>
<tr id="Operation-not_methods">
<td><div class="field"><div class="name"><code><a href="#Operation-not_methods">notMethods</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of methods as specified in the HTTP request.</p>
</td>
</tr>
<tr id="Operation-paths">
<td><div class="field"><div class="name"><code><a href="#Operation-paths">paths</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of paths as specified in the HTTP request. See the <a href="/docs/reference/config/security/normalization/">Authorization Policy Normalization</a>
for details of the path normalization.
For gRPC service, this will be the fully-qualified name in the form of <code>/package.service/method</code>.</p>
<p>If a path in the list contains the <code>{*}</code> or <code>{**}</code> path template operator, it will be interpreted as an <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/path/match/uri_template/v3/uri_template_match.proto">Envoy Uri Template</a>.
To be a valid path template, the path must not contain <code>*</code>, <code>{</code>, or <code>}</code> outside of a supported operator. No other characters are allowed in the path segment with the path template operator.</p>
<ul>
<li><code>{*}</code> matches a single glob that cannot extend beyond a path segment.</li>
<li><code>{**}</code> matches zero or more globs. If a path contains <code>{**}</code>, it must be the last operator.</li>
</ul>
<p>Examples:</p>
<ul>
<li><code>/foo/{*}</code> matches <code>/foo/bar</code> but not <code>/foo/bar/baz</code></li>
<li><code>/foo/{**}/</code> matches <code>/foo/bar/</code>, <code>/foo/bar/baz.txt</code>, and <code>/foo//</code> but not <code>/foo/bar</code></li>
<li><code>/foo/{*}/bar/{**}</code> matches <code>/foo/buzz/bar/</code> and <code>/foo/buzz/bar/baz</code></li>
<li><code>/*/baz/{*}</code> is not a valid path template since it includes <code>*</code> outside of a supported operator</li>
<li><code>/**/baz/{*}</code> is not a valid path template since it includes <code>**</code> outside of a supported operator</li>
<li><code>/{**}/foo/{*}</code> is not a valid path template since <code>{**}</code> is not the last operator</li>
<li><code>/foo/{*}.txt</code> is invalid since there are characters other than <code>{*}</code> in the path segment</li>
</ul>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
</tr>
<tr id="Operation-not_paths">
<td><div class="field"><div class="name"><code><a href="#Operation-not_paths">notPaths</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of paths.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><div class="field"><div class="name"><code><a href="#Condition-key">key</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The name of an Istio attribute.
See the <a href="/docs/reference/config/security/conditions/">full list of supported attributes</a>.</p>
</td>
</tr>
<tr id="Condition-values">
<td><div class="field"><div class="name"><code><a href="#Condition-values">values</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of allowed values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
</tr>
<tr id="Condition-not_values">
<td><div class="field"><div class="name"><code><a href="#Condition-not_values">notValues</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
</tr>
</tbody>
</table>
</section>
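Review bot: the `notPaths` row describes itself only as "A list of negative match of paths." while the `paths` row it negates carries the normalization link and the `{*}`/`{**}` template rules; say whether path normalization and template operators apply to `notPaths` as well, because a deny-style `notPaths: ["/admin/{**}"]` behaves very differently if they do not. The same "A list of negative match of X" phrasing is used for `notNamespaces`, `notIpBlocks`, `notRemoteIpBlocks`, `notHosts`, `notPorts` and `notMethods` and reads awkwardly; "A list of X to exclude (negative match)." would be clearer in every row.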

View File

@ -95,54 +95,46 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-selector">
<td><code><a href="#PeerAuthentication-selector">selector</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-selector">selector</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the
same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.</p>
<p>If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied
to all workloads in the mesh.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-mtls">
<td><code><a href="#PeerAuthentication-mtls">mtls</a></code></td>
<td><code><a href="#PeerAuthentication-MutualTLS">MutualTLS</a></code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-mtls">mtls</a></code></div>
<div class="type"><a href="#PeerAuthentication-MutualTLS">MutualTLS</a></div>
</div></td>
<td>
<p>Mutual TLS settings for workload. If not defined, inherit from parent.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-port_level_mtls">
<td><code><a href="#PeerAuthentication-port_level_mtls">portLevelMtls</a></code></td>
<td><code>map&lt;uint32,&nbsp;<a href="#PeerAuthentication-MutualTLS">MutualTLS</a>&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-port_level_mtls">portLevelMtls</a></code></div>
<div class="type">map&lt;uint32,&nbsp;<a href="#PeerAuthentication-MutualTLS">MutualTLS</a>&gt;</div>
</div></td>
<td>
<p>Port specific mutual TLS settings. These only apply when a workload selector
is specified. The port refers to the port of the workload, not the port of the
Kubernetes service.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS">PeerAuthentication.MutualTLS</h2>
<h3 id="PeerAuthentication-MutualTLS">MutualTLS</h3>
<section>
<p>Mutual TLS settings.</p>
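Review bot: in the retained `selector` description, "the selector will additionally match with workloads in all namespace" should read "in all namespaces" (the RequestAuthentication hunk below already uses the plural). The demotion of `PeerAuthentication.MutualTLS` from `<h2>` to `<h3>` keeps `id="PeerAuthentication-MutualTLS"`, so existing `#PeerAuthentication-MutualTLS` links still resolve; the `<h4>` for `Mode` in the next hunk keeps the same nesting, which is consistent.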
@ -150,27 +142,23 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-MutualTLS-mode">
<td><code><a href="#PeerAuthentication-MutualTLS-mode">mode</a></code></td>
<td><code><a href="#PeerAuthentication-MutualTLS-Mode">Mode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-MutualTLS-mode">mode</a></code></div>
<div class="type"><a href="#PeerAuthentication-MutualTLS-Mode">Mode</a></div>
</div></td>
<td>
<p>Defines the mTLS mode used for peer authentication.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS-Mode">PeerAuthentication.MutualTLS.Mode</h2>
<h4 id="PeerAuthentication-MutualTLS-Mode">Mode</h4>
<section>
<table class="enum-values">
<thead>

View File

@ -202,32 +202,29 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RequestAuthentication-selector">
<td><code><a href="#RequestAuthentication-selector">selector</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#RequestAuthentication-selector">selector</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
<p>The selector decides where to apply the request authentication policy. The selector will match with workloads
in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
the selector will additionally match with workloads in all namespaces.</p>
<p>If not set, the selector will match all workloads.</p>
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-targetRefs">
<td><code><a href="#RequestAuthentication-targetRefs">targetRefs</a></code></td>
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#RequestAuthentication-targetRefs">targetRefs</a></code></div>
<div class="type"><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></div>
</div></td>
<td>
<p>Optional. The targetRefs specifies a list of resources the policy should be
<p>The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
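Review bot: with the leading "Optional." dropped from the `selector` and `targetRefs` descriptions, the only remaining signal that they are optional is the absence of a `<div class="required">` marker, which matches the rest of this commit. The sentence "If not set, the selector will match all workloads" is still ambiguous about scope, though: the PeerAuthentication hunk above spells out "all workloads in the same namespace as the policy" and, for the root namespace, "all workloads in the mesh". Use the same wording here so readers do not assume a namespaced RequestAuthentication is mesh-wide.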
@ -243,14 +240,12 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-jwt_rules">
<td><code><a href="#RequestAuthentication-jwt_rules">jwtRules</a></code></td>
<td><code><a href="#JWTRule">JWTRule[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#RequestAuthentication-jwt_rules">jwtRules</a></code></div>
<div class="type"><a href="#JWTRule">JWTRule[]</a></div>
</div></td>
<td>
<p>Define the list of JWTs that can be validated at the selected workloads&rsquo; proxy. A valid token
will be used to extract the authenticated identity.
@ -260,9 +255,6 @@ be rejected.
Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -296,15 +288,15 @@ fromHeaders:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTRule-issuer">
<td><code><a href="#JWTRule-issuer">issuer</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-issuer">issuer</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Identifies the issuer that issued the JWT. See
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.1">issuer</a>
@ -312,14 +304,12 @@ A JWT with different <code>iss</code> claim will be rejected.</p>
<p>Example: <code>https://foobar.auth0.com</code>
Example: <code>1234567-compute@developer.gserviceaccount.com</code></p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTRule-audiences">
<td><code><a href="#JWTRule-audiences">audiences</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-audiences">audiences</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>The list of JWT
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.3">audiences</a>
@ -332,14 +322,12 @@ audiences will be accepted.</p>
bookstore_web.apps.example.com
</code></pre>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks_uri">
<td><code><a href="#JWTRule-jwks_uri">jwksUri</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-jwks_uri">jwksUri</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>URL of the provider&rsquo;s public key set to validate signature of the
JWT. See <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Discovery</a>.</p>
@ -351,27 +339,23 @@ Google service account).</p>
<p>Example: <code>https://www.googleapis.com/oauth2/v1/certs</code></p>
<p>Note: Only one of <code>jwksUri</code> and <code>jwks</code> should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks">
<td><code><a href="#JWTRule-jwks">jwks</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-jwks">jwks</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>JSON Web Key Set of public keys to validate signature of the JWT.
See <a href="https://auth0.com/docs/jwks">https://auth0.com/docs/jwks</a>.</p>
<p>Note: Only one of <code>jwksUri</code> and <code>jwks</code> should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_headers">
<td><code><a href="#JWTRule-from_headers">fromHeaders</a></code></td>
<td><code><a href="#JWTHeader">JWTHeader[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-from_headers">fromHeaders</a></code></div>
<div class="type"><a href="#JWTHeader">JWTHeader[]</a></div>
</div></td>
<td>
<p>List of header locations from which JWT is expected. For example, below is the location spec
if JWT is expected to be found in <code>x-jwt-assertion</code> header, and have <code>Bearer</code> prefix:</p>
@ -382,14 +366,12 @@ if JWT is expected to be found in <code>x-jwt-assertion</code> header, and have
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_params">
<td><code><a href="#JWTRule-from_params">fromParams</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-from_params">fromParams</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>List of query parameters from which JWT is expected. For example, if JWT is provided via query
parameter <code>my_token</code> (e.g <code>/path?my_token=&lt;JWT&gt;</code>), the config is:</p>
@ -399,27 +381,23 @@ parameter <code>my_token</code> (e.g <code>/path?my_token=&lt;JWT&gt;</code>), t
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-output_payload_to_header">
<td><code><a href="#JWTRule-output_payload_to_header">outputPayloadToHeader</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-output_payload_to_header">outputPayloadToHeader</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>This field specifies the header name to output a successfully verified JWT payload to the
backend. The forwarded data is <code>base64_encoded(jwt_payload_in_JSON)</code>. If it is not specified,
the payload will not be emitted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_cookies">
<td><code><a href="#JWTRule-from_cookies">fromCookies</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-from_cookies">fromCookies</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>List of cookie names from which JWT is expected. //
For example, if config is:</p>
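Review bot: the `fromCookies` description at "List of cookie names from which JWT is expected. //" carries a stray `//` that leaked from the proto comment into the rendered text; remove it in the source comment rather than in the generated HTML.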
@ -430,25 +408,21 @@ For example, if config is:</p>
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-forward_original_token">
<td><code><a href="#JWTRule-forward_original_token">forwardOriginalToken</a></code></td>
<td><code>bool</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-forward_original_token">forwardOriginalToken</a></code></div>
<div class="type">bool</div>
</div></td>
<td>
<p>If set to true, the original token will be kept for the upstream request. Default is false.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-output_claim_to_headers">
<td><code><a href="#JWTRule-output_claim_to_headers">outputClaimToHeaders</a></code></td>
<td><code><a href="#ClaimToHeader">ClaimToHeader[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-output_claim_to_headers">outputClaimToHeaders</a></code></div>
<div class="type"><a href="#ClaimToHeader">ClaimToHeader[]</a></div>
</div></td>
<td>
<p>This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
This differs from the <code>output_payload_to_header</code> by allowing outputting individual claims instead of the whole payload.
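Review bot: the `outputClaimToHeaders` description refers to `output_payload_to_header` in proto snake_case while the table renders that field as `outputPayloadToHeader`; use the rendered name, ideally as a link to `#JWTRule-output_payload_to_header`, so the cross-reference matches the row the reader can actually find.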
@ -463,21 +437,16 @@ The header specified in each operation in the list must be unique. Nested claims
</code></pre>
<p>[Experimental] This feature is a experimental feature.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-timeout">
<td><code><a href="#JWTRule-timeout">timeout</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-timeout">timeout</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></div>
</div></td>
<td>
<p>The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
will spend waiting for the JWKS to be fetched. Default is 5s.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
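Review bot: "[Experimental] This feature is a experimental feature." in the retained context has an article error ("an") and is redundant with the `[Experimental]` tag; "[Experimental] This feature is experimental." is enough. In the `timeout` row, "Default is 5s." is fine as a default, but it would help to say that the value bounds the JWKS fetch and what happens to a request when the fetch exceeds it, since that is what an operator tuning it needs to know.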
@ -491,34 +460,29 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTHeader-name">
<td><code><a href="#JWTHeader-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTHeader-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The HTTP header name.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTHeader-prefix">
<td><code><a href="#JWTHeader-prefix">prefix</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTHeader-prefix">prefix</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The prefix that should be stripped before decoding the token.
For example, for <code>Authorization: Bearer &lt;token&gt;</code>, prefix=<code>Bearer</code> with a space at the end.
If the header doesn&rsquo;t have this exact prefix, it is considered invalid.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -532,33 +496,29 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ClaimToHeader-header">
<td><code><a href="#ClaimToHeader-header">header</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ClaimToHeader-header">header</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The name of the header to be created. The header will be overridden if it already exists in the request.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ClaimToHeader-claim">
<td><code><a href="#ClaimToHeader-claim">claim</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ClaimToHeader-claim">claim</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The name of the claim to be copied from. Only claim of type string/int/bool is supported.
The header will not be there if the claim does not exist or the type of the claim is not supported.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
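Review bot: the `claim` row says "The header will not be there if the claim does not exist or the type of the claim is not supported", but it does not say whether a header of that name supplied by the client is removed in that case or passed through unchanged. Because the `header` row promises that an existing request header "will be overridden" on success, backends will reasonably trust the header; document explicitly whether the proxy strips a client-supplied value when the claim is absent, so the trust boundary is stated rather than implied.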

File diff suppressed because it is too large Load Diff

View File

@ -21,23 +21,19 @@ selected. Currently, only label based selection mechanism is supported.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadSelector-match_labels">
<td><code><a href="#WorkloadSelector-match_labels">matchLabels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadSelector-match_labels">matchLabels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which a policy should be applied. The scope of label search is restricted to
the configuration namespace in which the resource is present.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -52,21 +48,18 @@ a listener having a specific port.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PortSelector-number">
<td><code><a href="#PortSelector-number">number</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#PortSelector-number">number</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Port number</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
@ -107,55 +100,47 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PolicyTargetReference-group">
<td><code><a href="#PolicyTargetReference-group">group</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-group">group</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>group is the group of the target resource.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PolicyTargetReference-kind">
<td><code><a href="#PolicyTargetReference-kind">kind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-kind">kind</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>kind is kind of the target resource.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="PolicyTargetReference-name">
<td><code><a href="#PolicyTargetReference-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>name is the name of the target resource.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="PolicyTargetReference-namespace">
<td><code><a href="#PolicyTargetReference-namespace">namespace</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-namespace">namespace</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>namespace is the namespace of the referent. When unspecified, the local
namespace is inferred.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
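Review bot: the PolicyTargetReference descriptions start in lowercase ("group is the group of the target resource.", "kind is kind of the target resource.") unlike every other row in this commit, and "kind is kind of" is missing an article; capitalize them and read "Kind is the kind of the target resource." The `required` markers on `kind` and `name` but not on `group` or `namespace` are consistent with the `namespace` text ("When unspecified, the local namespace is inferred"); a similar sentence for `group` saying what is assumed when it is unset would make the optional status useful rather than just unmarked.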

View File

@ -20,216 +20,42 @@ messages. All information should be static with respect to the error code.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageBase-type">
<td><code><a href="#AnalysisMessageBase-type">type</a></code></td>
<td><code><a href="#AnalysisMessageBase-Type">Type</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-type">type</a></code></div>
<div class="type"><a href="#AnalysisMessageBase-Type">Type</a></div>
</div></td>
<td>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageBase-level">
<td><code><a href="#AnalysisMessageBase-level">level</a></code></td>
<td><code><a href="#AnalysisMessageBase-Level">Level</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-level">level</a></code></div>
<div class="type"><a href="#AnalysisMessageBase-Level">Level</a></div>
</div></td>
<td>
<p>Represents how severe a message is. Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageBase-documentation_url">
<td><code><a href="#AnalysisMessageBase-documentation_url">documentationUrl</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-documentation_url">documentationUrl</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A url pointing to the Istio documentation for this specific error type.
Should be of the form
<code>^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/</code>
Required.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageWeakSchema">AnalysisMessageWeakSchema</h2>
<section>
<p>AnalysisMessageWeakSchema is the set of information that&rsquo;s needed to define a
weakly-typed schema. The purpose of this proto is to provide a mechanism for
validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
sure that we don&rsquo;t allow committing underspecified types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-message_base">
<td><code><a href="#AnalysisMessageWeakSchema-message_base">messageBase</a></code></td>
<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-description">
<td><code><a href="#AnalysisMessageWeakSchema-description">description</a></code></td>
<td><code>string</code></td>
<td>
<p>A human readable description of what the error means. Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-template">
<td><code><a href="#AnalysisMessageWeakSchema-template">template</a></code></td>
<td><code>string</code></td>
<td>
<p>A go-style template string (<a href="https://golang.org/pkg/fmt/#hdr-Printing">https://golang.org/pkg/fmt/#hdr-Printing</a>)
defining how to combine the args for a particular message into a log line.
Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-args">
<td><code><a href="#AnalysisMessageWeakSchema-args">args</a></code></td>
<td><code><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></code></td>
<td>
<p>A description of the arguments for a particular message type</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="GenericAnalysisMessage">GenericAnalysisMessage</h2>
<section>
<p>GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
should be able to perform validation of arguments as needed by using the
message type information to look at the AnalysisMessageWeakSchema and examine the
list of args at runtime. Developers can also create stronger-typed versions
of GenericAnalysisMessage for well-known and stable message types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="GenericAnalysisMessage-message_base">
<td><code><a href="#GenericAnalysisMessage-message_base">messageBase</a></code></td>
<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="GenericAnalysisMessage-args">
<td><code><a href="#GenericAnalysisMessage-args">args</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td>
<p>Any message-type specific arguments that need to get codified. Optional.</p>
</td>
<td>
No
</td>
</tr>
<tr id="GenericAnalysisMessage-resource_paths">
<td><code><a href="#GenericAnalysisMessage-resource_paths">resourcePaths</a></code></td>
<td><code>string[]</code></td>
<td>
<p>A list of strings specifying the resource identifiers that were the cause
of message generation. A &ldquo;path&rdquo; here is a (NAMESPACE/)?RESOURCETYPE/NAME
tuple that uniquely identifies a particular resource. There doesn&rsquo;t seem to
be a single concept for this, but this is intuitively taken from
<a href="https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology">https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology</a>
At least one is required.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="InternalErrorAnalysisMessage">InternalErrorAnalysisMessage</h2>
<section>
<p>InternalErrorAnalysisMessage is a strongly-typed message representing some
error in Istio code that prevented us from performing analysis at all.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="InternalErrorAnalysisMessage-message_base">
<td><code><a href="#InternalErrorAnalysisMessage-message_base">messageBase</a></code></td>
<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="InternalErrorAnalysisMessage-detail">
<td><code><a href="#InternalErrorAnalysisMessage-detail">detail</a></code></td>
<td><code>string</code></td>
<td>
<p>Any detail regarding specifics of the error. Should be human-readable.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageBase-Type">AnalysisMessageBase.Type</h2>
<h3 id="AnalysisMessageBase-Type">Type</h3>
<section>
<p>A unique identifier for the type of message. Name is intended to be
human-readable, code is intended to be machine readable. There should be a
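Review bot: the `level` and `documentationUrl` descriptions still end with "Required." yet neither row gets the `<div class="required">Required</div>` marker that this commit adds to fields such as `JWTRule.issuer`, and the `type` row's description is empty; either mark these fields required in the proto source so the generator emits the marker, or drop the trailing "Required." so the table does not contradict itself (the same applies to `Type.name` and `Type.code` in the next hunk). Separately, this hunk is -216/+42 and the `AnalysisMessageWeakSchema`, `GenericAnalysisMessage` and `InternalErrorAnalysisMessage` sections appear only in the old four-column form with no new-format counterpart, so they are being removed from the page; confirm that is intended rather than a generator regression.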
@ -240,82 +66,36 @@ codes between message types.)</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageBase-Type-name">
<td><code><a href="#AnalysisMessageBase-Type-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A human-readable name for the message type. e.g. &ldquo;InternalError&rdquo;,
&ldquo;PodMissingProxy&rdquo;. This should be the same for all messages of the same type.
Required.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageBase-Type-code">
<td><code><a href="#AnalysisMessageBase-Type-code">code</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-code">code</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A 7 character code matching <code>^IST[0-9]{4}$</code> intended to uniquely identify
the message type. (e.g. &ldquo;IST0001&rdquo; is mapped to the &ldquo;InternalError&rdquo; message
type.) 0000-0100 are reserved. Required.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageWeakSchema-ArgType">AnalysisMessageWeakSchema.ArgType</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-ArgType-name">
<td><code><a href="#AnalysisMessageWeakSchema-ArgType-name">name</a></code></td>
<td><code>string</code></td>
<td>
<p>Required</p>
</td>
<td>
No
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
<td><code><a href="#AnalysisMessageWeakSchema-ArgType-go_type">goType</a></code></td>
<td><code>string</code></td>
<td>
<p>Required. Should be a golang type, used in code generation.
Ideally this will change to a less language-pinned type before this gets
out of alpha, but for compatibility with current istio/istio code it&rsquo;s
go_type for now.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageBase-Level">AnalysisMessageBase.Level</h2>
<h3 id="AnalysisMessageBase-Level">Level</h3>
<section>
<p>The values here are chosen so that more severe messages get sorted higher,
as well as leaving space in between to add more later</p>
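Review bot: the `name` and `code` rows carry "Required." only as trailing prose in their descriptions while the removed `Required` column said `No` for both, and the new layout adds no `<div class="required">Required</div>` marker for them (the marker this commit uses for `Server.port` in the gateway file). Dropping the column removes the old contradiction, but the requirement now survives only in free text; it should be expressed through the structured marker so the generator renders it consistently.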
@ -353,3 +133,179 @@ as well as leaving space in between to add more later</p>
</tbody>
</table>
</section>
<h2 id="AnalysisMessageWeakSchema">AnalysisMessageWeakSchema</h2>
<section>
<p>AnalysisMessageWeakSchema is the set of information that&rsquo;s needed to define a
weakly-typed schema. The purpose of this proto is to provide a mechanism for
validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
sure that we don&rsquo;t allow committing underspecified types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-message_base">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-message_base">messageBase</a></code></div>
<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-description">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-description">description</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A human readable description of what the error means. Required.</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-template">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-template">template</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>A go-style template string (<a href="https://golang.org/pkg/fmt/#hdr-Printing">https://golang.org/pkg/fmt/#hdr-Printing</a>)
defining how to combine the args for a particular message into a log line.
Required.</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-args">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-args">args</a></code></div>
<div class="type"><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></div>
</div></td>
<td>
<p>A description of the arguments for a particular message type</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="AnalysisMessageWeakSchema-ArgType">ArgType</h3>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="AnalysisMessageWeakSchema-ArgType-name">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-go_type">goType</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Should be a golang type, used in code generation.
Ideally this will change to a less language-pinned type before this gets
out of alpha, but for compatibility with current istio/istio code it&rsquo;s
go_type for now.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="GenericAnalysisMessage">GenericAnalysisMessage</h2>
<section>
<p>GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
should be able to perform validation of arguments as needed by using the
message type information to look at the AnalysisMessageWeakSchema and examine the
list of args at runtime. Developers can also create stronger-typed versions
of GenericAnalysisMessage for well-known and stable message types.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="GenericAnalysisMessage-message_base">
<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-message_base">messageBase</a></code></div>
<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="GenericAnalysisMessage-args">
<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-args">args</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
</div></td>
<td>
<p>Any message-type specific arguments that need to get codified. Optional.</p>
</td>
</tr>
<tr id="GenericAnalysisMessage-resource_paths">
<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-resource_paths">resourcePaths</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of strings specifying the resource identifiers that were the cause
of message generation. A &ldquo;path&rdquo; here is a (NAMESPACE/)?RESOURCETYPE/NAME
tuple that uniquely identifies a particular resource. There doesn&rsquo;t seem to
be a single concept for this, but this is intuitively taken from
<a href="https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology">https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology</a>
At least one is required.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="InternalErrorAnalysisMessage">InternalErrorAnalysisMessage</h2>
<section>
<p>InternalErrorAnalysisMessage is a strongly-typed message representing some
error in Istio code that prevented us from performing analysis at all.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="InternalErrorAnalysisMessage-message_base">
<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-message_base">messageBase</a></code></div>
<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
</div></td>
<td>
<p>Required</p>
</td>
</tr>
<tr id="InternalErrorAnalysisMessage-detail">
<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-detail">detail</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Any detail regarding specifics of the error. Should be human-readable.</p>
</td>
</tr>
</tbody>
</table>
</section>
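Review bot: the `goType` description loses its leading "Required." (the removed text in the previous hunk read "Required. Should be a golang type, used in code generation.") without gaining a `<div class="required">Required</div>` marker, so the field is no longer documented as required anywhere; likewise `resourcePaths` states "At least one is required." in prose only. Either restore the word in the description or emit the required marker for both fields.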

File diff suppressed because it is too large

View File

@ -289,6 +289,29 @@ indicates the type of traffic this waypoint can handle.</p>
</tr>
</tbody>
</table>
<h2 id="ServiceWorkloadName">service.istio.io/workload-name</h2>
<table class="annotations">
<tbody>
<tr>
<th>Name</th>
<td><code>service.istio.io/workload-name</code></td>
</tr>
<tr>
<th>Feature Status</th>
<td>Alpha</td>
</tr>
<tr>
<th>Resource Types</th>
<td>[Pod WorkloadEntry]</td>
</tr>
<tr>
<th>Description</th>
<td><p>The workload name of the application a workload belongs to. If unset, defaults to the detect parent resource.
For example, a <code>Pod</code> resource may default to the <code>Deployment</code> name.</p>
</td>
</tr>
</tbody>
</table>
<h2 id="SidecarInject">sidecar.istio.io/inject</h2>
<table class="annotations">
<tbody>

View File

@ -14,33 +14,27 @@ number_of_entries: 2
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioStatus-conditions">
<td><code><a href="#IstioStatus-conditions">conditions</a></code></td>
<td><code><a href="#IstioCondition">IstioCondition[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioStatus-conditions">conditions</a></code></div>
<div class="type"><a href="#IstioCondition">IstioCondition[]</a></div>
</div></td>
<td>
<p>Current service state of the resource.
More info: <a href="/zh/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioStatus-validation_messages">
<td><code><a href="#IstioStatus-validation_messages">validationMessages</a></code></td>
<td><code><a href="/zh/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioStatus-validation_messages">validationMessages</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></div>
</div></td>
<td>
<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
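Review bot: in the `conditions` row the visible link text is `https://istio.io/docs/reference/config/config-status/` while the href is the localized `/zh/docs/reference/config/config-status/`, so the reader sees one URL and is sent to another; render the localized path as the link text or make the href match the displayed URL.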
@ -52,88 +46,72 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioCondition-type">
<td><code><a href="#IstioCondition-type">type</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-type">type</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Type is the type of the condition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-status">
<td><code><a href="#IstioCondition-status">status</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-status">status</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Status is the status of the condition.
Can be True, False, Unknown.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-last_probe_time">
<td><code><a href="#IstioCondition-last_probe_time">lastProbeTime</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-last_probe_time">lastProbeTime</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></div>
</div></td>
<td>
<p>Last time we probed the condition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-last_transition_time">
<td><code><a href="#IstioCondition-last_transition_time">lastTransitionTime</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-last_transition_time">lastTransitionTime</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></div>
</div></td>
<td>
<p>Last time the condition transitioned from one status to another.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-reason">
<td><code><a href="#IstioCondition-reason">reason</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-reason">reason</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Unique, one-word, CamelCase reason for the condition&rsquo;s last transition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-message">
<td><code><a href="#IstioCondition-message">message</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-message">message</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Human-readable message indicating details about last transition.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioCondition-observed_generation">
<td><code><a href="#IstioCondition-observed_generation">observedGeneration</a></code></td>
<td><code>int64</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioCondition-observed_generation">observedGeneration</a></code></div>
<div class="type">int64</div>
</div></td>
<td>
<p>Resource Generation to which the Condition refers.</p>
</td>
<td>
No
</td>
</tr>
</tbody>

View File

@ -175,26 +175,23 @@ receiving incoming or outgoing HTTP/TCP connections.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Gateway-servers">
<td><code><a href="#Gateway-servers">servers</a></code></td>
<td><code><a href="#Server">Server[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Gateway-servers">servers</a></code></div>
<div class="type"><a href="#Server">Server[]</a></div>
</div></td>
<td>
<p>A list of server specifications.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Gateway-selector">
<td><code><a href="#Gateway-selector">selector</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#Gateway-selector">selector</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which this gateway configuration should be applied.
@ -209,9 +206,6 @@ resource must reside in the same namespace as the gateway workload
instance.
If selector is nil, the Gateway will be applied to all workloads.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -276,27 +270,25 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Server-port">
<td><code><a href="#Server-port">port</a></code></td>
<td><code><a href="#Port">Port</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Server-port">port</a></code></div>
<div class="type"><a href="#Port">Port</a></div>
<div class="required">Required</div>
</div></td>
<td>
<p>The Port on which the proxy should listen for incoming
connections.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Server-bind">
<td><code><a href="#Server-bind">bind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Server-bind">bind</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The ip or the Unix domain socket to which the listener should be bound
to. Format: <code>x.x.x.x</code> or <code>unix:///path/to/uds</code> or <code>unix://@foobar</code>
@ -307,14 +299,13 @@ This is typically used when a gateway needs to communicate to another mesh servi
e.g. publishing metrics. In such case, the server created with the
specified bind will not be available to external gateway clients.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Server-hosts">
<td><code><a href="#Server-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#Server-hosts">hosts</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>One or more hosts exposed by this gateway.
While typically applicable to
@ -343,35 +334,28 @@ Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
<code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Server-tls">
<td><code><a href="#Server-tls">tls</a></code></td>
<td><code><a href="#ServerTLSSettings">ServerTLSSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Server-tls">tls</a></code></div>
<div class="type"><a href="#ServerTLSSettings">ServerTLSSettings</a></div>
</div></td>
<td>
<p>Set of TLS related options that govern the server&rsquo;s behavior. Use
these options to control if all http requests should be redirected to
https, and the TLS modes to use.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Server-name">
<td><code><a href="#Server-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Server-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>An optional name of the server, when set must be unique across all servers.
This will be used for variety of purposes like prefixing stats generated with
this name etc.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -385,46 +369,41 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Port-number">
<td><code><a href="#Port-number">number</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#Port-number">number</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Port-protocol">
<td><code><a href="#Port-protocol">protocol</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Port-protocol">protocol</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
TLS can be either used to terminate non-HTTP based connections on a specific port
or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Port-name">
<td><code><a href="#Port-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#Port-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Label assigned to the port.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
@ -436,77 +415,66 @@ Yes
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServerTLSSettings-https_redirect">
<td><code><a href="#ServerTLSSettings-https_redirect">httpsRedirect</a></code></td>
<td><code>bool</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-https_redirect">httpsRedirect</a></code></div>
<div class="type">bool</div>
</div></td>
<td>
<p>If set to true, the load balancer will send a 301 redirect for
all http connections, asking the clients to use HTTPS.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-mode">
<td><code><a href="#ServerTLSSettings-mode">mode</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSmode">TLSmode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-mode">mode</a></code></div>
<div class="type"><a href="#ServerTLSSettings-TLSmode">TLSmode</a></div>
</div></td>
<td>
<p>Optional: Indicates whether connections to this port should be
<p>Indicates whether connections to this port should be
secured using TLS. The value of this field determines how TLS is
enforced.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-server_certificate">
<td><code><a href="#ServerTLSSettings-server_certificate">serverCertificate</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-server_certificate">serverCertificate</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
holding the server-side TLS certificate to use.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-private_key">
<td><code><a href="#ServerTLSSettings-private_key">privateKey</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-private_key">privateKey</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
holding the server&rsquo;s private key.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-ca_certificates">
<td><code><a href="#ServerTLSSettings-ca_certificates">caCertificates</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_certificates">caCertificates</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED if mode is <code>MUTUAL</code> or <code>OPTIONAL_MUTUAL</code>. The path to a file
containing certificate authority certificates to use in verifying a presented
client side certificate.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-ca_crl">
<td><code><a href="#ServerTLSSettings-ca_crl">caCrl</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_crl">caCrl</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>OPTIONAL: The path to the file containing the certificate revocation list (CRL)
to use in verifying a presented client side certificate. <code>CRL</code> is a list of certificates
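Review bot: the "Optional:" prefix is stripped from the `mode` description (now "Indicates whether connections to this port should be secured using TLS.") but the `caCrl` description in the same hunk still opens with "OPTIONAL: The path to the file containing the certificate revocation list (CRL)", so the cleanup is incomplete; drop that prefix too for consistency with `minProtocolVersion`, `maxProtocolVersion` and `cipherSuites` below. The conditional requirements on `serverCertificate`, `privateKey` and `caCertificates` ("REQUIRED if mode is `SIMPLE` or `MUTUAL`") cannot be expressed by the new required marker, so keeping them in prose is correct, but they should use the same capitalization as the rest of the descriptions.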
@ -514,14 +482,12 @@ that have been revoked by the CA (Certificate Authority) before their scheduled
If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
If omitted, the proxy will not verify the certificate against the <code>crl</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-credential_name">
<td><code><a href="#ServerTLSSettings-credential_name">credentialName</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-credential_name">credentialName</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>For gateways running on Kubernetes, the name of the secret that
holds the TLS certs including the CA certificates. Applicable
@ -536,27 +502,23 @@ and <code>ca.crl</code> for certificate revocation list is also supported.
Only one of server certificates and CA certificate
or credentialName can be specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-subject_alt_names">
<td><code><a href="#ServerTLSSettings-subject_alt_names">subjectAltNames</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-subject_alt_names">subjectAltNames</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of alternate names to verify the subject identity in the
certificate presented by the client.
Requires TLS mode to be set to <code>MUTUAL</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-verify_certificate_spki">
<td><code><a href="#ServerTLSSettings-verify_certificate_spki">verifyCertificateSpki</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-verify_certificate_spki">verifyCertificateSpki</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>An optional list of base64-encoded SHA-256 hashes of the SPKIs of
authorized client certificates.
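Review bot: `subjectAltNames` says "Requires TLS mode to be set to `MUTUAL`." while `caCertificates` earlier in this file is documented as required for `MUTUAL` or `OPTIONAL_MUTUAL`; if client certificate SAN verification also applies under `OPTIONAL_MUTUAL`, this description should say so, and if it does not, a sentence stating that the list is ignored in that mode would prevent an operator from assuming SANs are being checked when they are not.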
@ -564,14 +526,12 @@ Note: When both verify_certificate_hash and verify_certificate_spki
are specified, a hash matching either value will result in the
certificate being accepted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-verify_certificate_hash">
<td><code><a href="#ServerTLSSettings-verify_certificate_hash">verifyCertificateHash</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-verify_certificate_hash">verifyCertificateHash</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>An optional list of hex-encoded SHA-256 hashes of the
authorized client certificates. Both simple and colon separated
@ -580,41 +540,35 @@ Note: When both verify_certificate_hash and verify_certificate_spki
are specified, a hash matching either value will result in the
certificate being accepted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-min_protocol_version">
<td><code><a href="#ServerTLSSettings-min_protocol_version">minProtocolVersion</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-min_protocol_version">minProtocolVersion</a></code></div>
<div class="type"><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></div>
</div></td>
<td>
<p>Optional: Minimum TLS protocol version. By default, it is <code>TLSV1_2</code>.
<p>Minimum TLS protocol version. By default, it is <code>TLSV1_2</code>.
TLS protocol versions below TLSV1_2 require setting compatible ciphers with the
<code>cipherSuites</code> setting as they no longer include compatible ciphers.</p>
<p>Note: Using TLS protocol versions below TLSV1_2 has serious security risks.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-max_protocol_version">
<td><code><a href="#ServerTLSSettings-max_protocol_version">maxProtocolVersion</a></code></td>
<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-max_protocol_version">maxProtocolVersion</a></code></div>
<div class="type"><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></div>
</div></td>
<td>
<p>Optional: Maximum TLS protocol version.</p>
<p>Maximum TLS protocol version.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServerTLSSettings-cipher_suites">
<td><code><a href="#ServerTLSSettings-cipher_suites">cipherSuites</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-cipher_suites">cipherSuites</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>Optional: If specified, only support the specified cipher list.
<p>If specified, only support the specified cipher list.
Otherwise default to the default cipher list supported by Envoy
as specified <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">here</a>.
The supported list of ciphers are:</p>
@ -636,15 +590,12 @@ The supported list of ciphers are:</p>
<li><code>DES-CBC3-SHA</code></li>
</ul>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServerTLSSettings-TLSmode">ServerTLSSettings.TLSmode</h2>
<h3 id="ServerTLSSettings-TLSmode">TLSmode</h3>
<section>
<p>TLS modes enforced by the proxy</p>
@ -727,7 +678,7 @@ be specified for validating client certificates.</p>
</tbody>
</table>
</section>
<h2 id="ServerTLSSettings-TLSProtocol">ServerTLSSettings.TLSProtocol</h2>
<h3 id="ServerTLSSettings-TLSProtocol">TLSProtocol</h3>
<section>
<p>TLS protocol versions.</p>

View File

@ -65,58 +65,48 @@ with the CR taking precedence over the annotation for overlapping fields. Simila
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-selector">
<td><code><a href="#ProxyConfig-selector">selector</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-selector">selector</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Optional. Selectors specify the set of pods/VMs on which this <code>ProxyConfig</code> resource should be applied.
<p>Selectors specify the set of pods/VMs on which this <code>ProxyConfig</code> resource should be applied.
If not set, the <code>ProxyConfig</code> resource will be applied to all workloads in the namespace where this resource is defined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-concurrency">
<td><code><a href="#ProxyConfig-concurrency">concurrency</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-concurrency">concurrency</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></div>
</div></td>
<td>
<p>The number of worker threads to run.
If unset, this will be automatically determined based on CPU limits.
If set to 0, all cores on the machine will be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-environment_variables">
<td><code><a href="#ProxyConfig-environment_variables">environmentVariables</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-environment_variables">environmentVariables</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>Additional environment variables for the proxy.
Names starting with <code>ISTIO_META_</code> will be included in the generated bootstrap configuration and sent to the XDS server.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-image">
<td><code><a href="#ProxyConfig-image">image</a></code></td>
<td><code><a href="#ProxyImage">ProxyImage</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-image">image</a></code></div>
<div class="type"><a href="#ProxyImage">ProxyImage</a></div>
</div></td>
<td>
<p>Specifies the details of the proxy image.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -133,24 +123,20 @@ This information was previously part of the Values API.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ProxyImage-image_type">
<td><code><a href="#ProxyImage-image_type">imageType</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ProxyImage-image_type">imageType</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The image type of the image.
Istio publishes default, debug, and distroless images.
Other values are allowed if those image types (example: centos) are published to the specified hub.
supported values: default, debug, distroless.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
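Review bot: the `imageType` description ends with "supported values: default, debug, distroless." which starts lowercase mid-paragraph and repeats the earlier sentence "Istio publishes default, debug, and distroless images."; merge them into one sentence, e.g. "Supported values are default, debug and distroless; other values are allowed if those image types are published to the specified hub."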

View File

@ -351,15 +351,15 @@ service registry.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntry-hosts">
<td><code><a href="#ServiceEntry-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-hosts">hosts</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The hosts associated with the ServiceEntry. Could be a DNS
name with wildcard prefix.</p>
@ -385,14 +385,12 @@ service accounts associated with the pods of the service, the
SANs specified here will also be verified.</li>
</ol>
</td>
<td>
Yes
</td>
</tr>
<tr id="ServiceEntry-addresses">
<td><code><a href="#ServiceEntry-addresses">addresses</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-addresses">addresses</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>The virtual IP addresses associated with the service. Could be CIDR
prefix. For HTTP traffic, generated route configurations will include http route
@ -409,65 +407,55 @@ simple TCP proxy, forwarding incoming traffic on a specified port to
the specified destination endpoint IP/host. Unix domain socket
addresses are not supported in this field.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-ports">
<td><code><a href="#ServiceEntry-ports">ports</a></code></td>
<td><code><a href="#ServicePort">ServicePort[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-ports">ports</a></code></div>
<div class="type"><a href="#ServicePort">ServicePort[]</a></div>
</div></td>
<td>
<p>The ports associated with the external service. If the
Endpoints are Unix domain socket addresses, there must be exactly one
port.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-location">
<td><code><a href="#ServiceEntry-location">location</a></code></td>
<td><code><a href="#ServiceEntry-Location">Location</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-location">location</a></code></div>
<div class="type"><a href="#ServiceEntry-Location">Location</a></div>
</div></td>
<td>
<p>Specify whether the service should be considered external to the mesh
or part of the mesh.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-resolution">
<td><code><a href="#ServiceEntry-resolution">resolution</a></code></td>
<td><code><a href="#ServiceEntry-Resolution">Resolution</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-resolution">resolution</a></code></div>
<div class="type"><a href="#ServiceEntry-Resolution">Resolution</a></div>
</div></td>
<td>
<p>Service resolution mode for the hosts. Care must be taken
when setting the resolution mode to NONE for a TCP port without
accompanying IP addresses. In such cases, traffic to any IP on
said port will be allowed (i.e. <code>0.0.0.0:&lt;port&gt;</code>).</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-endpoints">
<td><code><a href="#ServiceEntry-endpoints">endpoints</a></code></td>
<td><code><a href="/zh/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-endpoints">endpoints</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry[]</a></div>
</div></td>
<td>
<p>One or more endpoints associated with the service. Only one of
<code>endpoints</code> or <code>workloadSelector</code> can be specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-workload_selector">
<td><code><a href="#ServiceEntry-workload_selector">workloadSelector</a></code></td>
<td><code><a href="/zh/docs/reference/config/networking/sidecar/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-workload_selector">workloadSelector</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/networking/sidecar/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Applicable only for MESH_INTERNAL services. Only one of
<code>endpoints</code> or <code>workloadSelector</code> can be specified. Selects one
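Review bot: the resolution row carries the one caveat in this table with direct security impact: with resolution NONE on a TCP port and no accompanying addresses, traffic to any IP on that port is allowed (0.0.0.0:&lt;port&gt;). It sits in running text and is easy to skim past, whereas comparable caveats on the WorkloadEntry page are rendered as a bold NOTE paragraph. Suggest the same treatment here, plus a cross-reference from the addresses row, which is where a reader deciding whether to omit addresses will look.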
@ -476,14 +464,12 @@ or more Kubernetes pods or VM workloads (specified using
representing the VMs should be defined in the same namespace as
the ServiceEntry.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-export_to">
<td><code><a href="#ServiceEntry-export_to">exportTo</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-export_to">exportTo</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of namespaces to which this service is exported. Exporting a service
allows it to be used by sidecars, gateways and virtual services defined in
@ -499,14 +485,12 @@ defines an export to all namespaces.</p>
the annotation &ldquo;networking.istio.io/exportTo&rdquo; to a comma-separated list
of namespace names.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntry-subject_alt_names">
<td><code><a href="#ServiceEntry-subject_alt_names">subjectAltNames</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ServiceEntry-subject_alt_names">subjectAltNames</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>If specified, the proxy will verify that the server certificate&rsquo;s
subject alternate name matches one of the specified values.</p>
@ -515,181 +499,12 @@ service account specified in the workloadEntry will also be used
to derive the additional subject alternate names that should be
verified.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServicePort">ServicePort</h2>
<section>
<p>ServicePort describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServicePort-number">
<td><code><a href="#ServicePort-number">number</a></code></td>
<td><code>uint32</code></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ServicePort-protocol">
<td><code><a href="#ServicePort-protocol">protocol</a></code></td>
<td><code>string</code></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS implies the connection will be routed based on the SNI header to
the destination without terminating the TLS connection.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServicePort-name">
<td><code><a href="#ServicePort-name">name</a></code></td>
<td><code>string</code></td>
<td>
<p>Label assigned to the port.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ServicePort-target_port">
<td><code><a href="#ServicePort-target_port">targetPort</a></code></td>
<td><code>uint32</code></td>
<td>
<p>The port number on the endpoint where the traffic will be
received. If unset, default to <code>number</code>.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryStatus">ServiceEntryStatus</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryStatus-conditions">
<td><code><a href="#ServiceEntryStatus-conditions">conditions</a></code></td>
<td><code><a href="/zh/docs/reference/config/meta/v1beta1/istio-status/#IstioCondition">IstioCondition[]</a></code></td>
<td>
<p>Current service state of ServiceEntry.
More info: <a href="/zh/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryStatus-validation_messages">
<td><code><a href="#ServiceEntryStatus-validation_messages">validationMessages</a></code></td>
<td><code><a href="/zh/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></code></td>
<td>
<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryStatus-observed_generation">
<td><code><a href="#ServiceEntryStatus-observed_generation">observedGeneration</a></code></td>
<td><code>int64</code></td>
<td>
<p>Resource Generation to which the Reconciled Condition refers.
When this value is not equal to the object&rsquo;s metadata generation, reconciled condition calculation for the current
generation is still in progress. See <a href="/latest/docs/reference/config/config-status/">https://istio.io/latest/docs/reference/config/config-status/</a> for more info.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryStatus-addresses">
<td><code><a href="#ServiceEntryStatus-addresses">addresses</a></code></td>
<td><code><a href="#ServiceEntryAddress">ServiceEntryAddress[]</a></code></td>
<td>
<p>List of addresses which were assigned to this ServiceEntry.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
<section>
<p>A minor abstraction to allow for adding hostnames if relevant.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryAddress-value">
<td><code><a href="#ServiceEntryAddress-value">value</a></code></td>
<td><code>string</code></td>
<td>
<p>The address (e.g. 192.168.0.2)</p>
</td>
<td>
No
</td>
</tr>
<tr id="ServiceEntryAddress-host">
<td><code><a href="#ServiceEntryAddress-host">host</a></code></td>
<td><code>string</code></td>
<td>
<p>The host name associated with this address</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntry-Location">ServiceEntry.Location</h2>
<h3 id="ServiceEntry-Location">Location</h3>
<section>
<p>Location specifies whether the service is part of Istio mesh or
outside the mesh. Location determines the behavior of several
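Review bot: the heading at the end of this hunk drops the enclosing message name (h2 "ServiceEntry.Location" becomes h3 "Location") while keeping id="ServiceEntry-Location". The preserved id means existing deep links keep working, but the visible title is now ambiguous unless the h3 is nested under the ServiceEntry section in the rendered table of contents; please confirm that nesting. The rest of the hunk removes the old four-column ServicePort, ServiceEntryStatus and ServiceEntryAddress tables, which reappear later in this file in the two-column layout; diffing those two copies is the quickest way to confirm that only the markup changed and none of the descriptions did.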
@ -725,7 +540,7 @@ Kubernetes based service mesh).</p>
</tbody>
</table>
</section>
<h2 id="ServiceEntry-Resolution">ServiceEntry.Resolution</h2>
<h3 id="ServiceEntry-Resolution">Resolution</h3>
<section>
<p>Resolution determines how the proxy will resolve the IP addresses of
the network endpoints associated with the service, so that it can
@ -797,3 +612,145 @@ cannot be used with Unix domain socket endpoints.</p>
</tbody>
</table>
</section>
<h2 id="ServicePort">ServicePort</h2>
<section>
<p>ServicePort describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ServicePort-number">
<td><div class="field"><div class="name"><code><a href="#ServicePort-number">number</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
</tr>
<tr id="ServicePort-protocol">
<td><div class="field"><div class="name"><code><a href="#ServicePort-protocol">protocol</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS implies the connection will be routed based on the SNI header to
the destination without terminating the TLS connection.</p>
</td>
</tr>
<tr id="ServicePort-name">
<td><div class="field"><div class="name"><code><a href="#ServicePort-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Label assigned to the port.</p>
</td>
</tr>
<tr id="ServicePort-target_port">
<td><div class="field"><div class="name"><code><a href="#ServicePort-target_port">targetPort</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>The port number on the endpoint where the traffic will be
received. If unset, default to <code>number</code>.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryStatus">ServiceEntryStatus</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryStatus-conditions">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-conditions">conditions</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/meta/v1beta1/istio-status/#IstioCondition">IstioCondition[]</a></div>
</div></td>
<td>
<p>Current service state of ServiceEntry.
More info: <a href="/zh/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
</td>
</tr>
<tr id="ServiceEntryStatus-validation_messages">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-validation_messages">validationMessages</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/istio.analysis.v1alpha1/#AnalysisMessageBase">AnalysisMessageBase[]</a></div>
</div></td>
<td>
<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
</td>
</tr>
<tr id="ServiceEntryStatus-observed_generation">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-observed_generation">observedGeneration</a></code></div>
<div class="type">int64</div>
</div></td>
<td>
<p>Resource Generation to which the Reconciled Condition refers.
When this value is not equal to the object&rsquo;s metadata generation, reconciled condition calculation for the current
generation is still in progress. See <a href="/latest/docs/reference/config/config-status/">https://istio.io/latest/docs/reference/config/config-status/</a> for more info.</p>
</td>
</tr>
<tr id="ServiceEntryStatus-addresses">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-addresses">addresses</a></code></div>
<div class="type"><a href="#ServiceEntryAddress">ServiceEntryAddress[]</a></div>
</div></td>
<td>
<p>List of addresses which were assigned to this ServiceEntry.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
<section>
<p>A minor abstraction to allow for adding hostnames if relevant.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ServiceEntryAddress-value">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryAddress-value">value</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The address (e.g. 192.168.0.2)</p>
</td>
</tr>
<tr id="ServiceEntryAddress-host">
<td><div class="field"><div class="name"><code><a href="#ServiceEntryAddress-host">host</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The host name associated with this address</p>
</td>
</tr>
</tbody>
</table>
</section>
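Review bot: inconsistent link target in the observedGeneration row: its "See ... for more info" link points at /latest/docs/reference/config/config-status/, while the conditions row two rows above links the same page at /zh/docs/reference/config/config-status/, so one of the two escapes the localized site. Suggest rewriting the first to the /zh/ path. Two smaller points in the same hunk: the ServiceEntryStatus section has no introductory paragraph, unlike ServicePort and ServiceEntryAddress, and the host row description ("The host name associated with this address") lacks a closing period.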


@ -316,28 +316,25 @@ attached.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Sidecar-workload_selector">
<td><code><a href="#Sidecar-workload_selector">workloadSelector</a></code></td>
<td><code><a href="#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-workload_selector">workloadSelector</a></code></div>
<div class="type"><a href="#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Criteria used to select the specific set of pods/VMs on which this
<code>Sidecar</code> configuration should be applied. If omitted, the <code>Sidecar</code>
configuration will be applied to all workload instances in the same namespace.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-ingress">
<td><code><a href="#Sidecar-ingress">ingress</a></code></td>
<td><code><a href="#IstioIngressListener">IstioIngressListener[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-ingress">ingress</a></code></div>
<div class="type"><a href="#IstioIngressListener">IstioIngressListener[]</a></div>
</div></td>
<td>
<p>Ingress specifies the configuration of the sidecar for processing
inbound traffic to the attached workload instance. If omitted, Istio will
@ -346,28 +343,24 @@ obtained from the orchestration platform (e.g., exposed ports, services,
etc.). If specified, inbound ports are configured if and only if the
workload instance is associated with a service.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-egress">
<td><code><a href="#Sidecar-egress">egress</a></code></td>
<td><code><a href="#IstioEgressListener">IstioEgressListener[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-egress">egress</a></code></div>
<div class="type"><a href="#IstioEgressListener">IstioEgressListener[]</a></div>
</div></td>
<td>
<p>Egress specifies the configuration of the sidecar for processing
outbound traffic from the attached workload instance to other
services in the mesh. If not specified, inherits the system
detected defaults from the namespace-wide or the global default Sidecar.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-inbound_connection_pool">
<td><code><a href="#Sidecar-inbound_connection_pool">inboundConnectionPool</a></code></td>
<td><code><a href="/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-inbound_connection_pool">inboundConnectionPool</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></div>
</div></td>
<td>
<p>Settings controlling the volume of connections Envoy will accept from the network.
This default will apply for all inbound listeners and can be overridden per-port
@ -393,22 +386,17 @@ following precedence, highest to lowest:</p>
</ul>
<p>In every case, the connection pool settings are overridden, not merged.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-outbound_traffic_policy">
<td><code><a href="#Sidecar-outbound_traffic_policy">outboundTrafficPolicy</a></code></td>
<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td><div class="field"><div class="name"><code><a href="#Sidecar-outbound_traffic_policy">outboundTrafficPolicy</a></code></div>
<div class="type"><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></div>
</div></td>
<td>
<p>Set the default behavior of the sidecar for handling outbound
traffic from the application.</p>
<p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
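Review bot: the outboundTrafficPolicy row states that the default mode ALLOW_ANY lets outbound traffic to unknown destinations through, but gives the reader no pointer to the restrictive alternative. Suggest linking ALLOW_ANY (or the whole sentence) to the OutboundTrafficPolicy.Mode enum table in this file, so that an operator tightening egress finds the other value without scrolling.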
@ -423,26 +411,24 @@ traffic listener on the sidecar proxy attached to a workload instance.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioIngressListener-port">
<td><code><a href="#IstioIngressListener-port">port</a></code></td>
<td><code><a href="#SidecarPort">SidecarPort</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-port">port</a></code></div>
<div class="type"><a href="#SidecarPort">SidecarPort</a></div>
<div class="required">Required</div>
</div></td>
<td>
<p>The port associated with the listener.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="IstioIngressListener-bind">
<td><code><a href="#IstioIngressListener-bind">bind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-bind">bind</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The IP(IPv4 or IPv6) to which the listener should be bound.
Unix domain socket addresses are not allowed in
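Review bot: style point in the bind row: "The IP(IPv4 or IPv6)" is missing a space before the parenthesis. The same wording appears in the IstioEgressListener bind row later in this file ("The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to", which also has a redundant trailing "to"); fix both in the proto comment.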
@ -451,26 +437,22 @@ automatically configure the defaults based on imported services
and the workload instances to which this configuration is applied
to.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-capture_mode">
<td><code><a href="#IstioIngressListener-capture_mode">captureMode</a></code></td>
<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-capture_mode">captureMode</a></code></div>
<div class="type"><a href="#CaptureMode">CaptureMode</a></div>
</div></td>
<td>
<p>The captureMode option dictates how traffic to the listener is
expected to be captured (or not).</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-default_endpoint">
<td><code><a href="#IstioIngressListener-default_endpoint">defaultEndpoint</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-default_endpoint">defaultEndpoint</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The IP endpoint or Unix domain socket to which
traffic should be forwarded to. This configuration can be used to
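Review bot: two redundant prepositions in this hunk's descriptions: "the workload instances to which this configuration is applied to" (bind row) and "to which traffic should be forwarded to" (defaultEndpoint row). Drop the trailing "to" in each.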
@ -481,27 +463,23 @@ connections. Arbitrary IPs are not supported. Format should be one of
<code>0.0.0.0:PORT</code>, <code>[::]:PORT</code> (forward to the instance IP),
or <code>unix:///path/to/socket</code> (forward to Unix domain socket).</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-tls">
<td><code><a href="#IstioIngressListener-tls">tls</a></code></td>
<td><code><a href="/zh/docs/reference/config/networking/gateway/#ServerTLSSettings">ServerTLSSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-tls">tls</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/networking/gateway/#ServerTLSSettings">ServerTLSSettings</a></div>
</div></td>
<td>
<p>Set of TLS related options that will enable TLS termination on the
sidecar for requests originating from outside the mesh.
Currently supports only SIMPLE and MUTUAL TLS modes.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-connection_pool">
<td><code><a href="#IstioIngressListener-connection_pool">connectionPool</a></code></td>
<td><code><a href="/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-connection_pool">connectionPool</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings">ConnectionPoolSettings</a></div>
</div></td>
<td>
<p>Settings controlling the volume of connections Envoy will accept from the network.
This setting overrides the top-level default <code>inboundConnectionPool</code> to configure
@ -511,9 +489,6 @@ This port level connection pool has the highest precedence in configuration,
overriding both the <code>Sidecar</code>&rsquo;s top level <code>InboundConnectionPool</code> as well as any
connection pooling settings from the <code>DestinationRule</code>.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
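Review bot: the connectionPool description refers to the Sidecar's top-level field as InboundConnectionPool (capital I), while the field is rendered as inboundConnectionPool in the Sidecar table and anchored as Sidecar-inbound_connection_pool. Use the camelCase field name so the two rows agree and a reader can search for it.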
@ -528,15 +503,14 @@ listener on the sidecar proxy attached to a workload instance.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioEgressListener-port">
<td><code><a href="#IstioEgressListener-port">port</a></code></td>
<td><code><a href="#SidecarPort">SidecarPort</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-port">port</a></code></div>
<div class="type"><a href="#SidecarPort">SidecarPort</a></div>
</div></td>
<td>
<p>The port associated with the listener. If using Unix domain socket,
use 0 as the port number, with a valid protocol. The port if
@ -548,14 +522,12 @@ specific ports while others have no port, the hosts exposed on a
listener port will be based on the listener with the most specific
port.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-bind">
<td><code><a href="#IstioEgressListener-bind">bind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-bind">bind</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound
to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or
@ -565,27 +537,24 @@ services, the workload instances to which this configuration is applied to and
the captureMode. If captureMode is <code>NONE</code>, bind will default to
127.0.0.1.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-capture_mode">
<td><code><a href="#IstioEgressListener-capture_mode">captureMode</a></code></td>
<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-capture_mode">captureMode</a></code></div>
<div class="type"><a href="#CaptureMode">CaptureMode</a></div>
</div></td>
<td>
<p>When the bind address is an IP, the captureMode option dictates
how traffic to the listener is expected to be captured (or not).
captureMode must be DEFAULT or <code>NONE</code> for Unix domain socket binds.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-hosts">
<td><code><a href="#IstioEgressListener-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-hosts">hosts</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>One or more service hosts exposed by the listener
in <code>namespace/dnsName</code> format. Services in the specified namespace
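Review bot: inconsistent formatting in the captureMode row: "captureMode must be DEFAULT or <code>NONE</code>" wraps only one of the two enum values in <code>. Also in this hunk, the bind row's sentence "If captureMode is NONE, bind will default to 127.0.0.1" is the behaviour that keeps an uncaptured egress listener loopback-only; suggest promoting it to a NOTE paragraph so it is not lost in the list of defaults.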
@ -612,9 +581,6 @@ Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
not be available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
<code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
@ -636,24 +602,20 @@ label based selection mechanism is supported.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadSelector-labels">
<td><code><a href="#WorkloadSelector-labels">labels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadSelector-labels">labels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which the configuration should be applied. The scope of
label search is restricted to the configuration namespace in which the
the resource is present.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
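Review bot: typo in the labels row: "in which the the resource is present" doubles "the". Since the page is generated, the fix belongs in the WorkloadSelector proto comment.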
@ -668,78 +630,21 @@ handling unknown outbound traffic from the application.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="OutboundTrafficPolicy-mode">
<td><code><a href="#OutboundTrafficPolicy-mode">mode</a></code></td>
<td><code><a href="#OutboundTrafficPolicy-Mode">Mode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#OutboundTrafficPolicy-mode">mode</a></code></div>
<div class="type"><a href="#OutboundTrafficPolicy-Mode">Mode</a></div>
</div></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="SidecarPort">SidecarPort</h2>
<section>
<p>Port describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="SidecarPort-number">
<td><code><a href="#SidecarPort-number">number</a></code></td>
<td><code>uint32</code></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
<td>
No
</td>
</tr>
<tr id="SidecarPort-protocol">
<td><code><a href="#SidecarPort-protocol">protocol</a></code></td>
<td><code>string</code></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS can be either used to terminate non-HTTP based connections on a specific port
or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
</td>
<td>
No
</td>
</tr>
<tr id="SidecarPort-name">
<td><code><a href="#SidecarPort-name">name</a></code></td>
<td><code>string</code></td>
<td>
<p>Label assigned to the port.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="OutboundTrafficPolicy-Mode">OutboundTrafficPolicy.Mode</h2>
<h3 id="OutboundTrafficPolicy-Mode">Mode</h3>
<section>
<table class="enum-values">
<thead>
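Review bot: the mode row of OutboundTrafficPolicy has an empty description cell, which in a generated table usually means the proto field has no comment. Suggest a one-line description (that it selects how unknown outbound traffic from the application is handled, per the message's own intro) with a link to the Mode enum table that follows.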
@ -768,6 +673,51 @@ Unknown destination traffic will have limited functionality, however, such as re
This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
to arbitrary destinations.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="SidecarPort">SidecarPort</h2>
<section>
<p>Port describes the properties of a specific port of a service.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="SidecarPort-number">
<td><div class="field"><div class="name"><code><a href="#SidecarPort-number">number</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>A valid non-negative integer port number.</p>
</td>
</tr>
<tr id="SidecarPort-protocol">
<td><div class="field"><div class="name"><code><a href="#SidecarPort-protocol">protocol</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The protocol exposed on the port.
MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
TLS can be either used to terminate non-HTTP based connections on a specific port
or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
</td>
</tr>
<tr id="SidecarPort-name">
<td><div class="field"><div class="name"><code><a href="#SidecarPort-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Label assigned to the port.</p>
</td>
</tr>
</tbody>
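Review bot: SidecarPort.number and SidecarPort.name carry no Required marker, while the equivalent ServicePort rows in this commit render <div class="required">Required</div> for both. If that difference reflects the proto it is fine; otherwise the Sidecar port fields are silently documented as optional. Also the section intro reads "Port describes the properties of a specific port of a service." while the heading is SidecarPort; align the two.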


@ -128,15 +128,14 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadEntry-address">
<td><code><a href="#WorkloadEntry-address">address</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-address">address</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Address associated with the network endpoint without the
port. Domain names can be used if and only if the resolution is set
@ -144,14 +143,12 @@ to DNS, and must be fully-qualified without wildcards. Use the form
unix:///absolute/path/to/socket for Unix domain socket endpoints.
If address is empty, network must be specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-ports">
<td><code><a href="#WorkloadEntry-ports">ports</a></code></td>
<td><code>map&lt;string,&nbsp;uint32&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-ports">ports</a></code></div>
<div class="type">map&lt;string,&nbsp;uint32&gt;</div>
</div></td>
<td>
<p>Set of ports associated with the endpoint. If the port map is
specified, it must be a map of servicePortName to this endpoint&rsquo;s
@ -166,25 +163,21 @@ the same port.</p>
<p><strong>NOTE 1:</strong> Do not use for <code>unix://</code> addresses.</p>
<p><strong>NOTE 2:</strong> endpoint port map takes precedence over targetPort.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-labels">
<td><code><a href="#WorkloadEntry-labels">labels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-labels">labels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels associated with the endpoint.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-network">
<td><code><a href="#WorkloadEntry-network">network</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-network">network</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Network enables Istio to group endpoints resident in the same L3
domain/network. All endpoints in the same network are assumed to be
@ -195,14 +188,12 @@ used to establish connectivity (usually using the
an advanced configuration used typically for spanning an Istio mesh
over multiple clusters. Required if address is not provided.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-locality">
<td><code><a href="#WorkloadEntry-locality">locality</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-locality">locality</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The locality associated with the endpoint. A locality corresponds
to a failure domain (e.g., country/region/zone). Arbitrary failure
@ -222,35 +213,28 @@ locality. Endpoint e2 could be the IP associated with a gateway
(that bridges networks n1 and n2), or the IP associated with a
standard service endpoint.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-weight">
<td><code><a href="#WorkloadEntry-weight">weight</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-weight">weight</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>The load balancing weight associated with the endpoint. Endpoints
with higher weights will receive proportionally higher traffic.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadEntry-service_account">
<td><code><a href="#WorkloadEntry-service_account">serviceAccount</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-service_account">serviceAccount</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The service account associated with the workload if a sidecar
is present in the workload. The service account must be present
in the same namespace as the configuration ( WorkloadEntry or a
ServiceEntry)</p>
</td>
<td>
No
</td>
</tr>
</tbody>
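Review bot: the `serviceAccount` description in row `WorkloadEntry-service_account` has a stray space after the opening parenthesis and no terminating period: "in the same namespace as the configuration ( WorkloadEntry or a ServiceEntry)". Suggest "in the same namespace as the configuration (WorkloadEntry or ServiceEntry)." These are unchanged context lines, but the row is being restructured anyway, so it is a cheap fix to fold in.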

View File

@ -65,27 +65,25 @@ and as such doesn&rsquo;t configure host name for these workloads.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadGroup-metadata">
<td><code><a href="#WorkloadGroup-metadata">metadata</a></code></td>
<td><code><a href="#WorkloadGroup-ObjectMeta">ObjectMeta</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-metadata">metadata</a></code></div>
<div class="type"><a href="#WorkloadGroup-ObjectMeta">ObjectMeta</a></div>
</div></td>
<td>
<p>Metadata that will be used for all corresponding <code>WorkloadEntries</code>.
User labels for a workload group should be set here in <code>metadata</code> rather than in <code>template</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadGroup-template">
<td><code><a href="#WorkloadGroup-template">template</a></code></td>
<td><code><a href="/zh/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-template">template</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/networking/workload-entry/#WorkloadEntry">WorkloadEntry</a></div>
<div class="required">Required</div>
</div></td>
<td>
<p>Template to be used for the generation of <code>WorkloadEntry</code> resources that belong to this <code>WorkloadGroup</code>.
Please note that <code>address</code> and <code>labels</code> fields should not be set in the template, and an empty <code>serviceAccount</code>
@ -93,21 +91,50 @@ should default to <code>default</code>. The workload identities (mTLS certificat
specified service account&rsquo;s token. Workload entries in this group will be in the same namespace as the
workload group, and inherit the labels and annotations from the above <code>metadata</code> field.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="WorkloadGroup-probe">
<td><code><a href="#WorkloadGroup-probe">probe</a></code></td>
<td><code><a href="#ReadinessProbe">ReadinessProbe</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-probe">probe</a></code></div>
<div class="type"><a href="#ReadinessProbe">ReadinessProbe</a></div>
</div></td>
<td>
<p><code>ReadinessProbe</code> describes the configuration the user must provide for healthchecking on their workload.
This configuration mirrors K8S in both syntax and logic for the most part.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="WorkloadGroup-ObjectMeta">ObjectMeta</h3>
<section>
<p><code>ObjectMeta</code> describes metadata that will be attached to a <code>WorkloadEntry</code>.
It is a subset of the supported Kubernetes metadata.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadGroup-ObjectMeta-labels">
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-ObjectMeta-labels">labels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
No
<p>Labels to attach</p>
</td>
</tr>
<tr id="WorkloadGroup-ObjectMeta-annotations">
<td><div class="field"><div class="name"><code><a href="#WorkloadGroup-ObjectMeta-annotations">annotations</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>Annotations to attach</p>
</td>
</tr>
</tbody>
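Review bot: in the new `WorkloadGroup-ObjectMeta-labels` row there is a bare `No` sitting between `<td>` and `<p>Labels to attach</p>`. In the old four-column layout that `No` was a Required cell; the new two-column table has no such column, so if that line is on the added side rather than the removed side it will render as stray text inside the description cell. Please confirm the line is a deletion, and that the new section's header (`Field` / `Description`) matches the rows, which no longer carry a separate Required cell.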
@ -119,114 +146,94 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ReadinessProbe-initial_delay_seconds">
<td><code><a href="#ReadinessProbe-initial_delay_seconds">initialDelaySeconds</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-initial_delay_seconds">initialDelaySeconds</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Number of seconds after the container has started before readiness probes are initiated.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-timeout_seconds">
<td><code><a href="#ReadinessProbe-timeout_seconds">timeoutSeconds</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-timeout_seconds">timeoutSeconds</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Number of seconds after which the probe times out.
Defaults to 1 second. Minimum value is 1 second.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-period_seconds">
<td><code><a href="#ReadinessProbe-period_seconds">periodSeconds</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-period_seconds">periodSeconds</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>How often (in seconds) to perform the probe.
Default to 10 seconds. Minimum value is 1 second.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-success_threshold">
<td><code><a href="#ReadinessProbe-success_threshold">successThreshold</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-success_threshold">successThreshold</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1 second.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-failure_threshold">
<td><code><a href="#ReadinessProbe-failure_threshold">failureThreshold</a></code></td>
<td><code>int32</code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-failure_threshold">failureThreshold</a></code></div>
<div class="type">int32</div>
</div></td>
<td>
<p>Minimum consecutive failures for the probe to be considered failed after having succeeded.
Defaults to 3 seconds.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-http_get" class="oneof oneof-start">
<td><code><a href="#ReadinessProbe-http_get">httpGet</a></code></td>
<td><code><a href="#HTTPHealthCheckConfig">HTTPHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-http_get">httpGet</a></code></div>
<div class="type"><a href="#HTTPHealthCheckConfig">HTTPHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p><code>httpGet</code> is performed to a given endpoint
and the status/able to connect determines health.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-tcp_socket" class="oneof">
<td><code><a href="#ReadinessProbe-tcp_socket">tcpSocket</a></code></td>
<td><code><a href="#TCPHealthCheckConfig">TCPHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-tcp_socket">tcpSocket</a></code></div>
<div class="type"><a href="#TCPHealthCheckConfig">TCPHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p>Health is determined by if the proxy is able to connect.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-exec" class="oneof">
<td><code><a href="#ReadinessProbe-exec">exec</a></code></td>
<td><code><a href="#ExecHealthCheckConfig">ExecHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-exec">exec</a></code></div>
<div class="type"><a href="#ExecHealthCheckConfig">ExecHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p>Health is determined by how the command that is executed exited.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ReadinessProbe-grpc" class="oneof">
<td><code><a href="#ReadinessProbe-grpc">grpc</a></code></td>
<td><code><a href="#GrpcHealthCheckConfig">GrpcHealthCheckConfig (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#ReadinessProbe-grpc">grpc</a></code></div>
<div class="type"><a href="#GrpcHealthCheckConfig">GrpcHealthCheckConfig (oneof)</a></div>
</div></td>
<td>
<p>GRPC call is made and response/error is used to determine health.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
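Review bot: the `successThreshold` and `failureThreshold` rows state "Defaults to 1 second." and "Defaults to 3 seconds.", but both fields are described as counts of consecutive successes/failures, so the unit is wrong; suggest "Defaults to 1." and "Defaults to 3." Also "Default to 10 seconds." in `periodSeconds` should read "Defaults to 10 seconds." to match the neighbouring rows. The `httpGet` description ("the status/able to connect determines health") would read better as "the HTTP status, or failure to connect, determines health."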
@ -238,67 +245,56 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="HTTPHealthCheckConfig-path">
<td><code><a href="#HTTPHealthCheckConfig-path">path</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-path">path</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Path to access on the HTTP server.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHealthCheckConfig-port">
<td><code><a href="#HTTPHealthCheckConfig-port">port</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-port">port</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Port on which the endpoint lives.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="HTTPHealthCheckConfig-host">
<td><code><a href="#HTTPHealthCheckConfig-host">host</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-host">host</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Host name to connect to, defaults to the pod IP. You probably want to set
&ldquo;Host&rdquo; in httpHeaders instead.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHealthCheckConfig-scheme">
<td><code><a href="#HTTPHealthCheckConfig-scheme">scheme</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-scheme">scheme</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>HTTP or HTTPS, defaults to HTTP</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHealthCheckConfig-http_headers">
<td><code><a href="#HTTPHealthCheckConfig-http_headers">httpHeaders</a></code></td>
<td><code><a href="#HTTPHeader">HTTPHeader[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHealthCheckConfig-http_headers">httpHeaders</a></code></div>
<div class="type"><a href="#HTTPHeader">HTTPHeader[]</a></div>
</div></td>
<td>
<p>Headers the proxy will pass on to make the request.
Allows repeated headers.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -310,32 +306,26 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="GrpcHealthCheckConfig-port">
<td><code><a href="#GrpcHealthCheckConfig-port">port</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#GrpcHealthCheckConfig-port">port</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>Port on which the endpoint lives.</p>
</td>
<td>
No
</td>
</tr>
<tr id="GrpcHealthCheckConfig-service">
<td><code><a href="#GrpcHealthCheckConfig-service">service</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#GrpcHealthCheckConfig-service">service</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Service is the fully qualified name of the service to send the grpc health check request</p>
</td>
<td>
No
</td>
</tr>
</tbody>
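Review bot: `GrpcHealthCheckConfig-port` carries no `<div class="required">Required</div>` in its field cell, while the `port` fields of `HTTPHealthCheckConfig` and `TCPHealthCheckConfig` in this same file are marked Required. That matches the old table (this row showed "No", the other two showed "Yes"), so the generator is faithful, but a probe without a port cannot be performed; worth checking against the proto whether the gRPC port was meant to be required as well before this lands, since readers will compare the three tables side by side.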
@ -347,32 +337,26 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="HTTPHeader-name">
<td><code><a href="#HTTPHeader-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHeader-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The header field name</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPHeader-value">
<td><code><a href="#HTTPHeader-value">value</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#HTTPHeader-value">value</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The header field value</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -384,32 +368,27 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="TCPHealthCheckConfig-host">
<td><code><a href="#TCPHealthCheckConfig-host">host</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#TCPHealthCheckConfig-host">host</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Host to connect to, defaults to localhost</p>
</td>
<td>
No
</td>
</tr>
<tr id="TCPHealthCheckConfig-port">
<td><code><a href="#TCPHealthCheckConfig-port">port</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#TCPHealthCheckConfig-port">port</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Port of host</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
@ -421,61 +400,18 @@ Yes
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ExecHealthCheckConfig-command">
<td><code><a href="#ExecHealthCheckConfig-command">command</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#ExecHealthCheckConfig-command">command</a></code></div>
<div class="type">string[]</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="WorkloadGroup-ObjectMeta">WorkloadGroup.ObjectMeta</h2>
<section>
<p><code>ObjectMeta</code> describes metadata that will be attached to a <code>WorkloadEntry</code>.
It is a subset of the supported Kubernetes metadata.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadGroup-ObjectMeta-labels">
<td><code><a href="#WorkloadGroup-ObjectMeta-labels">labels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Labels to attach</p>
</td>
<td>
No
</td>
</tr>
<tr id="WorkloadGroup-ObjectMeta-annotations">
<td><code><a href="#WorkloadGroup-ObjectMeta-annotations">annotations</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Annotations to attach</p>
</td>
<td>
No
</td>
</tr>
</tbody>
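Review bot: this hunk removes the `<h2 id="WorkloadGroup-ObjectMeta">` section, and an `<h3>` with the same `id` is added earlier in the file, so the `#WorkloadGroup-ObjectMeta` link in the `metadata` row's type cell keeps resolving. Please confirm the rendered file ends up with exactly one element carrying that `id`; if both headings survive (for example if the removal here is only partial) the page has a duplicate `id` and the anchor will jump to whichever comes first.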

View File

@ -178,15 +178,14 @@ the Istio proxy through WebAssembly filters.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WasmPlugin-selector">
<td><code><a href="#WasmPlugin-selector">selector</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-selector">selector</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Criteria used to select the specific set of pods/VMs on which
this plugin configuration should be applied. If omitted, this
@ -196,16 +195,14 @@ namespace, it will be applied to all applicable workloads in any
namespace.</p>
<p>At most, only one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-targetRefs">
<td><code><a href="#WasmPlugin-targetRefs">targetRefs</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-targetRefs">targetRefs</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></div>
</div></td>
<td>
<p>Optional. The targetRefs specifies a list of resources the policy should be
<p>The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
@ -221,14 +218,13 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-url">
<td><code><a href="#WasmPlugin-url">url</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-url">url</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>URL of a Wasm module or OCI container. If no scheme is present,
defaults to <code>oci://</code>, referencing an OCI image. Other valid schemes
@ -236,14 +232,12 @@ are <code>file://</code> for referencing .wasm module files present locally
within the proxy container, and <code>http[s]://</code> for <code>.wasm</code> module files
hosted remotely.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="WasmPlugin-sha256">
<td><code><a href="#WasmPlugin-sha256">sha256</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-sha256">sha256</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>SHA256 checksum that will be used to verify Wasm module or OCI container.
If the <code>url</code> field already references a SHA256 (using the <code>@sha256:</code>
@ -251,14 +245,12 @@ notation), it must match the value of this field. If an OCI image is
referenced by tag and this field is set, its checksum will be verified
against the contents of this field after pulling.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-image_pull_policy">
<td><code><a href="#WasmPlugin-image_pull_policy">imagePullPolicy</a></code></td>
<td><code><a href="#PullPolicy">PullPolicy</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_policy">imagePullPolicy</a></code></div>
<div class="type"><a href="#PullPolicy">PullPolicy</a></div>
</div></td>
<td>
<p>The pull behaviour to be applied when fetching Wasm module by either
OCI image or <code>http/https</code>. Only relevant when referencing Wasm module without
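Review bot: the `sha256` row (spanning this hunk and the previous one) describes how the checksum is used for verification, but the field cell has no `<div class="required">` and the text never says what happens when the field is omitted, in particular for `http[s]://` URLs and for OCI images referenced by tag, which is exactly when a reader deciding whether to set it needs to know. Suggest one sentence stating the behaviour when `sha256` is unset, next to "its checksum will be verified against the contents of this field after pulling."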
@ -267,63 +259,53 @@ Defaults to <code>IfNotPresent</code>, except when an OCI image is referenced in
and the <code>latest</code> tag is used, in which case <code>Always</code> is the default,
mirroring Kubernetes behaviour.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-image_pull_secret">
<td><code><a href="#WasmPlugin-image_pull_secret">imagePullSecret</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_secret">imagePullSecret</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Credentials to use for OCI image pulling.
Name of a Kubernetes Secret in the same namespace as the <code>WasmPlugin</code> that
contains a Docker pull secret which is to be used to authenticate
against the registry when pulling the image.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-plugin_config">
<td><code><a href="#WasmPlugin-plugin_config">pluginConfig</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_config">pluginConfig</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
</div></td>
<td>
<p>The configuration that will be passed on to the plugin.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-plugin_name">
<td><code><a href="#WasmPlugin-plugin_name">pluginName</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_name">pluginName</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The plugin name to be used in the Envoy configuration (used to be called
<code>rootID</code>). Some .wasm modules might require this value to select the Wasm
plugin to execute.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-phase">
<td><code><a href="#WasmPlugin-phase">phase</a></code></td>
<td><code><a href="#PluginPhase">PluginPhase</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-phase">phase</a></code></div>
<div class="type"><a href="#PluginPhase">PluginPhase</a></div>
</div></td>
<td>
<p>Determines where in the filter chain this <code>WasmPlugin</code> is to be injected.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-priority">
<td><code><a href="#WasmPlugin-priority">priority</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-priority">priority</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></div>
</div></td>
<td>
<p>Determines ordering of <code>WasmPlugins</code> in the same <code>phase</code>.
When multiple <code>WasmPlugins</code> are applied to the same workload in the
@ -332,56 +314,90 @@ If <code>priority</code> is not set, or two <code>WasmPlugins</code> exist with
value, the ordering will be deterministically derived from name and
namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-fail_strategy">
<td><code><a href="#WasmPlugin-fail_strategy">failStrategy</a></code></td>
<td><code><a href="#FailStrategy">FailStrategy</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-fail_strategy">failStrategy</a></code></div>
<div class="type"><a href="#FailStrategy">FailStrategy</a></div>
</div></td>
<td>
<p>Specifies the failure behavior for the plugin due to fatal errors.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-vm_config">
<td><code><a href="#WasmPlugin-vm_config">vmConfig</a></code></td>
<td><code><a href="#VmConfig">VmConfig</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-vm_config">vmConfig</a></code></div>
<div class="type"><a href="#VmConfig">VmConfig</a></div>
</div></td>
<td>
<p>Configuration for a Wasm VM.
More details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig">here</a>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-match">
<td><code><a href="#WasmPlugin-match">match</a></code></td>
<td><code><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-match">match</a></code></div>
<div class="type"><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></div>
</div></td>
<td>
<p>Specifies the criteria to determine which traffic is passed to WasmPlugin.
If a traffic satisfies any of TrafficSelectors,
the traffic passes the WasmPlugin.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-type">
<td><code><a href="#WasmPlugin-type">type</a></code></td>
<td><code><a href="#PluginType">PluginType</a></code></td>
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-type">type</a></code></div>
<div class="type"><a href="#PluginType">PluginType</a></div>
</div></td>
<td>
<p>Specifies the type of Wasm Extension to be used.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="WasmPlugin-TrafficSelector">TrafficSelector</h3>
<section>
<p>TrafficSelector provides a mechanism to select a specific traffic flow
for which this Wasm Plugin will be enabled.
When all the sub conditions in the TrafficSelector are satisfied, the
traffic will be selected.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="WasmPlugin-TrafficSelector-mode">
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-mode">mode</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadMode">WorkloadMode</a></div>
</div></td>
<td>
No
<p>Criteria for selecting traffic by their direction.
Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
respectively.
For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
</td>
</tr>
<tr id="WasmPlugin-TrafficSelector-ports">
<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-ports">ports</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#PortSelector">PortSelector[]</a></div>
</div></td>
<td>
<p>Criteria for selecting traffic by their destination port.
More specifically, for the outbound traffic, the destination port would be
the port of the target service. On the other hand, for the inbound traffic,
the destination port is the port bound by the server process in the same Pod.</p>
<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
If not specified, this condition is evaluated to true for any port.</p>
</td>
</tr>
</tbody>
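Review bot: the `match` description ("If a traffic satisfies any of TrafficSelectors, the traffic passes the WasmPlugin.") is ungrammatical; suggest "If the traffic satisfies any of the TrafficSelectors, it is passed to the WasmPlugin." Separately, the new `WasmPlugin-TrafficSelector-mode` row shows a bare `No` between `<td>` and `<p>Criteria for selecting traffic by their direction.`; with the Required column gone from the new two-column table that line must be on the removed side, otherwise it renders as stray text in the description cell.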
@ -396,22 +412,18 @@ more details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/a
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="VmConfig-env">
<td><code><a href="#VmConfig-env">env</a></code></td>
<td><code><a href="#EnvVar">EnvVar[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#VmConfig-env">env</a></code></div>
<div class="type"><a href="#EnvVar">EnvVar[]</a></div>
</div></td>
<td>
<p>Specifies environment variables to be injected to this VM.
Note that if a key does not exist, it will be ignored.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -424,97 +436,39 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="EnvVar-name">
<td><code><a href="#EnvVar-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#EnvVar-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Name of the environment variable.
Must be a C_IDENTIFIER.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="EnvVar-value_from">
<td><code><a href="#EnvVar-value_from">valueFrom</a></code></td>
<td><code><a href="#EnvValueSource">EnvValueSource</a></code></td>
<td><div class="field"><div class="name"><code><a href="#EnvVar-value_from">valueFrom</a></code></div>
<div class="type"><a href="#EnvValueSource">EnvValueSource</a></div>
</div></td>
<td>
<p>Source for the environment variable&rsquo;s value.</p>
</td>
<td>
No
</td>
</tr>
<tr id="EnvVar-value">
<td><code><a href="#EnvVar-value">value</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#EnvVar-value">value</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Value for the environment variable.
Only applicable if <code>valueFrom</code> is <code>HOST</code>.
Defaults to &ldquo;&rdquo;.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="WasmPlugin-TrafficSelector">WasmPlugin.TrafficSelector</h2>
<section>
<p>TrafficSelector provides a mechanism to select a specific traffic flow
for which this Wasm Plugin will be enabled.
When all the sub conditions in the TrafficSelector are satisfied, the
traffic will be selected.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WasmPlugin-TrafficSelector-mode">
<td><code><a href="#WasmPlugin-TrafficSelector-mode">mode</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadMode">WorkloadMode</a></code></td>
<td>
<p>Criteria for selecting traffic by their direction.
Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
respectively.
For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-TrafficSelector-ports">
<td><code><a href="#WasmPlugin-TrafficSelector-ports">ports</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PortSelector">PortSelector[]</a></code></td>
<td>
<p>Criteria for selecting traffic by their destination port.
More specifically, for the outbound traffic, the destination port would be
the port of the target service. On the other hand, for the inbound traffic,
the destination port is the port bound by the server process in the same Pod.</p>
<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
If not specified, this condition is evaluated to true for any port.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
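Review bot: this hunk removes the `<h2 id="WasmPlugin-TrafficSelector">` section while an `<h3>` with the same `id` is added higher in the file, and the `match` row's type cell links to `#WasmPlugin-TrafficSelector`. Please confirm only one element ends up with that `id` in the rendered page so the link resolves to the new section rather than to a leftover duplicate.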

View File

@ -204,32 +204,29 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AuthorizationPolicy-selector">
<td><code><a href="#AuthorizationPolicy-selector">selector</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-selector">selector</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
<p>The selector decides where to apply the authorization policy. The selector will match with workloads
in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
will additionally match with workloads in all namespaces.</p>
<p>If the selector and the targetRef are not set, the selector will match all workloads.</p>
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-targetRefs">
<td><code><a href="#AuthorizationPolicy-targetRefs">targetRefs</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-targetRefs">targetRefs</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></div>
</div></td>
<td>
<p>Optional. The targetRefs specifies a list of resources the policy should be
<p>The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
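Review bot: the sentence `If the selector and the targetRef are not set, the selector will match all workloads.` in the `targetRefs` row names the field in the singular and outside `<code>`, while the field itself and the following sentence use `targetRefs`; suggest `If neither <code>selector</code> nor <code>targetRefs</code> is set, the policy applies to all workloads in scope` so the two sentences agree. Also, with the `Required` column and the `Optional.` prefixes removed in this hunk, the only remaining signal of optionality is the absence of a `required` div inside the field cell, so every field that is in fact required in this table must carry that marker or readers lose the information.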
@ -245,535 +242,64 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-rules">
<td><code><a href="#AuthorizationPolicy-rules">rules</a></code></td>
<td><code><a href="#Rule">Rule[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-rules">rules</a></code></div>
<div class="type"><a href="#Rule">Rule[]</a></div>
</div></td>
<td>
<p>Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.</p>
<p>A list of rules to match the request. A match occurs when at least one rule matches the request.</p>
<p>If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if
the action is ALLOW.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-action">
<td><code><a href="#AuthorizationPolicy-action">action</a></code></td>
<td><code><a href="#AuthorizationPolicy-Action">Action</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-action">action</a></code></div>
<div class="type"><a href="#AuthorizationPolicy-Action">Action</a></div>
</div></td>
<td>
<p>Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified.</p>
<p>The action to take if the request is matched with the rules. Default is ALLOW if not specified.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AuthorizationPolicy-provider" class="oneof oneof-start">
<td><code><a href="#AuthorizationPolicy-provider">provider</a></code></td>
<td><code><a href="#AuthorizationPolicy-ExtensionProvider">ExtensionProvider (oneof)</a></code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-provider">provider</a></code></div>
<div class="type"><a href="#AuthorizationPolicy-ExtensionProvider">ExtensionProvider (oneof)</a></div>
</div></td>
<td>
<p>Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule matches requests from a list of sources that perform a list of operations subject to a
list of conditions. A match occurs when at least one source, one operation and all conditions
matches the request. An empty rule is always matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:</p>
<ul>
<li>Exact match: <code>abc</code> will match on value <code>abc</code>.</li>
<li>Prefix match: <code>abc*</code> will match on value <code>abc</code> and <code>abcd</code>.</li>
<li>Suffix match: <code>*abc</code> will match on value <code>abc</code> and <code>xabc</code>.</li>
<li>Presence match: <code>*</code> will match when value is not empty.</li>
</ul>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-from">
<td><code><a href="#Rule-from">from</a></code></td>
<td><code><a href="#Rule-From">From[]</a></code></td>
<td>
<p>Optional. <code>from</code> specifies the source of a request.</p>
<p>If not set, any source is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-to">
<td><code><a href="#Rule-to">to</a></code></td>
<td><code><a href="#Rule-To">To[]</a></code></td>
<td>
<p>Optional. <code>to</code> specifies the operation of a request.</p>
<p>If not set, any operation is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-when">
<td><code><a href="#Rule-when">when</a></code></td>
<td><code><a href="#Condition">Condition[]</a></code></td>
<td>
<p>Optional. <code>when</code> specifies a list of additional conditions of a request.</p>
<p>If not set, any condition is allowed.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request. Fields in the source are
ANDed together.</p>
<p>For example, the following source matches if the principal is <code>admin</code> or <code>dev</code>
and the namespace is <code>prod</code> or <code>test</code> and the ip is not <code>203.0.113.4</code>.</p>
<pre><code class="language-yaml">principals: [&quot;admin&quot;, &quot;dev&quot;]
namespaces: [&quot;prod&quot;, &quot;test&quot;]
notIpBlocks: [&quot;203.0.113.4&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><code><a href="#Source-principals">principals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
<code>&quot;&lt;TRUST_DOMAIN&gt;/ns/&lt;NAMESPACE&gt;/sa/&lt;SERVICE_ACCOUNT&gt;&quot;</code>, for example, <code>&quot;cluster.local/ns/default/sa/productpage&quot;</code>.
This field requires mTLS enabled and is the same as the <code>source.principal</code> attribute.</p>
<p>If not set, any principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_principals">
<td><code><a href="#Source-not_principals">notPrincipals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of peer identities.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-request_principals">
<td><code><a href="#Source-request_principals">requestPrincipals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of request identities derived from the JWT. The request identity is in the format of
<code>&quot;&lt;ISS&gt;/&lt;SUB&gt;&quot;</code>, for example, <code>&quot;example.com/sub-1&quot;</code>. This field requires request authentication enabled and is the
same as the <code>request.auth.principal</code> attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_request_principals">
<td><code><a href="#Source-not_request_principals">notRequestPrincipals</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of request identities.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-namespaces">
<td><code><a href="#Source-namespaces">namespaces</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of namespaces derived from the peer certificate.
This field requires mTLS enabled and is the same as the <code>source.namespace</code> attribute.</p>
<p>If not set, any namespace is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_namespaces">
<td><code><a href="#Source-not_namespaces">notNamespaces</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of namespaces.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-ip_blocks">
<td><code><a href="#Source-ip_blocks">ipBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. <code>203.0.113.4</code>) and
CIDR (e.g. <code>203.0.113.0/24</code>) are supported. This is the same as the <code>source.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_ip_blocks">
<td><code><a href="#Source-not_ip_blocks">notIpBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of IP blocks.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-remote_ip_blocks">
<td><code><a href="#Source-remote_ip_blocks">remoteIpBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, populated from <code>X-Forwarded-For</code> header or proxy protocol.
To make use of this field, you must configure the <code>numTrustedProxies</code> field of the <code>gatewayTopology</code> under the <code>meshConfig</code>
when you install Istio or using an annotation on the ingress gateway. See the documentation here:
<a href="/latest/docs/ops/configuration/traffic-management/network-topologies/">Configuring Gateway Network Topology</a>.
Single IP (e.g. <code>203.0.113.4</code>) and CIDR (e.g. <code>203.0.113.0/24</code>) are supported.
This is the same as the <code>remote.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Source-not_remote_ip_blocks">
<td><code><a href="#Source-not_remote_ip_blocks">notRemoteIpBlocks</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of remote IP blocks.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request. Fields in the operation are
ANDed together.</p>
<p>For example, the following operation matches if the host has suffix <code>.example.com</code>
and the method is <code>GET</code> or <code>HEAD</code> and the path doesn&rsquo;t have prefix <code>/admin</code>.</p>
<pre><code class="language-yaml">hosts: [&quot;*.example.com&quot;]
methods: [&quot;GET&quot;, &quot;HEAD&quot;]
notPaths: [&quot;/admin*&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><code><a href="#Operation-hosts">hosts</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive.
See the <a href="/latest/docs/ops/best-practices/security/#writing-host-match-policies">security best practices</a> for
recommended usage of this field.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_hosts">
<td><code><a href="#Operation-not_hosts">notHosts</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-ports">
<td><code><a href="#Operation-ports">ports</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of ports as specified in the connection.</p>
<p>If not set, any port is allowed.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_ports">
<td><code><a href="#Operation-not_ports">notPorts</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of ports as specified in the connection.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-methods">
<td><code><a href="#Operation-methods">methods</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of methods as specified in the HTTP request.
For gRPC service, this will always be <code>POST</code>.</p>
<p>If not set, any method is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_methods">
<td><code><a href="#Operation-not_methods">notMethods</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of methods as specified in the HTTP request.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-paths">
<td><code><a href="#Operation-paths">paths</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of paths as specified in the HTTP request. See the <a href="/latest/docs/reference/config/security/normalization/">Authorization Policy Normalization</a>
for details of the path normalization.
For gRPC service, this will be the fully-qualified name in the form of <code>/package.service/method</code>.</p>
<p>If a path in the list contains the <code>{*}</code> or <code>{**}</code> path template operator, it will be interpreted as an <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/path/match/uri_template/v3/uri_template_match.proto">Envoy Uri Template</a>.
To be a valid path template, the path must not contain <code>*</code>, <code>{</code>, or <code>}</code> outside of a supported operator. No other characters are allowed in the path segment with the path template operator.</p>
<ul>
<li><code>{*}</code> matches a single glob that cannot extend beyond a path segment.</li>
<li><code>{**}</code> matches zero or more globs. If a path contains <code>{**}</code>, it must be the last operator.</li>
</ul>
<p>Examples:</p>
<ul>
<li><code>/foo/{*}</code> matches <code>/foo/bar</code> but not <code>/foo/bar/baz</code></li>
<li><code>/foo/{**}/</code> matches <code>/foo/bar/</code>, <code>/foo/bar/baz.txt</code>, and <code>/foo//</code> but not <code>/foo/bar</code></li>
<li><code>/foo/{*}/bar/{**}</code> matches <code>/foo/buzz/bar/</code> and <code>/foo/buzz/bar/baz</code></li>
<li><code>/*/baz/{*}</code> is not a valid path template since it includes <code>*</code> outside of a supported operator</li>
<li><code>/**/baz/{*}</code> is not a valid path template since it includes <code>**</code> outside of a supported operator</li>
<li><code>/{**}/foo/{*}</code> is not a valid path template since <code>{**}</code> is not the last operator</li>
<li><code>/foo/{*}.txt</code> is invalid since there are characters other than <code>{*}</code> in the path segment</li>
</ul>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Operation-not_paths">
<td><code><a href="#Operation-not_paths">notPaths</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of paths.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><code><a href="#Condition-key">key</a></code></td>
<td><code>string</code></td>
<td>
<p>The name of an Istio attribute.
See the <a href="/zh/docs/reference/config/security/conditions/">full list of supported attributes</a>.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Condition-values">
<td><code><a href="#Condition-values">values</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of allowed values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Condition-not_values">
<td><code><a href="#Condition-not_values">notValues</a></code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of negative match of values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AuthorizationPolicy-ExtensionProvider">AuthorizationPolicy.ExtensionProvider</h2>
<h3 id="AuthorizationPolicy-ExtensionProvider">ExtensionProvider</h3>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AuthorizationPolicy-ExtensionProvider-name">
<td><code><a href="#AuthorizationPolicy-ExtensionProvider-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#AuthorizationPolicy-ExtensionProvider-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig.
Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-From">Rule.From</h2>
<section>
<p>From includes a list of sources.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-From-source">
<td><code><a href="#Rule-From-source">source</a></code></td>
<td><code><a href="#Source">Source</a></code></td>
<td>
<p>Source specifies the source of a request.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-To">Rule.To</h2>
<section>
<p>To includes a list of operations.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-To-operation">
<td><code><a href="#Rule-To-operation">operation</a></code></td>
<td><code><a href="#Operation">Operation</a></code></td>
<td>
<p>Operation specifies the operation of a request.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AuthorizationPolicy-Action">AuthorizationPolicy.Action</h2>
<h3 id="AuthorizationPolicy-Action">Action</h3>
<section>
<p>Action specifies the operation to take.</p>
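Review bot: `<h2 id="AuthorizationPolicy-ExtensionProvider">` is immediately followed by `<h3 id="AuthorizationPolicy-ExtensionProvider">`, and the same duplication appears for `AuthorizationPolicy-Action`; duplicate `id` values are invalid HTML and the `#AuthorizationPolicy-ExtensionProvider` link from the `provider` row resolves to whichever element the browser finds first. Suggest keeping the `id` on one of the two headings only. Separately, in the `name` row `Different workloads can use different extension provider.` should read `providers`, and the sentence `at most 1 extension provider is allowed per workload` is the constraint that decides whether a CUSTOM-action policy takes effect at all, so it should not be buried behind `Note,`.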
@ -842,3 +368,398 @@ spec:
</tbody>
</table>
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule matches requests from a list of sources that perform a list of operations subject to a
list of conditions. A match occurs when at least one source, one operation and all conditions
matches the request. An empty rule is always matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:</p>
<ul>
<li>Exact match: <code>abc</code> will match on value <code>abc</code>.</li>
<li>Prefix match: <code>abc*</code> will match on value <code>abc</code> and <code>abcd</code>.</li>
<li>Suffix match: <code>*abc</code> will match on value <code>abc</code> and <code>xabc</code>.</li>
<li>Presence match: <code>*</code> will match when value is not empty.</li>
</ul>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-from">
<td><div class="field"><div class="name"><code><a href="#Rule-from">from</a></code></div>
<div class="type"><a href="#Rule-From">From[]</a></div>
</div></td>
<td>
<p><code>from</code> specifies the source of a request.</p>
<p>If not set, any source is allowed.</p>
</td>
</tr>
<tr id="Rule-to">
<td><div class="field"><div class="name"><code><a href="#Rule-to">to</a></code></div>
<div class="type"><a href="#Rule-To">To[]</a></div>
</div></td>
<td>
<p><code>to</code> specifies the operation of a request.</p>
<p>If not set, any operation is allowed.</p>
</td>
</tr>
<tr id="Rule-when">
<td><div class="field"><div class="name"><code><a href="#Rule-when">when</a></code></div>
<div class="type"><a href="#Condition">Condition[]</a></div>
</div></td>
<td>
<p><code>when</code> specifies a list of additional conditions of a request.</p>
<p>If not set, any condition is allowed.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="Rule-From">From</h3>
<section>
<p>From includes a list of sources.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-From-source">
<td><div class="field"><div class="name"><code><a href="#Rule-From-source">source</a></code></div>
<div class="type"><a href="#Source">Source</a></div>
</div></td>
<td>
<p>Source specifies the source of a request.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="Rule-To">To</h3>
<section>
<p>To includes a list of operations.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-To-operation">
<td><div class="field"><div class="name"><code><a href="#Rule-To-operation">operation</a></code></div>
<div class="type"><a href="#Operation">Operation</a></div>
</div></td>
<td>
<p>Operation specifies the operation of a request.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request. Fields in the source are
ANDed together.</p>
<p>For example, the following source matches if the principal is <code>admin</code> or <code>dev</code>
and the namespace is <code>prod</code> or <code>test</code> and the ip is not <code>203.0.113.4</code>.</p>
<pre><code class="language-yaml">principals: [&quot;admin&quot;, &quot;dev&quot;]
namespaces: [&quot;prod&quot;, &quot;test&quot;]
notIpBlocks: [&quot;203.0.113.4&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><div class="field"><div class="name"><code><a href="#Source-principals">principals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of peer identities derived from the peer certificate. The peer identity is in the format of
<code>&quot;&lt;TRUST_DOMAIN&gt;/ns/&lt;NAMESPACE&gt;/sa/&lt;SERVICE_ACCOUNT&gt;&quot;</code>, for example, <code>&quot;cluster.local/ns/default/sa/productpage&quot;</code>.
This field requires mTLS enabled and is the same as the <code>source.principal</code> attribute.</p>
<p>If not set, any principal is allowed.</p>
</td>
</tr>
<tr id="Source-not_principals">
<td><div class="field"><div class="name"><code><a href="#Source-not_principals">notPrincipals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of peer identities.</p>
</td>
</tr>
<tr id="Source-request_principals">
<td><div class="field"><div class="name"><code><a href="#Source-request_principals">requestPrincipals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of request identities derived from the JWT. The request identity is in the format of
<code>&quot;&lt;ISS&gt;/&lt;SUB&gt;&quot;</code>, for example, <code>&quot;example.com/sub-1&quot;</code>. This field requires request authentication enabled and is the
same as the <code>request.auth.principal</code> attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
</tr>
<tr id="Source-not_request_principals">
<td><div class="field"><div class="name"><code><a href="#Source-not_request_principals">notRequestPrincipals</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of request identities.</p>
</td>
</tr>
<tr id="Source-namespaces">
<td><div class="field"><div class="name"><code><a href="#Source-namespaces">namespaces</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of namespaces derived from the peer certificate.
This field requires mTLS enabled and is the same as the <code>source.namespace</code> attribute.</p>
<p>If not set, any namespace is allowed.</p>
</td>
</tr>
<tr id="Source-not_namespaces">
<td><div class="field"><div class="name"><code><a href="#Source-not_namespaces">notNamespaces</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of namespaces.</p>
</td>
</tr>
<tr id="Source-ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-ip_blocks">ipBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. <code>203.0.113.4</code>) and
CIDR (e.g. <code>203.0.113.0/24</code>) are supported. This is the same as the <code>source.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
</tr>
<tr id="Source-not_ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-not_ip_blocks">notIpBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of IP blocks.</p>
</td>
</tr>
<tr id="Source-remote_ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-remote_ip_blocks">remoteIpBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of IP blocks, populated from <code>X-Forwarded-For</code> header or proxy protocol.
To make use of this field, you must configure the <code>numTrustedProxies</code> field of the <code>gatewayTopology</code> under the <code>meshConfig</code>
when you install Istio or using an annotation on the ingress gateway. See the documentation here:
<a href="/latest/docs/ops/configuration/traffic-management/network-topologies/">Configuring Gateway Network Topology</a>.
Single IP (e.g. <code>203.0.113.4</code>) and CIDR (e.g. <code>203.0.113.0/24</code>) are supported.
This is the same as the <code>remote.ip</code> attribute.</p>
<p>If not set, any IP is allowed.</p>
</td>
</tr>
<tr id="Source-not_remote_ip_blocks">
<td><div class="field"><div class="name"><code><a href="#Source-not_remote_ip_blocks">notRemoteIpBlocks</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of remote IP blocks.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request. Fields in the operation are
ANDed together.</p>
<p>For example, the following operation matches if the host has suffix <code>.example.com</code>
and the method is <code>GET</code> or <code>HEAD</code> and the path doesn&rsquo;t have prefix <code>/admin</code>.</p>
<pre><code class="language-yaml">hosts: [&quot;*.example.com&quot;]
methods: [&quot;GET&quot;, &quot;HEAD&quot;]
notPaths: [&quot;/admin*&quot;]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><div class="field"><div class="name"><code><a href="#Operation-hosts">hosts</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of hosts as specified in the HTTP request. The match is case-insensitive.
See the <a href="/latest/docs/ops/best-practices/security/#writing-host-match-policies">security best practices</a> for
recommended usage of this field.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
</tr>
<tr id="Operation-not_hosts">
<td><div class="field"><div class="name"><code><a href="#Operation-not_hosts">notHosts</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.</p>
</td>
</tr>
<tr id="Operation-ports">
<td><div class="field"><div class="name"><code><a href="#Operation-ports">ports</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of ports as specified in the connection.</p>
<p>If not set, any port is allowed.</p>
</td>
</tr>
<tr id="Operation-not_ports">
<td><div class="field"><div class="name"><code><a href="#Operation-not_ports">notPorts</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of ports as specified in the connection.</p>
</td>
</tr>
<tr id="Operation-methods">
<td><div class="field"><div class="name"><code><a href="#Operation-methods">methods</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of methods as specified in the HTTP request.
For gRPC service, this will always be <code>POST</code>.</p>
<p>If not set, any method is allowed. Must be used only with HTTP.</p>
</td>
</tr>
<tr id="Operation-not_methods">
<td><div class="field"><div class="name"><code><a href="#Operation-not_methods">notMethods</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of methods as specified in the HTTP request.</p>
</td>
</tr>
<tr id="Operation-paths">
<td><div class="field"><div class="name"><code><a href="#Operation-paths">paths</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of paths as specified in the HTTP request. See the <a href="/latest/docs/reference/config/security/normalization/">Authorization Policy Normalization</a>
for details of the path normalization.
For gRPC service, this will be the fully-qualified name in the form of <code>/package.service/method</code>.</p>
<p>If a path in the list contains the <code>{*}</code> or <code>{**}</code> path template operator, it will be interpreted as an <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/path/match/uri_template/v3/uri_template_match.proto">Envoy Uri Template</a>.
To be a valid path template, the path must not contain <code>*</code>, <code>{</code>, or <code>}</code> outside of a supported operator. No other characters are allowed in the path segment with the path template operator.</p>
<ul>
<li><code>{*}</code> matches a single glob that cannot extend beyond a path segment.</li>
<li><code>{**}</code> matches zero or more globs. If a path contains <code>{**}</code>, it must be the last operator.</li>
</ul>
<p>Examples:</p>
<ul>
<li><code>/foo/{*}</code> matches <code>/foo/bar</code> but not <code>/foo/bar/baz</code></li>
<li><code>/foo/{**}/</code> matches <code>/foo/bar/</code>, <code>/foo/bar/baz.txt</code>, and <code>/foo//</code> but not <code>/foo/bar</code></li>
<li><code>/foo/{*}/bar/{**}</code> matches <code>/foo/buzz/bar/</code> and <code>/foo/buzz/bar/baz</code></li>
<li><code>/*/baz/{*}</code> is not a valid path template since it includes <code>*</code> outside of a supported operator</li>
<li><code>/**/baz/{*}</code> is not a valid path template since it includes <code>**</code> outside of a supported operator</li>
<li><code>/{**}/foo/{*}</code> is not a valid path template since <code>{**}</code> is not the last operator</li>
<li><code>/foo/{*}.txt</code> is invalid since there are characters other than <code>{*}</code> in the path segment</li>
</ul>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
</tr>
<tr id="Operation-not_paths">
<td><div class="field"><div class="name"><code><a href="#Operation-not_paths">notPaths</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of paths.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><div class="field"><div class="name"><code><a href="#Condition-key">key</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The name of an Istio attribute.
See the <a href="/zh/docs/reference/config/security/conditions/">full list of supported attributes</a>.</p>
</td>
</tr>
<tr id="Condition-values">
<td><div class="field"><div class="name"><code><a href="#Condition-values">values</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of allowed values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
</tr>
<tr id="Condition-not_values">
<td><div class="field"><div class="name"><code><a href="#Condition-not_values">notValues</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>A list of negative match of values for the attribute.
Note: at least one of <code>values</code> or <code>notValues</code> must be set.</p>
</td>
</tr>
</tbody>
</table>
</section>
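Review bot: link targets in the re-added sections are inconsistent: the `remoteIpBlocks`, `hosts` and `paths` rows link to `/latest/docs/...` while the `Condition.key` row links to `/zh/docs/reference/config/security/conditions/`, and the `selector`/`targetRefs` rows earlier in this file also use the `/zh/` prefix; on a localized page the `/latest/` links drop the reader out of the translation, so one convention should be used. Also, the `values` and `notValues` rows each repeat the constraint `at least one of values or notValues must be set` in prose, but neither row carries the `required` div that `key` has, so the generated table cannot express the constraint; stating it once in the `Condition` intro would be clearer than repeating it in both rows.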

View File

@ -95,54 +95,46 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-selector">
<td><code><a href="#PeerAuthentication-selector">selector</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-selector">selector</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the
same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.</p>
<p>If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied
to all workloads in the mesh.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-mtls">
<td><code><a href="#PeerAuthentication-mtls">mtls</a></code></td>
<td><code><a href="#PeerAuthentication-MutualTLS">MutualTLS</a></code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-mtls">mtls</a></code></div>
<div class="type"><a href="#PeerAuthentication-MutualTLS">MutualTLS</a></div>
</div></td>
<td>
<p>Mutual TLS settings for workload. If not defined, inherit from parent.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-port_level_mtls">
<td><code><a href="#PeerAuthentication-port_level_mtls">portLevelMtls</a></code></td>
<td><code>map&lt;uint32,&nbsp;<a href="#PeerAuthentication-MutualTLS">MutualTLS</a>&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-port_level_mtls">portLevelMtls</a></code></div>
<div class="type">map&lt;uint32,&nbsp;<a href="#PeerAuthentication-MutualTLS">MutualTLS</a>&gt;</div>
</div></td>
<td>
<p>Port specific mutual TLS settings. These only apply when a workload selector
is specified. The port refers to the port of the workload, not the port of the
Kubernetes service.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS">PeerAuthentication.MutualTLS</h2>
<h3 id="PeerAuthentication-MutualTLS">MutualTLS</h3>
<section>
<p>Mutual TLS settings.</p>
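Review bot: the `selector` description reads "match with workloads in all namespace" and should be "all namespaces"; the RequestAuthentication copy of the same sentence in the next file already has it right, so only the PeerAuthentication proto comment needs the upstream fix. Two further points in this hunk. The `portLevelMtls` description says the entries "only apply when a workload selector is specified", which means a port-level entry in a selector-less (namespace-wide or mesh-wide) policy is silently ignored; that consequence is worth stating outright, because an operator reading the YAML would otherwise assume the port override is in force. And both `<h2 id="PeerAuthentication-MutualTLS">` and `<h3 id="PeerAuthentication-MutualTLS">` appear in the hunk; if the h2 is the removed line this is fine, but if both survive the duplicate id makes the in-page anchor ambiguous.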
@ -150,27 +142,23 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-MutualTLS-mode">
<td><code><a href="#PeerAuthentication-MutualTLS-mode">mode</a></code></td>
<td><code><a href="#PeerAuthentication-MutualTLS-Mode">Mode</a></code></td>
<td><div class="field"><div class="name"><code><a href="#PeerAuthentication-MutualTLS-mode">mode</a></code></div>
<div class="type"><a href="#PeerAuthentication-MutualTLS-Mode">Mode</a></div>
</div></td>
<td>
<p>Defines the mTLS mode used for peer authentication.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS-Mode">PeerAuthentication.MutualTLS.Mode</h2>
<h4 id="PeerAuthentication-MutualTLS-Mode">Mode</h4>
<section>
<table class="enum-values">
<thead>


@ -202,32 +202,29 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RequestAuthentication-selector">
<td><code><a href="#RequestAuthentication-selector">selector</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
<td><div class="field"><div class="name"><code><a href="#RequestAuthentication-selector">selector</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></div>
</div></td>
<td>
<p>Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
<p>The selector decides where to apply the request authentication policy. The selector will match with workloads
in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
the selector will additionally match with workloads in all namespaces.</p>
<p>If not set, the selector will match all workloads.</p>
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-targetRefs">
<td><code><a href="#RequestAuthentication-targetRefs">targetRefs</a></code></td>
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#RequestAuthentication-targetRefs">targetRefs</a></code></div>
<div class="type"><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></div>
</div></td>
<td>
<p>Optional. The targetRefs specifies a list of resources the policy should be
<p>The targetRefs specifies a list of resources the policy should be
applied to. The targeted resources specified will determine which workloads
the policy applies to.</p>
<p>Currently, the following resource attachment types are supported:</p>
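Review bot: dropping the leading "Optional." from both descriptions is consistent with removing the Required column, but the `selector` sentence "If not set, the selector will match all workloads" is less precise than the PeerAuthentication wording in the previous file ("all workloads in the same namespace as the policy", and mesh-wide only from the root namespace). A selector-less RequestAuthentication is exactly the case that applies a JWT rule to every workload in scope, so the sentence should spell out that scope the same way, namespace first and root-namespace exception second.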
@ -243,14 +240,12 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RequestAuthentication-jwt_rules">
<td><code><a href="#RequestAuthentication-jwt_rules">jwtRules</a></code></td>
<td><code><a href="#JWTRule">JWTRule[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#RequestAuthentication-jwt_rules">jwtRules</a></code></div>
<div class="type"><a href="#JWTRule">JWTRule[]</a></div>
</div></td>
<td>
<p>Define the list of JWTs that can be validated at the selected workloads&rsquo; proxy. A valid token
will be used to extract the authenticated identity.
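Review bot: the note "Waypoint proxies are required to use this field for policies to apply; `selector` policies will be ignored" describes a silent no-op and sits inside the `targetRefs` row, where an operator who only reads the `selector` row will never see it; a one-line cross reference from `selector`, or a note above the field table, would close that gap. Separately, the `jwtRules` description says a valid token yields the authenticated identity, but the visible text does not say how a request that carries no token at all is treated; since that decides whether this resource alone gates access, the description should state it and point at AuthorizationPolicy for requiring a principal.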
@ -260,9 +255,6 @@ be rejected.
Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
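Review bot: "Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined." is a comma splice and, more importantly, "undefined" is a poor property to document for the principal that AuthorizationPolicy rules key on; if the proxy rejects such requests, say so, and if it picks one token, say which location wins. The same sentence is repeated verbatim under `fromHeaders`, `fromParams` and `fromCookies` in the following hunks, so one corrected sentence here with a short pointer from the other three rows would be cleaner than four copies.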
@ -296,15 +288,15 @@ fromHeaders:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTRule-issuer">
<td><code><a href="#JWTRule-issuer">issuer</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-issuer">issuer</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Identifies the issuer that issued the JWT. See
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.1">issuer</a>
@ -312,14 +304,12 @@ A JWT with different <code>iss</code> claim will be rejected.</p>
<p>Example: <code>https://foobar.auth0.com</code>
Example: <code>1234567-compute@developer.gserviceaccount.com</code></p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTRule-audiences">
<td><code><a href="#JWTRule-audiences">audiences</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-audiences">audiences</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>The list of JWT
<a href="https://tools.ietf.org/html/rfc7519#section-4.1.3">audiences</a>
@ -332,14 +322,12 @@ audiences will be accepted.</p>
bookstore_web.apps.example.com
</code></pre>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks_uri">
<td><code><a href="#JWTRule-jwks_uri">jwksUri</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-jwks_uri">jwksUri</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>URL of the provider&rsquo;s public key set to validate signature of the
JWT. See <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Discovery</a>.</p>
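Review bot: the context line at the top of this hunk ("... audiences will be accepted.") shows the unset case is permissive: with no `audiences` entries, any audience is accepted. That is the default an operator is most likely to leave in place, so the `audiences` description should recommend setting the field whenever the issuer serves more than one service, rather than only documenting the permissive behaviour.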
@ -351,27 +339,23 @@ Google service account).</p>
<p>Example: <code>https://www.googleapis.com/oauth2/v1/certs</code></p>
<p>Note: Only one of <code>jwksUri</code> and <code>jwks</code> should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-jwks">
<td><code><a href="#JWTRule-jwks">jwks</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-jwks">jwks</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>JSON Web Key Set of public keys to validate signature of the JWT.
See <a href="https://auth0.com/docs/jwks">https://auth0.com/docs/jwks</a>.</p>
<p>Note: Only one of <code>jwksUri</code> and <code>jwks</code> should be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_headers">
<td><code><a href="#JWTRule-from_headers">fromHeaders</a></code></td>
<td><code><a href="#JWTHeader">JWTHeader[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-from_headers">fromHeaders</a></code></div>
<div class="type"><a href="#JWTHeader">JWTHeader[]</a></div>
</div></td>
<td>
<p>List of header locations from which JWT is expected. For example, below is the location spec
if JWT is expected to be found in <code>x-jwt-assertion</code> header, and have <code>Bearer</code> prefix:</p>
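Review bot: the `jwks` description points to https://auth0.com/docs/jwks for the key set format, while `issuer` and `audiences` link the relevant RFC 7519 sections; the JWK Set format is defined by RFC 7517 (JSON Web Key), so link that instead of a vendor page, and give `jwksUri`, whose description also describes the key set, the same link. "Only one of `jwksUri` and `jwks` should be used" appears under both fields, which is fine, but neither says what happens when both are set (rejected by validation, or which one wins); that should be stated.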
@ -382,14 +366,12 @@ if JWT is expected to be found in <code>x-jwt-assertion</code> header, and have
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_params">
<td><code><a href="#JWTRule-from_params">fromParams</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-from_params">fromParams</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>List of query parameters from which JWT is expected. For example, if JWT is provided via query
parameter <code>my_token</code> (e.g <code>/path?my_token=&lt;JWT&gt;</code>), the config is:</p>
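Review bot: the `fromParams` description gives the config shape but no guidance on when to prefer it over `fromHeaders`. A token in the query string travels in the URL and is recorded wherever URLs are (proxy access logs, browser history, Referer headers), so the row should carry a one-line caution and recommend the header form unless the client cannot set headers.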
@ -399,27 +381,23 @@ parameter <code>my_token</code> (e.g <code>/path?my_token=&lt;JWT&gt;</code>), t
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-output_payload_to_header">
<td><code><a href="#JWTRule-output_payload_to_header">outputPayloadToHeader</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-output_payload_to_header">outputPayloadToHeader</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>This field specifies the header name to output a successfully verified JWT payload to the
backend. The forwarded data is <code>base64_encoded(jwt_payload_in_JSON)</code>. If it is not specified,
the payload will not be emitted.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-from_cookies">
<td><code><a href="#JWTRule-from_cookies">fromCookies</a></code></td>
<td><code>string[]</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-from_cookies">fromCookies</a></code></div>
<div class="type">string[]</div>
</div></td>
<td>
<p>List of cookie names from which JWT is expected. //
For example, if config is:</p>
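Review bot: the `fromCookies` description contains a stray "//" ("List of cookie names from which JWT is expected. //"), a leftover comment delimiter from the proto source that the generator copied through; remove it in the proto comment upstream so the next automated run clears it from the rendered page.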
@ -430,25 +408,21 @@ For example, if config is:</p>
<p>Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-forward_original_token">
<td><code><a href="#JWTRule-forward_original_token">forwardOriginalToken</a></code></td>
<td><code>bool</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-forward_original_token">forwardOriginalToken</a></code></div>
<div class="type">bool</div>
</div></td>
<td>
<p>If set to true, the original token will be kept for the upstream request. Default is false.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-output_claim_to_headers">
<td><code><a href="#JWTRule-output_claim_to_headers">outputClaimToHeaders</a></code></td>
<td><code><a href="#ClaimToHeader">ClaimToHeader[]</a></code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-output_claim_to_headers">outputClaimToHeaders</a></code></div>
<div class="type"><a href="#ClaimToHeader">ClaimToHeader[]</a></div>
</div></td>
<td>
<p>This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
This differs from the <code>output_payload_to_header</code> by allowing outputting individual claims instead of the whole payload.
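Review bot: the `outputClaimToHeaders` description refers to `output_payload_to_header`, the proto field name, while the rendered table names that field `outputPayloadToHeader`; use the camelCase name, ideally as a link to the field's row, so the cross reference matches what the reader sees and what they would type in YAML.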
@ -463,21 +437,16 @@ The header specified in each operation in the list must be unique. Nested claims
</code></pre>
<p>[Experimental] This feature is a experimental feature.</p>
</td>
<td>
No
</td>
</tr>
<tr id="JWTRule-timeout">
<td><code><a href="#JWTRule-timeout">timeout</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td><div class="field"><div class="name"><code><a href="#JWTRule-timeout">timeout</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></div>
</div></td>
<td>
<p>The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
will spend waiting for the JWKS to be fetched. Default is 5s.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
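Review bot: "[Experimental] This feature is a experimental feature." needs "an" and says the same thing twice; the "[Experimental]" tag alone, or a sentence that says what experimental status implies for the field, is enough. In the `timeout` row, "the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable" is opaque to a reader who does not know what that variable controls; a link to the environment variable reference would help, and it is worth saying whether a JWKS fetch that exceeds the 5s default fails closed (tokens rejected) or open.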
@ -491,34 +460,29 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="JWTHeader-name">
<td><code><a href="#JWTHeader-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTHeader-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The HTTP header name.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="JWTHeader-prefix">
<td><code><a href="#JWTHeader-prefix">prefix</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#JWTHeader-prefix">prefix</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>The prefix that should be stripped before decoding the token.
For example, for <code>Authorization: Bearer &lt;token&gt;</code>, prefix=<code>Bearer</code> with a space at the end.
If the header doesn&rsquo;t have this exact prefix, it is considered invalid.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
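Review bot: "prefix=`Bearer` with a space at the end" describes a trailing space that the rendered `<code>Bearer</code>` cannot show, and the next sentence says the match must be exact; render it as `"Bearer "` (quoted, space included) so the reader can see the character the comparison depends on instead of having to reconstruct it from the prose.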
@ -532,33 +496,29 @@ No
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="ClaimToHeader-header">
<td><code><a href="#ClaimToHeader-header">header</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ClaimToHeader-header">header</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The name of the header to be created. The header will be overridden if it already exists in the request.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="ClaimToHeader-claim">
<td><code><a href="#ClaimToHeader-claim">claim</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#ClaimToHeader-claim">claim</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>The name of the claim to be copied from. Only claim of type string/int/bool is supported.
The header will not be there if the claim does not exist or the type of the claim is not supported.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
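Review bot: the `header` description says the header "will be overridden if it already exists in the request", which covers the verified-token case, but neither row says what happens to a client-supplied header of that name when the request carries no token or the claim is absent ("The header will not be there" could mean it is removed or merely not added). Since the point of the field is to let the backend trust the header as a copy of a verified claim, the description should say explicitly whether an incoming header of the same name is stripped in every case. Minor: "Only claim of type string/int/bool is supported" should read "Only claims of type string, int or bool are supported", and "will not be there" should be "will not be set".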

File diff suppressed because it is too large


@ -21,23 +21,19 @@ selected. Currently, only label based selection mechanism is supported.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadSelector-match_labels">
<td><code><a href="#WorkloadSelector-match_labels">matchLabels</a></code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td><div class="field"><div class="name"><code><a href="#WorkloadSelector-match_labels">matchLabels</a></code></div>
<div class="type">map&lt;string,&nbsp;string&gt;</div>
</div></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which a policy should be applied. The scope of label search is restricted to
the configuration namespace in which the resource is present.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
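Review bot: the `matchLabels` description says "The scope of label search is restricted to the configuration namespace in which the resource is present", but the PeerAuthentication and RequestAuthentication `selector` rows in the earlier files both say a policy in the root namespace "will additionally match with workloads in all namespaces". One of the two is wrong for the shared WorkloadSelector type; since the security resources are where mesh-wide matching matters, either qualify this sentence with the root-namespace exception or state that the embedding resource defines the scope.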
@ -52,21 +48,18 @@ a listener having a specific port.</p>
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PortSelector-number">
<td><code><a href="#PortSelector-number">number</a></code></td>
<td><code>uint32</code></td>
<td><div class="field"><div class="name"><code><a href="#PortSelector-number">number</a></code></div>
<div class="type">uint32</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Port number</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
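Review bot: "Port number" is the whole description of `PortSelector.number`, and it does not say whether this is the workload (container) port or the Kubernetes Service port; the `portLevelMtls` row in the PeerAuthentication file had to spell out "The port refers to the port of the workload, not the port of the Kubernetes service" precisely because the two differ, so the same statement belongs here on the shared type.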
@ -107,55 +100,47 @@ spec:
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PolicyTargetReference-group">
<td><code><a href="#PolicyTargetReference-group">group</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-group">group</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>group is the group of the target resource.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PolicyTargetReference-kind">
<td><code><a href="#PolicyTargetReference-kind">kind</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-kind">kind</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>kind is kind of the target resource.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="PolicyTargetReference-name">
<td><code><a href="#PolicyTargetReference-name">name</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-name">name</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>name is the name of the target resource.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="PolicyTargetReference-namespace">
<td><code><a href="#PolicyTargetReference-namespace">namespace</a></code></td>
<td><code>string</code></td>
<td><div class="field"><div class="name"><code><a href="#PolicyTargetReference-namespace">namespace</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>namespace is the namespace of the referent. When unspecified, the local
namespace is inferred.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
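Review bot: the four `PolicyTargetReference` descriptions are tautologies ("kind is kind of the target resource.", "group is the group of the target resource.") and start in lower case, unlike every other description on the page; each should name the accepted values or link to the list that the RequestAuthentication `targetRefs` row introduces with "Currently, the following resource attachment types are supported:". The `namespace` row says the local namespace is inferred when unspecified but not whether a reference into another namespace is honoured at all; for a field that decides which workloads a security policy attaches to, the cross-namespace rule (allowed, denied, or requires the target to opt in) needs to be stated.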