From 675a2183a7724020f71b3098f5a9ed2c7b91ac7e Mon Sep 17 00:00:00 2001 
From: Istio Automation Date: Mon, 16 Dec 2024 21:13:58 -0500 Subject: [PATCH] Automator: update istio.io@ reference docs (#16106) --- .../config/istio.analysis.v1alpha1/index.html | 430 +- .../config/istio.mesh.v1alpha1/index.html | 7680 ++++++++--------- .../docs/reference/config/labels/index.html | 23 + .../meta/v1beta1/istio-status/index.html | 76 +- .../networking/destination-rule/index.html | 2586 +++--- .../config/networking/envoy-filter/index.html | 1050 +-- .../config/networking/gateway/index.html | 209 +- .../config/networking/proxy-config/index.html | 46 +- .../networking/service-entry/index.html | 387 +- .../config/networking/sidecar/index.html | 248 +- .../networking/virtual-service/index.html | 1541 ++-- .../networking/workload-entry/index.html | 58 +- .../networking/workload-group/index.html | 280 +- .../proxy_extensions/wasm-plugin/index.html | 246 +- .../security/authorization-policy/index.html | 917 +- .../security/peer_authentication/index.html | 40 +- .../request_authentication/index.html | 160 +- .../reference/config/telemetry/index.html | 994 +-- .../config/type/workload-selector/index.html | 57 +- .../config/istio.analysis.v1alpha1/index.html | 430 +- .../config/istio.mesh.v1alpha1/index.html | 7680 ++++++++--------- .../docs/reference/config/labels/index.html | 23 + .../meta/v1beta1/istio-status/index.html | 76 +- .../networking/destination-rule/index.html | 2586 +++--- .../config/networking/envoy-filter/index.html | 1050 +-- .../config/networking/gateway/index.html | 209 +- .../config/networking/proxy-config/index.html | 46 +- .../networking/service-entry/index.html | 387 +- .../config/networking/sidecar/index.html | 248 +- .../networking/virtual-service/index.html | 1541 ++-- .../networking/workload-entry/index.html | 58 +- .../networking/workload-group/index.html | 280 +- .../proxy_extensions/wasm-plugin/index.html | 246 +- .../security/authorization-policy/index.html | 917 +- .../security/peer_authentication/index.html | 40 +- 
.../request_authentication/index.html | 160 +- .../reference/config/telemetry/index.html | 994 +-- .../config/type/workload-selector/index.html | 57 +- 38 files changed, 15248 insertions(+), 18808 deletions(-) diff --git a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html index d8746cc5ad..4d43621c47 100644 --- a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -20,216 +20,42 @@ messages. All information should be static with respect to the error code.

Field -Type Description -Required -type -Type +
+ +
- -No - -level -Level +
+ +

Represents how severe a message is. Required.

- - -No -documentationUrl -string +
+
string
+

A url pointing to the Istio documentation for this specific error type. Should be of the form ^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/ Required.

- - -No -

AnalysisMessageWeakSchema

-
-

AnalysisMessageWeakSchema is the set of information that’s needed to define a -weakly-typed schema. The purpose of this proto is to provide a mechanism for -validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make -sure that we don’t allow committing underspecified types.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
messageBaseAnalysisMessageBase -

Required

- -
-No -
descriptionstring -

A human readable description of what the error means. Required.

- -
-No -
templatestring -

A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) -defining how to combine the args for a particular message into a log line. -Required.

- -
-No -
argsArgType[] -

A description of the arguments for a particular message type

- -
-No -
-
-

GenericAnalysisMessage

-
-

GenericAnalysisMessage is an instance of an AnalysisMessage defined by a -schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code -should be able to perform validation of arguments as needed by using the -message type information to look at the AnalysisMessageWeakSchema and examine the -list of args at runtime. Developers can also create stronger-typed versions -of GenericAnalysisMessage for well-known and stable message types.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
messageBaseAnalysisMessageBase -

Required

- -
-No -
argsStruct -

Any message-type specific arguments that need to get codified. Optional.

- -
-No -
resourcePathsstring[] -

A list of strings specifying the resource identifiers that were the cause -of message generation. A “path” here is a (NAMESPACE/)?RESOURCETYPE/NAME -tuple that uniquely identifies a particular resource. There doesn’t seem to -be a single concept for this, but this is intuitively taken from -https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology -At least one is required.

- -
-No -
-
-

InternalErrorAnalysisMessage

-
-

InternalErrorAnalysisMessage is a strongly-typed message representing some -error in Istio code that prevented us from performing analysis at all.

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
messageBaseAnalysisMessageBase -

Required

- -
-No -
detailstring -

Any detail regarding specifics of the error. Should be human-readable.

- -
-No -
-
-

AnalysisMessageBase.Type

+

Type

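Review bot: the AnalysisMessageBase table in this hunk loses both its Type and Required columns, and the removed Required column read "No" for `type`, `level` and `documentationUrl` even though each description ends with "Required." (e.g. "Represents how severe a message is. Required."); dropping the column removes that contradiction, but required-ness now lives only in free text, so confirm the generator emits the inline marker consistently. The same hunk also deletes the AnalysisMessageWeakSchema, GenericAnalysisMessage and InternalErrorAnalysisMessage tables outright with no replacement inside the hunk; they must be reinstated later in the file or those three message types lose their reference documentation.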
A unique identifier for the type of message. Name is intended to be human-readable, code is intended to be machine readable. There should be a @@ -240,82 +66,36 @@ codes between message types.)

Field -Type Description -Required -name -string +
+
string
+

A human-readable name for the message type. e.g. “InternalError”, “PodMissingProxy”. This should be the same for all messages of the same type. Required.

- - -No -code -string +
+
string
+

A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify the message type. (e.g. “IST0001” is mapped to the “InternalError” message type.) 0000-0100 are reserved. Required.

- - -No
-

AnalysisMessageWeakSchema.ArgType

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

Required

- -
-No -
goTypestring -

Required. Should be a golang type, used in code generation. -Ideally this will change to a less language-pinned type before this gets -out of alpha, but for compatibility with current istio/istio code it’s -go_type for now.

- -
-No -
-
-

AnalysisMessageBase.Level

+

Level

The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later

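Review bot: this hunk removes the AnalysisMessageWeakSchema.ArgType table together with its fully qualified heading and adds no replacement within the hunk; if the generator now nests ArgType under its parent message with a shorter heading, any in-page anchor or external link that targeted the old "AnalysisMessageWeakSchema.ArgType" heading will break, so the heading id (or a redirect) should be kept. The `name` and `code` rows for AnalysisMessageBase.Type keep their inline "Required." sentences, which is now the only required marker left once the Required column is gone.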
@@ -353,3 +133,179 @@ as well as leaving space in between to add more later

+

AnalysisMessageWeakSchema

+
+

AnalysisMessageWeakSchema is the set of information that’s needed to define a +weakly-typed schema. The purpose of this proto is to provide a mechanism for +validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make +sure that we don’t allow committing underspecified types.

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+

Required

+ +
+
string
+
+

A human readable description of what the error means. Required.

+ +
+
string
+
+

A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) +defining how to combine the args for a particular message into a log line. +Required.

+ +
+

A description of the arguments for a particular message type

+ +
+
+

ArgType

+
+ + + + + + + + + + + + + + + + + +
FieldDescription
+
string
+
+

Required

+ +
+
string
+
+

Should be a golang type, used in code generation. +Ideally this will change to a less language-pinned type before this gets +out of alpha, but for compatibility with current istio/istio code it’s +go_type for now.

+ +
+
+

GenericAnalysisMessage

+
+

GenericAnalysisMessage is an instance of an AnalysisMessage defined by a +schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code +should be able to perform validation of arguments as needed by using the +message type information to look at the AnalysisMessageWeakSchema and examine the +list of args at runtime. Developers can also create stronger-typed versions +of GenericAnalysisMessage for well-known and stable message types.

+ + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+

Required

+ +
+

Any message-type specific arguments that need to get codified. Optional.

+ +
+
string[]
+
+

A list of strings specifying the resource identifiers that were the cause +of message generation. A “path” here is a (NAMESPACE/)?RESOURCETYPE/NAME +tuple that uniquely identifies a particular resource. There doesn’t seem to +be a single concept for this, but this is intuitively taken from +https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology +At least one is required.

+ +
+
+

InternalErrorAnalysisMessage

+
+

InternalErrorAnalysisMessage is a strongly-typed message representing some +error in Istio code that prevented us from performing analysis at all.

+ + + + + + + + + + + + + + + + + + +
FieldDescription
+

Required

+ +
+
string
+
+

Any detail regarding specifics of the error. Should be human-readable.

+ +
+
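Review bot: in the re-added ArgType table, the `goType` description drops its leading "Required." (old: "Required. Should be a golang type, used in code generation."; new: "Should be a golang type, used in code generation.") while `name` keeps a standalone "Required" line; since the Required column is gone as well, `goType` no longer states anywhere whether it is mandatory. Suggest restoring the marker so the weak-schema contract described above (messages.yaml must not commit underspecified types) stays documented. The re-added GenericAnalysisMessage and InternalErrorAnalysisMessage tables otherwise match the text deleted earlier in this file, so this is a move plus column removal rather than a content rewrite.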
diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html index 461fb74d8d..244c97d4a0 100644 --- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -19,110 +19,93 @@ number_of_entries: 78 Field -Type Description -Required -proxyListenPort -int32 +
+
int32
+

Port on which Envoy should listen for all outbound traffic to other services. Default port is 15001.

- - -No -proxyInboundListenPort -int32 +
+
int32
+

Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. Default port is 15006.

- - -No -proxyHttpPort -int32 +
+
int32
+

Port on which Envoy should listen for HTTP PROXY requests if set.

- - -No -connectTimeout -Duration +
+ +

Connection timeout used by Envoy. (MUST be >=1ms) Default timeout is 10s.

- - -No -tcpKeepalive -TcpKeepalive +
+ +

If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

- - -No -ingressClass -string +
+
string
+

Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of kubernetes.io/ingress.class annotation.

- - -No -ingressService -string +
+
string
+

Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value istio-ingressgateway is used.

- - -No -ingressControllerMode -IngressControllerMode +
+ +

Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is STRICT.

- - -No -ingressSelector -string +
+
string
+

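Review bot: in the new MeshConfig rows only primitive types survive as text on the `+` lines (`int32`, `string`), while message- and enum-typed fields such as `connectTimeout` (Duration), `tcpKeepalive` (TcpKeepalive) and `ingressControllerMode` (IngressControllerMode) show an empty line where the type used to be; if the generator now renders those types only as links, the stripped text here cannot confirm it, so check the rendered page still shows a type for every non-primitive field. A pre-existing wording defect in unchanged context is also worth fixing in the generator while this file is being regenerated: "Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to" is a run-on and could read "Port on which Envoy listens for all inbound traffic to the pod/VM".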
Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. @@ -130,90 +113,76 @@ By default, ingressgateway is used, which will select the default I istio: ingressgateway labels. It is recommended that this is the same value as ingressService.

- - -No -enableTracing -bool +
+
bool
+

Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

- - -No -accessLogFile -string +
+
string
+

File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

- - -No -accessLogFormat -string +
+
string
+

Format for the proxy access log Empty value results in proxy’s default access log format

- - -No -accessLogEncoding -AccessLogEncoding +
+ +

Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.

- - -No -enableEnvoyAccessLogService -bool +
+
bool
+

This flag enables Envoy’s gRPC Access Log Service. See Access Log Service for details about Envoy’s gRPC Access Log Service API. Default value is false.

- - -No -disableEnvoyListenerLog -bool +
+
bool
+

This flag disables Envoy Listener logs. See Listener Access Log Istio Enables Envoy’s listener access logs on “NoRoute” response flag. Default value is false.

- - -No -defaultConfig -ProxyConfig +
+ +

Default proxy config used by gateway and sidecars. In case of Kubernetes, the proxy config is applied once during the injection process, @@ -221,14 +190,12 @@ and remain constant for the duration of the pod. The rest of the mesh config can at runtime and config gets distributed dynamically. On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

- - -No -outboundTrafficPolicy -OutboundTrafficPolicy +
+ +

Set the default behavior of the sidecar for handling outbound traffic from the application.

@@ -236,40 +203,34 @@ traffic from the application.

Sidecar API.

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

- - -No -inboundTrafficPolicy -InboundTrafficPolicy +
+ +

Set the default behavior of the sidecar for handling inbound traffic to the application. If your application listens on localhost, you will need to set this to LOCALHOST.

- - -No -configSources -ConfigSource[] +
+ +

ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.

- - -No -enableAutoMtls -BoolValue +
+ +

This flag is used to enable mutual TLS automatically for service to service communication within the mesh, default true. @@ -283,26 +244,22 @@ If the upstream authentication policy is in PERMISSIVE mode, Istio configures cl mutual TLS when server sides are capable of accepting mutual TLS traffic. If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

- - -No -trustDomain -string +
+
string
+

The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID

- - -No -trustDomainAliases -string[] +
+
string[]
+

The trust domain aliases represent the aliases of trustDomain. For example, if we have

@@ -312,28 +269,24 @@ trustDomainAliases: ["td2", "td3"]

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

- - -No -caCertificates -CertificateData[] +
+ +

The extra root certificates for workload-to-workload communication. The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

- - -No -defaultServiceExportTo -string[] +
+
string[]
+

The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to @@ -357,42 +310,36 @@ namespace.

For further discussion see the reference documentation for ServiceEntry, Sidecar, and Gateway.

- - -No -defaultVirtualServiceExportTo -string[] +
+
string[]
+

The default value for the VirtualService.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use “*” as the default value which implies that virtual services are exported to all namespaces

- - -No -defaultDestinationRuleExportTo -string[] +
+
string[]
+

The default value for the DestinationRule.exportTo field. Has the same syntax as defaultServiceExportTo.

If not set the system will use “*” as the default value which implies that destination rules are exported to all namespaces

- - -No -rootNamespace -string +
+
string
+

The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for @@ -402,54 +349,46 @@ namespace is processed as if it were declared in the leaf namespace.

The precise semantics of this processing are documented on each resource type.

- - -No -localityLbSetting -LocalityLoadBalancerSetting +
+ +

Locality based load balancing distribution or failover settings. If unspecified, locality based load balancing will be enabled by default. However, this requires outlierDetection to actually take effect for a particular service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/

- - -No -dnsRefreshRate -Duration +
+ +

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 60s.

- - -No -h2UpgradePolicy -H2UpgradePolicy +
+ +

Specify if http1.1 connections should be upgraded to http2 by default. if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

- - -No -inboundClusterStatName -string +
+
string
+

Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. @@ -470,14 +409,12 @@ For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local%SERVICE% will use reviews.prod as the stats name. - - -No -outboundClusterStatName -string +

+
string
+

Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. @@ -498,14 +435,12 @@ For example outbound|8080|v2|reviews.prod.svc.cluster.local. This c

  • %SERVICE% will use reviews.prod as the stats name.
  • - - -No -enablePrometheusMerge -BoolValue +
    + +

    If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod @@ -517,37 +452,31 @@ In this case, it is recommended to disable aggregation on that deployment with t prometheus.istio.io/merge-metrics: "false" annotation. If not specified, this will be enabled by default.

    - - -No -extensionProviders -ExtensionProvider[] +
    + +

    Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.

    - - -No -defaultProviders -DefaultProviders +
    + +

    Specifies extension providers to use by default in Istio configuration resources.

    - - -No -discoverySelectors -LabelSelector[] +
    + +

    A list of Kubernetes selectors that specify the set of namespaces that Istio considers when computing configuration updates for sidecars. This can be used to reduce Istio’s computational load @@ -573,14 +502,12 @@ The following example selects any namespace that matches either below:

    Refer to the Kubernetes selector docs for additional detail on selector semantics.

    - - -No -pathNormalization -ProxyPathNormalization +
    + +

    ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. @@ -590,14 +517,12 @@ authorization policy match and enforcement in inbound direction (server proxy), path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used.

    - - -No -defaultHttpRetryPolicy -HTTPRetry +
    + +

    Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: @@ -608,14 +533,12 @@ API. All settings in the retry policy except perTryTimeout can currently be configured globally via this field.

    - - -No -meshMTLS -TLSConfig +
    + +

    The below configuration parameters can be used to specify TLSConfig for mesh traffic. For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:

    @@ -631,184 +554,23 @@ For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and sp

    Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.

    Note: Mesh mTLS does not respect ECDH curves.

    - - -No -tlsDefaults -TLSConfig +
    + +

    Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.

    - - -No -

    LabelSelector

    -
    -

    A label selector requirement is a selector that contains values, a key, and an operator that -relates the key and values. -Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchLabelsmap<string, string> -

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is “key”, the -operator is “In”, and the values array contains only “value”. The requirements are ANDed.

    - -
    -No -
    matchExpressionsLabelSelectorRequirement[] -

    matchExpressions is a list of label selector requirements. The requirements are ANDed.

    - -
    -No -
    -
    -

    LabelSelectorRequirement

    -
    -

    A label selector requirement is a selector that contains values, a key, and an operator that -relates the key and values. -Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    keystring -

    key is the label key that the selector applies to.

    - -
    -No -
    operatorstring -

    operator represents a key’s relationship to a set of values. -Valid operators are In, NotIn, Exists and DoesNotExist.

    - -
    -No -
    valuesstring[] -

    values is an array of string values. If the operator is In or NotIn, -the values array must be non-empty. If the operator is Exists or DoesNotExist, -the values array must be empty. This array is replaced during a strategic -merge patch.

    - -
    -No -
    -
    -

    ConfigSource

    -
    -

    ConfigSource describes information about a configuration store inside a -mesh. A single control plane instance can interact with one or more data -sources.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of the server implementing the Istio Mesh Configuration -protocol (MCP). Can be IP address or a fully qualified DNS name. -Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or -fs:/// to specify a file-based backend with absolute path to the directory.

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. If the MCP server -uses Istio mutual TLS and shares the root CA with istiod, specify the TLS -mode as ISTIO_MUTUAL.

    - -
    -No -
    subscribedResourcesResource[] -

    Describes the source of configuration, if nothing is specified default is MCP

    - -
    -No -
    -
    -

    MeshConfig.OutboundTrafficPolicy

    +

    OutboundTrafficPolicy

    OutboundTrafficPolicy sets the default behavior of the sidecar for handling unknown outbound traffic from the application.

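Review bot: this hunk deletes the LabelSelector, LabelSelectorRequirement and ConfigSource tables (184 lines removed, 23 added) and the visible `+` lines only cover the OutboundTrafficPolicy heading; the ConfigSource table carries guidance that matters for a securely configured control plane (the `xds://`, `k8s://` and `fs:///` address schemes, and "If the MCP server uses Istio mutual TLS and shares the root CA with istiod, specify the TLS mode as ISTIO_MUTUAL"), so confirm these tables are re-emitted later in the file rather than dropped.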
    @@ -817,3787 +579,21 @@ handling unknown outbound traffic from the application.

    Field -Type Description -Required -mode -Mode + - -No -
    -

    MeshConfig.InboundTrafficPolicy

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeMode - -No -
    -
    -

    MeshConfig.CertificateData

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pemstring (oneof) -

    The PEM data of the certificate.

    - -
    -No -
    spiffeBundleUrlstring (oneof) -

    The SPIFFE bundle endpoint URL that complies to: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle -The endpoint should support authentication based on Web PKI: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki -The certificate is retrieved from the endpoint.

    - -
    -No -
    certSignersstring[] -

    Optional. Specify the kubernetes signers (External CA) that use this trustAnchor -when Istiod is acting as RA(registration authority) -If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

    - -
    -No -
    trustDomainsstring[] -

    Optional. Specify the list of trust domains to which this trustAnchor data belongs. -If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain -and its aliases. -Note that we can have multiple trustAnchor data for a same trustDomain. -In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. -If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. -If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. -If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. -If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.

    - -
    -No -
    -
    -

    MeshConfig.CA

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    REQUIRED. Address of the CA server implementing the Istio CA gRPC API. -Can be IP address or a fully qualified DNS name with port -Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. -Regarding tlsSettings:

    -
      -
    • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. -DISABLE MODE can also be used for testing
    • -
    • TLS MUTUAL MODE be on by default. If the CA certificates -(cert bundle to verify the CA server’s certificate) is omitted, Istiod will -use the system root certs to verify the CA server’s certificate.
    • -
    - -
    -No -
    requestTimeoutDuration -

    timeout for forward CSR requests from Istiod to External CA -Default: 10s

    - -
    -No -
    istiodSidebool -

    Use istiodSide to specify CA Server integrate to Istiod side or Agent side -Default: true

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    REQUIRED. A unique name identifying the extension provider.

    - -
    -No -
    envoyExtAuthzHttpEnvoyExternalAuthorizationHttpProvider (oneof) -

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

    - -
    -No -
    envoyExtAuthzGrpcEnvoyExternalAuthorizationGrpcProvider (oneof) -

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

    - -
    -No -
    zipkinZipkinTracingProvider (oneof) -

    Configures a tracing provider that uses the Zipkin API.

    - -
    -No -
    datadogDatadogTracingProvider (oneof) -

    Configures a Datadog tracing provider.

    - -
    -No -
    skywalkingSkyWalkingTracingProvider (oneof) -

    Configures a Apache SkyWalking provider.

    - -
    -No -
    opentelemetryOpenTelemetryTracingProvider (oneof) -

    Configures an OpenTelemetry tracing provider.

    - -
    -No -
    prometheusPrometheusMetricsProvider (oneof) -

    Configures a Prometheus metrics provider.

    - -
    -No -
    envoyFileAccessLogEnvoyFileAccessLogProvider (oneof) -

    Configures an Envoy File Access Log provider.

    - -
    -No -
    envoyHttpAlsEnvoyHttpGrpcV3LogProvider (oneof) -

    Configures an Envoy Access Logging Service provider for HTTP traffic.

    - -
    -No -
    envoyTcpAlsEnvoyTcpGrpcV3LogProvider (oneof) -

    Configures an Envoy Access Logging Service provider for TCP traffic.

    - -
    -No -
    envoyOtelAlsEnvoyOpenTelemetryLogProvider (oneof) -

    Configures an Envoy Open Telemetry Access Logging Service provider.

    - -
    -No -
    -
    -

    MeshConfig.DefaultProviders

    -
    -

    Holds the name references to the providers that will be used by default -in other Istio configuration resources if the provider is not specified.

    -

    These names must match a provider defined in extensionProviders that is -one of the supported tracing providers.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    tracingstring[] -

    Name of the default provider(s) for tracing.

    - -
    -No -
    metricsstring[] -

    Name of the default provider(s) for metrics.

    - -
    -No -
    accessLoggingstring[] -

    Name of the default provider(s) for access logging.

    - -
    -No -
    -
    -

    MeshConfig.ProxyPathNormalization

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    normalizationNormalizationType - -No -
    -
    -

    MeshConfig.TLSConfig

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    minProtocolVersionTLSProtocol -

    Optional: the minimum TLS protocol version. The default minimum -TLS version will be TLS 1.2. As servers may not be Envoy and be -set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the -minimum TLS version for clients may also be TLS 1.2. -In the current Istio implementation, the maximum TLS protocol version -is TLS 1.3.

    - -
    -No -
    ecdhCurvesstring[] -

    Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. -If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to -Ecdh Curves.

    - -
    -No -
    cipherSuitesstring[] -

    Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. -If not specified, the following cipher suites will be used:

    -
    ECDHE-ECDSA-AES256-GCM-SHA384
    -ECDHE-RSA-AES256-GCM-SHA384
    -ECDHE-ECDSA-AES128-GCM-SHA256
    -ECDHE-RSA-AES128-GCM-SHA256
    -AES256-GCM-SHA384
    -AES128-GCM-SHA256
    -
    - -
    -No -
    -
    -

    MeshConfig.ServiceSettings.Settings

    -
    -

    Settings for the selected services.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    clusterLocalbool -

    If true, specifies that the client and service endpoints must reside in the same cluster. -By default, in multi-cluster deployments, the Istio control plane assumes all service -endpoints to be reachable from any client in any of the clusters which are part of the -mesh. This configuration option limits the set of service endpoints visible to a client -to be cluster scoped.

    -

    There are some common scenarios when this can be useful:

    -
      -
    • A service (or group of services) is inherently local to the cluster and has local storage -for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
    • -
    • A mesh administrator wants to slowly migrate services to Istio. They might start by first -having services cluster-local and then slowly transition them to mesh-wide. They could do -this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group -(e.g. *.myns.svc.cluster.local).
    • -
    -

    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all -services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    maxRequestBytesuint32 -

    Sets the maximum size of a message body that the ext-authz filter will hold in memory. -If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). -Otherwise the request will be sent to the provider with a partial message. -Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the -failOpen is set to true.

    - -
    -No -
    allowPartialMessagebool -

    When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. -The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. -A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message -indicating if the body data is partial.

    - -
    -No -
    packAsBytesbool -

    If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes -in the raw_body field. -Otherwise, it will be filled with UTF-8 string in the body field. -This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.

    - -
    -No -
    -
    -
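Review bot: the allowPartialMessage entry should spell out that the truncated body is a decision input the provider has to handle: the text says the check is dispatched with a partial body and only the "x-envoy-auth-partial-body: false|true" header marks it, so an authorization service that ignores that header decides on incomplete data. Suggest one sentence recommending that providers treat a true value as incomplete input and fail closed. The maxRequestBytes entry already states its 413 takes precedence over failOpen, but failOpen is documented in a different table, so a cross-reference to the provider's failOpen field would help.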

    MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    timeoutDuration -

    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. -In this situation, the response sent back to the client will depend on the configured failOpen field.

    - -
    -No -
    pathPrefixstring -

    Sets a prefix to the value of authorization request header Path. -For example, setting this to “/check” for an original user request at path “/admin” will cause the -authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

    - -
    -No -
    failOpenbool -

    If true, the user request will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. -Default is false and the request will be rejected with “Forbidden” response.

    - -
    -No -
    clearRouteCachebool -

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. -If true, recalculate routes with the new ExtAuthZ added/removed headers. -Default is false

    - -
    -No -
    statusOnErrorstring -

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

    - -
    -No -
    includeRequestHeadersInCheckstring[] -

    List of client request headers that should be included in the authorization request sent to the authorization service. -Note that in addition to the headers specified here following headers are included by default:

    -
      -
    1. Host, Method, Path and Content-Length are automatically sent.
    2. -
    3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization -request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), -consequently the value of Content-Length of the authorization request reflects the size of its payload size.
    4. -
    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    includeAdditionalHeadersInCheckmap<string, string> -

    Set of additional fixed headers that should be included in the authorization request sent to the authorization service. -Key is the header name and value is the header value. -Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.

    - -
    -No -
    includeRequestBodyInCheckEnvoyExternalAuthorizationRequestBody -

    If set, the client request body will be included in the authorization request sent to the authorization service.

    - -
    -No -
    headersToUpstreamOnAllowstring[] -

    List of headers from the authorization service that should be added or overridden in the original request and -forwarded to the upstream when the authorization check result is allowed (HTTP code 200). -If not specified, the original request will not be modified and forwarded to backend as-is. -Note, any existing headers will be overridden.

    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    headersToDownstreamOnDenystring[] -

    List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is not allowed (HTTP code other than 200). -If not specified, all the authorization response headers, except Authority (Host) will be in the response to -the downstream. -When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are -automatically added. -Note, the body from the authorization service is always included in the response to downstream.

    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    headersToDownstreamOnAllowstring[] -

    List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is allowed (HTTP code 200). -If not specified, the original response will not be modified and forwarded to downstream as-is. -Note, any existing headers will be overridden.

    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    includeHeadersInCheckstring[] -

    DEPRECATED. Use includeRequestHeadersInCheck instead.

    - -
    -No -
    -
    -
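Review bot: the service and port entries are described as "REQUIRED." while the Required column shows "No" for both; the same mismatch repeats in every provider table in this file, so either the column should be generated from the proto's required annotation or the "REQUIRED." prefix dropped. In includeRequestHeadersInCheck the default-headers list renders with empty items 2 and 4, and "consequently the value of Content-Length of the authorization request reflects the size of its payload size" doubles "size". The statusOnError entry ("Sets the HTTP status that is returned to the client when there is a network error to the authorization service") should cross-reference failOpen, which says the request is allowed when that communication fails, so readers know which setting wins. The "Exact, prefix and suffix matches are supported" block is repeated verbatim for four fields; a single shared paragraph referenced from each would be easier to keep consistent.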

    MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    timeoutDuration -

    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. -In this situation, the response sent back to the client will depend on the configured failOpen field.

    - -
    -No -
    failOpenbool -

    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. -Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

    - -
    -No -
    clearRouteCachebool -

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. -If true, recalculate routes with the new ExtAuthZ added/removed headers. -Default is false

    - -
    -No -
    statusOnErrorstring -

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

    - -
    -No -
    includeRequestBodyInCheckEnvoyExternalAuthorizationRequestBody -

    If set, the client request body will be included in the authorization request sent to the authorization service.

    - -
    -No -
    -
    -
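Review bot: the timeout sentence "The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s)." is a comma splice; suggest "The maximum duration the proxy waits for a response from the provider for a single request (default: 600s)." The failOpen entry here documents TCP behaviour ("For TCP connection, it will be closed immediately") but the HTTP provider's failOpen does not mention TCP at all; if the HTTP provider only handles HTTP traffic that difference should be stated. In clearRouteCache (here and in the HTTP provider) "If true" is repeated in consecutive sentences and "Default is false" lacks a period.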

    MeshConfig.ExtensionProvider.ZipkinTracingProvider

    -
    -

    Defines configuration for a Zipkin tracer.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that the Zipkin API. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    enable64bitTraceIdbool -

    Optional. A 128 bit trace id will be used in Istio. -If true, will result in a 64 bit trace id being used.

    - -
    -No -
    pathstring -

    Optional. Specifies the endpoint of Zipkin API. -The default value is “/api/v2/spans”.

    - -
    -No -
    -
    -
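Review bot: "REQUIRED. Specifies the service that the Zipkin API." is missing its verb; suggest "Specifies the service that implements the Zipkin API." The enable64bitTraceId entry reads "A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used." and would be clearer leading with the default: "By default Istio uses 128-bit trace ids; if true, 64-bit trace ids are used instead."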

    MeshConfig.ExtensionProvider.LightstepTracingProvider

    -
    -

    Defines configuration for a Lightstep tracer. -Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ -will generate OpenTelemetry-compatible configuration when using this option.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the Lightstep collector. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    accessTokenstring -

    The Lightstep access token.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.DatadogTracingProvider

    -
    -

    Defines configuration for a Datadog tracer.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the Datadog agent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.SkyWalkingTracingProvider

    -
    -

    Defines configuration for a SkyWalking tracer.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the SkyWalking receiver. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    accessTokenstring -

    Optional. The SkyWalking OAP access token.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.StackdriverProvider

    -
    -

    Defines configuration for Stackdriver.

    -

    WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used -alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus -driver in Envoy.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    loggingLogging -

    Optional. Controls Stackdriver logging behavior.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider

    -
    -

    Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

    -

    WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of -OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation -in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration -may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider -configuration MUST be accompanied by a restart of all proxies that will use that configuration.

    -

    NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used -alongside OpenCensus provider configuration.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the OpenCensusAgent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    contextTraceContext[] -

    Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will -write all headers.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.PrometheusMetricsProvider

    -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider

    -
    -

    Defines configuration for Envoy-based access logging that writes to -local files (and/or standard streams).

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pathstring -

    Path to a local file to write the access log entries. -This may be used to write to streams, via /dev/stderr and /dev/stdout -If unspecified, defaults to /dev/stdout.

    - -
    -No -
    logFormatLogFormat -

    Optional. Allows overriding of the default access log format.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider

    -
    -

    Defines configuration for an Envoy Access Logging Service -integration for HTTP traffic.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    logNamestring -

    Optional. The friendly name of the access log. -Defaults:

    -
      -
    • “http_envoy_accesslog”
    • -
    • “listener_envoy_accesslog”
    • -
    - -
    -No -
    filterStateObjectsToLogstring[] -

    Optional. Additional filter state objects to log.

    - -
    -No -
    additionalRequestHeadersToLogstring[] -

    Optional. Additional request headers to log.

    - -
    -No -
    additionalResponseHeadersToLogstring[] -

    Optional. Additional response headers to log.

    - -
    -No -
    additionalResponseTrailersToLogstring[] -

    Optional. Additional response trailers to log.

    - -
    -No -
    -
    -
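Review bot: "Specifies the service that implements the Envoy ALS gRPC authorization service" is a copy-paste from the ext_authz providers; ALS is the access log service, not an authorization service, so it should read "the Envoy ALS gRPC access log service". The same sentence appears unchanged in the EnvoyTcpGrpcV3LogProvider and EnvoyOpenTelemetryLogProvider tables below. The logName default list also renders with empty bullets between its entries, and "Defaults:" lists two names without saying which applies to HTTP and which to listener-level logs.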

    MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider

    -
    -

    Defines configuration for an Envoy Access Logging Service -integration for TCP traffic.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    logNamestring -

    Optional. The friendly name of the access log. -Defaults:

    -
      -
    • “tcp_envoy_accesslog”
    • -
    • “listener_envoy_accesslog”
    • -
    - -
    -No -
    filterStateObjectsToLogstring[] -

    Optional. Additional filter state objects to log.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider

    -
    -

    Defines configuration for an Envoy OpenTelemetry (gRPC) Access Log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    logNamestring -

    Optional. The friendly name of the access log. -Defaults:

    -
      -
    • “otel_envoy_accesslog”
    • -
    - -
    -No -
    logFormatLogFormat -

    Optional. Format for the proxy access log -Empty value results in proxy’s default access log format, following Envoy access logging formatting.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider

    -
    -

    Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “otlp.default.svc.cluster.local” or “bar/otlp.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    httpHttpService -

    Optional. Specifies the configuration for exporting OTLP traces via HTTP. -When empty, traces will be exported via gRPC.

    -

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:

    -
      -
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. -
    -
    - name: otel-tracing
    -  opentelemetry:
    -    port: 443
    -    service: my.olly-backend.com
    -    http:
    -      path: "/api/otlp/traces"
    -      timeout: 10s
    -      headers:
    -      - name: "my-custom-header"
    -        value: "some value"
    -
    -
      -
    1. Deploy a ServiceEntry for the observability back-end
    2. -
    -
    apiVersion: networking.istio.io/v1alpha3
    -kind: ServiceEntry
    -metadata:
    -  name: my-olly-backend
    -spec:
    -  hosts:
    -  - my.olly-backend.com
    -  ports:
    -  - number: 443
    -    name: https-port
    -    protocol: HTTPS
    -  resolution: DNS
    -  location: MESH_EXTERNAL
    ----
    -apiVersion: networking.istio.io/v1alpha3
    -kind: DestinationRule
    -metadata:
    -  name: my-olly-backend
    -spec:
    -  host: my.olly-backend.com
    -  trafficPolicy:
    -    portLevelSettings:
    -    - port:
    -        number: 443
    -      tls:
    -        mode: SIMPLE
    -
    - -
    -No -
    grpcGrpcService -

    Optional. Specifies the configuration for exporting OTLP traces via GRPC. -When empty, traces will check whether HTTP is set. -If not, traces will use default GRPC configurations.

    -

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:

    -
      -
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. -
    -
    - name: opentelemetry
    -  opentelemetry:
    -    port: 8090
    -    service: tracing.example.com
    -    grpc:
    -      timeout: 10s
    -      initialMetadata:
    -      - name: "Authentication"
    -        value: "token-xxxxx"
    -
    -
      -
    1. Deploy a ServiceEntry for the observability back-end
    2. -
    -
    apiVersion: networking.istio.io/v1alpha3
    -kind: ServiceEntry
    -metadata:
    -  name: tracing-grpc
    -spec:
    -  hosts:
    -  - tracing.example.com
    -  ports:
    -  - number: 8090
    -    name: grpc-port
    -    protocol: GRPC
    -  resolution: DNS
    -  location: MESH_EXTERNAL
    -
    - -
    -No -
    resourceDetectorsResourceDetectors -

    Optional. Specifies Resource Detectors -to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged -according to the OpenTelemetry Resource specification.

    -

    The following example shows how to configure the Environment Resource Detector, that will -read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:

    -
    - name: otel-tracing
    -  opentelemetry:
    -    port: 443
    -    service: my.olly-backend.com
    -    resourceDetectors:
    -      environment: {}
    -
    - -
    -No -
    dynatraceSamplerDynatraceSampler (oneof) -

    The Dynatrace adaptive traffic management (ATM) sampler.

    -

    Example configuration:

    -
    - name: otel-tracing
    -  opentelemetry:
    -    port: 443
    -    service: "{your-environment-id}.live.dynatrace.com"
    -    http:
    -      path: "/api/v2/otlp/v1/traces"
    -      timeout: 10s
    -      headers:
    -        - name: "Authorization"
    -          value: "Api-Token dt0c01."
    -    resourceDetectors:
    -      dynatrace: {}
    -    dynatraceSampler:
    -      tenant: "{your-environment-id}"
    -      clusterId: 1234
    - -
    -No -
    -
    -
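Review bot: both provider examples embed a credential inline in MeshConfig, the gRPC example's initialMetadata 'value: "token-xxxxx"' and the Dynatrace example's header 'value: "Api-Token dt0c01."'; the docs should label these values as placeholders and state plainly that the token is stored in the mesh configuration (and, per the DynatraceApi entry further down, is reused by the sampler), so operators know where the secret lives and can scope it accordingly. The grpc entry's "When empty, traces will check whether HTTP is set. If not, traces will use default GRPC configurations." should be rewritten as "When empty, the http configuration is used if set; otherwise the default gRPC configuration applies." Both step lists render as "1." followed by "1." rather than "1." and "2.", and the HTTP example's DestinationRule uses tls mode SIMPLE without saying how the back-end certificate is validated, which is worth a sentence given the exporter carries a token.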

    MeshConfig.ExtensionProvider.HttpService

    -
    -

    Defines configuration for an HTTP service that can be used by an Extension Provider. -that does communication via HTTP.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pathstring -

    REQUIRED. Specifies the path on the service.

    - -
    -No -
    timeoutDuration -

    Optional. Specifies the timeout for the HTTP request. -If not specified, the default is 3s.

    - -
    -No -
    headersHttpHeader[] -

    Optional. Allows specifying custom HTTP headers that will be added -to each HTTP request sent.

    - -
    -No -
    -
    -
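Review bot: the description "Defines configuration for an HTTP service that can be used by an Extension Provider. that does communication via HTTP." has a stray period splitting the sentence; suggest "...used by an Extension Provider that communicates via HTTP." The GrpcService table below has the same split sentence plus "an GRPC service". The timeout entry here states a 3s default while the GrpcService timeout states none; if a default exists it should be documented there as well.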

    MeshConfig.ExtensionProvider.HttpHeader

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    REQUIRED. The HTTP header name.

    - -
    -No -
    valuestring -

    REQUIRED. The HTTP header value.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.ResourceDetectors

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    environmentEnvironmentResourceDetector - -No -
    dynatraceDynatraceResourceDetector - -No -
    -
    -

    MeshConfig.ExtensionProvider.GrpcService

    -
    -

    Defines configuration for an GRPC service that can be used by an Extension Provider. -that does communication via GRPC.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    timeoutDuration -

    Optional. Specifies the timeout for the GRPC request.

    - -
    -No -
    initialMetadataHttpHeader[] -

    Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for -scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key”) are to -be injected.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.StackdriverProvider.Logging

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    labelsmap<string, string> -

    Collection of tag names and tag expressions to include in the log -entry. Conflicts are resolved by the tag name by overriding previously -supplied values.

    -

    Example: -labels: -path: request.url_path -foo: request.headers[‘x-foo’]

    - -
    -No -
    -
    -
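Review bot: the labels example uses typographic quotes, "foo: request.headers[‘x-foo’]", which will not parse as the YAML it is meant to show; it should use straight quotes, and the example should be a fenced block rather than inline so the key/value lines are not run together ("labels: path: request.url_path foo: ..."). The same curly quote appears in the LogFormat note below, "(’\n’)".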

    MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    textstring (oneof) -

    Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation -provides more information.

    -

    NOTE: Istio will insert a newline (’\n’) on all formats (if missing).

    -

    Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    - -
    -No -
    labelsStruct (oneof) -

    JSON structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). -Use labels: {} for default envoy JSON log format.

    -

    Example:

    -
    labels:
    -  status: "%RESPONSE_CODE%"
    -  message: "%LOCAL_REPLY_BODY%"
    -
    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    textstring -

    Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation -provides more information. -Alias to body field in Open Telemetry -Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    - -
    -No -
    labelsStruct -

    Optional. Additional attributes that describe the specific event occurrence. -Structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). -Alias to attributes field in Open Telemetry

    -

    Example:

    -
    labels:
    -  status: "%RESPONSE_CODE%"
    -  message: "%LOCAL_REPLY_BODY%"
    -
    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider.DynatraceSampler

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    tenantstring -

    REQUIRED. The Dynatrace customer’s tenant identifier.

    -

    The value can be obtained from the Istio deployment page in Dynatrace.

    - -
    -No -
    clusterIdint32 -

    REQUIRED. The identifier of the cluster in the Dynatrace platform. -The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.

    -

    The value can be obtained from the Istio deployment page in Dynatrace.

    - -
    -No -
    rootSpansPerMinuteuint32 -

    Optional. Number of sampled spans per minute to be used -when the adaptive value cannot be obtained from the Dynatrace API.

    -

    A default value of 1000 is used when:

    -
      -
    • rootSpansPerMinute is unset
    • -
    • rootSpansPerMinute is set to 0
    • -
    - -
    -No -
    httpServiceDynatraceApi -

    Optional. Dynatrace HTTP API to obtain sampling configuration.

    -

    When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter -(service, port and http), including the access token.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider.DynatraceSampler.DynatraceApi

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. -The format is <Hostname>, where <Hostname> is the fully qualified Dynatrace environment -host name defined in the ServiceEntry.

    -

    Example: “{your-environment-id}.live.dynatrace.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    httpHttpService -

    REQUIRED. Specifies sampling configuration URI.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.ResourceDetectors.EnvironmentResourceDetector

    -
    -

    OpenTelemetry Environment Resource Detector. -The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES -and adds them to the OpenTelemetry resource.

    -

    See: Resource specification

    - -
    -

    MeshConfig.ExtensionProvider.ResourceDetectors.DynatraceResourceDetector

    -
    -

    Dynatrace Resource Detector. -The resource detector reads from the Dynatrace enrichment files -and adds host/process related attributes to the OpenTelemetry resource.

    -

    See: Enrich ingested data with Dynatrace-specific dimensions

    - -
    -

    Tracing

    -
    -

    Tracing defines configuration for the tracing performed by Envoy instances.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    zipkinZipkin (oneof) -

    Use a Zipkin tracer.

    - -
    -No -
    datadogDatadog (oneof) -

    Use a Datadog tracer.

    - -
    -No -
    samplingdouble -

    The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, -if not requested by the client or not forced. Default is 1.0.

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. If the remote tracing service -uses Istio mutual TLS and shares the root CA with istiod, specify the TLS -mode as ISTIO_MUTUAL.

    - -
    -No -
    enableIstioTagsBoolValue -

    Determines whether or not trace spans generated by Envoy will include Istio specific tags. -By default Istio specific tags are included in the trace spans.

    - -
    -No -
    -
    -

    Topology

    -
    -

    Topology describes the configuration for relative location of a proxy with -respect to intermediate trusted proxies and the client. These settings -control how the client attributes are retrieved from the incoming traffic by -the gateway proxy and propagated to the upstream services in the cluster.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numTrustedProxiesuint32 -

    Number of trusted proxies deployed in front of the Istio gateway proxy. -When this option is set to value N greater than zero, the trusted client -address is assumed to be the Nth address from the right end of the -X-Forwarded-For (XFF) header from the incoming request. If the -X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the -gateway proxy falls back to using the immediate downstream connection’s -source address as the trusted client address. -Note that the gateway proxy will append the downstream connection’s source -address to the X-Forwarded-For (XFF) address and set the -X-Envoy-External-Address header to the trusted client address before -forwarding it to the upstream services in the cluster. -The default value of numTrustedProxies is 0. -See Envoy XFF -header handling for more details.

    - -
    -No -
    forwardClientCertDetailsForwardClientCertDetails -

    Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) -header in the incoming request.

    - -
    -No -
    proxyProtocolProxyProtocolConfiguration -

    Enables PROXY protocol for -downstream connections on a gateway.

    - -
    -No -
    -
    -

    PrivateKeyProvider

    -
    -

    PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured -mesh-wide or individual per-workload basis.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    cryptombCryptoMb (oneof) -

    Use CryptoMb private key provider

    - -
    -No -
    qatQAT (oneof) -

    Use QAT private key provider

    - -
    -No -
    -
    -

    ProxyConfig

    -
    -

    ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis -as well as by the mesh-wide defaults. -To set the mesh-wide defaults, configure the defaultConfig section of meshConfig. For example:

    -
    meshConfig:
    -  defaultConfig:
    -    discoveryAddress: istiod:15012
    -
    -

    This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod. For example:

    -
    annotations:
    -  proxy.istio.io/config: |
    -    discoveryAddress: istiod:15012
    -
    -

    If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. -This is different than a deep merge provided by protobuf. -For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider -such as "tracing": { "zipkin": { "address": "..." } }.

    -

    Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    configPathstring -

    Path to the generated configuration file directory. -Proxy agent generates the actual configuration and stores it in this directory.

    - -
    -No -
    binaryPathstring -

    Path to the proxy binary

    - -
    -No -
    serviceClusterstring (oneof) -

    Service cluster defines the name for the service_cluster that is -shared by all Envoy instances. This setting corresponds to ---service-cluster flag in Envoy. In a typical Envoy deployment, the -service-cluster flag is used to identify the caller, for -source-based routing scenarios.

    -

    Since Istio does not assign a local service/service version to each -Envoy instance, the name is same for all of them. However, the -source/caller’s identity (e.g., IP address) is encoded in the ---service-node flag when launching Envoy. When the RDS service -receives API calls from Envoy, it uses the value of the service-node -flag to compute routes that are relative to the service instances -located at that IP address.

    - -
    -No -
    tracingServiceNameTracingServiceName (oneof) -

    Used by Envoy proxies to assign the values for the service names in trace -spans.

    - -
    -No -
    drainDurationDuration -

    The time in seconds that Envoy will drain connections during a hot -restart. MUST be >=1s (e.g., 1s/1m/1h) -Default drain duration is 45s.

    - -
    -No -
    discoveryAddressstring -

    Address of the discovery service exposing xDS with mTLS connection. -The inject configuration may override this value.

    - -
    -No -
    statsdUdpAddressstring -

    IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

    - -
    -No -
    proxyAdminPortint32 -

    Port on which Envoy should listen for administrative commands. -Default port is 15000.

    - -
    -No -
    controlPlaneAuthPolicyAuthenticationPolicy -

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. -Default is set to MUTUAL_TLS.

    - -
    -No -
    customConfigFilestring -

    File path of custom proxy configuration, currently used by proxies -in front of istiod.

    - -
    -No -
    statNameLengthint32 -

    Maximum length of name field in Envoy’s metrics. The length of the name field -is determined by the length of a name field in a service and the set of labels that -comprise a particular version of the service. The default value is set to 189 characters. -Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. -Increase the value of this field if you find that the metrics from Envoys are truncated.

    - -
    -No -
    concurrencyInt32Value -

    The number of worker threads to run. -If unset, which is recommended, this will be automatically determined based on CPU requests/limits. -If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance -issues if CPU limits are also set.

    - -
    -No -
    proxyBootstrapTemplatePathstring -

    Path to the proxy bootstrap template file

    - -
    -No -
    interceptionModeInboundInterceptionMode -

    The mode used to redirect inbound traffic to Envoy.

    - -
    -No -
    tracingTracing -

    Tracing configuration to be used by the proxy.

    - -
    -No -
    envoyAccessLogServiceRemoteService -

    Address of the service to which access logs from Envoys should be -sent. (e.g. accesslog-service:15000). See Access Log -Service -for details about Envoy’s gRPC Access Log Service API.

    - -
    -No -
    envoyMetricsServiceRemoteService -

    Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). -See Metric Service -for details about Envoy’s Metrics Service API.

    - -
    -No -
    proxyMetadatamap<string, string> -

    Additional environment variables for the proxy. -Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

    - -
    -No -
    runtimeValuesmap<string, string> -

    Envoy runtime configuration to set during bootstrapping. -This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

    - -
    -No -
    statusPortint32 -

    Port on which the agent should listen for administrative commands such as readiness probe. -Default is set to port 15020.

    - -
    -No -
    extraStatTagsstring[] -

    An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be -added by configuring the telemetry extension. Each additional tag needs to be present in this list. -Extra tags emitted by the telemetry extensions must be listed here so that they can be processed -and exposed as Prometheus metrics. -Deprecated: istio.stats is a native filter now, this field is no longer needed.

    - -
    -No -
    gatewayTopologyTopology -

    Topology encapsulates the configuration which describes where the proxy is -located i.e. behind a (or N) trusted proxy (proxies) or directly exposed -to the internet. This configuration only effects gateways and is applied -to all the gateways in the cluster unless overridden via annotations of the -gateway workloads.

    - -
    -No -
    terminationDrainDurationDuration -

    The amount of time allowed for connections to complete on proxy shutdown. -On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start gracefully draining, -discouraging any new connections and allowing existing connections to complete. It then -sleeps for the terminationDrainDuration and then kills any remaining active Envoy processes. -If not set, a default of 5s will be applied.

    - -
    -No -
    meshIdstring -

    The unique identifier for the service mesh -All control planes running in the same service mesh should specify the same mesh ID. -Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

    - -
    -No -
    readinessProbeReadinessProbe -

    VM Health Checking readiness probe. This health check config exactly mirrors the -kubernetes readiness probe configuration both in schema and logic. -Only one health check method of 3 can be set at a time.

    - -
    -No -
    proxyStatsMatcherProxyStatsMatcher -

    Proxy stats matcher defines configuration for reporting custom Envoy stats. -To reduce memory and CPU overhead from Envoy stats system, Istio proxies by -default create and expose only a subset of Envoy stats. This option is to -control creation of additional Envoy stats with prefix, suffix, and regex -expressions match on the name of the stats. This replaces the stats -inclusion annotations -(sidecar.istio.io/statsInclusionPrefixes, -sidecar.istio.io/statsInclusionRegexps, and -sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats -for circuit breakers, request retries, upstream connections, and request timeouts, -you can specify stats matcher as follows:

    -
    proxyStatsMatcher:
    -  inclusionRegexps:
    -    - .*outlier_detection.*
    -    - .*upstream_rq_retry.*
    -    - .*upstream_cx_.*
    -  inclusionSuffixes:
    -    - upstream_rq_timeout
    -
    -

    Note including more Envoy stats might increase number of time series -collected by prometheus significantly. Care needs to be taken on Prometheus -resource provision and configuration to reduce cardinality.

    - -
    -No -
    holdApplicationUntilProxyStartsBoolValue -

    Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. -This feature adds hooks to delay application startup until the pod proxy -is ready to accept traffic, mitigating some startup race conditions. -Default value is ‘false’.

    - -
    -No -
    caCertificatesPemstring[] -

    The PEM data of the extra root certificates for workload-to-workload communication. -This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. -The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) -are added automatically by Istiod.

    - -
    -No -
    imageProxyImage -

    Specifies the details of the proxy image.

    - -
    -No -
    privateKeyProviderPrivateKeyProvider -

    Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

    - -
    -No -
    proxyHeadersProxyHeaders -

    Define the set of headers to add/modify for HTTP request/responses.

    -

    To enable an optional header, simply set the field. If no specific configuration is required, an empty object ({}) will enable it. -Note: currently all headers are enabled by default.

    -

    Below shows an example of customizing the server header and disabling the X-Envoy-Attempt-Count header:

    -
    proxyHeaders:
    -  server:
    -    value: "my-custom-server"
    -  # Explicitly enable Request IDs.
    -  # As this is the default, this has no effect.
    -  requestId: {}
    -  attemptCount:
    -    disabled: true
    -
    -

    Below shows an example of preserving the header case for HTTP 1.x requests

    -
    proxyHeaders:
    -  perserveHttp1HeaderCase: true
    -
    -

    Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:

    -
    proxyHeaders:
    -  forwardedClientCert: SANITIZE
    -  server:
    -    disabled: true
    -  requestId:
    -    disabled: true
    -  attemptCount:
    -    disabled: true
    -  envoyDebugHeaders:
    -    disabled: true
    -  metadataExchangeHeaders:
    -    mode: IN_MESH
    -
    - -
    -No -
    zipkinAddressstring -

    Address of the Zipkin service (e.g. zipkin:9411). -DEPRECATED: Use tracing instead.

    - -
    -No -
    -
    -

    RemoteService

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of a remove service used for various purposes (access log -receiver, metrics receiver, etc.). Can be IP address or a fully -qualified DNS name.

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. If the remote service -uses Istio mutual TLS and shares the root CA with istiod, specify the TLS -mode as ISTIO_MUTUAL.

    - -
    -No -
    tcpKeepaliveTcpKeepalive -

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    - -
    -No -
    -
    -

    Tracing.Zipkin

    -
    -

    Zipkin defines configuration for a Zipkin tracer.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of the Zipkin service (e.g. zipkin:9411).

    - -
    -No -
    -
    -

    Tracing.Datadog

    -
    -

    Datadog defines configuration for a Datadog tracer.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of the Datadog Agent.

    - -
    -No -
    -
    -

    Tracing.Stackdriver

    -
    -

    Stackdriver defines configuration for a Stackdriver tracer. -See Envoy’s OpenCensus trace configuration -and -OpenCensus trace config for details.

    - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    -
    -

    Tracing.OpenCensusAgent

    -
    -

    OpenCensusAgent defines configuration for an OpenCensus tracer writing to -an OpenCensus agent backend. See -Envoy’s OpenCensus trace configuration -and -OpenCensus trace config -for details.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or -unix:path). See gRPC naming -docs for -details.

    - -
    -No -
    contextTraceContext[] -

    Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will -write all headers.

    - -
    -No -
    -
    -

    Topology.ProxyProtocolConfiguration

    -
    -

    PROXY protocol configuration.

    - -
    -

    PrivateKeyProvider.CryptoMb

    -
    -

    CryptoMb PrivateKeyProvider configuration

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pollDelayDuration -

    How long to wait until the per-thread processing queue should be processed. If the processing queue -gets full (eight sign or decrypt requests are received) it is processed immediately. -However, if the queue is not filled before the delay has expired, the requests already in the queue -are processed, even if the queue is not full. -In effect, this value controls the balance between latency and throughput. -The duration needs to be set to a value greater than or equal to 1 millisecond.

    - -
    -No -
    fallbackBoolValue -

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) -Envoy will fallback to the BoringSSL default implementation when the fallback is true. -The default value is false.

    - -
    -No -
    -
    -

    PrivateKeyProvider.QAT

    -
    -

    QAT (QuickAssist Technology) PrivateKeyProvider configuration

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pollDelayDuration -

    How long to wait before polling the hardware accelerator after a request has been submitted there. -Having a small value leads to quicker answers from the hardware but causes more polling loop spins, -leading to potentially larger CPU usage. -The duration needs to be set to a value greater than or equal to 1 millisecond.

    - -
    -No -
    fallbackBoolValue -

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) -Envoy will fallback to the BoringSSL default implementation when the fallback is true. -The default value is false.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyStatsMatcher

    -
    -

    Proxy stats name matchers for stats creation. Note this is in addition to -the minimum Envoy stats that Istio generates by default.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    inclusionPrefixesstring[] -

    Proxy stats name prefix matcher for inclusion.

    - -
    -No -
    inclusionSuffixesstring[] -

    Proxy stats name suffix matcher for inclusion.

    - -
    -No -
    inclusionRegexpsstring[] -

    Proxy stats name regexps matcher for inclusion.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyHeaders

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    forwardedClientCertForwardClientCertDetails -

    Controls the X-Forwarded-Client-Cert header for inbound sidecar requests. To set this on gateways, use the Topology setting. -To disable the header, configure either SANITIZE (to always remove the header, if present) or FORWARD_ONLY (to leave the header as-is). -By default, APPEND_FORWARD will be used.

    - -
    -No -
    setCurrentClientCertDetailsSetCurrentClientCertDetails -

    This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET -and the client connection is mTLS. It specifies the fields in -the client certificate to be forwarded. Note that Hash is always set, and -By is always set when the client certificate presents the URI type Subject Alternative Name value.

    - -
    -No -
    requestIdRequestId -

    Controls the X-Request-Id header. If enabled, a request ID is generated for each request if one is not already set. -This applies to all types of traffic (inbound, outbound, and gateways). -If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. -Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. -This header is enabled by default if not configured.

    - -
    -No -
    serverServer -

    Controls the server header. If enabled, the Server: istio-envoy header is set in response headers for inbound traffic (including gateways). -If disabled, the Server header is not modified. If it is already present, it will be preserved.

    - -
    -No -
    attemptCountAttemptCount -

    Controls the X-Envoy-Attempt-Count header. -If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. -If disabled, this header will not be set. If it is already present, it will be preserved. -This header is enabled by default if not configured.

    - -
    -No -
    envoyDebugHeadersEnvoyDebugHeaders -

    Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, -these headers will be included. -If disabled, these headers will not be set. If they are already present, they will be preserved. -See the Envoy documentation for more details. -These headers are enabled by default if not configured.

    - -
    -No -
    metadataExchangeHeadersMetadataExchangeHeaders -

    Controls Istio metadata exchange headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. -By default, the behavior is unspecified. -If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.

    - -
    -No -
    preserveHttp1HeaderCaseBoolValue -

    When true, the original case of HTTP/1.x headers will be preserved -as they pass through the proxy, rather than normalizing them to lowercase. -This field is particularly useful for applications that require case-sensitive -headers for interoperability with downstream systems or APIs that expect specific -casing. -The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers -to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 -requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 -standards.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyHeaders.Server

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    valuestring -

    If set, and the server header is enabled, this value will be set as the server header. By default, istio-envoy will be used.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyHeaders.RequestId

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    -
    -

    ProxyConfig.ProxyHeaders.AttemptCount

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    -
    -

    ProxyConfig.ProxyHeaders.EnvoyDebugHeaders

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    -
    -

    ProxyConfig.ProxyHeaders.MetadataExchangeHeaders

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeMetadataExchangeMode - -No -
    -
    -

    ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    subjectBoolValue -

    Whether to forward the subject of the client cert. Defaults to true.

    - -
    -No -
    certBoolValue -

    Whether to forward the entire client cert in URL encoded PEM format. This will appear in the -XFCC header comma separated from other values with the value Cert=“PEM”. -Defaults to false.

    - -
    -No -
    chainBoolValue -

    Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM -format. This will appear in the XFCC header comma separated from other values with the value -Chain=“PEM”. -Defaults to false.

    - -
    -No -
    dnsBoolValue -

    Whether to forward the DNS type Subject Alternative Names of the client cert. -Defaults to true.

    - -
    -No -
    uriBoolValue -

    Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to -true.

    - -
    -No -
    -
    -

    Network

    -
    -

    Network provides information about the endpoints in a routable L3 -network. A single routable L3 network can have one or more service -registries. Note that the network has no relation to the locality of the -endpoint. The endpoint locality will be obtained from the service -registry.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    endpointsNetworkEndpoints[] -

    The list of endpoints in the network (obtained through the -constituent service registries or from CIDR ranges). All endpoints in -the network are directly accessible to one another.

    - -
    -Yes -
    gatewaysIstioNetworkGateway[] -

    Set of gateways associated with the network.

    - -
    -Yes -
    -
    -

    MeshNetworks

    -
    -

    MeshNetworks (config map) provides information about the set of networks -inside a mesh and how to route to endpoints in each network. For example

    -

    MeshNetworks(file/config map):

    -
    networks:
    -  network1:
    -    endpoints:
    -    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    -    - fromCidr: 192.168.100.0/22 #a VM network for example
    -    gateways:
    -    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    -      port: 15443
    -      locality: us-east-1a
    -    - address: 192.168.100.1
    -      port: 15443
    -      locality: us-east-1a
    -
    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    networksmap<string, Network> -

    The set of networks inside this mesh. Each network should -have a unique name and information about how to infer the endpoints in -the network as well as the gateways associated with the network.

    - -
    -Yes -
    -
    -

    Network.NetworkEndpoints

    -
    -

    NetworkEndpoints describes how the network associated with an endpoint -should be inferred. An endpoint will be assigned to a network based on -the following rules:

    -
      -
    1. -

      Implicitly: If the registry explicitly provides information about -the network to which the endpoint belongs to. In some cases, its -possible to indicate the network associated with the endpoint by -adding the ISTIO_META_NETWORK environment variable to the sidecar.

      -
    2. -
    3. -

      Explicitly:

      -

      a. By matching the registry name with one of the “fromRegistry” -in the mesh config. A “fromRegistry” can only be assigned to a -single network.

      -

      b. By matching the IP against one of the CIDR ranges in a mesh -config network. The CIDR ranges must not overlap and be assigned to -a single network.

      -
    4. -
    -

    (2) will override (1) if both are present.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromCidrstring (oneof) -

    A CIDR range for the set of endpoints in this network. The CIDR -ranges for endpoints from different networks must not overlap.

    - -
    -No -
    fromRegistrystring (oneof) -

    Add all endpoints from the specified registry into this network. -The names of the registries should correspond to the kubeconfig file name -inside the secret that was used to configure the registry (Kubernetes -multicluster) or supplied by MCP server.

    - -
    -No -
    -
    -

    Network.IstioNetworkGateway

    -
    -

    The gateway associated with this network. Traffic from remote networks -will arrive at the specified gateway:port. All incoming traffic must -use mTLS.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    registryServiceNamestring (oneof) -

    A fully qualified domain name of the gateway service. istiod will -lookup the service from the service registries in the network and -obtain the endpoint IPs of the gateway from the service -registry. Note that while the service name is a fully qualified -domain name, it need not be resolvable outside the orchestration -platform for the registry. e.g., this could be -istio-ingressgateway.istio-system.svc.cluster.local.

    - -
    -No -
    addressstring (oneof) -

    IP address or externally resolvable DNS address associated with the gateway.

    - -
    -No -
    portuint32 -

    The port associated with the gateway.

    - -
    -Yes -
    localitystring -

    The locality associated with an explicitly specified gateway (i.e. ip)

    - -
    -No -
    -
    -

    MeshConfig.OutboundTrafficPolicy.Mode

    +

    Mode

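Review bot: The removed rendered text carries wording defects that the regenerated copy should not reproduce, and since this page is generated from the API proto comments the fix belongs upstream in the proto source rather than in this automated commit: the proxyHeaders example reads `perserveHttp1HeaderCase: true` while the field table names the field `preserveHttp1HeaderCase`, so the example as printed does not set the documented field; the RemoteService `address` description says "Address of a remove service" (remote); the CryptoMb and QAT `fallback` descriptions say "doesn't existed" (does not exist); and the gatewayTopology description says the configuration "only effects gateways" (affects). Two entries would also benefit from an explicit trust statement: `runtimeValues` is documented as enabling "unsafe, unsupported, and deprecated features", and `numTrustedProxies` states that for N greater than zero the trusted client address is read from the Nth-from-right XFF entry, so the docs should say plainly that N must not exceed the number of proxies actually in front of the gateway, otherwise a client-supplied XFF value becomes the trusted source address used for logging and policy.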
    @@ -4631,7 +627,27 @@ to arbitrary destinations.

    -

    MeshConfig.InboundTrafficPolicy.Mode

    +

    InboundTrafficPolicy

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    Mode

    @@ -4660,7 +676,943 @@ allowing proxy to be transparent.

    -

    MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext

    +

    CertificateData

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    The PEM data of the certificate.

    + +
    +
    string (oneof)
    +
    +

    The SPIFFE bundle endpoint URL that complies to: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle +The endpoint should support authentication based on Web PKI: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki +The certificate is retrieved from the endpoint.

    + +
    +
    string[]
    +
    +

    Specify the kubernetes signers (External CA) that use this trustAnchor +when Istiod is acting as RA(registration authority) +If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

    + +
    +
    string[]
    +
    +

    Specify the list of trust domains to which this trustAnchor data belongs. +If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain +and its aliases. +Note that we can have multiple trustAnchor data for a same trustDomain. +In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. +If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. +If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. +If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. +If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.

    + +
    +
    +

    CA

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Address of the CA server implementing the Istio CA gRPC API. +Can be IP address or a fully qualified DNS name with port +Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

    + +
    +

    Use the tlsSettings to specify the tls mode to use. +Regarding tlsSettings:

    +
      +
    • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. +DISABLE MODE can also be used for testing
    • +
    • TLS MUTUAL MODE be on by default. If the CA certificates +(cert bundle to verify the CA server’s certificate) is omitted, Istiod will +use the system root certs to verify the CA server’s certificate.
    • +
    + +
    +

    timeout for forward CSR requests from Istiod to External CA +Default: 10s

    + +
    +
    bool
    +
    +

    Use istiodSide to specify CA Server integrate to Istiod side or Agent side +Default: true

    + +
    +
    +

    ExtensionProvider

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. A unique name identifying the extension provider.

    + +
    +

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

    + +
    +

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

    + +
    +

    Configures a tracing provider that uses the Zipkin API.

    + +
    +

    Configures a Datadog tracing provider.

    + +
    +

    Configures a Apache SkyWalking provider.

    + +
    +

    Configures an OpenTelemetry tracing provider.

    + +
    +

    Configures a Prometheus metrics provider.

    + +
    +

    Configures an Envoy File Access Log provider.

    + +
    +

    Configures an Envoy Access Logging Service provider for HTTP traffic.

    + +
    +

    Configures an Envoy Access Logging Service provider for TCP traffic.

    + +
    +

    Configures an Envoy Open Telemetry Access Logging Service provider.

    + +
    +
    +

    EnvoyExternalAuthorizationRequestBody

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Sets the maximum size of a message body that the ext-authz filter will hold in memory. +If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). +Otherwise the request will be sent to the provider with a partial message. +Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the +failOpen is set to true.

    + +
    +

    When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. +The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. +A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message +indicating if the body data is partial.

    + +
    +
    bool
    +
    +

    If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes +in the raw_body field. +Otherwise, it will be filled with UTF-8 string in the body field. +This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.

    + +
    +
    +

    EnvoyExternalAuthorizationHttpProvider

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +In this situation, the response sent back to the client will depend on the configured failOpen field.

    + +
    +
    string
    +
    +

    Sets a prefix to the value of authorization request header Path. +For example, setting this to “/check” for an original user request at path “/admin” will cause the +authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

    + +
    +
    bool
    +
    +

    If true, the user request will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. +Default is false and the request will be rejected with “Forbidden” response.

    + +
    +

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. +If true, recalculate routes with the new ExtAuthZ added/removed headers. +Default is false

    + +
    +
    string
    +
    +

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. +The default status is “403” (HTTP Forbidden).

    + +
    +

    List of client request headers that should be included in the authorization request sent to the authorization service. +Note that in addition to the headers specified here following headers are included by default:

    +
      +
    1. Host, Method, Path and Content-Length are automatically sent.
    2. +
    3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization +request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), +consequently the value of Content-Length of the authorization request reflects the size of its payload size.
    4. +
    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +
    map<string, string>
    +
    +

    Set of additional fixed headers that should be included in the authorization request sent to the authorization service. +Key is the header name and value is the header value. +Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.

    + +
    +

    If set, the client request body will be included in the authorization request sent to the authorization service.

    + +
    +

    List of headers from the authorization service that should be added or overridden in the original request and +forwarded to the upstream when the authorization check result is allowed (HTTP code 200). +If not specified, the original request will not be modified and forwarded to backend as-is. +Note, any existing headers will be overridden.

    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +

    List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is not allowed (HTTP code other than 200). +If not specified, all the authorization response headers, except Authority (Host) will be in the response to +the downstream. +When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are +automatically added. +Note, the body from the authorization service is always included in the response to downstream.

    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +

    List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is allowed (HTTP code 200). +If not specified, the original response will not be modified and forwarded to downstream as-is. +Note, any existing headers will be overridden.

    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +

    DEPRECATED. Use includeRequestHeadersInCheck instead.

    + +
    +
    +

    EnvoyExternalAuthorizationGrpcProvider

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +In this situation, the response sent back to the client will depend on the configured failOpen field.

    + +
    +
    bool
    +
    +

    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. +Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

    + +
    +

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. +If true, recalculate routes with the new ExtAuthZ added/removed headers. +Default is false

    + +
    +
    string
    +
    +

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. +The default status is “403” (HTTP Forbidden).

    + +
    +

    If set, the client request body will be included in the authorization request sent to the authorization service.

    + +
    +
    +

    ZipkinTracingProvider

    +
    +

    Defines configuration for a Zipkin tracer.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that the Zipkin API. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +

    A 128 bit trace id will be used in Istio. +If true, will result in a 64 bit trace id being used.

    + +
    +
    string
    +
    +

    Specifies the endpoint of Zipkin API. +The default value is “/api/v2/spans”.

    + +
    +
    +

    LightstepTracingProvider

    +
    +

    Defines configuration for a Lightstep tracer. +Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ +will generate OpenTelemetry-compatible configuration when using this option.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the Lightstep collector. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The Lightstep access token.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +
    +

    DatadogTracingProvider

    +
    +

    Defines configuration for a Datadog tracer.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the Datadog agent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +
    +

    SkyWalkingTracingProvider

    +
    +

    Defines configuration for a SkyWalking tracer.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the SkyWalking receiver. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The SkyWalking OAP access token.

    + +
    +
    +

    StackdriverProvider

    +
    +

    Defines configuration for Stackdriver.

    +

    WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used +alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus +driver in Envoy.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +

    Controls Stackdriver logging behavior.

    + +
    +
    +
    Logging
    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    map<string, string>
    +
    +

    Collection of tag names and tag expressions to include in the log +entry. Conflicts are resolved by the tag name by overriding previously +supplied values.

    +

    Example: +labels: +path: request.url_path +foo: request.headers[‘x-foo’]

    + +
    +
    +

    OpenCensusAgentTracingProvider

    +
    +

    Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

    +

    WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of +OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation +in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration +may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider +configuration MUST be accompanied by a restart of all proxies that will use that configuration.

    +

    NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used +alongside OpenCensus provider configuration.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the OpenCensusAgent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will +write all headers.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +
    +
    TraceContext

    TraceContext selects the context propagation headers used for distributed tracing.

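Review bot: the CA tlsSettings text ("DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar", "TLS MUTUAL MODE be on by default") has grammar errors and understates the consequence of each setting; suggest "TLS MUTUAL mode is on by default" and a sentence making explicit that with DISABLE the CSR exchange to the external CA is unprotected unless a sidecar supplies the TLS, and that omitting the CA certificate bundle means Istiod will accept any CA server certificate that chains to a system root, which is a wider trust set than a pinned bundle. In the same hunk, "Use istiodSide to specify CA Server integrate to Istiod side or Agent side" should read "specifies whether the CA server is integrated on the Istiod side or the agent side", "REQUIRED. Specifies the service that the Zipkin API." is missing its verb ("that implements the Zipkin API"), and "Configures a Apache SkyWalking provider" should read "an Apache".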
    @@ -4710,7 +1662,858 @@ for details.

    -

    MeshConfig.ProxyPathNormalization.NormalizationType

    +

    PrometheusMetricsProvider

    +
    +
    +

    EnvoyFileAccessLogProvider

    +
    +

    Defines configuration for Envoy-based access logging that writes to +local files (and/or standard streams).

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Path to a local file to write the access log entries. +This may be used to write to streams, via /dev/stderr and /dev/stdout +If unspecified, defaults to /dev/stdout.

    + +
    +

    Allows overriding of the default access log format.

    + +
    +
    +
    LogFormat
    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information.

    +

    NOTE: Istio will insert a newline (’\n’) on all formats (if missing).

    +

    Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    + +
    +

    JSON structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +Use labels: {} for default envoy JSON log format.

    +

    Example:

    +
    labels:
    +  status: "%RESPONSE_CODE%"
    +  message: "%LOCAL_REPLY_BODY%"
    +
    + +
    +
    +

    EnvoyHttpGrpcV3LogProvider

    +
    +

    Defines configuration for an Envoy Access Logging Service +integration for HTTP traffic.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The friendly name of the access log. +Defaults:

    +
      +
    • “http_envoy_accesslog”
    • +
    • “listener_envoy_accesslog”
    • +
    + +
    +

    Additional filter state objects to log.

    + +
    +

    Additional request headers to log.

    + +
    +

    Additional response headers to log.

    + +
    +

    Additional response trailers to log.

    + +
    +
    +

    EnvoyTcpGrpcV3LogProvider

    +
    +

    Defines configuration for an Envoy Access Logging Service +integration for TCP traffic.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The friendly name of the access log. +Defaults:

    +
      +
    • “tcp_envoy_accesslog”
    • +
    • “listener_envoy_accesslog”
    • +
    + +
    +

    Additional filter state objects to log.

    + +
    +
    +

    EnvoyOpenTelemetryLogProvider

    +
    +

    Defines configuration for an Envoy OpenTelemetry (gRPC) Access Log

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The friendly name of the access log. +Defaults:

    +
      +
    • “otel_envoy_accesslog”
    • +
    + +
    +

    Format for the proxy access log +Empty value results in proxy’s default access log format, following Envoy access logging formatting.

    + +
    +
    +
    LogFormat
    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information. +Alias to body field in Open Telemetry +Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    + +
    +

    Additional attributes that describe the specific event occurrence. +Structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +Alias to attributes field in Open Telemetry

    +

    Example:

    +
    labels:
    +  status: "%RESPONSE_CODE%"
    +  message: "%LOCAL_REPLY_BODY%"
    +
    + +
    +
    +

    OpenTelemetryTracingProvider

    +
    +

    Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “otlp.default.svc.cluster.local” or “bar/otlp.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +

    Specifies the configuration for exporting OTLP traces via HTTP. +When empty, traces will be exported via gRPC.

    +

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:

    +
      +
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. +
    +
    - name: otel-tracing
    +  opentelemetry:
    +    port: 443
    +    service: my.olly-backend.com
    +    http:
    +      path: "/api/otlp/traces"
    +      timeout: 10s
    +      headers:
    +      - name: "my-custom-header"
    +        value: "some value"
    +
    +
      +
    1. Deploy a ServiceEntry for the observability back-end
    2. +
    +
    apiVersion: networking.istio.io/v1alpha3
    +kind: ServiceEntry
    +metadata:
    +  name: my-olly-backend
    +spec:
    +  hosts:
    +  - my.olly-backend.com
    +  ports:
    +  - number: 443
    +    name: https-port
    +    protocol: HTTPS
    +  resolution: DNS
    +  location: MESH_EXTERNAL
    +---
    +apiVersion: networking.istio.io/v1alpha3
    +kind: DestinationRule
    +metadata:
    +  name: my-olly-backend
    +spec:
    +  host: my.olly-backend.com
    +  trafficPolicy:
    +    portLevelSettings:
    +    - port:
    +        number: 443
    +      tls:
    +        mode: SIMPLE
    +
    + +
    +

    Specifies the configuration for exporting OTLP traces via GRPC. +When empty, traces will check whether HTTP is set. +If not, traces will use default GRPC configurations.

    +

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:

    +
      +
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. +
    +
    - name: opentelemetry
    +  opentelemetry:
    +    port: 8090
    +    service: tracing.example.com
    +    grpc:
    +      timeout: 10s
    +      initialMetadata:
    +      - name: "Authentication"
    +        value: "token-xxxxx"
    +
    +
      +
    1. Deploy a ServiceEntry for the observability back-end
    2. +
    +
    apiVersion: networking.istio.io/v1alpha3
    +kind: ServiceEntry
    +metadata:
    +  name: tracing-grpc
    +spec:
    +  hosts:
    +  - tracing.example.com
    +  ports:
    +  - number: 8090
    +    name: grpc-port
    +    protocol: GRPC
    +  resolution: DNS
    +  location: MESH_EXTERNAL
    +
    + +
    +

    Specifies Resource Detectors +to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged +according to the OpenTelemetry Resource specification.

    +

    The following example shows how to configure the Environment Resource Detector, that will +read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:

    +
    - name: otel-tracing
    +  opentelemetry:
    +    port: 443
    +    service: my.olly-backend.com
    +    resourceDetectors:
    +      environment: {}
    +
    + +
    +

    The Dynatrace adaptive traffic management (ATM) sampler.

    +

    Example configuration:

    +
    - name: otel-tracing
    +  opentelemetry:
    +    port: 443
    +    service: "{your-environment-id}.live.dynatrace.com"
    +    http:
    +      path: "/api/v2/otlp/v1/traces"
    +      timeout: 10s
    +      headers:
    +        - name: "Authorization"
    +          value: "Api-Token dt0c01."
    +    resourceDetectors:
    +      dynatrace: {}
    +    dynatraceSampler:
    +      tenant: "{your-environment-id}"
    +      clusterId: 1234
    + +
    +
    +
    DynatraceSampler
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. The Dynatrace customer’s tenant identifier.

    +

    The value can be obtained from the Istio deployment page in Dynatrace.

    + +
    +
    int32
    +
    +

    REQUIRED. The identifier of the cluster in the Dynatrace platform. +The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.

    +

    The value can be obtained from the Istio deployment page in Dynatrace.

    + +
    +

    Number of sampled spans per minute to be used +when the adaptive value cannot be obtained from the Dynatrace API.

    +

    A default value of 1000 is used when:

    +
      +
    • rootSpansPerMinute is unset
    • +
    • rootSpansPerMinute is set to 0
    • +
    + +
    +

    Dynatrace HTTP API to obtain sampling configuration.

    +

    When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter +(service, port and http), including the access token.

    + +
    +
    +
    DynatraceApi
    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. +The format is <Hostname>, where <Hostname> is the fully qualified Dynatrace environment +host name defined in the ServiceEntry.

    +

    Example: “{your-environment-id}.live.dynatrace.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    REQUIRED. Specifies sampling configuration URI.

    + +
    +
    +

    HttpService

    +
    +

    Defines configuration for an HTTP service that can be used by an Extension Provider. +that does communication via HTTP.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the path on the service.

    + +
    +

    Specifies the timeout for the HTTP request. +If not specified, the default is 3s.

    + +
    +

    Allows specifying custom HTTP headers that will be added +to each HTTP request sent.

    + +
    +
    +

    HttpHeader

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. The HTTP header name.

    + +
    +
    string
    +
    +

    REQUIRED. The HTTP header value.

    + +
    +
    +

    ResourceDetectors

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +
    +
    EnvironmentResourceDetector
    +
    +

    OpenTelemetry Environment Resource Detector. +The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES +and adds them to the OpenTelemetry resource.

    +

    See: Resource specification

    + +
    +
    DynatraceResourceDetector
    +
    +

    Dynatrace Resource Detector. +The resource detector reads from the Dynatrace enrichment files +and adds host/process related attributes to the OpenTelemetry resource.

    +

    See: Enrich ingested data with Dynatrace-specific dimensions

    + +
    +

    GrpcService

    +
    +

    Defines configuration for an GRPC service that can be used by an Extension Provider. +that does communication via GRPC.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Specifies the timeout for the GRPC request.

    + +
    +

    Additional metadata to include in streams initiated to the GrpcService. This can be used for +scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key”) are to +be injected.

    + +
    +
    +

    DefaultProviders

    +
    +

    Holds the name references to the providers that will be used by default +in other Istio configuration resources if the provider is not specified.

    +

    These names must match a provider defined in extensionProviders that is +one of the supported tracing providers.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    Name of the default provider(s) for tracing.

    + +
    +
    string[]
    +
    +

    Name of the default provider(s) for metrics.

    + +
    +
    string[]
    +
    +

    Name of the default provider(s) for access logging.

    + +
    +
    +

    ProxyPathNormalization

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    NormalizationType
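Review bot: the Dynatrace example embeds the tenant access token inline (`value: "Api-Token dt0c01."`) and the DynatraceApi text below says the sampler re-uses that same token from the exporter's http config, so one cleartext token in mesh config serves both export and sampling; the paragraph introducing the example should state that the token is stored unencrypted in the mesh configuration and that access to that configuration needs to be restricted accordingly. Wording slips carried over from the proto comments that should be fixed at the source rather than in this generated file: "Defines configuration for an HTTP service that can be used by an Extension Provider. that does communication via HTTP." has a stray period (read "...by an Extension Provider that communicates via HTTP"), "an GRPC service" should be "a gRPC service", and "The cluster here is Dynatrace-specific concept" is missing "a".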

    @@ -4763,7 +2566,62 @@ For example, /a%2f/b normalizes to a/b.

    -

    MeshConfig.TLSConfig.TLSProtocol

    +

    TLSConfig

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    the minimum TLS protocol version. The default minimum +TLS version will be TLS 1.2. As servers may not be Envoy and be +set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the +minimum TLS version for clients may also be TLS 1.2. +In the current Istio implementation, the maximum TLS protocol version +is TLS 1.3.

    + +
    +
    string[]
    +
    +

    Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. +If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to +Ecdh Curves.

    + +
    +
    string[]
    +
    +

    Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. +If not specified, the following cipher suites will be used:

    +
    ECDHE-ECDSA-AES256-GCM-SHA384
    +ECDHE-RSA-AES256-GCM-SHA384
    +ECDHE-ECDSA-AES128-GCM-SHA256
    +ECDHE-RSA-AES128-GCM-SHA256
    +AES256-GCM-SHA384
    +AES128-GCM-SHA256
    +
    + +
    +
    +

    TLSProtocol

    TLS protocol versions.
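Review bot: the default cipher list shown for `cipherSuites` ends with `AES256-GCM-SHA384` and `AES128-GCM-SHA256`, two RSA key-exchange suites with no forward secrecy; since this field is the documented way to restrict the list, the description should say plainly that limiting it to the ECDHE-* entries is how an operator gets forward secrecy for TLS 1.2 connections. The same sentence says the list applies "when negotiating TLS 1.0-1.2" while the minimum-version text says the default minimum is TLS 1.2; clarify whether versions below 1.2 are reachable at all, otherwise "TLS 1.2" is the accurate range. Minor: the minimum-version paragraph starts lowercase ("the minimum TLS protocol version") and its middle sentence about non-Envoy servers is hard to follow; split it into one sentence about servers and one about clients.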

    @@ -4799,7 +2657,46 @@ For example, /a%2f/b normalizes to a/b.

    -

    MeshConfig.IngressControllerMode

    +

    Settings

    +
    +

    Settings for the selected services.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    bool
    +
    +

    If true, specifies that the client and service endpoints must reside in the same cluster. +By default, in multi-cluster deployments, the Istio control plane assumes all service +endpoints to be reachable from any client in any of the clusters which are part of the +mesh. This configuration option limits the set of service endpoints visible to a client +to be cluster scoped.

    +

    There are some common scenarios when this can be useful:

    +
      +
    • A service (or group of services) is inherently local to the cluster and has local storage +for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
    • +
    • A mesh administrator wants to slowly migrate services to Istio. They might start by first +having services cluster-local and then slowly transition them to mesh-wide. They could do +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group +(e.g. *.myns.svc.cluster.local).
    • +
    +

    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all +services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

    + +
    +
    +

    IngressControllerMode
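Review bot: the closing paragraph says kubernetes.default.svc and kube-system services are cluster-local "unless explicitly overridden here", but nothing in the section says what the override looks like; add a sentence stating that an entry whose hosts match those services with `clusterLocal: false` is the override (assuming that is the intended mechanism, since `clusterLocal` is the only field shown).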

    @@ -4848,7 +2745,7 @@ cloud-provided ingress controller).

    -

    MeshConfig.AccessLogEncoding

    +

    AccessLogEncoding

    @@ -4875,7 +2772,7 @@ cloud-provided ingress controller).

    -

    MeshConfig.H2UpgradePolicy

    +

    H2UpgradePolicy

    Default Policy for upgrading http1.1 connections to http2.

    @@ -4904,31 +2801,315 @@ cloud-provided ingress controller).

    -

    Resource

    +

    LabelSelector

    -

    Resource describes the source of configuration

    +

    A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. +Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    - +
    - + - - + + + + + +
    NameField Description
    SERVICE_REGISTRY
    +
    map<string, string>
    +
    -

    Set to only receive service entries that are generated by the platform. -These auto generated service entries are combination of services and endpoints -that are generated by a specific platform e.g. k8

    +

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed.

    + +
    +

    matchExpressions is a list of label selector requirements. The requirements are ANDed.

    -

    Tracing.OpenCensusAgent.TraceContext

    +

    LabelSelectorRequirement

    +
    +

    A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. +Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    key is the label key that the selector applies to.

    + +
    +
    string
    +
    +

    operator represents a key’s relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    + +
    +
    string[]
    +
    +

    values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.

    + +
    +
    +

    ConfigSource

    +
    +

    ConfigSource describes information about a configuration store inside a +mesh. A single control plane instance can interact with one or more data +sources.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of the server implementing the Istio Mesh Configuration +protocol (MCP). Can be IP address or a fully qualified DNS name. +Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or +fs:/// to specify a file-based backend with absolute path to the directory.

    + +
    +

    Use the tlsSettings to specify the tls mode to use. If the MCP server +uses Istio mutual TLS and shares the root CA with istiod, specify the TLS +mode as ISTIO_MUTUAL.

    + +
    +

    Describes the source of configuration, if nothing is specified default is MCP

    + +
    +
    +

    Tracing

    +
    +

    Tracing defines configuration for the tracing performed by Envoy instances.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Use a Zipkin tracer.

    + +
    +

    Use a Datadog tracer.

    + +
    +
    double
    +
    +

    The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, +if not requested by the client or not forced. Default is 1.0.

    + +
    +

    Use the tlsSettings to specify the tls mode to use. If the remote tracing service +uses Istio mutual TLS and shares the root CA with istiod, specify the TLS +mode as ISTIO_MUTUAL.

    + +
    +

    Determines whether or not trace spans generated by Envoy will include Istio specific tags. +By default Istio specific tags are included in the trace spans.

    + +
    +
    +

    Zipkin

    +
    +

    Zipkin defines configuration for a Zipkin tracer.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of the Zipkin service (e.g. zipkin:9411).

    + +
    +
    +

    Datadog

    +
    +

    Datadog defines configuration for a Datadog tracer.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of the Datadog Agent.

    + +
    +
    +

    Stackdriver

    +
    +

    Stackdriver defines configuration for a Stackdriver tracer. +See Envoy’s OpenCensus trace configuration +and +OpenCensus trace config for details.

    + + + + + + + + + + +
    FieldDescription
    +
    +

    OpenCensusAgent

    +
    +

    OpenCensusAgent defines configuration for an OpenCensus tracer writing to +an OpenCensus agent backend. See +Envoy’s OpenCensus trace configuration +and +OpenCensus trace config +for details.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or +unix:path). See gRPC naming +docs for +details.

    + +
    +

    Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will +write all headers.

    + +
    +
    +

    TraceContext

    TraceContext selects the context propagation headers used for distributed tracing.
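Review bot: the LabelSelector description ("A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values...") is a verbatim copy of the LabelSelectorRequirement description two sections further down; LabelSelector should describe the selector itself (matchLabels and matchExpressions, requirements ANDed), as its two field descriptions already do. This file is generated, so the fix belongs in the proto comment. Minor: "Describes the source of configuration, if nothing is specified default is MCP" is a comma splice ("...configuration. If nothing is specified, the default is MCP"), and the Tracing `sampling` text should spell out that, given the 0.0-100.0 range, the default of 1.0 means one percent of requests, which is the point readers most often get wrong.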

    @@ -4978,7 +3159,940 @@ for details.

    -

    ProxyConfig.ProxyHeaders.MetadataExchangeMode

    +

    Topology

    +
    +

    Topology describes the configuration for relative location of a proxy with +respect to intermediate trusted proxies and the client. These settings +control how the client attributes are retrieved from the incoming traffic by +the gateway proxy and propagated to the upstream services in the cluster.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Number of trusted proxies deployed in front of the Istio gateway proxy. +When this option is set to value N greater than zero, the trusted client +address is assumed to be the Nth address from the right end of the +X-Forwarded-For (XFF) header from the incoming request. If the +X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the +gateway proxy falls back to using the immediate downstream connection’s +source address as the trusted client address. +Note that the gateway proxy will append the downstream connection’s source +address to the X-Forwarded-For (XFF) address and set the +X-Envoy-External-Address header to the trusted client address before +forwarding it to the upstream services in the cluster. +The default value of numTrustedProxies is 0. +See Envoy XFF +header handling for more details.

    + +
    +

    Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) +header in the incoming request.

    + +
    +

    Enables PROXY protocol for +downstream connections on a gateway.

    + +
    +
    +

    ProxyProtocolConfiguration

    +
    +

    PROXY protocol configuration.

    + +
    +

    PrivateKeyProvider

    +
    +

    PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured +mesh-wide or individual per-workload basis.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Use CryptoMb private key provider

    + +
    +

    Use QAT private key provider

    + +
    +
    +

    CryptoMb

    +
    +

    CryptoMb PrivateKeyProvider configuration

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    How long to wait until the per-thread processing queue should be processed. If the processing queue +gets full (eight sign or decrypt requests are received) it is processed immediately. +However, if the queue is not filled before the delay has expired, the requests already in the queue +are processed, even if the queue is not full. +In effect, this value controls the balance between latency and throughput. +The duration needs to be set to a value greater than or equal to 1 millisecond.

    + +
    +

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) +Envoy will fallback to the BoringSSL default implementation when the fallback is true. +The default value is false.

    + +
    +
    +

    QAT

    +
    +

    QAT (QuickAssist Technology) PrivateKeyProvider configuration

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    How long to wait before polling the hardware accelerator after a request has been submitted there. +Having a small value leads to quicker answers from the hardware but causes more polling loop spins, +leading to potentially larger CPU usage. +The duration needs to be set to a value greater than or equal to 1 millisecond.

    + +
    +

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) +Envoy will fallback to the BoringSSL default implementation when the fallback is true. +The default value is false.

    + +
    +
    +

    ProxyConfig

    +
    +

    ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis +as well as by the mesh-wide defaults. +To set the mesh-wide defaults, configure the defaultConfig section of meshConfig. For example:

    +
    meshConfig:
    +  defaultConfig:
    +    discoveryAddress: istiod:15012
    +
    +

    This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod. For example:

    +
    annotations:
    +  proxy.istio.io/config: |
    +    discoveryAddress: istiod:15012
    +
    +

    If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. +This is different than a deep merge provided by protobuf. +For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider +such as "tracing": { "zipkin": { "address": "..." } }.

    +

    Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Path to the generated configuration file directory. +Proxy agent generates the actual configuration and stores it in this directory.

    + +
    +
    string
    +
    +

    Path to the proxy binary

    + +
    +
    string (oneof)
    +
    +

    Service cluster defines the name for the service_cluster that is +shared by all Envoy instances. This setting corresponds to +--service-cluster flag in Envoy. In a typical Envoy deployment, the +service-cluster flag is used to identify the caller, for +source-based routing scenarios.

    +

    Since Istio does not assign a local service/service version to each +Envoy instance, the name is same for all of them. However, the +source/caller’s identity (e.g., IP address) is encoded in the +--service-node flag when launching Envoy. When the RDS service +receives API calls from Envoy, it uses the value of the service-node +flag to compute routes that are relative to the service instances +located at that IP address.

    + +
    +

    Used by Envoy proxies to assign the values for the service names in trace +spans.

    + +
    +

    The time in seconds that Envoy will drain connections during a hot +restart. MUST be >=1s (e.g., 1s/1m/1h) +Default drain duration is 45s.

    + +
    +

    Address of the discovery service exposing xDS with mTLS connection. +The inject configuration may override this value.

    + +
    +

    IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

    + +
    +

    Port on which Envoy should listen for administrative commands. +Default port is 15000.

    + +
    +

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +Default is set to MUTUAL_TLS.

    + +
    +

    File path of custom proxy configuration, currently used by proxies +in front of istiod.

    + +
    +

    Maximum length of name field in Envoy’s metrics. The length of the name field +is determined by the length of a name field in a service and the set of labels that +comprise a particular version of the service. The default value is set to 189 characters. +Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. +Increase the value of this field if you find that the metrics from Envoys are truncated.

    + +
    +

    The number of worker threads to run. +If unset, which is recommended, this will be automatically determined based on CPU requests/limits. +If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance +issues if CPU limits are also set.

    + +
    +

    Path to the proxy bootstrap template file

    + +
    +

    The mode used to redirect inbound traffic to Envoy.

    + +
    +

    Tracing configuration to be used by the proxy.

    + +
    +

    Address of the service to which access logs from Envoys should be +sent. (e.g. accesslog-service:15000). See Access Log +Service +for details about Envoy’s gRPC Access Log Service API.

    + +
    +

    Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). +See Metric Service +for details about Envoy’s Metrics Service API.

    + +
    +
    map<string, string>
    +
    +

    Additional environment variables for the proxy. +Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

    + +
    +
    map<string, string>
    +
    +

    Envoy runtime configuration to set during bootstrapping. +This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

    + +
    +
    int32
    +
    +

    Port on which the agent should listen for administrative commands such as readiness probe. +Default is set to port 15020.

    + +
    +
    string[]
    +
    +

    An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be +added by configuring the telemetry extension. Each additional tag needs to be present in this list. +Extra tags emitted by the telemetry extensions must be listed here so that they can be processed +and exposed as Prometheus metrics. +Deprecated: istio.stats is a native filter now, this field is no longer needed.

    + +
    +

    Topology encapsulates the configuration which describes where the proxy is +located i.e. behind a (or N) trusted proxy (proxies) or directly exposed +to the internet. This configuration only effects gateways and is applied +to all the gateways in the cluster unless overridden via annotations of the +gateway workloads.

    + +
    +

    The amount of time allowed for connections to complete on proxy shutdown. +On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start gracefully draining, +discouraging any new connections and allowing existing connections to complete. It then +sleeps for the terminationDrainDuration and then kills any remaining active Envoy processes. +If not set, a default of 5s will be applied.

    + +
    +
    string
    +
    +

    The unique identifier for the service mesh +All control planes running in the same service mesh should specify the same mesh ID. +Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

    + +
    +

    VM Health Checking readiness probe. This health check config exactly mirrors the +kubernetes readiness probe configuration both in schema and logic. +Only one health check method of 3 can be set at a time.

    + +
    +

    Proxy stats matcher defines configuration for reporting custom Envoy stats. +To reduce memory and CPU overhead from Envoy stats system, Istio proxies by +default create and expose only a subset of Envoy stats. This option is to +control creation of additional Envoy stats with prefix, suffix, and regex +expressions match on the name of the stats. This replaces the stats +inclusion annotations +(sidecar.istio.io/statsInclusionPrefixes, +sidecar.istio.io/statsInclusionRegexps, and +sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats +for circuit breakers, request retries, upstream connections, and request timeouts, +you can specify stats matcher as follows:

    +
    proxyStatsMatcher:
    +  inclusionRegexps:
    +    - .*outlier_detection.*
    +    - .*upstream_rq_retry.*
    +    - .*upstream_cx_.*
    +  inclusionSuffixes:
    +    - upstream_rq_timeout
    +
    +

    Note including more Envoy stats might increase number of time series +collected by prometheus significantly. Care needs to be taken on Prometheus +resource provision and configuration to reduce cardinality.

    + +
    +

    Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. +This feature adds hooks to delay application startup until the pod proxy +is ready to accept traffic, mitigating some startup race conditions. +Default value is ‘false’.

    + +
    +
    string[]
    +
    +

    The PEM data of the extra root certificates for workload-to-workload communication. +This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. +The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) +are added automatically by Istiod.

    + +
    +

    Specifies the details of the proxy image.

    + +
    +

    Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

    + +
    +

    Define the set of headers to add/modify for HTTP request/responses.

    +

    To enable an optional header, simply set the field. If no specific configuration is required, an empty object ({}) will enable it. +Note: currently all headers are enabled by default.

    +

    Below shows an example of customizing the server header and disabling the X-Envoy-Attempt-Count header:

    +
    proxyHeaders:
    +  server:
    +    value: "my-custom-server"
    +  # Explicitly enable Request IDs.
    +  # As this is the default, this has no effect.
    +  requestId: {}
    +  attemptCount:
    +    disabled: true
    +
    +

    Below shows an example of preserving the header case for HTTP 1.x requests

    +
    proxyHeaders:
    +  perserveHttp1HeaderCase: true
    +
    +

    Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:

    +
    proxyHeaders:
    +  forwardedClientCert: SANITIZE
    +  server:
    +    disabled: true
    +  requestId:
    +    disabled: true
    +  attemptCount:
    +    disabled: true
    +  envoyDebugHeaders:
    +    disabled: true
    +  metadataExchangeHeaders:
    +    mode: IN_MESH
    +
    + +
    +
    string
    +
    +

    Address of the Zipkin service (e.g. zipkin:9411). +DEPRECATED: Use tracing instead.

    + +
    +
    +

    ProxyStatsMatcher

    +
    +

    Proxy stats name matchers for stats creation. Note this is in addition to +the minimum Envoy stats that Istio generates by default.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    Proxy stats name prefix matcher for inclusion.

    + +
    +
    string[]
    +
    +

    Proxy stats name suffix matcher for inclusion.

    + +
    +
    string[]
    +
    +

    Proxy stats name regexps matcher for inclusion.

    + +
    +
    +

    ProxyHeaders

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Controls the X-Forwarded-Client-Cert header for inbound sidecar requests. To set this on gateways, use the Topology setting. +To disable the header, configure either SANITIZE (to always remove the header, if present) or FORWARD_ONLY (to leave the header as-is). +By default, APPEND_FORWARD will be used.

    + +
    +

    This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET +and the client connection is mTLS. It specifies the fields in +the client certificate to be forwarded. Note that Hash is always set, and +By is always set when the client certificate presents the URI type Subject Alternative Name value.

    + +
    +

    Controls the X-Request-Id header. If enabled, a request ID is generated for each request if one is not already set. +This applies to all types of traffic (inbound, outbound, and gateways). +If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. +Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. +This header is enabled by default if not configured.

    + +
    +

    Controls the server header. If enabled, the Server: istio-envoy header is set in response headers for inbound traffic (including gateways). +If disabled, the Server header is not modified. If it is already present, it will be preserved.

    + +
    +

    Controls the X-Envoy-Attempt-Count header. +If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. +If disabled, this header will not be set. If it is already present, it will be preserved. +This header is enabled by default if not configured.

    + +
    +

    Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, +these headers will be included. +If disabled, these headers will not be set. If they are already present, they will be preserved. +See the Envoy documentation for more details. +These headers are enabled by default if not configured.

    + +
    +

    Controls Istio metadata exchange headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. +By default, the behavior is unspecified. +If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.

    + +
    +

    When true, the original case of HTTP/1.x headers will be preserved +as they pass through the proxy, rather than normalizing them to lowercase. +This field is particularly useful for applications that require case-sensitive +headers for interoperability with downstream systems or APIs that expect specific +casing. +The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers +to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 +requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 +standards.

    + +
    +
    +

    Server

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    string
    +
    +

    If set, and the server header is enabled, this value will be set as the server header. By default, istio-envoy will be used.

    + +
    +
    +

    RequestId

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    AttemptCount

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    EnvoyDebugHeaders

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    MetadataExchangeHeaders

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    SetCurrentClientCertDetails

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Whether to forward the subject of the client cert. Defaults to true.

    + +
    +

    Whether to forward the entire client cert in URL encoded PEM format. This will appear in the +XFCC header comma separated from other values with the value Cert=“PEM”. +Defaults to false.

    + +
    +

    Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM +format. This will appear in the XFCC header comma separated from other values with the value +Chain=“PEM”. +Defaults to false.

    + +
    +

    Whether to forward the DNS type Subject Alternative Names of the client cert. +Defaults to true.

    + +
    +

    Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to +true.

    + +
    +
    +

    MetadataExchangeMode
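Review bot: the header-case example `perserveHttp1HeaderCase: true` misspells the field; the ProxyHeaders description later in the hunk names it `preserve_http1_header_case`, so the YAML key should be `preserveHttp1HeaderCase`, and the example as written will not take effect. Other slips to fix at the proto-comment source: "no request ID will be generate" should read "generated"; "eg. the required hardware capability doesn't existed" should read "e.g. the required hardware capability does not exist" and appears under both CryptoMb and QAT; and "Note: currently all headers are enabled by default" conflicts with the MetadataExchangeHeaders text "By default, the behavior is unspecified". On the Topology text: the numTrustedProxies description correctly covers the fallback to the downstream connection's source address when XFF has fewer than N entries; it would help to say plainly that with the default of 0 nothing in an incoming X-Forwarded-For header is trusted and only the connection's source address is used as the client address.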

    @@ -5006,7 +4120,7 @@ Traffic is considered in-mesh if it is secured with Istio mutual TLS. This means
    -

    ProxyConfig.TracingServiceName

    +

    TracingServiceName

    Allows specification of various Istio-supported naming schemes for the Envoy service_cluster value. The service_cluster value is primarily used @@ -5045,7 +4159,7 @@ a cluster name. If the app label does not exist istio-proxy

    -

    ProxyConfig.InboundInterceptionMode

    +

    InboundInterceptionMode

    The mode used to redirect inbound traffic to Envoy. This setting has no effect on outbound traffic: iptables REDIRECT is always used for @@ -5083,6 +4197,274 @@ filtering and manipulation. This mode also configures the sidecar to run with th

    The NONE mode does not configure redirect to Envoy at all. This is an advanced configuration that typically requires changes to user applications.

    + + + + +
    +

    RemoteService

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of a remove service used for various purposes (access log +receiver, metrics receiver, etc.). Can be IP address or a fully +qualified DNS name.

    + +
    +

    Use the tlsSettings to specify the tls mode to use. If the remote service +uses Istio mutual TLS and shares the root CA with istiod, specify the TLS +mode as ISTIO_MUTUAL.

    + +
    +

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    + +
    +
    +

    Network

    +
    +

    Network provides information about the endpoints in a routable L3 +network. A single routable L3 network can have one or more service +registries. Note that the network has no relation to the locality of the +endpoint. The endpoint locality will be obtained from the service +registry.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    The list of endpoints in the network (obtained through the +constituent service registries or from CIDR ranges). All endpoints in +the network are directly accessible to one another.

    + +
    +

    Set of gateways associated with the network.

    + +
    +
    +

    NetworkEndpoints

    +
    +

    NetworkEndpoints describes how the network associated with an endpoint +should be inferred. An endpoint will be assigned to a network based on +the following rules:

    +
      +
    1. +

      Implicitly: If the registry explicitly provides information about +the network to which the endpoint belongs to. In some cases, its +possible to indicate the network associated with the endpoint by +adding the ISTIO_META_NETWORK environment variable to the sidecar.

      +
    2. +
    3. +

      Explicitly:

      +

      a. By matching the registry name with one of the “fromRegistry” +in the mesh config. A “fromRegistry” can only be assigned to a +single network.

      +

      b. By matching the IP against one of the CIDR ranges in a mesh +config network. The CIDR ranges must not overlap and be assigned to +a single network.

      +
    4. +
    +

    (2) will override (1) if both are present.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    A CIDR range for the set of endpoints in this network. The CIDR +ranges for endpoints from different networks must not overlap.

    + +
    +
    string (oneof)
    +
    +

    Add all endpoints from the specified registry into this network. +The names of the registries should correspond to the kubeconfig file name +inside the secret that was used to configure the registry (Kubernetes +multicluster) or supplied by MCP server.

    + +
    +
    +

    IstioNetworkGateway

    +
    +

    The gateway associated with this network. Traffic from remote networks +will arrive at the specified gateway:port. All incoming traffic must +use mTLS.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    A fully qualified domain name of the gateway service. istiod will +lookup the service from the service registries in the network and +obtain the endpoint IPs of the gateway from the service +registry. Note that while the service name is a fully qualified +domain name, it need not be resolvable outside the orchestration +platform for the registry. e.g., this could be +istio-ingressgateway.istio-system.svc.cluster.local.

    + +
    +
    string (oneof)
    +
    +

    IP address or externally resolvable DNS address associated with the gateway.

    + +
    +
    uint32
    +
    Required
    +
    +

    The port associated with the gateway.

    + +
    +
    string
    +
    +

    The locality associated with an explicitly specified gateway (i.e. ip)

    + +
    +
    +

    MeshNetworks

    +
    +

    MeshNetworks (config map) provides information about the set of networks +inside a mesh and how to route to endpoints in each network. For example

    +

    MeshNetworks(file/config map):

    +
    networks:
    +  network1:
    +    endpoints:
    +    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    +    - fromCidr: 192.168.100.0/22 #a VM network for example
    +    gateways:
    +    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    +      port: 15443
    +      locality: us-east-1a
    +    - address: 192.168.100.1
    +      port: 15443
    +      locality: us-east-1a
    +
    + + + + + + + + + + + + + + +
    FieldDescription
    +
    map<string, Network>
    +
    Required
    +
    +

    The set of networks inside this mesh. Each network should +have a unique name and information about how to infer the endpoints in +the network as well as the gateways associated with the network.

    + +
    +
    +

    Resource

    +
    +

    Resource describes the source of configuration

    + + + + + + + + + + + + diff --git a/content/en/docs/reference/config/labels/index.html b/content/en/docs/reference/config/labels/index.html index 2b9685f32f..aeceb0f2de 100644 --- a/content/en/docs/reference/config/labels/index.html +++ b/content/en/docs/reference/config/labels/index.html @@ -289,6 +289,29 @@ indicates the type of traffic this waypoint can handle.

    NameDescription
    SERVICE_REGISTRY +

    Set to only receive service entries that are generated by the platform. +These auto generated service entries are combination of services and endpoints +that are generated by a specific platform e.g. k8

    +
    +

    service.istio.io/workload-name

    + + + + + + + + + + + + + + + + + + + +
    Nameservice.istio.io/workload-name
    Feature StatusAlpha
    Resource Types[Pod WorkloadEntry]
    Description

    The workload name of the application a workload belongs to. If unset, defaults to the detect parent resource. +For example, a Pod resource may default to the Deployment name.

    +

    sidecar.istio.io/inject

    diff --git a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html index 9ab398ff2b..a747ec3dc7 100644 --- a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -14,33 +14,27 @@ number_of_entries: 2 - - - - + - - - + - @@ -52,88 +46,72 @@ No - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html index e2dcd8fe1a..db313aefdd 100644 --- a/content/en/docs/reference/config/networking/destination-rule/index.html +++ b/content/en/docs/reference/config/networking/destination-rule/index.html @@ -103,15 +103,15 @@ after routing has occurred.

    - - - - + - - - + - - - + - - - + - - - + - @@ -209,59 +198,50 @@ destination ports. See DestinationRule for examples.

    - - - - + - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldType DescriptionRequired
    conditionsIstioCondition[]

    Current service state of the resource. More info: https://istio.io/docs/reference/config/config-status/

    -
    -No
    validationMessagesAnalysisMessageBase[]

    Includes any errors or warnings detected by Istio’s analyzers.

    -
    -No
    FieldType DescriptionRequired
    typestring
    +
    string
    +

    Type is the type of the condition.

    -
    -No
    statusstring
    +
    string
    +

    Status is the status of the condition. Can be True, False, Unknown.

    -
    -No
    lastProbeTimeTimestamp

    Last time we probed the condition.

    -
    -No
    lastTransitionTimeTimestamp

    Last time the condition transitioned from one status to another.

    -
    -No
    reasonstring
    +
    string
    +

    Unique, one-word, CamelCase reason for the condition’s last transition.

    -
    -No
    messagestring
    +
    string
    +

    Human-readable message indicating details about last transition.

    -
    -No
    observedGenerationint64

    Resource Generation to which the Condition refers.

    -
    -No
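Review bot: with the switch from the four-column "Field / Type / Description / Required" layout to the two-column "Field / Description" layout, the only remaining signal that a field is mandatory is the inline "Required" marker that the `+` lines add to fields previously marked "Yes" (for example host and name on the destination-rule page); fields previously marked "No" now carry nothing at all. That is fine as a convention, but nothing on the page explains it, so a one-line legend near the first table (or a tooltip on the marker) would keep required-ness discoverable. Also worth a second look: rows whose type is a linked message or well-known type (lastProbeTime, lastTransitionTime, observedGeneration) only lose their "-" and "-No" lines in this hunk, with no matching "+" lines, so confirm they still render with a type cell after regeneration.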
    FieldType DescriptionRequired
    hoststring
    +
    string
    +
    Required
    +

    The name of a service from the service registry. Service names are looked up from the platform’s service registry (e.g., @@ -128,38 +128,32 @@ potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

    Note that the host field applies to both HTTP and TCP services.

    -
    -Yes
    trafficPolicyTrafficPolicy

    Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection).

    -
    -No
    subsetsSubset[]

    One or more named sets that represent individual versions of a service. Traffic policies can be overridden at subset level.

    -
    -No
    exportTostring[]
    +
    string[]
    +

    A list of namespaces to which this destination rule is exported. The resolution of a destination rule to apply to a service occurs in the @@ -174,14 +168,12 @@ namespaces by default.

    the destination rule is declared in. Similarly, the value “*” is reserved and defines an export to all namespaces.

    -
    -No
    workloadSelectorWorkloadSelector

    Criteria used to select the specific set of pods/VMs on which this DestinationRule configuration should be applied. If specified, the DestinationRule @@ -192,9 +184,6 @@ For example, if specific sidecars need to have egress TLS settings for services of the mesh, instead of every sidecar in the mesh needing to have the configuration (which is the default behaviour), a workload selector can be specified.

    -
    -No
    FieldType DescriptionRequired
    loadBalancerLoadBalancerSettings

    Settings controlling the load balancer algorithms.

    -
    -No
    connectionPoolConnectionPoolSettings

    Settings controlling the volume of connections to an upstream service

    -
    -No
    outlierDetectionOutlierDetection

    Settings controlling eviction of unhealthy hosts from the load balancing pool

    -
    -No
    tlsClientTLSSettings

    TLS related settings for connections to the upstream service.

    -
    -No
    portLevelSettingsPortTrafficPolicy[]

    Traffic policies specific to individual ports. Note that port level settings will override the destination-level settings. Traffic @@ -269,33 +249,187 @@ settings specified at the destination-level will not be inherited when overridden by port-level settings, i.e. default values will be applied to fields omitted in port-level traffic policies.

    -
    -No
    tunnelTunnelSettings

    Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. Tunnel settings can be applied to TCP or TLS routes and can’t be applied to HTTP routes.

    -
    -No
    proxyProtocolProxyProtocol

    The upstream PROXY protocol settings.

    +
    +

    PortTrafficPolicy

    +
    +

    Traffic policies that apply to specific ports of the service

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    -No +

    Specifies the number of a port on the destination service +on which this policy is being applied.

    + +
    +

    Settings controlling the load balancer algorithms.

    + +
    +

    Settings controlling the volume of connections to an upstream service

    + +
    +

    Settings controlling eviction of unhealthy hosts from the load balancing pool

    + +
    +

    TLS related settings for connections to the upstream service.

    + +
    +
    +

    TunnelSettings

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Specifies which protocol to use for tunneling the downstream connection. +Supported protocols are:

    +
      +
    • CONNECT - uses HTTP CONNECT;
    • +
    • POST - uses HTTP POST.
    • +
    +

    CONNECT is used by default if not specified.

    +

    HTTP version for upstream requests is determined by the service protocol defined for the proxy.

    + +
    +
    string
    +
    Required
    +
    +

    Specifies a host to which the downstream connection is tunneled. +Target host must be an FQDN or IP address.

    + +
    +
    uint32
    +
    Required
    +
    +

    Specifies a port to which the downstream connection is tunneled.

    + +
    +
    +

    ProxyProtocol

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +

    The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details. +By default it is V1.

    + +
    +
    +

    VERSION

    +
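Review bot: in the TunnelSettings protocol row, "HTTP version for upstream requests is determined by the service protocol defined for the proxy" is ambiguous about which proxy and which protocol declaration is meant; if it is the protocol of the upstream service port (for example http vs http2 as declared on the Service or ServiceEntry), say so explicitly, since that is what an operator has to change to get HTTP/2 CONNECT. The ProxyProtocol row says "By default it is V1" but the VERSION enum table that follows does not mark a default; adding "(default)" to the V1 row would keep the two in sync.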
    + + + + + + + + + + + + + + + @@ -340,48 +474,41 @@ can be used to identify a specific SNI host corresponding to the named subset. - - - - + - - - + - - - + - @@ -426,56 +553,47 @@ spec: - - - - + - - - + - - - + - - - + - - - + -
    NameDescription
    V1 +

    ⁣PROXY protocol version 1. Human readable format.

    + +
    V2 +

    ⁣PROXY protocol version 2. Binary format.

    +
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +

    Name of the subset. The service name and the subset name can be used for traffic splitting in a route rule.

    -
    -Yes
    labelsmap<string, string>
    +
    map<string, string>
    +

    Labels apply a filter over the endpoints of a service in the service registry. See route rules for examples of usage.

    -
    -No
    trafficPolicyTrafficPolicy

    Traffic policies that apply to this subset. Subsets inherit the traffic policies specified at the DestinationRule level. Settings specified at the subset level will override the corresponding settings specified at the DestinationRule level.

    -
    -No
    FieldType DescriptionRequired
    simpleSimpleLB (oneof) -No -
    consistentHashConsistentHashLB (oneof) -No -
    localityLbSettingLocalityLoadBalancerSetting

    Locality load balancer settings, this will override mesh-wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig

    -
    -No
    warmupDurationSecsDuration

    Deprecated: use warmup instead.

    -
    -No
    warmupWarmupConfiguration

    Represents the warmup configuration of Service. If set, the newly created endpoint of service remains in warmup mode starting from its creation time for the duration of this window and @@ -486,825 +604,12 @@ endpoints are relatively new like new deployment, this is not very effective as amount of requests. Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers.

    -
    -No
    -

    WarmupConfiguration

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    durationDuration -

    Duration of warmup mode

    - -
    -Yes -
    minimumPercentDoubleValue -

    Configures the minimum percentage of origin weight -If unspecified, defaults to 10

    - -
    -No -
    aggressionDoubleValue -

    This parameter controls the speed of traffic increase over the warmup duration. Defaults to 1.0, so that endpoints would -get linearly increasing amount of traffic. When increasing the value for this parameter, -the speed of traffic ramp-up increases non-linearly.

    - -
    -No -
    -
    -

    ConnectionPoolSettings

    -
    -

    Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy’s circuit -breaker -for more details. Connection pool settings can be applied at the TCP -level as well as at HTTP level.

    -

    For example, the following rule sets a limit of 100 connections to redis -service called myredissrv with a connect timeout of 30ms

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: bookinfo-redis
    -spec:
    -  host: myredissrv.prod.svc.cluster.local
    -  trafficPolicy:
    -    connectionPool:
    -      tcp:
    -        maxConnections: 100
    -        connectTimeout: 30ms
    -        tcpKeepalive:
    -          time: 7200s
    -          interval: 75s
    -
    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    tcpTCPSettings -

    Settings common to both HTTP and TCP upstream connections.

    - -
    -No -
    httpHTTPSettings -

    HTTP connection pool settings.

    - -
    -No -
    -
    -

    OutlierDetection

    -
    -

    A Circuit breaker implementation that tracks the status of each -individual host in the upstream service. Applicable to both HTTP and -TCP services. For HTTP services, hosts that continually return 5xx -errors for API calls are ejected from the pool for a pre-defined period -of time. For TCP services, connection timeouts or connection -failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy’s outlier -detection -for more details.

    -

    The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the “reviews” service. In addition, -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream -hosts to be scanned every 5 mins so that any host that fails 7 consecutive -times with a 502, 503, or 504 error code will be ejected for 15 minutes.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: reviews-cb-policy
    -spec:
    -  host: reviews.prod.svc.cluster.local
    -  trafficPolicy:
    -    connectionPool:
    -      tcp:
    -        maxConnections: 100
    -      http:
    -        http2MaxRequests: 1000
    -        maxRequestsPerConnection: 10
    -    outlierDetection:
    -      consecutive5xxErrors: 7
    -      interval: 5m
    -      baseEjectionTime: 15m
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    splitExternalLocalOriginErrorsbool -

    Determines whether to distinguish local origin failures from external errors. If set to true -consecutiveLocalOriginFailures is taken into account for outlier detection calculations. -This should be used when you want to derive the outlier detection status based on the errors -seen locally such as failure to connect, timeout while connecting etc. rather than the status code -returned by upstream service. This is especially useful when the upstream service explicitly returns -a 5xx for some requests and you want to ignore those responses from upstream service while determining -the outlier detection status of a host. -Defaults to false.

    - -
    -No -
    consecutiveLocalOriginFailuresUInt32Value -

    The number of consecutive locally originated failures before ejection -occurs. Defaults to 5. Parameter takes effect only when splitExternalLocalOriginErrors -is set to true.

    - -
    -No -
    consecutiveGatewayErrorsUInt32Value -

    Number of gateway errors before a host is ejected from the connection pool. -When the upstream host is accessed over HTTP, a 502, 503, or 504 return -code qualifies as a gateway error. When the upstream host is accessed over -an opaque TCP connection, connect timeouts and connection error/failure -events qualify as a gateway error. -This feature is disabled by default or when set to the value 0.

    -

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be -used separately or together. Because the errors counted by -consecutiveGatewayErrors are also included in consecutive5xxErrors, -if the value of consecutiveGatewayErrors is greater than or equal to -the value of consecutive5xxErrors, consecutiveGatewayErrors will have -no effect.

    - -
    -No -
    consecutive5xxErrorsUInt32Value -

    Number of 5xx errors before a host is ejected from the connection pool. -When the upstream host is accessed over an opaque TCP connection, connect -timeouts, connection error/failure and request failure events qualify as a -5xx error. -This feature defaults to 5 but can be disabled by setting the value to 0.

    -

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be -used separately or together. Because the errors counted by -consecutiveGatewayErrors are also included in consecutive5xxErrors, -if the value of consecutiveGatewayErrors is greater than or equal to -the value of consecutive5xxErrors, consecutiveGatewayErrors will have -no effect.

    - -
    -No -
    intervalDuration -

    Time interval between ejection sweep analysis. format: -1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    - -
    -No -
    baseEjectionTimeDuration -

    Minimum ejection duration. A host will remain ejected for a period -equal to the product of minimum ejection duration and the number of -times the host has been ejected. This technique allows the system to -automatically increase the ejection period for unhealthy upstream -servers. format: 1h/1m/1s/1ms. MUST be >=1ms. Default is 30s.

    - -
    -No -
    maxEjectionPercentint32 -

    Maximum % of hosts in the load balancing pool for the upstream -service that can be ejected. Defaults to 10%.

    - -
    -No -
    minHealthPercentint32 -

    Outlier detection will be enabled as long as the associated load balancing -pool has at least minHealthPercent hosts in healthy mode. When the -percentage of healthy hosts in the load balancing pool drops below this -threshold, outlier detection will be disabled and the proxy will load balance -across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it’s not typically -applicable in k8s environments with few pods per service.

    - -
    -No -
    -
    -

    ClientTLSSettings

    -
    -

    SSL/TLS related settings for upstream connections. See Envoy’s TLS -context -for more details. These settings are common to both HTTP and TCP upstreams.

    -

    For example, the following rule configures a client to use mutual TLS -for connections to upstream database cluster.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: db-mtls
    -spec:
    -  host: mydbserver.prod.svc.cluster.local
    -  trafficPolicy:
    -    tls:
    -      mode: MUTUAL
    -      clientCertificate: /etc/certs/myclientcert.pem
    -      privateKey: /etc/certs/client_private_key.pem
    -      caCertificates: /etc/certs/rootcacerts.pem
    -
    -

    The following rule configures a client to use TLS when talking to a -foreign service whose domain matches *.foo.com.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: tls-foo
    -spec:
    -  host: "*.foo.com"
    -  trafficPolicy:
    -    tls:
    -      mode: SIMPLE
    -
    -

    The following rule configures a client to use Istio mutual TLS when talking -to rating services.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: ratings-istio-mtls
    -spec:
    -  host: ratings.prod.svc.cluster.local
    -  trafficPolicy:
    -    tls:
    -      mode: ISTIO_MUTUAL
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeTLSmode -

    Indicates whether connections to this port should be secured -using TLS. The value of this field determines how TLS is enforced.

    - -
    -No -
    clientCertificatestring -

    REQUIRED if mode is MUTUAL. The path to the file holding the -client-side TLS certificate to use. -Should be empty if mode is ISTIO_MUTUAL.

    - -
    -No -
    privateKeystring -

    REQUIRED if mode is MUTUAL. The path to the file holding the -client’s private key. -Should be empty if mode is ISTIO_MUTUAL.

    - -
    -No -
    caCertificatesstring -

    OPTIONAL: The path to the file containing certificate authority -certificates to use in verifying a presented server certificate. If -omitted, the proxy will verify the server’s certificate using -the OS CA certificates. -Should be empty if mode is ISTIO_MUTUAL.

    - -
    -No -
    credentialNamestring -

    The name of the secret that holds the TLS certs for the -client including the CA certificates. This secret must exist in -the namespace of the proxy using the certificates. -An Opaque secret should contain the following keys and values: -key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, -crl: <certificateRevocationList> -Here CACertificate is used to verify the server certificate. -For mutual TLS, cacert: <CACertificate> can be provided in the -same secret or a separate secret named <secret>-cacert. -A TLS secret for client certificates with an additional -ca.crt key for CA certificates and ca.crl key for -certificate revocation list(CRL) is also supported. -Only one of client certificates and CA certificate -or credentialName can be specified.

    -

    NOTE: This field is applicable at sidecars only if -DestinationRule has a workloadSelector specified. -Otherwise the field will be applicable only at gateways, and -sidecars will continue to use the certificate paths.

    - -
    -No -
    subjectAltNamesstring[] -

    A list of alternate names to verify the subject identity in the -certificate. If specified, the proxy will verify that the server -certificate’s subject alt name matches one of the specified values. -If specified, this list overrides the value of subjectAltNames -from the ServiceEntry. If unspecified, automatic validation of upstream -presented certificate for new upstream connections will be done based on the -downstream HTTP host/authority header.

    - -
    -No -
    snistring -

    SNI string to present to the server during TLS handshake. -If unspecified, SNI will be automatically set based on downstream HTTP -host/authority header for SIMPLE and MUTUAL TLS modes.

    - -
    -No -
    insecureSkipVerifyBoolValue -

    insecureSkipVerify specifies whether the proxy should skip verifying the -CA signature and SAN for the server certificate corresponding to the host. -The default value of this field is false.

    - -
    -No -
    caCrlstring -

    OPTIONAL: The path to the file containing the certificate revocation list (CRL) -to use in verifying a presented server certificate. CRL is a list of certificates -that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. -If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. -If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, -CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

    - -
    -No -
    -
    -

    LocalityLoadBalancerSetting

    -
    -

    Locality-weighted load balancing allows administrators to control the -distribution of traffic to endpoints based on the localities of where the -traffic originates and where it will terminate. These localities are -specified using arbitrary labels that designate a hierarchy of localities in -{region}/{zone}/{sub-zone} form. For additional detail refer to -Locality Weight -The following example shows how to setup locality weights mesh-wide.

    -

    Given a mesh with workloads and their service deployed to “us-west/zone1/*” -and “us-west/zone2/*”. This example specifies that when traffic accessing a -service originates from workloads in “us-west/zone1/*”, 80% of the traffic -will be sent to endpoints in “us-west/zone1/*”, i.e the same zone, and the -remaining 20% will go to endpoints in “us-west/zone2/*”. This setup is -intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in “us-west/zone2/*”.

    -
      distribute:
    -    - from: us-west/zone1/*
    -      to:
    -        "us-west/zone1/*": 80
    -        "us-west/zone2/*": 20
    -    - from: us-west/zone2/*
    -      to:
    -        "us-west/zone1/*": 20
    -        "us-west/zone2/*": 80
    -
    -

    If the goal of the operator is not to distribute load across zones and -regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a ‘failover’ policy instead of -a ‘distribute’ policy.

    -

    The following example sets up a locality failover policy for regions. -Assume a service resides in zones within us-east, us-west & eu-west -this example specifies that when endpoints within us-east become unhealthy -traffic should failover to endpoints in any zone or sub-zone within eu-west -and similarly us-west should failover to us-east.

    -
     failover:
    -   - from: us-east
    -     to: eu-west
    -   - from: us-west
    -     to: us-east
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    distributeDistribute[] -

    Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing -If empty, the locality weight is set according to the endpoints number within it.

    - -
    -No -
    failoverFailover[] -

    Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. -Should be used together with OutlierDetection to detect unhealthy endpoints. -Note: if no OutlierDetection specified, this will not take effect.

    - -
    -No -
    failoverPrioritystring[] -

    failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. -This is to support traffic failover across different groups of endpoints. -Two kinds of labels can be specified:

    -
      -
    • -

      Specify only label keys [key1, key2, key3], istio would compare the label values of client with endpoints. -Suppose there are total N label keys [key1, key2, key3, ...keyN] specified:

      -
        -
      1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
      2. -
      3. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
      4. -
      5. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
      6. -
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. -
      -
    • -
    • -

      Specify labels with key and value [key1=value1, key2=value2, key3=value3], istio would compare the labels with endpoints. -Suppose there are total N labels [key1=value1, key2=value2, key3=value3, ...keyN=valueN] specified:

      -
        -
      1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
      2. -
      3. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
      4. -
      5. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
      6. -
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. -
      -
    • -
    -

    Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

    -

    It can be any label specified on both client and server workloads. -The following labels which have special semantic meaning are also supported:

    -
      -
    • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
    • -
    • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
    • -
    • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
    • -
    • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
    • -
    • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
    • -
    • kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.
    • -
    -

    The below topology config indicates the following priority levels:

    -
    failoverPriority:
    -- "topology.istio.io/network"
    -- "topology.kubernetes.io/region"
    -- "topology.kubernetes.io/zone"
    -- "topology.istio.io/subzone"
    -
    -
      -
    1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
    2. -
    3. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
    4. -
    5. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
    6. -
    7. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
    8. -
    9. all the other endpoints have the same lowest priority.
    10. -
    -

    Suppose a service associated endpoints reside in multi clusters, the below example represents:

    -
      -
    1. endpoints in clusterA and has version=v1 label have P(0) priority.
    2. -
    3. endpoints not in clusterA but has version=v1 label have P(1) priority.
    4. -
    5. all the other endpoints have P(2) priority.
    6. -
    -
    failoverPriority:
    -- "version=v1"
    -- "topology.istio.io/cluster=clusterA"
    -
    -

    Optional: only one of distribute, failover or failoverPriority can be set. -And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

    - -
    -No -
    enabledBoolValue -

    Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety. -e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.

    - -
    -No -
    -
    -

    TrafficPolicy.PortTrafficPolicy

    -
    -

    Traffic policies that apply to specific ports of the service

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    portPortSelector -

    Specifies the number of a port on the destination service -on which this policy is being applied.

    - -
    -No -
    loadBalancerLoadBalancerSettings -

    Settings controlling the load balancer algorithms.

    - -
    -No -
    connectionPoolConnectionPoolSettings -

    Settings controlling the volume of connections to an upstream service

    - -
    -No -
    outlierDetectionOutlierDetection -

    Settings controlling eviction of unhealthy hosts from the load balancing pool

    - -
    -No -
    tlsClientTLSSettings -

    TLS related settings for connections to the upstream service.

    - -
    -No -
    -
    -

    TrafficPolicy.TunnelSettings

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    protocolstring -

    Specifies which protocol to use for tunneling the downstream connection. -Supported protocols are:

    -
      -
    • CONNECT - uses HTTP CONNECT;
    • -
    • POST - uses HTTP POST.
    • -
    -

    CONNECT is used by default if not specified.

    -

    HTTP version for upstream requests is determined by the service protocol defined for the proxy.

    - -
    -No -
    targetHoststring -

    Specifies a host to which the downstream connection is tunneled. -Target host must be an FQDN or IP address.

    - -
    -Yes -
    targetPortuint32 -

    Specifies a port to which the downstream connection is tunneled.

    - -
    -Yes -
    -
    -

    TrafficPolicy.ProxyProtocol

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    versionVERSION -

    The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details. -By default it is V1.

    - -
    -No -
    -
    -

    LoadBalancerSettings.ConsistentHashLB

    +

    ConsistentHashLB
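Review bot: the failoverPriority description removed here is re-added unchanged in the last hunk of this patch (the same "Two kinds of labels can be specified" text), so its wording problems survive the move and should be fixed in the re-added copy. In the multi-cluster example, "endpoints in clusterA and has version=v1 label have P(0) priority" and "endpoints not in clusterA but has version=v1 label have P(1) priority" should read "endpoints that are in clusterA and have the version=v1 label" / "endpoints that are not in clusterA but have the version=v1 label", and that example lists its priority levels before the YAML while the topology example lists them after the YAML; one order for both would help. If the "enabled" row is also restored later, its "e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is" should become "e.g. true turns on locality load balancing for this DestinationRule regardless of the mesh-wide setting".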

    Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other @@ -1325,108 +630,91 @@ or a high level load balancer handles locality affinity.

    Field -Type Description -Required -httpHeaderName -string (oneof) +
    +
    string (oneof)
    +

    Hash based on a specific HTTP header.

    - - -No -httpCookie -HTTPCookie (oneof) +

    Hash based on HTTP cookie.

    - - -No -useSourceIp -bool (oneof) +
    +
    bool (oneof)
    +

    Hash based on the source IP address. This is applicable for both TCP and HTTP connections.

    - - -No -httpQueryParameterName -string (oneof) +
    +
    string (oneof)
    +

    Hash based on a specific HTTP query parameter.

    - - -No -ringHash -RingHash (oneof) +

    The ring/modulo hash load balancer implements consistent hashing to backend hosts.

    - - -No -maglev -MagLev (oneof) +

    The Maglev load balancer implements consistent hashing to backend hosts.

    - - -No -minimumRingSize -uint64 +
    +
    uint64
    +

    Deprecated. Use RingHash instead.

    - - -No
    -

    LoadBalancerSettings.ConsistentHashLB.RingHash

    +

    RingHash

    - - - - + -
    FieldType DescriptionRequired
    minimumRingSizeuint64
    +
    uint64
    +
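Review bot: the ConsistentHashLB table marks httpHeaderName, httpCookie, useSourceIp, httpQueryParameterName, ringHash and maglev all as "(oneof)" without saying which group each field belongs to, so a reader can conclude that, say, httpCookie and ringHash are mutually exclusive. The hash-key fields (httpHeaderName, httpCookie, useSourceIp, httpQueryParameterName) are one oneof and the algorithm fields (ringHash, maglev) another; suggest labelling the two groups, e.g. "string (oneof hash_key)" and "RingHash (oneof hash_algorithm)", or adding a sentence above the table stating that exactly one hash key and at most one algorithm may be set. The deprecated top-level minimumRingSize row says only "Use RingHash instead"; naming the replacement field (RingHash.minimumRingSize) would save readers a lookup.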

    The minimum number of virtual nodes to use for the hash ring. Defaults to 1024. Larger ring sizes result in more granular @@ -1434,29 +722,25 @@ load distributions. If the number of hosts in the load balancing pool is larger than the ring size, each host will be assigned a single virtual node.

    -
    -No
    -

    LoadBalancerSettings.ConsistentHashLB.MagLev

    +

    MagLev

    - - - - + -
    FieldType DescriptionRequired
    tableSizeuint64
    +
    uint64
    +

    The table size for Maglev hashing. This helps in controlling the disruption when the backend hosts change. @@ -1464,15 +748,12 @@ Increasing the table size reduces the amount of disruption. The table size must be prime number less than 5000011. If it is not specified, the default is 65537.

    -
    -No
    -

    LoadBalancerSettings.ConsistentHashLB.HTTPCookie

    +

    HTTPCookie

    Describes a HTTP cookie that will be used as the hash key for the Consistent Hash load balancer.

    @@ -1481,460 +762,44 @@ Consistent Hash load balancer.

    Field -Type Description -Required -name -string +
    +
    string
    +
    Required
    +

    Name of the cookie.

    - - -Yes -path -string +
    +
    string
    +

    Path to set for the cookie.

    - - -No -ttl -Duration +

    Lifetime of the cookie. If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie.

    - - -No
    -

    ConnectionPoolSettings.TCPSettings

    -
    -

    Settings common to both HTTP and TCP upstream connections.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    maxConnectionsint32 -

    Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

    - -
    -No -
    connectTimeoutDuration -

    TCP connection timeout. format: -1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    - -
    -No -
    tcpKeepaliveTcpKeepalive -

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    - -
    -No -
    maxConnectionDurationDuration -

    The maximum duration of a connection. The duration is defined as the period since a connection -was established. If not set, there is no max duration. When maxConnectionDuration -is reached the connection will be closed. Duration must be at least 1ms.

    - -
    -No -
    idleTimeoutDuration -

    The idle timeout for TCP connections. -The idle timeout is defined as the period in which there are no bytes sent or received on either -the upstream or downstream connection. -If not set, the default idle timeout is 1 hour. If set to 0s, the timeout will be disabled. -Idle timeout is not configured per each cluster individually when weighted destinations are used, -because idleTimeout is a property of a listener, not a cluster. In that case, idleTimeout -specified in a destination rule for the first weighted route is configured in the listener, -which means also for all weighted routes.

    - -
    -No -
    -
    -

    ConnectionPoolSettings.HTTPSettings

    -
    -

    Settings applicable to HTTP1.1/HTTP2/GRPC connections.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    http1MaxPendingRequestsint32 -

    Maximum number of requests that will be queued while waiting for -a ready connection pool connection. Default 2^32-1. -Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking -under which conditions a new connection is created for HTTP2. -Please note that this is applicable to both HTTP/1.1 and HTTP2.

    - -
    -No -
    http2MaxRequestsint32 -

    Maximum number of active requests to a destination. Default 2^32-1. -Please note that this is applicable to both HTTP/1.1 and HTTP2.

    - -
    -No -
    maxRequestsPerConnectionint32 -

    Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning “unlimited”, -up to 2^29.

    - -
    -No -
    maxRetriesint32 -

    Maximum number of retries that can be outstanding to all hosts in a -cluster at a given time. Defaults to 2^32-1.

    - -
    -No -
    idleTimeoutDuration -

    The idle timeout for upstream connection pool connections. The idle timeout -is defined as the period in which there are no active requests. -If not set, the default is 1 hour. When the idle timeout is reached, -the connection will be closed. If the connection is an HTTP/2 -connection a drain sequence will occur prior to closing the connection. -Note that request based timeouts mean that HTTP/2 PINGs will not -keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

    - -
    -No -
    h2UpgradePolicyH2UpgradePolicy -

    Specify if http1.1 connection should be upgraded to http2 for the associated destination.

    - -
    -No -
    useClientProtocolbool -

    If set to true, client protocol will be preserved while initiating connection to backend. -Note that when this is set to true, h2UpgradePolicy will be ineffective i.e. the client -connections will not be upgraded to http2.

    - -
    -No -
    maxConcurrentStreamsint32 -

    The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. -Defaults to 2^31-1.

    - -
    -No -
    -
    -

    ConnectionPoolSettings.TCPSettings.TcpKeepalive

    -
    -

    TCP keepalive.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    probesuint32 -

    Maximum number of keepalive probes to send without response before -deciding the connection is dead. Default is to use the OS level configuration -(unless overridden, Linux defaults to 9.)

    - -
    -No -
    timeDuration -

    The time duration a connection needs to be idle before keep-alive -probes start being sent. Default is to use the OS level configuration -(unless overridden, Linux defaults to 7200s (ie 2 hours.)

    - -
    -No -
    intervalDuration -

    The time duration between keep-alive probes. -Default is to use the OS level configuration -(unless overridden, Linux defaults to 75s.)

    - -
    -No -
    -
    -

    LocalityLoadBalancerSetting.Distribute

    -
    -

    Describes how traffic originating in the ‘from’ zone or sub-zone is -distributed over a set of ’to’ zones. Syntax for specifying a zone is -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any -segment of the specification. Examples:

    -

    * - matches all localities

    -

    us-west/* - all zones and sub-zones within the us-west region

    -

    us-west/zone-1/* - all sub-zones within us-west/zone-1

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromstring -

    Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

    - -
    -No -
    tomap<string, uint32> -

    Map of upstream localities to traffic distribution weights. The sum of -all weights should be 100. Any locality not present will -receive no traffic.

    - -
    -No -
    -
    -

    LocalityLoadBalancerSetting.Failover

    -
    -

    Specify the traffic failover policy across regions. Since zone and sub-zone -failover is supported by default this only needs to be specified for -regions when the operator needs to constrain traffic failover so that -the default behavior of failing over to any endpoint globally does not -apply. This is useful when failing over traffic across regions would not -improve service health or may need to be restricted for other reasons -like regulatory controls.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromstring -

    Originating region.

    - -
    -No -
    tostring -

    Destination region the traffic will fail over to when endpoints in -the ‘from’ region becomes unhealthy.

    - -
    -No -
    -
    -

    google.protobuf.UInt32Value

    -
    -

    Wrapper message for uint32.

    -

    The JSON representation for UInt32Value is JSON number.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valueuint32 -

    The uint32 value.

    - -
    -No -
    -
    -

    TrafficPolicy.ProxyProtocol.VERSION

    -
    - - - - - - - - - - - - - - - - - -
    NameDescription
    V1 -

    ⁣PROXY protocol version 1. Human readable format.

    - -
    V2 -

    ⁣PROXY protocol version 2. Binary format.

    - -
    -
    -

    LoadBalancerSettings.SimpleLB

    +

    SimpleLB

    Standard load balancing algorithms that require no tuning.
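Review bot: this hunk deletes the LocalityLoadBalancerSetting.Distribute, LocalityLoadBalancerSetting.Failover, google.protobuf.UInt32Value and TrafficPolicy.ProxyProtocol.VERSION sections together with the ConnectionPoolSettings sub-tables, but only the ConnectionPoolSettings sub-tables (TCPSettings, TcpKeepalive, HTTPSettings) reappear as additions later in this patch. The LocalityLoadBalancerSetting table added in the final hunk still documents "distribute" and "failover" fields whose message types would then have no section, and the ProxyProtocol "version" row still refers to VERSION; confirm that Distribute, Failover, UInt32Value and VERSION are re-added under the new heading style in a part of the diff not shown here, or restore them in this hunk.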

    @@ -2004,7 +869,327 @@ LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

    -

    ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy

    +

    WarmupConfiguration

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +
    Required
    +
    +

    Duration of warmup mode

    + +
    +

    Configures the minimum percentage of origin weight +If unspecified, defaults to 10

    + +
    +

    This parameter controls the speed of traffic increase over the warmup duration. Defaults to 1.0, so that endpoints would +get linearly increasing amount of traffic. When increasing the value for this parameter, +the speed of traffic ramp-up increases non-linearly.

    + +
    +
    +

    ConnectionPoolSettings

    +
    +

    Connection pool settings for an upstream host. The settings apply to +each individual host in the upstream service. See Envoy’s circuit +breaker +for more details. Connection pool settings can be applied at the TCP +level as well as at HTTP level.

    +

    For example, the following rule sets a limit of 100 connections to redis +service called myredissrv with a connect timeout of 30ms

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: bookinfo-redis
    +spec:
    +  host: myredissrv.prod.svc.cluster.local
    +  trafficPolicy:
    +    connectionPool:
    +      tcp:
    +        maxConnections: 100
    +        connectTimeout: 30ms
    +        tcpKeepalive:
    +          time: 7200s
    +          interval: 75s
    +
    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Settings common to both HTTP and TCP upstream connections.

    + +
    +

    HTTP connection pool settings.

    + +
    +
    +

    TCPSettings

    +
    +

    Settings common to both HTTP and TCP upstream connections.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

    + +
    +

    TCP connection timeout. format: +1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    + +
    +

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    + +
    +

    The maximum duration of a connection. The duration is defined as the period since a connection +was established. If not set, there is no max duration. When maxConnectionDuration +is reached the connection will be closed. Duration must be at least 1ms.

    + +
    +

    The idle timeout for TCP connections. +The idle timeout is defined as the period in which there are no bytes sent or received on either +the upstream or downstream connection. +If not set, the default idle timeout is 1 hour. If set to 0s, the timeout will be disabled. +Idle timeout is not configured per each cluster individually when weighted destinations are used, +because idleTimeout is a property of a listener, not a cluster. In that case, idleTimeout +specified in a destination rule for the first weighted route is configured in the listener, +which means also for all weighted routes.

    + +
    +
    +

    TcpKeepalive

    +
    +

    TCP keepalive.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Maximum number of keepalive probes to send without response before +deciding the connection is dead. Default is to use the OS level configuration +(unless overridden, Linux defaults to 9.)

    + +
    +

    The time duration a connection needs to be idle before keep-alive +probes start being sent. Default is to use the OS level configuration +(unless overridden, Linux defaults to 7200s (ie 2 hours.)

    + +
    +

    The time duration between keep-alive probes. +Default is to use the OS level configuration +(unless overridden, Linux defaults to 75s.)

    + +
    +
    +

    HTTPSettings

    +
    +

    Settings applicable to HTTP1.1/HTTP2/GRPC connections.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Maximum number of requests that will be queued while waiting for +a ready connection pool connection. Default 2^32-1. +Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking +under which conditions a new connection is created for HTTP2. +Please note that this is applicable to both HTTP/1.1 and HTTP2.

    + +
    +

    Maximum number of active requests to a destination. Default 2^32-1. +Please note that this is applicable to both HTTP/1.1 and HTTP2.

    + +
    +

    Maximum number of requests per connection to a backend. Setting this +parameter to 1 disables keep alive. Default 0, meaning “unlimited”, +up to 2^29.

    + +
    +
    int32
    +
    +

    Maximum number of retries that can be outstanding to all hosts in a +cluster at a given time. Defaults to 2^32-1.

    + +
    +

    The idle timeout for upstream connection pool connections. The idle timeout +is defined as the period in which there are no active requests. +If not set, the default is 1 hour. When the idle timeout is reached, +the connection will be closed. If the connection is an HTTP/2 +connection a drain sequence will occur prior to closing the connection. +Note that request based timeouts mean that HTTP/2 PINGs will not +keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

    + +
    +

    Specify if http1.1 connection should be upgraded to http2 for the associated destination.

    + +
    +

    If set to true, client protocol will be preserved while initiating connection to backend. +Note that when this is set to true, h2UpgradePolicy will be ineffective i.e. the client +connections will not be upgraded to http2.

    + +
    +

    The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. +Defaults to 2^31-1.

    + +
    +
    +

    H2UpgradePolicy

    Policy for upgrading http1.1 connections to http2.
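Review bot: in the HTTPSettings table the http1MaxPendingRequests text "Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking under which conditions a new connection is created for HTTP2" is a fragment; suggest "Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking for the conditions under which a new connection is created for HTTP2". Two smaller points in the same hunk: the WarmupConfiguration row "Configures the minimum percentage of origin weight If unspecified, defaults to 10" is missing a full stop and should say what the percentage is relative to and what range it accepts, and the TCPSettings idleTimeout note that the value is taken from the first weighted route and applied to the listener deserves a one-line caveat that a short idleTimeout on one DestinationRule therefore affects every weighted destination of that route.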

    @@ -2042,7 +1227,345 @@ This opt-in option overrides the default.

    -

    ClientTLSSettings.TLSmode

    +

    OutlierDetection

    +
    +

    A Circuit breaker implementation that tracks the status of each +individual host in the upstream service. Applicable to both HTTP and +TCP services. For HTTP services, hosts that continually return 5xx +errors for API calls are ejected from the pool for a pre-defined period +of time. For TCP services, connection timeouts or connection +failures to a given host counts as an error when measuring the +consecutive errors metric. See Envoy’s outlier +detection +for more details.

    +

    The following rule sets a connection pool size of 100 HTTP1 connections +with no more than 10 req/connection to the “reviews” service. In addition, +it sets a limit of 1000 concurrent HTTP2 requests and configures upstream +hosts to be scanned every 5 mins so that any host that fails 7 consecutive +times with a 502, 503, or 504 error code will be ejected for 15 minutes.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: reviews-cb-policy
    +spec:
    +  host: reviews.prod.svc.cluster.local
    +  trafficPolicy:
    +    connectionPool:
    +      tcp:
    +        maxConnections: 100
    +      http:
    +        http2MaxRequests: 1000
    +        maxRequestsPerConnection: 10
    +    outlierDetection:
    +      consecutive5xxErrors: 7
    +      interval: 5m
    +      baseEjectionTime: 15m
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Determines whether to distinguish local origin failures from external errors. If set to true +consecutiveLocalOriginFailures is taken into account for outlier detection calculations. +This should be used when you want to derive the outlier detection status based on the errors +seen locally such as failure to connect, timeout while connecting etc. rather than the status code +returned by upstream service. This is especially useful when the upstream service explicitly returns +a 5xx for some requests and you want to ignore those responses from upstream service while determining +the outlier detection status of a host. +Defaults to false.

    + +
    +

    The number of consecutive locally originated failures before ejection +occurs. Defaults to 5. Parameter takes effect only when splitExternalLocalOriginErrors +is set to true.

    + +
    +

    Number of gateway errors before a host is ejected from the connection pool. +When the upstream host is accessed over HTTP, a 502, 503, or 504 return +code qualifies as a gateway error. When the upstream host is accessed over +an opaque TCP connection, connect timeouts and connection error/failure +events qualify as a gateway error. +This feature is disabled by default or when set to the value 0.

    +

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be +used separately or together. Because the errors counted by +consecutiveGatewayErrors are also included in consecutive5xxErrors, +if the value of consecutiveGatewayErrors is greater than or equal to +the value of consecutive5xxErrors, consecutiveGatewayErrors will have +no effect.

    + +
    +

    Number of 5xx errors before a host is ejected from the connection pool. +When the upstream host is accessed over an opaque TCP connection, connect +timeouts, connection error/failure and request failure events qualify as a +5xx error. +This feature defaults to 5 but can be disabled by setting the value to 0.

    +

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be +used separately or together. Because the errors counted by +consecutiveGatewayErrors are also included in consecutive5xxErrors, +if the value of consecutiveGatewayErrors is greater than or equal to +the value of consecutive5xxErrors, consecutiveGatewayErrors will have +no effect.

    + +
    +

    Time interval between ejection sweep analysis. format: +1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    + +
    +

    Minimum ejection duration. A host will remain ejected for a period +equal to the product of minimum ejection duration and the number of +times the host has been ejected. This technique allows the system to +automatically increase the ejection period for unhealthy upstream +servers. format: 1h/1m/1s/1ms. MUST be >=1ms. Default is 30s.

    + +
    +

    Maximum % of hosts in the load balancing pool for the upstream +service that can be ejected. Defaults to 10%.

    + +
    +

    Outlier detection will be enabled as long as the associated load balancing +pool has at least minHealthPercent hosts in healthy mode. When the +percentage of healthy hosts in the load balancing pool drops below this +threshold, outlier detection will be disabled and the proxy will load balance +across all hosts in the pool (healthy and unhealthy). The threshold can be +disabled by setting it to 0%. The default is 0% as it’s not typically +applicable in k8s environments with few pods per service.

    + +
    +
    +

    ClientTLSSettings

    +
    +

    SSL/TLS related settings for upstream connections. See Envoy’s TLS +context +for more details. These settings are common to both HTTP and TCP upstreams.

    +

    For example, the following rule configures a client to use mutual TLS +for connections to upstream database cluster.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: db-mtls
    +spec:
    +  host: mydbserver.prod.svc.cluster.local
    +  trafficPolicy:
    +    tls:
    +      mode: MUTUAL
    +      clientCertificate: /etc/certs/myclientcert.pem
    +      privateKey: /etc/certs/client_private_key.pem
    +      caCertificates: /etc/certs/rootcacerts.pem
    +
    +

    The following rule configures a client to use TLS when talking to a +foreign service whose domain matches *.foo.com.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: tls-foo
    +spec:
    +  host: "*.foo.com"
    +  trafficPolicy:
    +    tls:
    +      mode: SIMPLE
    +
    +

    The following rule configures a client to use Istio mutual TLS when talking +to rating services.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: ratings-istio-mtls
    +spec:
    +  host: ratings.prod.svc.cluster.local
    +  trafficPolicy:
    +    tls:
    +      mode: ISTIO_MUTUAL
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Indicates whether connections to this port should be secured +using TLS. The value of this field determines how TLS is enforced.

    + +
    +

    REQUIRED if mode is MUTUAL. The path to the file holding the +client-side TLS certificate to use. +Should be empty if mode is ISTIO_MUTUAL.

    + +
    +
    string
    +
    +

    REQUIRED if mode is MUTUAL. The path to the file holding the +client’s private key. +Should be empty if mode is ISTIO_MUTUAL.

    + +
    +
    string
    +
    +

    OPTIONAL: The path to the file containing certificate authority +certificates to use in verifying a presented server certificate. If +omitted, the proxy will verify the server’s certificate using +the OS CA certificates. +Should be empty if mode is ISTIO_MUTUAL.

    + +
    +
    string
    +
    +

    The name of the secret that holds the TLS certs for the +client including the CA certificates. This secret must exist in +the namespace of the proxy using the certificates. +An Opaque secret should contain the following keys and values: +key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, +crl: <certificateRevocationList> +Here CACertificate is used to verify the server certificate. +For mutual TLS, cacert: <CACertificate> can be provided in the +same secret or a separate secret named <secret>-cacert. +A TLS secret for client certificates with an additional +ca.crt key for CA certificates and ca.crl key for +certificate revocation list(CRL) is also supported. +Only one of client certificates and CA certificate +or credentialName can be specified.

    +

    NOTE: This field is applicable at sidecars only if +DestinationRule has a workloadSelector specified. +Otherwise the field will be applicable only at gateways, and +sidecars will continue to use the certificate paths.

    + +
    +
    string[]
    +
    +

    A list of alternate names to verify the subject identity in the +certificate. If specified, the proxy will verify that the server +certificate’s subject alt name matches one of the specified values. +If specified, this list overrides the value of subjectAltNames +from the ServiceEntry. If unspecified, automatic validation of upstream +presented certificate for new upstream connections will be done based on the +downstream HTTP host/authority header.

    + +
    +
    string
    +
    +

    SNI string to present to the server during TLS handshake. +If unspecified, SNI will be automatically set based on downstream HTTP +host/authority header for SIMPLE and MUTUAL TLS modes.

    + +
    +

    insecureSkipVerify specifies whether the proxy should skip verifying the +CA signature and SAN for the server certificate corresponding to the host. +The default value of this field is false.

    + +
    +
    string
    +
    +

    OPTIONAL: The path to the file containing the certificate revocation list (CRL) +to use in verifying a presented server certificate. CRL is a list of certificates +that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. +If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. +If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, +CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

    + +
    +
    +

    TLSmode

    TLS connection mode
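Review bot: the OutlierDetection example text and YAML disagree: the prose says a host "that fails 7 consecutive times with a 502, 503, or 504 error code will be ejected for 15 minutes", which is the definition this table gives for consecutiveGatewayErrors, but the rule sets consecutive5xxErrors: 7, which the same table defines as counting any 5xx. Either change the YAML to consecutiveGatewayErrors: 7 or reword the prose to "fails 7 consecutive times with a 5xx error code". In the ClientTLSSettings table, insecureSkipVerify is described only as skipping "the CA signature and SAN" checks; since that disables server authentication for the host entirely (the connection is still encrypted but the peer is not authenticated), the row should say so plainly and point readers at caCertificates or credentialName together with subjectAltNames as the intended fix for verification failures, rather than leaving the field to read like a routine toggle.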

    @@ -2090,3 +1613,266 @@ used, all other fields in ClientTLSSettings should be empty.

    +

    LocalityLoadBalancerSetting

    +
    +

    Locality-weighted load balancing allows administrators to control the +distribution of traffic to endpoints based on the localities of where the +traffic originates and where it will terminate. These localities are +specified using arbitrary labels that designate a hierarchy of localities in +{region}/{zone}/{sub-zone} form. For additional detail refer to +Locality Weight +The following example shows how to setup locality weights mesh-wide.

    +

    Given a mesh with workloads and their service deployed to “us-west/zone1/*” +and “us-west/zone2/*”. This example specifies that when traffic accessing a +service originates from workloads in “us-west/zone1/*”, 80% of the traffic +will be sent to endpoints in “us-west/zone1/*”, i.e the same zone, and the +remaining 20% will go to endpoints in “us-west/zone2/*”. This setup is +intended to favor routing traffic to endpoints in the same locality. +A similar setting is specified for traffic originating in “us-west/zone2/*”.

    +
      distribute:
    +    - from: us-west/zone1/*
    +      to:
    +        "us-west/zone1/*": 80
    +        "us-west/zone2/*": 20
    +    - from: us-west/zone2/*
    +      to:
    +        "us-west/zone1/*": 20
    +        "us-west/zone2/*": 80
    +
    +

    If the goal of the operator is not to distribute load across zones and +regions but rather to restrict the regionality of failover to meet other +operational requirements an operator can set a ‘failover’ policy instead of +a ‘distribute’ policy.

    +

    The following example sets up a locality failover policy for regions. +Assume a service resides in zones within us-east, us-west & eu-west +this example specifies that when endpoints within us-east become unhealthy +traffic should failover to endpoints in any zone or sub-zone within eu-west +and similarly us-west should failover to us-east.

    +
     failover:
    +   - from: us-east
    +     to: eu-west
    +   - from: us-west
    +     to: us-east
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    only one of distribute, failover or failoverPriority can be set. +Explicitly specify loadbalancing weight across different zones and geographical locations. +Refer to Locality weighted load balancing +If empty, the locality weight is set according to the endpoints number within it.

    + +
    +

    only one of distribute, failover or failoverPriority can be set. +Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. +Should be used together with OutlierDetection to detect unhealthy endpoints. +Note: if no OutlierDetection specified, this will not take effect.

    + +
    +
    string[]
    +
    +

    failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. +This is to support traffic failover across different groups of endpoints. +Two kinds of labels can be specified:

    +
      +
    • +

      Specify only label keys [key1, key2, key3], istio would compare the label values of client with endpoints. +Suppose there are total N label keys [key1, key2, key3, ...keyN] specified:

      +
        +
      1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
      2. +
      3. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
      4. +
      5. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
      6. +
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. +
      +
    • +
    • +

      Specify labels with key and value [key1=value1, key2=value2, key3=value3], istio would compare the labels with endpoints. +Suppose there are total N labels [key1=value1, key2=value2, key3=value3, ...keyN=valueN] specified:

      +
        +
      1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
      2. +
      3. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
      4. +
      5. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
      6. +
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. +
      +
    • +
    +

    Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

    +

    It can be any label specified on both client and server workloads. +The following labels which have special semantic meaning are also supported:

    +
      +
    • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
    • +
    • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
    • +
    • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
    • +
    • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
    • +
    • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
    • +
    • kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.
    • +
    +

    The below topology config indicates the following priority levels:

    +
    failoverPriority:
    +- "topology.istio.io/network"
    +- "topology.kubernetes.io/region"
    +- "topology.kubernetes.io/zone"
    +- "topology.istio.io/subzone"
    +
    +
      +
    1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
    2. +
    3. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
    4. +
    5. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
    6. +
    7. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
    8. +
    9. all the other endpoints have the same lowest priority.
    10. +
    +

    Suppose a service associated endpoints reside in multi clusters, the below example represents:

    +
      +
    1. endpoints in clusterA and has version=v1 label have P(0) priority.
    2. +
    3. endpoints not in clusterA but has version=v1 label have P(1) priority.
    4. +
    5. all the other endpoints have P(2) priority.
    6. +
    +
    failoverPriority:
    +- "version=v1"
    +- "topology.istio.io/cluster=clusterA"
    +
    +

    only one of distribute, failover or failoverPriority can be set. +And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

    + +
    +

    Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety. +e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.

    + +
    +
    +

    Distribute

    +
    +

    Describes how traffic originating in the ‘from’ zone or sub-zone is +distributed over a set of ’to’ zones. Syntax for specifying a zone is +{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any +segment of the specification. Examples:

    +

    * - matches all localities

    +

    us-west/* - all zones and sub-zones within the us-west region

    +

    us-west/zone-1/* - all sub-zones within us-west/zone-1

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

    + +
    +
    map<string, uint32>
    +
    +

    Map of upstream localities to traffic distribution weights. The sum of +all weights should be 100. Any locality not present will +receive no traffic.

    + +
    +
    +

    Failover

    +
    +

    Specify the traffic failover policy across regions. Since zone and sub-zone +failover is supported by default this only needs to be specified for +regions when the operator needs to constrain traffic failover so that +the default behavior of failing over to any endpoint globally does not +apply. This is useful when failing over traffic across regions would not +improve service health or may need to be restricted for other reasons +like regulatory controls.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Originating region.

    + +
    +
    string
    +
    +

    Destination region the traffic will fail over to when endpoints in +the ‘from’ region becomes unhealthy.

    + +
    +
    +

    UInt32Value

    +
    +

    Wrapper message for uint32.

    +

    The JSON representation for UInt32Value is JSON number.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    The uint32 value.

    + +
    +
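Review bot: the failover and failoverPriority descriptions both say the setting has no effect without OutlierDetection, while the Failover message text says the default behaviour is "failing over to any endpoint globally" and cites regulatory controls as a reason to constrain it. The text should say explicitly what a proxy does when OutlierDetection is absent: does traffic stay in the local locality, or is it spread across all regions as if no failover policy existed? An operator relying on "failover: - from: us-east to: eu-west" for data residency needs to know that the restriction is inert unless outlier detection is configured on the same DestinationRule. Smaller point: the distribute example gives per-from weights summing to 100, matching "The sum of all weights should be 100", but the text does not say whether weighted distribution falls back to another locality when a listed "to" locality has no healthy endpoints; "Any locality not present will receive no traffic" only covers the omitted case.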
    diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html index 9e529960c3..4eb28a5a70 100644 --- a/content/en/docs/reference/config/networking/envoy-filter/index.html +++ b/content/en/docs/reference/config/networking/envoy-filter/index.html @@ -363,15 +363,14 @@ generated by istiod.

    Field -Type Description -Required -workloadSelector -WorkloadSelector +

    Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. If omitted, the set @@ -380,16 +379,14 @@ instances in the same namespace. If the EnvoyFilter is present in the config root namespace, it will be applied to all applicable workloads in any namespace.

    - - -No -targetRefs -PolicyTargetReference[] + -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -405,25 +402,21 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    - - -No -configPatches -EnvoyConfigObjectPatch[] +

    One or more patches with match conditions.

    - - -No -priority -int32 +
    +
    int32
    +

    Priority defines the order in which patch sets are applied within a context. When one patch depends on another patch, the order of patch application @@ -439,15 +432,12 @@ to leave room for further insertion.

    Patch sets are sorted in the following ascending key order: priority, creation time, fully qualified resource name.

    - - -No -

    EnvoyFilter.ProxyMatch

    +

    ProxyMatch

    One or more properties of the proxy to match on.
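Review bot: "Patch sets are sorted in the following ascending key order: priority, creation time, fully qualified resource name" means two EnvoyFilters with equal priority are ordered by when they were created, and that order flips if one of them is deleted and re-applied (a GitOps sync or a manual replace will do this). Since the same paragraph says ordering matters "When one patch depends on another patch", the description should recommend giving dependent patch sets distinct explicit priorities rather than relying on the creation-time tiebreak.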

    @@ -455,15 +445,14 @@ No Field -Type Description -Required -proxyVersion -string +
    +
    string
    +

    A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio @@ -474,14 +463,12 @@ variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker image. Custom proxy implementations should provide this metadata variable to take advantage of the Istio version check option.

    - - -No -metadata -map<string, string> +
    +
    map<string, string>
    +

    Match on the node metadata supplied by a proxy when connecting to istiod. Note that while Envoy’s node metadata is of @@ -490,15 +477,12 @@ istiod. All keys specified in the metadata must match with exact values. The match will fail if any of the specified keys are absent or the values fail to match.

    - - -No
    -

    EnvoyFilter.ClusterMatch

    +

    ClusterMatch

    Conditions specified in ClusterMatch must be met for the patch to be applied to a cluster.

    @@ -507,28 +491,25 @@ to be applied to a cluster.

    Field -Type Description -Required -portNumber -uint32 +
    +
    uint32
    +

    The service port for which this cluster was generated. If omitted, applies to clusters for any port. Note: for inbound cluster, it is the service target port.

    - - -No -service -string +
    +
    string
    +

    The fully qualified service name for this cluster. If omitted, applies to clusters for any service. For services defined @@ -536,41 +517,34 @@ through service entries, the service name is same as the hosts defined in the service entry. Note: for inbound cluster, this is ignored.

    - - -No -subset -string +
    +
    string
    +

    The subset associated with the service. If omitted, applies to clusters for any subset of a service.

    - - -No -name -string +
    +
    string
    +

    The exact name of the cluster to match. To match a specific cluster by name, such as the internally generated Passthrough cluster, leave all fields in clusterMatch empty, except the name.

    - - -No
    -

    EnvoyFilter.RouteConfigurationMatch

    +

    RouteConfigurationMatch
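Review bot: the name field text says to "leave all fields in clusterMatch empty, except the name" but does not say what happens if name is combined with portNumber, service or subset (all conditions AND-ed, or rejected by validation). The two inbound notes are also easy to misread together: for inbound clusters portNumber "is the service target port" while service "is ignored", so a patch meant for an inbound cluster must match on the target port and not on the service name; a one-line inbound example next to these notes would make that explicit.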

    Conditions specified in RouteConfigurationMatch must be met for the patch to be applied to a route configuration object or a @@ -580,40 +554,35 @@ specific virtual host within the route configuration.

    Field -Type Description -Required -portNumber -uint32 +
    +
    uint32
    +

    The service port number or gateway server port number for which this route configuration was generated. If omitted, applies to route configurations for all ports.

    - - -No -portName -string +
    +
    string
    +

    Applicable only for GATEWAY context. The gateway server port name for which this route configuration was generated.

    - - -No -gateway -string +
    +
    string
    +

    The Istio gateway config’s namespace/name for which this route configuration was generated. Applies only if the context is @@ -622,295 +591,33 @@ in conjunction with the portNumber and portName to acc select the Envoy route configuration for a specific HTTPS server within a gateway config object.

    - - -No -vhost -VirtualHostMatch +

    Match a specific virtual host in a route configuration and apply the patch to the virtual host.

    - - -No -name -string +
    +
    string
    +

    Route configuration name to match on. Can be used to match a specific route configuration by name, such as the internally generated http_proxy route configuration for all sidecars.

    - - -No
    -

    EnvoyFilter.ListenerMatch

    -
    -

    Conditions specified in a listener match must be met for the -patch to be applied to a specific listener across all filter -chains, or a specific filter chain inside the listener.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    portNumberuint32 -

    The service port/gateway port to which traffic is being -sent/received. If not specified, matches all listeners. Even though -inbound listeners are generated for the instance/pod ports, only -service ports should be used to match listeners.

    - -
    -No -
    filterChainFilterChainMatch -

    Match a specific filter chain in a listener. If specified, the -patch will be applied to the filter chain (and a specific -filter if specified) and not to other filter chains in the -listener.

    - -
    -No -
    listenerFilterstring -

    Match a specific listener filter. If specified, the -patch will be applied to the listener filter.

    - -
    -No -
    namestring -

    Match a specific listener by its name. The listeners generated -by istiod are typically named as IP:Port.

    - -
    -No -
    -
    -

    EnvoyFilter.Patch

    -
    -

    Patch specifies how the selected object should be modified.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    operationOperation -

    Determines how the patch should be applied.

    - -
    -No -
    valueStruct -

    The JSON config of the object being patched. This will be merged using -proto merge semantics with the existing proto in the path.

    - -
    -No -
    filterClassFilterClass -

    Determines the filter insertion order.

    - -
    -No -
    -
    -

    EnvoyFilter.EnvoyConfigObjectMatch

    -
    -

    One or more match conditions to be met before a patch is applied -to the generated configuration for a given proxy.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    contextPatchContext -

    The specific config generation context to match on. istiod -generates envoy configuration in the context of a gateway, -inbound traffic to sidecar and outbound traffic from sidecar.

    - -
    -No -
    proxyProxyMatch -

    Match on properties associated with a proxy.

    - -
    -No -
    listenerListenerMatch (oneof) -

    Match on envoy listener attributes.

    - -
    -No -
    routeConfigurationRouteConfigurationMatch (oneof) -

    Match on envoy HTTP route configuration attributes.

    - -
    -No -
    clusterClusterMatch (oneof) -

    Match on envoy cluster attributes.

    - -
    -No -
    -
    -

    EnvoyFilter.EnvoyConfigObjectPatch

    -
    -

    Changes to be made to various envoy config objects.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    applyToApplyTo -

    Specifies where in the Envoy configuration, the patch should be -applied. The match is expected to select the appropriate -object based on applyTo. For example, an applyTo with -HTTP_FILTER is expected to have a match condition on the -listeners, with a network filter selection on -envoy.filters.network.http_connection_manager and a sub filter selection on the -HTTP filter relative to which the insertion should be -performed. Similarly, an applyTo on CLUSTER should have a match -(if provided) on the cluster and not on a listener.

    - -
    -No -
    matchEnvoyConfigObjectMatch -

    Match on listener/route configuration/cluster.

    - -
    -No -
    patchPatch -

    The patch to apply along with the operation.

    - -
    -No -
    -
    -

    EnvoyFilter.RouteConfigurationMatch.RouteMatch

    +

    RouteMatch

    Match a specific route inside a virtual host in a route configuration.
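Review bot: this hunk removes the ListenerMatch, Patch, EnvoyConfigObjectMatch and EnvoyConfigObjectPatch tables under their EnvoyFilter.-qualified headings, and the same text is re-added later in this file under the unqualified headings ListenerMatch, Patch, EnvoyConfigObjectMatch and EnvoyConfigObjectPatch (the descriptions match, e.g. "Patch specifies how the selected object should be modified."). Before merging, check that the HTML anchor ids for these sections are unchanged so existing deep links from the EnvoyFilter examples and from external docs still resolve, and that the unqualified heading "Patch" does not collide with another section of the same name now that the parent qualifier is gone. The same check applies to the next hunk, which drops the qualified VirtualHostMatch, FilterChainMatch, FilterMatch and SubFilterMatch headings.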

    @@ -918,262 +625,35 @@ No Field -Type Description -Required -name -string +
    +
    string
    +

    The Route objects generated by default are named as default. Route objects generated using a virtual service will carry the name used in the virtual service’s HTTP routes.

    - - -No -action -Action +

    Match a route with specific action type.

    - - -No
    -

    EnvoyFilter.RouteConfigurationMatch.VirtualHostMatch

    -
    -

    Match a specific virtual host inside a route configuration.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The VirtualHosts objects generated by Istio are named as -host:port, where the host typically corresponds to the -VirtualService’s host field or the hostname of a service in the -registry.

    - -
    -No -
    routeRouteMatch -

    Match a specific route within the virtual host.

    - -
    -No -
    -
    -

    EnvoyFilter.ListenerMatch.FilterChainMatch

    -
    -

    For listeners with multiple filter chains (e.g., inbound -listeners on sidecars with permissive mTLS, gateway listeners -with multiple SNI matches), the filter chain match can be used -to select a specific filter chain to patch.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The name assigned to the filter chain.

    - -
    -No -
    snistring -

    The SNI value used by a filter chain’s match condition. This -condition will evaluate to false if the filter chain has no -sni match.

    - -
    -No -
    transportProtocolstring -

    Applies only to SIDECAR_INBOUND context. If non-empty, a -transport protocol to consider when determining a filter -chain match. This value will be compared against the -transport protocol of a new connection, when it’s detected by -the tls_inspector listener filter.

    -

    Accepted values include:

    -
      -
    • raw_buffer - default, used when no transport protocol is detected.
    • -
    • tls - set when TLS protocol is detected by the TLS inspector.
    • -
    - -
    -No -
    applicationProtocolsstring -

    Applies only to sidecars. If non-empty, a comma separated set -of application protocols to consider when determining a -filter chain match. This value will be compared against the -application protocols of a new connection, when it’s detected -by one of the listener filters such as the http_inspector.

    -

    Accepted values include: h2, http/1.1, http/1.0

    - -
    -No -
    filterFilterMatch -

    The name of a specific filter to apply the patch to. Set this -to envoy.filters.network.http_connection_manager to add a filter or apply a -patch to the HTTP connection manager.

    - -
    -No -
    destinationPortuint32 -

    The destination_port value used by a filter chain’s match condition. -This condition will evaluate to false if the filter chain has no destination_port match.

    - -
    -No -
    -
    -

    EnvoyFilter.ListenerMatch.FilterMatch

    -
    -

    Conditions to match a specific filter within a filter chain.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The filter name to match on. -For standard Envoy filters, canonical filter -names should be used.

    - -
    -No -
    subFilterSubFilterMatch -

    The next level filter within this filter to match -upon. Typically used for HTTP Connection Manager filters and -Thrift filters.

    - -
    -No -
    -
    -

    EnvoyFilter.ListenerMatch.SubFilterMatch

    -
    -

    Conditions to match a specific filter within another -filter. This field is typically useful to match a HTTP filter -inside the envoy.filters.network.http_connection_manager network filter. -This could also be applicable for thrift filters.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The filter name to match on.

    - -
    -No -
    -
    -

    EnvoyFilter.RouteConfigurationMatch.RouteMatch.Action

    +
    Action

    Action refers to the route action taken by Envoy when a http route matches.

    @@ -1216,7 +696,302 @@ No
    -

    EnvoyFilter.Patch.Operation

    +

    VirtualHostMatch

    +
    +

    Match a specific virtual host inside a route configuration.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The VirtualHosts objects generated by Istio are named as +host:port, where the host typically corresponds to the +VirtualService’s host field or the hostname of a service in the +registry.

    + +
    +

    Match a specific route within the virtual host.

    + +
    +
    +

    ListenerMatch

    +
    +

    Conditions specified in a listener match must be met for the +patch to be applied to a specific listener across all filter +chains, or a specific filter chain inside the listener.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    The service port/gateway port to which traffic is being +sent/received. If not specified, matches all listeners. Even though +inbound listeners are generated for the instance/pod ports, only +service ports should be used to match listeners.

    + +
    +

    Match a specific filter chain in a listener. If specified, the +patch will be applied to the filter chain (and a specific +filter if specified) and not to other filter chains in the +listener.

    + +
    +
    string
    +
    +

    Match a specific listener filter. If specified, the +patch will be applied to the listener filter.

    + +
    +
    string
    +
    +

    Match a specific listener by its name. The listeners generated +by istiod are typically named as IP:Port.

    + +
    +
    +

    FilterChainMatch

    +
    +

    For listeners with multiple filter chains (e.g., inbound +listeners on sidecars with permissive mTLS, gateway listeners +with multiple SNI matches), the filter chain match can be used +to select a specific filter chain to patch.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The name assigned to the filter chain.

    + +
    +
    string
    +
    +

    The SNI value used by a filter chain’s match condition. This +condition will evaluate to false if the filter chain has no +sni match.

    + +
    +

    Applies only to SIDECAR_INBOUND context. If non-empty, a +transport protocol to consider when determining a filter +chain match. This value will be compared against the +transport protocol of a new connection, when it’s detected by +the tls_inspector listener filter.

    +

    Accepted values include:

    +
      +
    • raw_buffer - default, used when no transport protocol is detected.
    • +
    • tls - set when TLS protocol is detected by the TLS inspector.
    • +
    + +
    +

    Applies only to sidecars. If non-empty, a comma separated set +of application protocols to consider when determining a +filter chain match. This value will be compared against the +application protocols of a new connection, when it’s detected +by one of the listener filters such as the http_inspector.

    +

    Accepted values include: h2, http/1.1, http/1.0

    + +
    +

    The name of a specific filter to apply the patch to. Set this +to envoy.filters.network.http_connection_manager to add a filter or apply a +patch to the HTTP connection manager.

    + +
    +
    uint32
    +
    +

    The destination_port value used by a filter chain’s match condition. +This condition will evaluate to false if the filter chain has no destination_port match.

    + +
    +
    +

    FilterMatch

    +
    +

    Conditions to match a specific filter within a filter chain.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The filter name to match on. +For standard Envoy filters, canonical filter +names should be used.

    + +
    +

    The next level filter within this filter to match +upon. Typically used for HTTP Connection Manager filters and +Thrift filters.

    + +
    +
    +

    SubFilterMatch

    +
    +

    Conditions to match a specific filter within another +filter. This field is typically useful to match a HTTP filter +inside the envoy.filters.network.http_connection_manager network filter. +This could also be applicable for thrift filters.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The filter name to match on.

    + +
    +
    +

    Patch

    +
    +

    Patch specifies how the selected object should be modified.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Determines how the patch should be applied.

    + +
    +

    The JSON config of the object being patched. This will be merged using +proto merge semantics with the existing proto in the path.

    + +
    +

    Determines the filter insertion order.

    + +
    +
    +

    Operation

    Operation denotes how the patch should be applied to the selected configuration.
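Review bot: the FilterChainMatch text should spell out the security consequence of transportProtocol for sidecars in permissive mTLS, which the message description itself gives as the motivating case ("inbound listeners on sidecars with permissive mTLS"). Such a listener has one filter chain for "tls" and one for "raw_buffer", and a patch matched with transportProtocol tls is applied only to the TLS chain, so a filter added to enforce something on inbound traffic will not see plaintext connections that land on the raw_buffer chain. Recommend adding a sentence that patches meant to cover all inbound traffic must either omit transportProtocol (or be applied for both values) or be paired with a STRICT PeerAuthentication. applicationProtocols has the same shape of gap: as written, a match on h2 or http/1.1 only covers connections the http_inspector managed to classify.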

    @@ -1322,7 +1097,7 @@ has no effect.

    -

    EnvoyFilter.Patch.FilterClass

    +

    FilterClass

    FilterClass determines the filter insertion point in the filter chain relative to the filters implicitly inserted by the control plane. @@ -1374,7 +1149,120 @@ Do not specify FilterClass if the filter is independent of others.<

    -

    EnvoyFilter.ApplyTo

    +

    EnvoyConfigObjectMatch

    +
    +

    One or more match conditions to be met before a patch is applied +to the generated configuration for a given proxy.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    The specific config generation context to match on. istiod +generates envoy configuration in the context of a gateway, +inbound traffic to sidecar and outbound traffic from sidecar.

    + +
    +

    Match on properties associated with a proxy.

    + +
    +

    Match on envoy listener attributes.

    + +
    +

    Match on envoy HTTP route configuration attributes.

    + +
    +

    Match on envoy cluster attributes.

    + +
    +
    +

    EnvoyConfigObjectPatch

    +
    +

    Changes to be made to various envoy config objects.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Specifies where in the Envoy configuration, the patch should be +applied. The match is expected to select the appropriate +object based on applyTo. For example, an applyTo with +HTTP_FILTER is expected to have a match condition on the +listeners, with a network filter selection on +envoy.filters.network.http_connection_manager and a sub filter selection on the +HTTP filter relative to which the insertion should be +performed. Similarly, an applyTo on CLUSTER should have a match +(if provided) on the cluster and not on a listener.

    + +
    +

    Match on listener/route configuration/cluster.

    + +
    +

    The patch to apply along with the operation.

    + +
    +
    +

    ApplyTo

    ApplyTo specifies where in the Envoy configuration, the given patch should be applied.

    @@ -1479,7 +1367,7 @@ is only supported by HTTP filters.

    -

    EnvoyFilter.PatchContext

    +

    PatchContext

    PatchContext selects a class of configurations based on the traffic flow direction and workload type.

    diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html index b199f8bd0a..ecba0d5a31 100644 --- a/content/en/docs/reference/config/networking/gateway/index.html +++ b/content/en/docs/reference/config/networking/gateway/index.html @@ -175,26 +175,23 @@ receiving incoming or outgoing HTTP/TCP connections.

    Field -Type Description -Required -servers -Server[] +

    A list of server specifications.

    - - -No -selector -map<string, string> +
    +
    map<string, string>
    +

    One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. @@ -209,9 +206,6 @@ resource must reside in the same namespace as the gateway workload instance. If selector is nil, the Gateway will be applied to all workloads.
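Review bot: "If selector is nil, the Gateway will be applied to all workloads" should carry a warning, because it is the opposite of what most operators expect from an omitted selector: a Gateway with no selector attaches its servers, and therefore exposes its hosts, on all workloads (the text does not restrict this to gateway deployments). Recommend the description say that omitting selector is almost never intended and that a Gateway should name the specific gateway deployment it belongs to.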

    - - -No @@ -276,27 +270,25 @@ spec: Field -Type Description -Required -port -Port +
    + +
    Required
    +

    The Port on which the proxy should listen for incoming connections.

    - - -Yes -bind -string +
    +
    string
    +

    The ip or the Unix domain socket to which the listener should be bound to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar @@ -307,14 +299,13 @@ This is typically used when a gateway needs to communicate to another mesh servi e.g. publishing metrics. In such case, the server created with the specified bind will not be available to external gateway clients.

    - - -No -hosts -string[] +
    +
    string[]
    +
    Required
    +

    One or more hosts exposed by this gateway. While typically applicable to @@ -343,35 +334,28 @@ Private configurations (e.g., exportTo set to .) will available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

    - - -Yes -tls -ServerTLSSettings +

    Set of TLS related options that govern the server’s behavior. Use these options to control if all http requests should be redirected to https, and the TLS modes to use.

    - - -No -name -string +
    +
    string
    +

    An optional name of the server, when set must be unique across all servers. This will be used for variety of purposes like prefixing stats generated with this name etc.

    - - -No @@ -385,46 +369,41 @@ No Field -Type Description -Required -number -uint32 +
    +
    uint32
    +
    Required
    +

    A valid non-negative integer port number.

    - - -Yes -protocol -string +
    +
    string
    +
    Required
    +

    The protocol exposed on the port. MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS. TLS can be either used to terminate non-HTTP based connections on a specific port or to route traffic based on SNI header to the destination without terminating the TLS connection.

    - - -Yes -name -string +
    +
    string
    +
    Required
    +

    Label assigned to the port.

    - - -Yes @@ -436,77 +415,66 @@ Yes Field -Type Description -Required -httpsRedirect -bool +

    If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.

    - - -No -mode -TLSmode + -

    Optional: Indicates whether connections to this port should be +

    Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

    - - -No -serverCertificate -string +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server-side TLS certificate to use.

    - - -No -privateKey -string +
    +
    string
    +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server’s private key.

    - - -No -caCertificates -string +
    +
    string
    +

    REQUIRED if mode is MUTUAL or OPTIONAL_MUTUAL. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.

    - - -No -caCrl -string +
    +
    string
    +

    OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate. CRL is a list of certificates @@ -514,14 +482,12 @@ that have been revoked by the CA (Certificate Authority) before their scheduled If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. If omitted, the proxy will not verify the certificate against the crl.

    - - -No -credentialName -string +
    +
    string
    +

    For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. Applicable @@ -536,27 +502,23 @@ and ca.crl for certificate revocation list is also supported. Only one of server certificates and CA certificate or credentialName can be specified.

    - - -No -subjectAltNames -string[] +
    +
    string[]
    +

    A list of alternate names to verify the subject identity in the certificate presented by the client. Requires TLS mode to be set to MUTUAL.

    - - -No -verifyCertificateSpki -string[] +

    An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. @@ -564,14 +526,12 @@ Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

    - - -No -verifyCertificateHash -string[] +

    An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated @@ -580,41 +540,35 @@ Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

    - - -No -minProtocolVersion -TLSProtocol + -

    Optional: Minimum TLS protocol version. By default, it is TLSV1_2. +

    Minimum TLS protocol version. By default, it is TLSV1_2. TLS protocol versions below TLSV1_2 require setting compatible ciphers with the cipherSuites setting as they no longer include compatible ciphers.

    Note: Using TLS protocol versions below TLSV1_2 has serious security risks.

    - - -No -maxProtocolVersion -TLSProtocol + -

    Optional: Maximum TLS protocol version.

    +

    Maximum TLS protocol version.

    - - -No -cipherSuites -string[] +
    +
    string[]
    +
    -

    Optional: If specified, only support the specified cipher list. +

    If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy as specified here. The supported list of ciphers are:

    @@ -636,15 +590,12 @@ The supported list of ciphers are:

  • DES-CBC3-SHA
  • - - -No
    -

    ServerTLSSettings.TLSmode

    +

    TLSmode

    TLS modes enforced by the proxy

    @@ -727,7 +678,7 @@ be specified for validating client certificates.

    -

    ServerTLSSettings.TLSProtocol

    +

    TLSProtocol

    TLS protocol versions.

    diff --git a/content/en/docs/reference/config/networking/proxy-config/index.html b/content/en/docs/reference/config/networking/proxy-config/index.html index ffa21414d8..ab9e043a60 100644 --- a/content/en/docs/reference/config/networking/proxy-config/index.html +++ b/content/en/docs/reference/config/networking/proxy-config/index.html @@ -65,58 +65,48 @@ with the CR taking precedence over the annotation for overlapping fields. Simila Field -Type Description -Required -selector -WorkloadSelector + -

    Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. +

    Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. If not set, the ProxyConfig resource will be applied to all workloads in the namespace where this resource is defined.

    - - -No -concurrency -Int32Value +

    The number of worker threads to run. If unset, this will be automatically determined based on CPU limits. If set to 0, all cores on the machine will be used.

    - - -No -environmentVariables -map<string, string> +
    +
    map<string, string>
    +

    Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap configuration and sent to the XDS server.

    - - -No -image -ProxyImage +

    Specifies the details of the proxy image.

    - - -No @@ -133,24 +123,20 @@ This information was previously part of the Values API.

    Field -Type Description -Required -imageType -string +
    +
    string
    +

    The image type of the image. Istio publishes default, debug, and distroless images. Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.

    - - -No diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html index 5561a0eafa..fff58f5e39 100644 --- a/content/en/docs/reference/config/networking/service-entry/index.html +++ b/content/en/docs/reference/config/networking/service-entry/index.html @@ -351,15 +351,15 @@ service registry.

    Field -Type Description -Required -hosts -string[] +
    +
    string[]
    +
    Required
    +

    The hosts associated with the ServiceEntry. Could be a DNS name with wildcard prefix.

    @@ -385,14 +385,12 @@ service accounts associated with the pods of the service, the SANs specified here will also be verified. - - -Yes -addresses -string[] +
    +
    string[]
    +

    The virtual IP addresses associated with the service. Could be CIDR prefix. For HTTP traffic, generated route configurations will include http route @@ -409,65 +407,55 @@ simple TCP proxy, forwarding incoming traffic on a specified port to the specified destination endpoint IP/host. Unix domain socket addresses are not supported in this field.

    - - -No -ports -ServicePort[] +

    The ports associated with the external service. If the Endpoints are Unix domain socket addresses, there must be exactly one port.

    - - -No -location -Location +

    Specify whether the service should be considered external to the mesh or part of the mesh.

    - - -No -resolution -Resolution +

    Service resolution mode for the hosts. Care must be taken when setting the resolution mode to NONE for a TCP port without accompanying IP addresses. In such cases, traffic to any IP on said port will be allowed (i.e. 0.0.0.0:<port>).

    - - -No -endpoints -WorkloadEntry[] +

    One or more endpoints associated with the service. Only one of endpoints or workloadSelector can be specified.

    - - -No -workloadSelector -WorkloadSelector +

    Applicable only for MESH_INTERNAL services. Only one of endpoints or workloadSelector can be specified. Selects one @@ -476,14 +464,12 @@ or more Kubernetes pods or VM workloads (specified using representing the VMs should be defined in the same namespace as the ServiceEntry.

    - - -No -exportTo -string[] +
    +
    string[]
    +

    A list of namespaces to which this service is exported. Exporting a service allows it to be used by sidecars, gateways and virtual services defined in @@ -499,14 +485,12 @@ defines an export to all namespaces.

    the annotation “networking.istio.io/exportTo” to a comma-separated list of namespace names.

    - - -No -subjectAltNames -string[] +
    +
    string[]
    +

    If specified, the proxy will verify that the server certificate’s subject alternate name matches one of the specified values.

    @@ -515,181 +499,12 @@ service account specified in the workloadEntry will also be used to derive the additional subject alternate names that should be verified.

    - - -No
    -

    ServicePort

    -
    -

    ServicePort describes the properties of a specific port of a service.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 -

    A valid non-negative integer port number.

    - -
    -Yes -
    protocolstring -

    The protocol exposed on the port. -MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. -TLS implies the connection will be routed based on the SNI header to -the destination without terminating the TLS connection.

    - -
    -No -
    namestring -

    Label assigned to the port.

    - -
    -Yes -
    targetPortuint32 -

    The port number on the endpoint where the traffic will be -received. If unset, default to number.

    - -
    -No -
    -
    -

    ServiceEntryStatus

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    conditionsIstioCondition[] -

    Current service state of ServiceEntry. -More info: https://istio.io/docs/reference/config/config-status/

    - -
    -No -
    validationMessagesAnalysisMessageBase[] -

    Includes any errors or warnings detected by Istio’s analyzers.

    - -
    -No -
    observedGenerationint64 -

    Resource Generation to which the Reconciled Condition refers. -When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current -generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.

    - -
    -No -
    addressesServiceEntryAddress[] -

    List of addresses which were assigned to this ServiceEntry.

    - -
    -No -
    -
    -

    ServiceEntryAddress

    -
    -

    A minor abstraction to allow for adding hostnames if relevant.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valuestring -

    The address (e.g. 192.168.0.2)

    - -
    -No -
    hoststring -

    The host name associated with this address

    - -
    -No -
    -
    -

    ServiceEntry.Location

    +

    Location

    Location specifies whether the service is part of Istio mesh or outside the mesh. Location determines the behavior of several @@ -725,7 +540,7 @@ Kubernetes based service mesh).

    -

    ServiceEntry.Resolution

    +

    Resolution

    Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can @@ -797,3 +612,145 @@ cannot be used with Unix domain socket endpoints.

    +

    ServicePort

    +
    +

    ServicePort describes the properties of a specific port of a service.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    Required
    +
    +

    A valid non-negative integer port number.

    + +
    +
    string
    +
    +

    The protocol exposed on the port. +MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. +TLS implies the connection will be routed based on the SNI header to +the destination without terminating the TLS connection.

    + +
    +
    string
    +
    Required
    +
    +

    Label assigned to the port.

    + +
    +
    uint32
    +
    +

    The port number on the endpoint where the traffic will be +received. If unset, default to number.

    + +
    +
    +

    ServiceEntryStatus

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Current service state of ServiceEntry. +More info: https://istio.io/docs/reference/config/config-status/

    + +
    +

    Includes any errors or warnings detected by Istio’s analyzers.

    + +
    +

    Resource Generation to which the Reconciled Condition refers. +When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current +generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.

    + +
    +

    List of addresses which were assigned to this ServiceEntry.

    + +
    +
    +

    ServiceEntryAddress

    +
    +

    A minor abstraction to allow for adding hostnames if relevant.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The address (e.g. 192.168.0.2)

    + +
    +
    string
    +
    +

    The host name associated with this address

    + +
    +
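Review bot: the ServicePort, ServiceEntryStatus and ServiceEntryAddress sections are removed from before ServiceEntry.Location and re-added after ServiceEntry.Resolution, which changes the document order; confirm the ids of the re-added sections match the removed ones so that cross-page links to `#ServicePort` keep resolving, and that the page TOC is regenerated in the new order. Separately, the relocated `protocol` description still says "MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS" while the Gateway Port row updated in this same PR lists "HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS"; that difference comes from the two proto comments and should be reconciled upstream, not patched in generated HTML.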
    diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html index b4b5a6cce9..92b07bf7a0 100644 --- a/content/en/docs/reference/config/networking/sidecar/index.html +++ b/content/en/docs/reference/config/networking/sidecar/index.html @@ -316,28 +316,25 @@ attached.

    Field -Type Description -Required -workloadSelector -WorkloadSelector +

    Criteria used to select the specific set of pods/VMs on which this Sidecar configuration should be applied. If omitted, the Sidecar configuration will be applied to all workload instances in the same namespace.

    - - -No -ingress -IstioIngressListener[] +

    Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio will @@ -346,28 +343,24 @@ obtained from the orchestration platform (e.g., exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.

    - - -No -egress -IstioEgressListener[] +

    Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. If not specified, inherits the system detected defaults from the namespace-wide or the global default Sidecar.

    - - -No -inboundConnectionPool -ConnectionPoolSettings +

    Settings controlling the volume of connections Envoy will accept from the network. This default will apply for all inbound listeners and can be overridden per-port @@ -393,22 +386,17 @@ following precedence, highest to lowest:

    In every case, the connection pool settings are overridden, not merged.

    - - -No -outboundTrafficPolicy -OutboundTrafficPolicy +

    Set the default behavior of the sidecar for handling outbound traffic from the application.

    Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

    - - -No @@ -423,26 +411,24 @@ traffic listener on the sidecar proxy attached to a workload instance.

    Field -Type Description -Required -port -SidecarPort +
    + +
    Required
    +

    The port associated with the listener.

    - - -Yes -bind -string +
    +
    string
    +

    The IP(IPv4 or IPv6) to which the listener should be bound. Unix domain socket addresses are not allowed in @@ -451,26 +437,22 @@ automatically configure the defaults based on imported services and the workload instances to which this configuration is applied to.

    - - -No -captureMode -CaptureMode +

    The captureMode option dictates how traffic to the listener is expected to be captured (or not).

    - - -No -defaultEndpoint -string +
    +
    string
    +

    The IP endpoint or Unix domain socket to which traffic should be forwarded to. This configuration can be used to @@ -481,27 +463,23 @@ connections. Arbitrary IPs are not supported. Format should be one of 0.0.0.0:PORT, [::]:PORT (forward to the instance IP), or unix:///path/to/socket (forward to Unix domain socket).

    - - -No -tls -ServerTLSSettings +

    Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. Currently supports only SIMPLE and MUTUAL TLS modes.

    - - -No -connectionPool -ConnectionPoolSettings +

    Settings controlling the volume of connections Envoy will accept from the network. This setting overrides the top-level default inboundConnectionPool to configure @@ -511,9 +489,6 @@ This port level connection pool has the highest precedence in configuration, overriding both the Sidecar’s top level InboundConnectionPool as well as any connection pooling settings from the DestinationRule.

    - - -No @@ -528,15 +503,14 @@ listener on the sidecar proxy attached to a workload instance.

    Field -Type Description -Required -port -SidecarPort +

    The port associated with the listener. If using Unix domain socket, use 0 as the port number, with a valid protocol. The port if @@ -548,14 +522,12 @@ specific ports while others have no port, the hosts exposed on a listener port will be based on the listener with the most specific port.

    - - -No -bind -string +
    +
    string
    +

    The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or @@ -565,27 +537,24 @@ services, the workload instances to which this configuration is applied to and the captureMode. If captureMode is NONE, bind will default to 127.0.0.1.

    - - -No -captureMode -CaptureMode +

    When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds.

    - - -No -hosts -string[] +
    +
    string[]
    +
    Required
    +

    One or more service hosts exposed by the listener in namespace/dnsName format. Services in the specified namespace @@ -612,9 +581,6 @@ Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

    - - -Yes @@ -636,24 +602,20 @@ label based selection mechanism is supported.

    Field -Type Description -Required -labels -map<string, string> +
    +
    map<string, string>
    +

    One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. The scope of label search is restricted to the configuration namespace in which the the resource is present.

    - - -No @@ -668,78 +630,21 @@ handling unknown outbound traffic from the application.

    Field -Type Description -Required -mode -Mode + - -No - -

    SidecarPort

    -
    -

    Port describes the properties of a specific port of a service.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 -

    A valid non-negative integer port number.

    - -
    -No -
    protocolstring -

    The protocol exposed on the port. -MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. -TLS can be either used to terminate non-HTTP based connections on a specific port -or to route traffic based on SNI header to the destination without terminating the TLS connection.

    - -
    -No -
    namestring -

    Label assigned to the port.

    - -
    -No -
    -
    -

    OutboundTrafficPolicy.Mode

    +

    Mode

    @@ -768,6 +673,51 @@ Unknown destination traffic will have limited functionality, however, such as re This mode allows users that do not have all possible egress destinations registered through ServiceEntry configurations to still connect to arbitrary destinations.

    + + + +
    +
    +

    SidecarPort

    +
    +

    Port describes the properties of a specific port of a service.

    + + + + + + + + + + + + + + + + + + + + diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html index 74316f7179..3bfc315ca6 100644 --- a/content/en/docs/reference/config/networking/virtual-service/index.html +++ b/content/en/docs/reference/config/networking/virtual-service/index.html @@ -95,15 +95,14 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + - @@ -350,15 +336,15 @@ spec: - - - - + - - - + - - - + - @@ -417,85 +396,74 @@ gRPC traffic. See VirtualService for usage examples.

    - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -699,33 +646,27 @@ spec: - - - - + - - - + - @@ -771,34 +712,71 @@ spec: - - - - + - - - + + + +
    FieldDescription
    +
    uint32
    +
    +

    A valid non-negative integer port number.

    + +
    +
    string
    +
    +

    The protocol exposed on the port. +MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. +TLS can be either used to terminate non-HTTP based connections on a specific port +or to route traffic based on SNI header to the destination without terminating the TLS connection.

    + +
    +
    string
    +
    +

    Label assigned to the port.

    +
    FieldType DescriptionRequired
    hostsstring[]
    +
    string[]
    +

    The destination hosts to which traffic is being sent. Could be a DNS name with wildcard prefix or an IP address. Depending on the @@ -131,14 +130,12 @@ referred to using their alphanumeric names. IP addresses are allowed only for services defined via the Gateway.

    Note: It must be empty for a delegate VirtualService.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    The names of gateways and sidecars that should apply these routes. Gateways in other namespaces may be referred to by @@ -154,14 +151,12 @@ sidecars in the mesh. If a list of gateway names is provided, the rules will apply only to the gateways. To apply the rules to both gateways and sidecars, specify mesh as one of the gateway names.

    -
    -No
    httpHTTPRoute[]

    An ordered list of route rules for HTTP traffic. HTTP routes will be applied to platform service ports using HTTP/HTTP2/GRPC protocols, gateway @@ -169,14 +164,12 @@ ports with protocol HTTP/HTTP2/GRPC/TLS-terminated-HTTPS and service entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching an incoming request is used.

    -
    -No
    tlsTLSRoute[]

    An ordered list of route rule for non-terminated TLS & HTTPS traffic. Routing is typically performed using the SNI value presented @@ -188,27 +181,23 @@ incoming request is used. NOTE: Traffic ‘https-’ or ’tls- without associated virtual service will be treated as opaque TCP traffic.

    -
    -No
    tcpTCPRoute[]

    An ordered list of route rules for opaque TCP traffic. TCP routes will be applied to any port that is not a HTTP or TLS port. The first rule matching an incoming request is used.

    -
    -No
    exportTostring[]
    +
    string[]
    +

    A list of namespaces to which this virtual service is exported. Exporting a virtual service allows it to be used by sidecars and gateways defined in @@ -221,9 +210,6 @@ namespaces by default.

    the virtual service is declared in. Similarly the value “*” is reserved and defines an export to all namespaces.

    -
    -No
    FieldType DescriptionRequired
    hoststring
    +
    string
    +
    Required
    +

    The name of a service from the service registry. Service names are looked up from the platform’s service registry (e.g., @@ -374,35 +360,28 @@ the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names.

    -
    -Yes
    subsetstring
    +
    string
    +

    The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.

    -
    -No
    portPortSelector

    Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    The name assigned to the route for debugging purposes. The route’s name will be concatenated with the match’s name and will be logged in the access logs for requests matching this route/match.

    -
    -No
    matchHTTPMatchRequest[]

    Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

    -
    -No
    routeHTTPRouteDestination[]

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. The forwarding target can be one of several versions of a service (see glossary in beginning of document). Weights associated with the service version determine the proportion of traffic it receives.

    -
    -No
    redirectHTTPRedirect

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. If traffic passthrough option is specified in the rule, route/redirect will be ignored. The redirect primitive can be used to send a HTTP 301 redirect to a different URI or Authority.

    -
    -No
    directResponseHTTPDirectResponse

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. Direct Response is used to specify a fixed response that should be sent to clients.

    It can be set only when Route and Redirect are empty.

    -
    -No
    delegateDelegate

    Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute.

    @@ -509,37 +477,31 @@ current one.

    otherwise there is a conflict and the HTTPRoute will not take effect. -
    -No
    rewriteHTTPRewrite

    Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with Redirect primitive. Rewrite will be performed before forwarding.

    -
    -No
    timeoutDuration

    Timeout for HTTP requests, default is disabled.

    -
    -No
    retriesHTTPRetry

    Retry policy for HTTP requests.

    Note: the default cluster-wide retry policy, if not specified, is:

    @@ -548,27 +510,23 @@ retryOn: "connect-failure,refused-stream,unavailable,cancelled,503"

    This can be customized in Mesh Config defaultHttpRetryPolicy.

    -
    -No
    faultHTTPFaultInjection

    Fault injection policy to apply on HTTP traffic at the client side. Note that timeouts or retries will not be enabled when faults are enabled on the client side.

    -
    -No
    mirrorDestination

    Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. Mirrored traffic is on a @@ -577,14 +535,12 @@ mirrored cluster to respond before returning the response from the original destination. Statistics will be generated for the mirrored destination.

    -
    -No
    mirrorsHTTPMirrorPolicy[]

    Specifies the destinations to mirror HTTP traffic in addition to the original destination. Mirrored traffic is on a @@ -593,46 +549,37 @@ mirrored destinations to respond before returning the response from the original destination. Statistics will be generated for the mirrored destination.

    -
    -No
    mirrorPercentagePercent

    Percentage of the traffic to be mirrored by the mirror field. If this field is absent, all the traffic (100%) will be mirrored. Max value is 100.

    -
    -No
    corsPolicyCorsPolicy

    Cross-Origin Resource Sharing policy (CORS). Refer to CORS for further details about cross origin resource sharing.

    -
    -No
    headersHeaders

    Header manipulation rules

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    Name specifies the name of the delegate VirtualService.

    -
    -No
    namespacestring
    +
    string
    +

    Namespace specifies the namespace where the delegate VirtualService resides. By default, it is same to the root’s.

    -
    -No
    FieldType DescriptionRequired
    requestHeaderOperations

    Header manipulation rules to apply before forwarding a request to the destination service

    -
    -No
    responseHeaderOperations

    Header manipulation rules to apply before returning a response to the caller

    +
    +

    HeaderOperations

    +
    +

    HeaderOperations Describes the header manipulations to apply

    + + + + + + + + + + + + + + + + + + + @@ -840,35 +818,30 @@ spec: - - - - + - - - + - @@ -900,35 +873,29 @@ spec: - - - - + - - - + - @@ -971,28 +938,25 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -1308,46 +1245,39 @@ spec: - - - - + - - - + - - - + - @@ -1361,35 +1291,30 @@ No - - - - + - - - + - @@ -1404,75 +1329,63 @@ is incomplete.

    - - - - + - - - + - - - + - - - + - - - + - @@ -1486,90 +1399,77 @@ No - - - - + - - - + - - - + - - - + - - - + - - - + - @@ -1603,51 +1503,44 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldDescription
    +
    map<string, string>
    +
    -No +

    Overwrite the headers specified by key with the given values

    + +
    +
    map<string, string>
    +
    +

    Append the given values to the headers specified by keys +(will create a comma-separated list of values)

    + +
    +
    string[]
    +
    +

    Remove the specified headers

    +
    FieldType DescriptionRequired
    matchTLSMatchAttributes[]

    Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

    -
    -Yes
    routeRouteDestination[]

    The destination to which the connection should be forwarded to.

    -
    -No
    FieldType DescriptionRequired
    matchL4MatchAttributes[]

    Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

    -
    -No
    routeRouteDestination[]

    The destination to which the connection should be forwarded to.

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    The name assigned to a match. The match’s name will be concatenated with the parent route’s name and will be logged in the access logs for requests matching this route.

    -
    -No
    uriStringMatch

    URI to match values are case-sensitive and formatted as follows:

    @@ -1010,14 +974,12 @@ values are case-sensitive and formatted as follows:

    Note: Case-insensitive matching could be enabled via the ignoreUriCase flag.

    -
    -No
    schemeStringMatch

    URI Scheme values are case-sensitive and formatted as follows:

    @@ -1033,14 +995,12 @@ values are case-sensitive and formatted as follows:

    -
    -No
    methodStringMatch

    HTTP Method values are case-sensitive and formatted as follows:

    @@ -1056,14 +1016,12 @@ values are case-sensitive and formatted as follows:

    -
    -No
    authorityStringMatch

    HTTP Authority values are case-sensitive and formatted as follows:

    @@ -1079,14 +1037,12 @@ values are case-sensitive and formatted as follows:

    -
    -No
    headersmap<string, StringMatch>
    +
    map<string, StringMatch>
    +

    The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id.

    @@ -1110,54 +1066,46 @@ To provide an empty value, use {}, for example:

    Note: The keys uri, scheme, method, and authority will be ignored.

    -
    -No
    portuint32
    +
    uint32
    +

    Specifies the ports on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

    -
    -No
    sourceLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    Names of gateways where the rule should be applied. Gateway names in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    -
    -No
    queryParamsmap<string, StringMatch>
    +
    map<string, StringMatch>
    +

    Query parameters for matching.

    Ex:

    @@ -1181,52 +1129,44 @@ configuration will only match values like “123” but not “a123& -
    -No
    ignoreUriCasebool

    Flag to specify whether the URI matching should be case-insensitive.

    Note: The case will be ignored only in the case of exact and prefix URI matches.

    -
    -No
    withoutHeadersmap<string, StringMatch>
    +
    map<string, StringMatch>
    +

    withoutHeader has the same syntax with the header, but has opposite meaning. If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

    -
    -No
    sourceNamespacestring
    +
    string
    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    statPrefixstring
    +
    string
    +

    The human readable prefix to use when emitting statistics for this route. The statistics are generated with prefix route.<stat_prefix>. @@ -1235,9 +1175,6 @@ This prefix is only for proxy-level statistics (envoy_) and not service-leve Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix for statistics that are generated when this is configured.

    -
    -No
    FieldType DescriptionRequired
    destinationDestination

    Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

    -
    -Yes
    weightint32
    +
    int32
    +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.

    -
    -No
    headersHeaders

    Header manipulation rules

    -
    -No
    FieldType DescriptionRequired
    destinationDestination

    Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

    -
    -Yes
    weightint32
    +
    int32
    +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.

    -
    -No
    FieldType DescriptionRequired
    destinationSubnetsstring[]
    +
    string[]
    +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

    -
    -No
    portuint32
    +
    uint32
    +

    Specifies the port on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

    -
    -No
    sourceLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    Names of gateways where the rule should be applied. Gateway names in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    -
    -No
    sourceNamespacestring
    +
    string
    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    FieldType DescriptionRequired
    sniHostsstring[]
    +
    string[]
    +
    Required
    +

    SNI (server name indicator) to match on. Wildcard prefixes can be used in the SNI value, e.g., *.com will match foo.example.com as well as example.com. An SNI value must be a subset (i.e., fall within the domain) of the corresponding virtual service’s hosts.

    -
    -Yes
    destinationSubnetsstring[]
    +
    string[]
    +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

    -
    -No
    portuint32
    +
    uint32
    +

    Specifies the port on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

    -
    -No
    sourceLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    Names of gateways where the rule should be applied. Gateway names in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    -
    -No
    sourceNamespacestring
    +
    string
    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    FieldType DescriptionRequired
    uristring
    +
    string
    +

    On a redirect, overwrite the Path portion of the URL with this value. Note that the entire path will be replaced, irrespective of the request URI being matched as an exact path or prefix.

    -
    -No
    authoritystring
    +
    string
    +

    On a redirect, overwrite the Authority/Host portion of the URL with this value.

    -
    -No
    portuint32 (oneof)
    +
    uint32 (oneof)
    +

    On a redirect, overwrite the port portion of the URL with this value.

    -
    -No
    derivePortRedirectPortSelection (oneof)

    On a redirect, dynamically set the port:

      @@ -1655,35 +1548,51 @@ No
    • FROM_REQUEST_PORT: automatically use the port of the request.
    -
    -No
    schemestring
    +
    string
    +

    On a redirect, overwrite the scheme portion of the URL with this value. For example, http or https. If unset, the original scheme will be used. If derivePort is set to FROM_PROTOCOL_DEFAULT, this will impact the port used as well

    -
    -No
    redirectCodeuint32
    +
    uint32
    +

    On a redirect, Specifies the HTTP status code to use in the redirect response. The default response code is MOVED_PERMANENTLY (301).

    +
    +

    RedirectPortSelection

    +
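Review bot: in these VirtualService table hunks the removed `Required` column is replaced by an inline `Required` marker, but that marker is only visible next to scalar fields (`sniHosts`, `status`), while message-typed fields that the removed lines marked `Yes` (`match` on TLSRoute, `destination` on RouteDestination and HTTPRouteDestination) show no `Required` marker in the added lines. Please confirm the generator emits the marker for linked (message-typed) cells as well; otherwise the rendered tables silently drop the required-ness of those fields.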
    + + + + + + + + + + + + + + @@ -1759,33 +1668,28 @@ spec: - - - - + - - - + - @@ -1797,32 +1701,26 @@ No - - - - + - - - + - @@ -1858,45 +1756,37 @@ spec: - - - - + - - - + - - - + - @@ -1908,26 +1798,23 @@ No - - - - + - - - + - @@ -1956,44 +1840,36 @@ case-sensitive. regex matching supports case-insensitive matches. - - - - + - - - + - - - + - @@ -2028,15 +1904,14 @@ spec: - - - - + - - - + - - - + - - - + - @@ -2135,513 +2001,87 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + - - - + -
    NameDescription
    FROM_PROTOCOL_DEFAULT +
    FROM_REQUEST_PORT -No
    FieldType DescriptionRequired
    statusuint32
    +
    uint32
    +
    Required
    +

    Specifies the HTTP response status to be returned.

    -
    -Yes
    bodyHTTPBody

    Specifies the content of the response body. If this setting is omitted, no body is included in the generated response.

    -
    -No
    FieldType DescriptionRequired
    stringstring (oneof)
    +
    string (oneof)
    +

    response body as a string

    -
    -No
    bytesbytes (oneof)
    +
    bytes (oneof)
    +

    response body as base64 encoded bytes.

    -
    -No
    FieldType DescriptionRequired
    uristring
    +
    string
    +

    rewrite the path (or the prefix) portion of the URI with this value. If the original URI was matched based on prefix, the value provided in this field will replace the corresponding matched prefix.

    -
    -No
    authoritystring
    +
    string
    +

    rewrite the Authority/Host header with this value.

    -
    -No
    uriRegexRewriteRegexRewrite

    rewrite the path portion of the URI with the specified regex.

    -
    -No
    FieldType DescriptionRequired
    matchstring
    +
    string
    +

    RE2 style regex-based match.

    -
    -No
    rewritestring
    +
    string
    +

    The string that should replace into matching portions of original URI. Capture groups in the pattern can be referenced in the new URI. @@ -1939,9 +1826,6 @@ rewrite string of “/customprefix/\2/\1” would transform into “ Path pattern “/aaa/XxX/bbb” with match “(?i)/xxx/” and a rewrite string of /yyy/ would do a case-insensitive match and transform the path to “/aaa/yyy/bbb”.

    -
    -No
    FieldType DescriptionRequired
    exactstring (oneof)
    +
    string (oneof)
    +

    exact string match

    -
    -No
    prefixstring (oneof)
    +
    string (oneof)
    +

    prefix-based match

    -
    -No
    regexstring (oneof)
    +
    string (oneof)
    +

    RE2 style regex-based match.

    Example: (?i)^aaa$ can be used to case-insensitive match a string consisting of three a’s.

    -
    -No
    FieldType DescriptionRequired
    attemptsint32
    +
    int32
    +

    Number of retries to be allowed for a given request. The interval between retries will be determined automatically (25ms+). When request @@ -2045,28 +1920,24 @@ or per_try_timeout is configured, the actual number of retries atte the specified request timeout and per_try_timeout values. MUST be >= 0. If 0, retries will be disabled. The maximum possible number of requests made will be 1 + attempts.

    -
    -No
    perTryTimeoutDuration

    Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms. Default is same value as request timeout of the HTTP route, which means no timeout.

    -
    -No
    retryOnstring
    +
    string
    +

    Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. @@ -2078,21 +1949,16 @@ For example, if a connection is reset, Istio will translate this to 503 for it&r However, the destination did not return a 503 error, so this would not match "503" (it would, however, match "reset").

    If not specified, this defaults to connect-failure,refused-stream,unavailable,cancelled,503.

    -
    -No
    retryRemoteLocalitiesBoolValue

    Flag to specify whether the retries should retry to other localities. See the retry plugin configuration for more details.

    -
    -No
    FieldType DescriptionRequired
    allowOriginsStringMatch[]

    String patterns that match allowed origins. An origin is allowed if any of the string matchers match. If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

    -
    -No
    allowMethodsstring[]
    +
    string[]
    +

    List of HTTP methods allowed to access the resource. The content will be serialized into the Access-Control-Allow-Methods header.

    -
    -No
    allowHeadersstring[]
    +
    string[]
    +

    List of HTTP headers that can be used when requesting the resource. Serialized to Access-Control-Allow-Headers header.

    -
    -No
    exposeHeadersstring[]
    +
    string[]
    +

    A list of HTTP headers that the browsers are allowed to access. Serialized into Access-Control-Expose-Headers header.

    -
    -No
    maxAgeDuration

    Specifies how long the results of a preflight request can be cached. Translates to the Access-Control-Max-Age header.

    -
    -No
    allowCredentialsBoolValue

    Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. Translates to Access-Control-Allow-Credentials header.

    -
    -No
    unmatchedPreflightsUnmatchedPreflights

    Indicates whether preflight requests not matching the configured allowed origin shouldn’t be forwarded to the upstream. Default is forward to upstream.

    -
    -No
    -

    HTTPFaultInjection

    -
    -

    HTTPFaultInjection can be used to specify one or more faults to inject -while forwarding HTTP requests to the destination specified in a route. -Fault specification is part of a VirtualService rule. Faults include -aborting the Http request from downstream service, and/or delaying -proxying of requests. A fault rule MUST HAVE delay or abort or both.

    -

    Note: Delay and abort faults are independent of one another, even if -both are specified simultaneously.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    delayDelay -

    Delay requests before forwarding, emulating various failures such as -network issues, overloaded upstream service, etc.

    - -
    -No -
    abortAbort -

    Abort Http request attempts and return error codes back to downstream -service, giving the impression that the upstream service is faulty.

    - -
    -No -
    -
    -

    HTTPMirrorPolicy

    -
    -

    HTTPMirrorPolicy can be used to specify the destinations to mirror HTTP traffic in addition -to the original destination. Mirrored traffic is on a -best effort basis where the sidecar/gateway will not wait for the -mirrored destinations to respond before returning the response from the -original destination. Statistics will be generated for the mirrored -destination.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    destinationDestination -

    Destination specifies the target of the mirror operation.

    - -
    -Yes -
    percentagePercent -

    Percentage of the traffic to be mirrored by the destination field. -If this field is absent, all the traffic (100%) will be mirrored. -Max value is 100.

    - -
    -No -
    -
    -

    PortSelector

    -
    -

    PortSelector specifies the number of a port to be used for -matching or selection for final routing.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 -

    Valid port number

    - -
    -No -
    -
    -

    Percent

    -
    -

    Percent specifies a percentage in the range of [0.0, 100.0].

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valuedouble - -No -
    -
    -

    Headers.HeaderOperations

    -
    -

    HeaderOperations Describes the header manipulations to apply

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    setmap<string, string> -

    Overwrite the headers specified by key with the given values

    - -
    -No -
    addmap<string, string> -

    Append the given values to the headers specified by keys -(will create a comma-separated list of values)

    - -
    -No -
    removestring[] -

    Remove the specified headers

    - -
    -No -
    -
    -

    HTTPFaultInjection.Delay

    -
    -

    Delay specification is used to inject latency into the request -forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the “v1” version of the “reviews” -service from all pods with label env: prod

    -
    apiVersion: networking.istio.io/v1
    -kind: VirtualService
    -metadata:
    -  name: reviews-route
    -spec:
    -  hosts:
    -  - reviews.prod.svc.cluster.local
    -  http:
    -  - match:
    -    - sourceLabels:
    -        env: prod
    -    route:
    -    - destination:
    -        host: reviews.prod.svc.cluster.local
    -        subset: v1
    -    fault:
    -      delay:
    -        percentage:
    -          value: 0.1
    -        fixedDelay: 5s
    -
    -

    The fixedDelay field is used to indicate the amount of delay in seconds. -The optional percentage field can be used to only delay a certain -percentage of requests. If left unspecified, no request will be delayed.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fixedDelayDuration (oneof) -

    Add a fixed delay before forwarding the request. Format: -1h/1m/1s/1ms. MUST be >=1ms.

    - -
    -No -
    percentagePercent -

    Percentage of requests on which the delay will be injected. -If left unspecified, no request will be delayed.

    - -
    -No -
    percentint32 -

    Percentage of requests on which the delay will be injected (0-100). -Use of integer percent value is deprecated. Use the double percentage -field instead.

    - -
    -No -
    -
    -

    HTTPFaultInjection.Abort

    -
    -

    Abort specification is used to prematurely abort a request with a -pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    -
    apiVersion: networking.istio.io/v1
    -kind: VirtualService
    -metadata:
    -  name: ratings-route
    -spec:
    -  hosts:
    -  - ratings.prod.svc.cluster.local
    -  http:
    -  - route:
    -    - destination:
    -        host: ratings.prod.svc.cluster.local
    -        subset: v1
    -    fault:
    -      abort:
    -        percentage:
    -          value: 0.1
    -        httpStatus: 400
    -
    -

    The httpStatus field is used to indicate the HTTP status code to -return to the caller. The optional percentage field can be used to only -abort a certain percentage of requests. If not specified, no request will be -aborted.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    httpStatusint32 (oneof) -

    HTTP status code to use to abort the Http request.

    - -
    -No -
    grpcStatusstring (oneof) -

    GRPC status code to use to abort the request. The supported -codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md -Note: If you want to return the status “Unavailable”, then you should -specify the code as UNAVAILABLE(all caps), but not 14.

    - -
    -No -
    percentagePercent -

    Percentage of requests to be aborted with the error code provided. -If not specified, no request will be aborted.

    - -
    -No -
    -
    -

    google.protobuf.UInt32Value

    -
    -

    Wrapper message for uint32.

    -

    The JSON representation for UInt32Value is JSON number.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valueuint32 -

    The uint32 value.

    - -
    -No -
    -
    -

    HTTPRedirect.RedirectPortSelection

    -
    - - - - - - - - - - - - - - - - - -
    NameDescription
    FROM_PROTOCOL_DEFAULT -
    FROM_REQUEST_PORT -
    -
    -

    CorsPolicy.UnmatchedPreflights

    +

    UnmatchedPreflights

    @@ -2677,3 +2117,300 @@ will not be forwarded to the upstream.

    +

    HTTPFaultInjection

    +
    +

    HTTPFaultInjection can be used to specify one or more faults to inject +while forwarding HTTP requests to the destination specified in a route. +Fault specification is part of a VirtualService rule. Faults include +aborting the Http request from downstream service, and/or delaying +proxying of requests. A fault rule MUST HAVE delay or abort or both.

    +

    Note: Delay and abort faults are independent of one another, even if +both are specified simultaneously.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Delay requests before forwarding, emulating various failures such as +network issues, overloaded upstream service, etc.

    + +
    +

    Abort Http request attempts and return error codes back to downstream +service, giving the impression that the upstream service is faulty.

    + +
    +
    +

    Delay

    +
    +

    Delay specification is used to inject latency into the request +forwarding path. The following example will introduce a 5 second delay +in 1 out of every 1000 requests to the “v1” version of the “reviews” +service from all pods with label env: prod

    +
    apiVersion: networking.istio.io/v1
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - sourceLabels:
    +        env: prod
    +    route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      delay:
    +        percentage:
    +          value: 0.1
    +        fixedDelay: 5s
    +
    +

    The fixedDelay field is used to indicate the amount of delay in seconds. +The optional percentage field can be used to only delay a certain +percentage of requests. If left unspecified, no request will be delayed.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Add a fixed delay before forwarding the request. Format: +1h/1m/1s/1ms. MUST be >=1ms.

    + +
    +

    Percentage of requests on which the delay will be injected. +If left unspecified, no request will be delayed.

    + +
    +
    int32
    +
    +

    Percentage of requests on which the delay will be injected (0-100). +Use of integer percent value is deprecated. Use the double percentage +field instead.

    + +
    +
    +

    Abort

    +
    +

    Abort specification is used to prematurely abort a request with a +pre-specified error code. The following example will return an HTTP 400 +error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    +
    apiVersion: networking.istio.io/v1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      abort:
    +        percentage:
    +          value: 0.1
    +        httpStatus: 400
    +
    +

    The httpStatus field is used to indicate the HTTP status code to +return to the caller. The optional percentage field can be used to only +abort a certain percentage of requests. If not specified, no request will be +aborted.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    int32 (oneof)
    +
    +

    HTTP status code to use to abort the Http request.

    + +
    +
    string (oneof)
    +
    +

    GRPC status code to use to abort the request. The supported +codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md +Note: If you want to return the status “Unavailable”, then you should +specify the code as UNAVAILABLE(all caps), but not 14.

    + +
    +

    Percentage of requests to be aborted with the error code provided. +If not specified, no request will be aborted.

    + +
    +
    +

    HTTPMirrorPolicy

    +
    +

    HTTPMirrorPolicy can be used to specify the destinations to mirror HTTP traffic in addition +to the original destination. Mirrored traffic is on a +best effort basis where the sidecar/gateway will not wait for the +mirrored destinations to respond before returning the response from the +original destination. Statistics will be generated for the mirrored +destination.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Destination specifies the target of the mirror operation.

    + +
    +

    Percentage of the traffic to be mirrored by the destination field. +If this field is absent, all the traffic (100%) will be mirrored. +Max value is 100.

    + +
    +
    +

    PortSelector

    +
    +

    PortSelector specifies the number of a port to be used for +matching or selection for final routing.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Valid port number

    + +
    +
    +

    Percent

    +
    +

    Percent specifies a percentage in the range of [0.0, 100.0].

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    double
    +
    +
    +
    +

    UInt32Value

    +
    +

    Wrapper message for uint32.

    +

    The JSON representation for UInt32Value is JSON number.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    The uint32 value.

    + +
    +
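Review bot: the re-added sections in this hunk use bare headings (`Delay`, `Abort`, `UInt32Value`, `RedirectPortSelection`) where the removed lines had qualified ones (`HTTPFaultInjection.Delay`, `HTTPFaultInjection.Abort`, `google.protobuf.UInt32Value`, `HTTPRedirect.RedirectPortSelection`), which changes the heading anchors and breaks existing deep links to them; if the rename is intended, add anchor aliases for the old ids. Separately, the removed HTTPMirrorPolicy table marked `destination` as required (`Yes`) while the added table carries no `Required` marker beside it, so check that the requirement is not lost in the new layout.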
    diff --git a/content/en/docs/reference/config/networking/workload-entry/index.html b/content/en/docs/reference/config/networking/workload-entry/index.html index d69697457a..8a3349fc14 100644 --- a/content/en/docs/reference/config/networking/workload-entry/index.html +++ b/content/en/docs/reference/config/networking/workload-entry/index.html @@ -128,15 +128,14 @@ spec: Field -Type Description -Required -address -string +
    +
    string
    +

    Address associated with the network endpoint without the port. Domain names can be used if and only if the resolution is set @@ -144,14 +143,12 @@ to DNS, and must be fully-qualified without wildcards. Use the form unix:///absolute/path/to/socket for Unix domain socket endpoints. If address is empty, network must be specified.

    - - -No -ports -map<string, uint32> +
    +
    map<string, uint32>
    +

    Set of ports associated with the endpoint. If the port map is specified, it must be a map of servicePortName to this endpoint’s @@ -166,25 +163,21 @@ the same port.

    NOTE 1: Do not use for unix:// addresses.

    NOTE 2: endpoint port map takes precedence over targetPort.

    - - -No -labels -map<string, string> +
    +
    map<string, string>
    +

    One or more labels associated with the endpoint.

    - - -No -network -string +
    +
    string
    +

    Network enables Istio to group endpoints resident in the same L3 domain/network. All endpoints in the same network are assumed to be @@ -195,14 +188,12 @@ used to establish connectivity (usually using the an advanced configuration used typically for spanning an Istio mesh over multiple clusters. Required if address is not provided.

    - - -No -locality -string +
    +
    string
    +

    The locality associated with the endpoint. A locality corresponds to a failure domain (e.g., country/region/zone). Arbitrary failure @@ -222,35 +213,28 @@ locality. Endpoint e2 could be the IP associated with a gateway (that bridges networks n1 and n2), or the IP associated with a standard service endpoint.

    - - -No -weight -uint32 +
    +
    uint32
    +

    The load balancing weight associated with the endpoint. Endpoints with higher weights will receive proportionally higher traffic.

    - - -No -serviceAccount -string +
    +
    string
    +

    The service account associated with the workload if a sidecar is present in the workload. The service account must be present in the same namespace as the configuration ( WorkloadEntry or a ServiceEntry)

    - - -No diff --git a/content/en/docs/reference/config/networking/workload-group/index.html b/content/en/docs/reference/config/networking/workload-group/index.html index 81d9632636..be0cc99bb4 100644 --- a/content/en/docs/reference/config/networking/workload-group/index.html +++ b/content/en/docs/reference/config/networking/workload-group/index.html @@ -65,27 +65,25 @@ and as such doesn’t configure host name for these workloads.

    Field -Type Description -Required -metadata -ObjectMeta +

    Metadata that will be used for all corresponding WorkloadEntries. User labels for a workload group should be set here in metadata rather than in template.

    - - -No -template -WorkloadEntry +
    + +
    Required
    +

    Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. Please note that address and labels fields should not be set in the template, and an empty serviceAccount @@ -93,21 +91,50 @@ should default to default. The workload identities (mTLS certificat specified service account’s token. Workload entries in this group will be in the same namespace as the workload group, and inherit the labels and annotations from the above metadata field.

    - - -Yes -probe -ReadinessProbe +

    ReadinessProbe describes the configuration the user must provide for healthchecking on their workload. This configuration mirrors K8S in both syntax and logic for the most part.

    + + + + +

    ObjectMeta

    +
    +

    ObjectMeta describes metadata that will be attached to a WorkloadEntry. +It is a subset of the supported Kubernetes metadata.

    + + + + + + + + + + + + + + + @@ -119,114 +146,94 @@ No - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -238,67 +245,56 @@ No - - - - + - - - + - - - + - - - + - - - + - @@ -310,32 +306,26 @@ No - - - - + - - - + - @@ -347,32 +337,26 @@ No - - - - + - - - + - @@ -384,32 +368,27 @@ No - - - - + - - - + - @@ -421,61 +400,18 @@ Yes - - - - + - - - -
    FieldDescription
    +
    map<string, string>
    +
    -No +

    Labels to attach

    + +
    +
    map<string, string>
    +
    +

    Annotations to attach

    +
    FieldType DescriptionRequired
    initialDelaySecondsint32

    Number of seconds after the container has started before readiness probes are initiated.

    -
    -No
    timeoutSecondsint32

    Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.

    -
    -No
    periodSecondsint32
    +
    int32
    +

    How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1 second.

    -
    -No
    successThresholdint32

    Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1 second.

    -
    -No
    failureThresholdint32

    Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3 seconds.

    -
    -No
    httpGetHTTPHealthCheckConfig (oneof)

    httpGet is performed to a given endpoint and the status/able to connect determines health.

    -
    -No
    tcpSocketTCPHealthCheckConfig (oneof)

    Health is determined by if the proxy is able to connect.

    -
    -No
    execExecHealthCheckConfig (oneof)

    Health is determined by how the command that is executed exited.

    -
    -No
    grpcGrpcHealthCheckConfig (oneof)

    GRPC call is made and response/error is used to determine health.

    -
    -No
    FieldType DescriptionRequired
    pathstring
    +
    string
    +

    Path to access on the HTTP server.

    -
    -No
    portuint32
    +
    uint32
    +
    Required
    +

    Port on which the endpoint lives.

    -
    -Yes
    hoststring
    +
    string
    +

    Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.

    -
    -No
    schemestring
    +
    string
    +

    HTTP or HTTPS, defaults to HTTP

    -
    -No
    httpHeadersHTTPHeader[]

    Headers the proxy will pass on to make the request. Allows repeated headers.

    -
    -No
    FieldType DescriptionRequired
    portuint32
    +
    uint32
    +

    Port on which the endpoint lives.

    -
    -No
    servicestring
    +
    string
    +

    Service is the fully qualified name of the service to send the grpc health check request

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    The header field name

    -
    -No
    valuestring
    +
    string
    +

    The header field value

    -
    -No
    FieldType DescriptionRequired
    hoststring
    +
    string
    +

    Host to connect to, defaults to localhost

    -
    -No
    portuint32
    +
    uint32
    +
    Required
    +

    Port of host

    -
    -Yes
    FieldType DescriptionRequired
    commandstring[]
    +
    string[]
    +
    Required
    +

    Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

    -
    -Yes -
    -
    -

    WorkloadGroup.ObjectMeta

    -
    -

    ObjectMeta describes metadata that will be attached to a WorkloadEntry. -It is a subset of the supported Kubernetes metadata.

    - - - - - - - - - - - - - - - - - - - - - - diff --git a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html index f8937d5416..aced700a4a 100644 --- a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -178,15 +178,14 @@ the Istio proxy through WebAssembly filters.

    - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldTypeDescriptionRequired
    labelsmap<string, string> -

    Labels to attach

    - -
    -No -
    annotationsmap<string, string> -

    Annotations to attach

    - -
    -No
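Review bot: the successThreshold and failureThreshold rows of the ReadinessProbe table (unchanged context in this hunk) read "Defaults to 1 second." and "Defaults to 3 seconds.", but both fields are counts of consecutive probe results, not durations; only timeoutSeconds and periodSeconds are measured in seconds. Since this page is regenerated by the automator, the fix belongs in the upstream proto comment so the next run emits "Defaults to 1." and "Defaults to 3." Separately, the section heading drops its parent prefix ("WorkloadGroup.ObjectMeta" becomes "ObjectMeta"); please confirm the generated element id is unchanged or redirected so existing fragment links to the old heading keep resolving.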
    FieldType DescriptionRequired
    selectorWorkloadSelector

    Criteria used to select the specific set of pods/VMs on which this plugin configuration should be applied. If omitted, this @@ -196,16 +195,14 @@ namespace, it will be applied to all applicable workloads in any namespace.

    At most, only one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -221,14 +218,13 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    urlstring
    +
    string
    +
    Required
    +

    URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image. Other valid schemes @@ -236,14 +232,12 @@ are file:// for referencing .wasm module files present locally within the proxy container, and http[s]:// for .wasm module files hosted remotely.

    -
    -Yes
    sha256string
    +
    string
    +

    SHA256 checksum that will be used to verify Wasm module or OCI container. If the url field already references a SHA256 (using the @sha256: @@ -251,14 +245,12 @@ notation), it must match the value of this field. If an OCI image is referenced by tag and this field is set, its checksum will be verified against the contents of this field after pulling.

    -
    -No
    imagePullPolicyPullPolicy

    The pull behaviour to be applied when fetching Wasm module by either OCI image or http/https. Only relevant when referencing Wasm module without @@ -267,63 +259,53 @@ Defaults to IfNotPresent, except when an OCI image is referenced in and the latest tag is used, in which case Always is the default, mirroring Kubernetes behaviour.

    -
    -No
    imagePullSecretstring
    +
    string
    +

    Credentials to use for OCI image pulling. Name of a Kubernetes Secret in the same namespace as the WasmPlugin that contains a Docker pull secret which is to be used to authenticate against the registry when pulling the image.

    -
    -No
    pluginConfigStruct

    The configuration that will be passed on to the plugin.

    -
    -No
    pluginNamestring
    +
    string
    +

    The plugin name to be used in the Envoy configuration (used to be called rootID). Some .wasm modules might require this value to select the Wasm plugin to execute.

    -
    -No
    phasePluginPhase

    Determines where in the filter chain this WasmPlugin is to be injected.

    -
    -No
    priorityInt32Value

    Determines ordering of WasmPlugins in the same phase. When multiple WasmPlugins are applied to the same workload in the @@ -332,56 +314,90 @@ If priority is not set, or two WasmPlugins exist with value, the ordering will be deterministically derived from name and namespace of the WasmPlugins. Defaults to 0.

    -
    -No
    failStrategyFailStrategy

    Specifies the failure behavior for the plugin due to fatal errors.

    -
    -No
    vmConfigVmConfig

    Configuration for a Wasm VM. More details can be found here.

    -
    -No
    matchTrafficSelector[]

    Specifies the criteria to determine which traffic is passed to WasmPlugin. If a traffic satisfies any of TrafficSelectors, the traffic passes the WasmPlugin.

    -
    -No
    typePluginType

    Specifies the type of Wasm Extension to be used.

    +
    +

    TrafficSelector

    +
    +

    TrafficSelector provides a mechanism to select a specific traffic flow +for which this Wasm Plugin will be enabled. +When all the sub conditions in the TrafficSelector are satisfied, the +traffic will be selected.

    + + + + + + + + + + + + + + + @@ -396,22 +412,18 @@ more details can be found - - + - @@ -424,97 +436,39 @@ No - - - - + - - - + - - - + - - - -
    FieldDescription
    -No +

    Criteria for selecting traffic by their direction. +Note that CLIENT and SERVER are analogous to OUTBOUND and INBOUND, +respectively. +For the gateway, the field should be CLIENT or CLIENT_AND_SERVER. +If not specified, the default value is CLIENT_AND_SERVER.

    + +
    +

    Criteria for selecting traffic by their destination port. +More specifically, for the outbound traffic, the destination port would be +the port of the target service. On the other hand, for the inbound traffic, +the destination port is the port bound by the server process in the same Pod.

    +

    If one of the given ports is matched, this condition is evaluated to true. +If not specified, this condition is evaluated to true for any port.

    +
    envEnvVar[]

    Specifies environment variables to be injected to this VM. Note that if a key does not exist, it will be ignored.

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +

    Name of the environment variable. Must be a C_IDENTIFIER.

    -
    -Yes
    valueFromEnvValueSource

    Source for the environment variable’s value.

    -
    -No
    valuestring
    +
    string
    +

    Value for the environment variable. Only applicable if valueFrom is HOST. Defaults to “”.

    -
    -No -
    -
    -

    WasmPlugin.TrafficSelector

    -
    -

    TrafficSelector provides a mechanism to select a specific traffic flow -for which this Wasm Plugin will be enabled. -When all the sub conditions in the TrafficSelector are satisfied, the -traffic will be selected.

    - - - - - - - - - - - - - - - - - - - - - - diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html index bab8e38d92..4bc43e1423 100644 --- a/content/en/docs/reference/config/security/authorization-policy/index.html +++ b/content/en/docs/reference/config/security/authorization-policy/index.html @@ -204,32 +204,29 @@ spec: - - - - + - - - + - - - + - - - + - - - + -
    FieldTypeDescriptionRequired
    modeWorkloadMode -

    Criteria for selecting traffic by their direction. -Note that CLIENT and SERVER are analogous to OUTBOUND and INBOUND, -respectively. -For the gateway, the field should be CLIENT or CLIENT_AND_SERVER. -If not specified, the default value is CLIENT_AND_SERVER.

    - -
    -No -
    portsPortSelector[] -

    Criteria for selecting traffic by their destination port. -More specifically, for the outbound traffic, the destination port would be -the port of the target service. On the other hand, for the inbound traffic, -the destination port is the port bound by the server process in the same Pod.

    -

    If one of the given ports is matched, this condition is evaluated to true. -If not specified, this condition is evaluated to true for any port.

    - -
    -No
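Review bot: the sha256 row only documents the set case ("If an OCI image is referenced by tag and this field is set, its checksum will be verified against the contents of this field after pulling"); it should also state the unset case, because as written the reader has to infer that a module referenced by a mutable tag with no sha256 is fetched without any checksum check. Please confirm that inference with the authors and spell it out, so the reason for pinning by digest or sha256 is visible next to the field. Same anchor concern as the other files in this patch: "WasmPlugin.TrafficSelector" is renamed to the bare "TrafficSelector", so check that the id existing deep links use still resolves.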
    FieldType DescriptionRequired
    selectorWorkloadSelector -

    Optional. The selector decides where to apply the authorization policy. The selector will match with workloads +

    The selector decides where to apply the authorization policy. The selector will match with workloads in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

    If the selector and the targetRef are not set, the selector will match all workloads.

    At most one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -245,535 +242,64 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    rulesRule[] -

    Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

    +

    A list of rules to match the request. A match occurs when at least one rule matches the request.

    If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW.

    -
    -No
    actionAction -

    Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified.

    +

    The action to take if the request is matched with the rules. Default is ALLOW if not specified.

    -
    -No
    providerExtensionProvider (oneof)

    Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.

    -
    -No
    -

    Rule

    -
    -

    Rule matches requests from a list of sources that perform a list of operations subject to a -list of conditions. A match occurs when at least one source, one operation and all conditions -matches the request. An empty rule is always matched.

    -

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

    -
      -
    • Exact match: abc will match on value abc.
    • -
    • Prefix match: abc* will match on value abc and abcd.
    • -
    • Suffix match: *abc will match on value abc and xabc.
    • -
    • Presence match: * will match when value is not empty.
    • -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromFrom[] -

    Optional. from specifies the source of a request.

    -

    If not set, any source is allowed.

    - -
    -No -
    toTo[] -

    Optional. to specifies the operation of a request.

    -

    If not set, any operation is allowed.

    - -
    -No -
    whenCondition[] -

    Optional. when specifies a list of additional conditions of a request.

    -

    If not set, any condition is allowed.

    - -
    -No -
    -
    -

    Source

    -
    -

    Source specifies the source identities of a request. Fields in the source are -ANDed together.

    -

    For example, the following source matches if the principal is admin or dev -and the namespace is prod or test and the ip is not 203.0.113.4.

    -
    principals: ["admin", "dev"]
    -namespaces: ["prod", "test"]
    -notIpBlocks: ["203.0.113.4"]
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    principalsstring[] -

    Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of -"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". -This field requires mTLS enabled and is the same as the source.principal attribute.

    -

    If not set, any principal is allowed.

    - -
    -No -
    notPrincipalsstring[] -

    Optional. A list of negative match of peer identities.

    - -
    -No -
    requestPrincipalsstring[] -

    Optional. A list of request identities derived from the JWT. The request identity is in the format of -"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the -same as the request.auth.principal attribute.

    -

    If not set, any request principal is allowed.

    - -
    -No -
    notRequestPrincipalsstring[] -

    Optional. A list of negative match of request identities.

    - -
    -No -
    namespacesstring[] -

    Optional. A list of namespaces derived from the peer certificate. -This field requires mTLS enabled and is the same as the source.namespace attribute.

    -

    If not set, any namespace is allowed.

    - -
    -No -
    notNamespacesstring[] -

    Optional. A list of negative match of namespaces.

    - -
    -No -
    ipBlocksstring[] -

    Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. 203.0.113.4) and -CIDR (e.g. 203.0.113.0/24) are supported. This is the same as the source.ip attribute.

    -

    If not set, any IP is allowed.

    - -
    -No -
    notIpBlocksstring[] -

    Optional. A list of negative match of IP blocks.

    - -
    -No -
    remoteIpBlocksstring[] -

    Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. -To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig -when you install Istio or using an annotation on the ingress gateway. See the documentation here: -Configuring Gateway Network Topology. -Single IP (e.g. 203.0.113.4) and CIDR (e.g. 203.0.113.0/24) are supported. -This is the same as the remote.ip attribute.

    -

    If not set, any IP is allowed.

    - -
    -No -
    notRemoteIpBlocksstring[] -

    Optional. A list of negative match of remote IP blocks.

    - -
    -No -
    -
    -

    Operation

    -
    -

    Operation specifies the operations of a request. Fields in the operation are -ANDed together.

    -

    For example, the following operation matches if the host has suffix .example.com -and the method is GET or HEAD and the path doesn’t have prefix /admin.

    -
    hosts: ["*.example.com"]
    -methods: ["GET", "HEAD"]
    -notPaths: ["/admin*"]
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    hostsstring[] -

    Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. -See the security best practices for -recommended usage of this field.

    -

    If not set, any host is allowed. Must be used only with HTTP.

    - -
    -No -
    notHostsstring[] -

    Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.

    - -
    -No -
    portsstring[] -

    Optional. A list of ports as specified in the connection.

    -

    If not set, any port is allowed.

    - -
    -No -
    notPortsstring[] -

    Optional. A list of negative match of ports as specified in the connection.

    - -
    -No -
    methodsstring[] -

    Optional. A list of methods as specified in the HTTP request. -For gRPC service, this will always be POST.

    -

    If not set, any method is allowed. Must be used only with HTTP.

    - -
    -No -
    notMethodsstring[] -

    Optional. A list of negative match of methods as specified in the HTTP request.

    - -
    -No -
    pathsstring[] -

    Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization -for details of the path normalization. -For gRPC service, this will be the fully-qualified name in the form of /package.service/method.

    -

    If a path in the list contains the {*} or {**} path template operator, it will be interpreted as an Envoy Uri Template. -To be a valid path template, the path must not contain *, {, or } outside of a supported operator. No other characters are allowed in the path segment with the path template operator.

    -
      -
    • {*} matches a single glob that cannot extend beyond a path segment.
    • -
    • {**} matches zero or more globs. If a path contains {**}, it must be the last operator.
    • -
    -

    Examples:

    -
      -
    • /foo/{*} matches /foo/bar but not /foo/bar/baz
    • -
    • /foo/{**}/ matches /foo/bar/, /foo/bar/baz.txt, and /foo// but not /foo/bar
    • -
    • /foo/{*}/bar/{**} matches /foo/buzz/bar/ and /foo/buzz/bar/baz
    • -
    • /*/baz/{*} is not a valid path template since it includes * outside of a supported operator
    • -
    • /**/baz/{*} is not a valid path template since it includes ** outside of a supported operator
    • -
    • /{**}/foo/{*} is not a valid path template since {**} is not the last operator
    • -
    • /foo/{*}.txt is invalid since there are characters other than {*} in the path segment
    • -
    -

    If not set, any path is allowed. Must be used only with HTTP.

    - -
    -No -
    notPathsstring[] -

    Optional. A list of negative match of paths.

    - -
    -No -
    -
    -

    Condition

    -
    -

    Condition specifies additional required attributes.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    keystring -

    The name of an Istio attribute. -See the full list of supported attributes.

    - -
    -Yes -
    valuesstring[] -

    Optional. A list of allowed values for the attribute. -Note: at least one of values or notValues must be set.

    - -
    -No -
    notValuesstring[] -

    Optional. A list of negative match of values for the attribute. -Note: at least one of values or notValues must be set.

    - -
    -No -
    -
    -

    AuthorizationPolicy.ExtensionProvider

    +

    ExtensionProvider

    - - - - + -
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

    -
    -No
    -

    Rule.From

    -
    -

    From includes a list of sources.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    sourceSource -

    Source specifies the source of a request.

    - -
    -No -
    -
    -

    Rule.To

    -
    -

    To includes a list of operations.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    operationOperation -

    Operation specifies the operation of a request.

    - -
    -No -
    -
    -

    AuthorizationPolicy.Action

    +

    Action

    Action specifies the operation to take.
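Review bot: this deletion is not reviewable on its own, because the Rule, Source, Operation, Condition, From and To sections removed here reappear in the final hunk after Action with the "Optional." prefixes stripped and the Required column folded into a marker; the result reads as a rewrite of roughly 530 lines when it is mostly a move. Suggest a text-only comparison of the removed and re-added blocks before merging, checking in particular that Condition.key, the only field in these sections that was marked Required "Yes", still carries the Required marker, and that the two "Note: at least one of values or notValues must be set" sentences survive, since with the column gone that prose is the only place the constraint is stated.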

    @@ -842,3 +368,398 @@ spec:
    +

    Rule

    +
    +

    Rule matches requests from a list of sources that perform a list of operations subject to a +list of conditions. A match occurs when at least one source, one operation and all conditions +matches the request. An empty rule is always matched.

    +

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

    +
      +
    • Exact match: abc will match on value abc.
    • +
    • Prefix match: abc* will match on value abc and abcd.
    • +
    • Suffix match: *abc will match on value abc and xabc.
    • +
    • Presence match: * will match when value is not empty.
    • +
    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    from specifies the source of a request.

    +

    If not set, any source is allowed.

    + +
    + +
    +

    to specifies the operation of a request.

    +

    If not set, any operation is allowed.

    + +
    +

    when specifies a list of additional conditions of a request.

    +

    If not set, any condition is allowed.

    + +
    +
    +

    From

    +
    +

    From includes a list of sources.

    + + + + + + + + + + + + + + +
    FieldDescription
    +

    Source specifies the source of a request.

    + +
    +
    +

    To

    +
    +

    To includes a list of operations.

    + + + + + + + + + + + + + + +
    FieldDescription
    +

    Operation specifies the operation of a request.

    + +
    +
    +

    Source

    +
    +

    Source specifies the source identities of a request. Fields in the source are +ANDed together.

    +

    For example, the following source matches if the principal is admin or dev +and the namespace is prod or test and the ip is not 203.0.113.4.

    +
    principals: ["admin", "dev"]
    +namespaces: ["prod", "test"]
    +notIpBlocks: ["203.0.113.4"]
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    A list of peer identities derived from the peer certificate. The peer identity is in the format of +"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". +This field requires mTLS enabled and is the same as the source.principal attribute.

    +

    If not set, any principal is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of peer identities.

    + +
    +
    string[]
    +
    +

    A list of request identities derived from the JWT. The request identity is in the format of +"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the +same as the request.auth.principal attribute.

    +

    If not set, any request principal is allowed.

    + +
    +

    A list of negative match of request identities.

    + +
    +
    string[]
    +
    +

    A list of namespaces derived from the peer certificate. +This field requires mTLS enabled and is the same as the source.namespace attribute.

    +

    If not set, any namespace is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of namespaces.

    + +
    +
    string[]
    +
    +

    A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. 203.0.113.4) and +CIDR (e.g. 203.0.113.0/24) are supported. This is the same as the source.ip attribute.

    +

    If not set, any IP is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of IP blocks.

    + +
    +
    string[]
    +
    +

    A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. +To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig +when you install Istio or using an annotation on the ingress gateway. See the documentation here: +Configuring Gateway Network Topology. +Single IP (e.g. 203.0.113.4) and CIDR (e.g. 203.0.113.0/24) are supported. +This is the same as the remote.ip attribute.

    +

    If not set, any IP is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of remote IP blocks.

    + +
    +
    +

    Operation

    +
    +

    Operation specifies the operations of a request. Fields in the operation are +ANDed together.

    +

    For example, the following operation matches if the host has suffix .example.com +and the method is GET or HEAD and the path doesn’t have prefix /admin.

    +
    hosts: ["*.example.com"]
    +methods: ["GET", "HEAD"]
    +notPaths: ["/admin*"]
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    A list of hosts as specified in the HTTP request. The match is case-insensitive. +See the security best practices for +recommended usage of this field.

    +

    If not set, any host is allowed. Must be used only with HTTP.

    + +
    +
    string[]
    +
    +

    A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.

    + +
    +
    string[]
    +
    +

    A list of ports as specified in the connection.

    +

    If not set, any port is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of ports as specified in the connection.

    + +
    +
    string[]
    +
    +

    A list of methods as specified in the HTTP request. +For gRPC service, this will always be POST.

    +

    If not set, any method is allowed. Must be used only with HTTP.

    + +
    +
    string[]
    +
    +

    A list of negative match of methods as specified in the HTTP request.

    + +
    +
    string[]
    +
    +

    A list of paths as specified in the HTTP request. See the Authorization Policy Normalization +for details of the path normalization. +For gRPC service, this will be the fully-qualified name in the form of /package.service/method.

    +

    If a path in the list contains the {*} or {**} path template operator, it will be interpreted as an Envoy Uri Template. +To be a valid path template, the path must not contain *, {, or } outside of a supported operator. No other characters are allowed in the path segment with the path template operator.

    +
      +
    • {*} matches a single glob that cannot extend beyond a path segment.
    • +
    • {**} matches zero or more globs. If a path contains {**}, it must be the last operator.
    • +
    +

    Examples:

    +
      +
    • /foo/{*} matches /foo/bar but not /foo/bar/baz
    • +
    • /foo/{**}/ matches /foo/bar/, /foo/bar/baz.txt, and /foo// but not /foo/bar
    • +
    • /foo/{*}/bar/{**} matches /foo/buzz/bar/ and /foo/buzz/bar/baz
    • +
    • /*/baz/{*} is not a valid path template since it includes * outside of a supported operator
    • +
    • /**/baz/{*} is not a valid path template since it includes ** outside of a supported operator
    • +
    • /{**}/foo/{*} is not a valid path template since {**} is not the last operator
    • +
    • /foo/{*}.txt is invalid since there are characters other than {*} in the path segment
    • +
    +

    If not set, any path is allowed. Must be used only with HTTP.

    + +
    +
    string[]
    +
    +

    A list of negative match of paths.

    + +
    +
    +

    Condition

    +
    +

    Condition specifies additional required attributes.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    Required
    +
    +

    The name of an Istio attribute. +See the full list of supported attributes.

    + +
    +
    string[]
    +
    +

    A list of allowed values for the attribute. +Note: at least one of values or notValues must be set.

    + +
    +
    string[]
    +
    +

    A list of negative match of values for the attribute. +Note: at least one of values or notValues must be set.

    + +
    +
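Review bot: in the re-added Source table the notRequestPrincipals row shows no type line, while every sibling row (principals, notPrincipals, requestPrincipals, namespaces, notNamespaces, ipBlocks, notIpBlocks, remoteIpBlocks, notRemoteIpBlocks) has "string[]" before its description and the removed table listed notRequestPrincipals as string[] as well; please check the generated HTML for that row. Also consider cross-referencing the ipBlocks and remoteIpBlocks rows: the former is "populated from the source address of the IP packet", the latter from X-Forwarded-For or proxy protocol and only after numTrustedProxies is configured under gatewayTopology, and readers regularly pick the wrong one when writing rules behind a gateway.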
    diff --git a/content/en/docs/reference/config/security/peer_authentication/index.html b/content/en/docs/reference/config/security/peer_authentication/index.html index d53af3c38c..620bdc9d86 100644 --- a/content/en/docs/reference/config/security/peer_authentication/index.html +++ b/content/en/docs/reference/config/security/peer_authentication/index.html @@ -95,54 +95,46 @@ spec: Field -Type Description -Required -
    selector -WorkloadSelector +

    The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.

    If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied to all workloads in the mesh.

    - - -No -mtls -MutualTLS +

    Mutual TLS settings for workload. If not defined, inherit from parent.

    - - -No -portLevelMtls -map<uint32, MutualTLS> +
    +
    map<uint32, MutualTLS>
    +

    Port specific mutual TLS settings. These only apply when a workload selector is specified. The port refers to the port of the workload, not the port of the Kubernetes service.

    - - -No -

    PeerAuthentication.MutualTLS

    +

    MutualTLS

    Mutual TLS settings.

    @@ -150,27 +142,23 @@ No Field -Type Description -Required -mode -Mode +

    Defines the mTLS mode used for peer authentication.

    - - -No
    -

    PeerAuthentication.MutualTLS.Mode

    +

    Mode
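Review bot: flattening "PeerAuthentication.MutualTLS" to "MutualTLS" and "PeerAuthentication.MutualTLS.Mode" to "Mode" leaves bare leaf names as section headings; if the generator derives ids from heading text, another nested type called Mode on the same page would collide, and fragment links to the prefixed names break. Please confirm the ids are namespaced or redirected. The portLevelMtls sentence "The port refers to the port of the workload, not the port of the Kubernetes service" and the "only apply when a workload selector is specified" qualifier are both still present after the column removal; keep them, as they are the two conditions that most often explain a port-level setting silently not taking effect.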

    diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html index 29bb8f7fe9..d966c43246 100644 --- a/content/en/docs/reference/config/security/request_authentication/index.html +++ b/content/en/docs/reference/config/security/request_authentication/index.html @@ -202,32 +202,29 @@ spec: - - - - + - - - + - - - + - @@ -296,15 +288,15 @@ fromHeaders: - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -491,34 +460,29 @@ No - - - - + - - - + - @@ -532,33 +496,29 @@ No - - - - + - - - + - diff --git a/content/en/docs/reference/config/telemetry/index.html b/content/en/docs/reference/config/telemetry/index.html index 4dd3b4cb70..162c1a3f71 100644 --- a/content/en/docs/reference/config/telemetry/index.html +++ b/content/en/docs/reference/config/telemetry/index.html @@ -203,31 +203,28 @@ spec: - - - - + - - - + - - - + - - - + - - - + - @@ -302,41 +290,36 @@ fully replace any values provided by parent configuration.

    - - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldType DescriptionRequired
    selectorWorkloadSelector -

    Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads +

    The selector decides where to apply the request authentication policy. The selector will match with workloads in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

    If not set, the selector will match all workloads.

    At most one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -243,14 +240,12 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    jwtRulesJWTRule[]
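Review bot: the NOTE in this hunk, "Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.", describes a fail-open condition (a selector-based RequestAuthentication silently has no effect on a waypoint) without telling the reader how to notice it. Suggest stating whether the control plane emits a validation warning or analyzer message for a selector policy whose workloads are served by a waypoint, and recommending `targetRefs` explicitly in that case.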

    Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token will be used to extract the authenticated identity. @@ -260,9 +255,6 @@ be rejected. Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
    FieldType DescriptionRequired
    issuerstring
    +
    string
    +
    Required
    +

    Identifies the issuer that issued the JWT. See issuer @@ -312,14 +304,12 @@ A JWT with different iss claim will be rejected.

    Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com

    -
    -Yes
    audiencesstring[]
    +
    string[]
    +

    The list of JWT audiences @@ -332,14 +322,12 @@ audiences will be accepted.

    bookstore_web.apps.example.com -
    -No
    jwksUristring
    +
    string
    +

    URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

    @@ -351,27 +339,23 @@ Google service account).

    Example: https://www.googleapis.com/oauth2/v1/certs

    Note: Only one of jwksUri and jwks should be used.

    -
    -No
    jwksstring
    +
    string
    +

    JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.

    Note: Only one of jwksUri and jwks should be used.

    -
    -No
    fromHeadersJWTHeader[]

    List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in x-jwt-assertion header, and have Bearer prefix:

    @@ -382,14 +366,12 @@ if JWT is expected to be found in x-jwt-assertion header, and have

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
    fromParamsstring[]
    +
    string[]
    +

    List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter my_token (e.g /path?my_token=<JWT>), the config is:

    @@ -399,27 +381,23 @@ parameter my_token (e.g /path?my_token=<JWT>), t

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
    outputPayloadToHeaderstring

    This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted.

    -
    -No
    fromCookiesstring[]
    +
    string[]
    +

    List of cookie names from which JWT is expected. // For example, if config is:
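Review bot: `outputPayloadToHeader` says the verified payload is emitted as `base64_encoded(jwt_payload_in_JSON)` but not what happens to a client-supplied header of the same name. The backend will read this header as the authenticated identity, so the description should state that any incoming value is overwritten, as the ClaimToHeader `header` field already does ("The header will be overridden if it already exists in the request."), and what the backend sees when no valid token is present.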

    @@ -430,25 +408,21 @@ For example, if config is:

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
    forwardOriginalTokenbool

    If set to true, the original token will be kept for the upstream request. Default is false.

    -
    -No
    outputClaimToHeadersClaimToHeader[]
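Review bot: "Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined." is now repeated verbatim under `fromHeaders`, `fromParams` and `fromCookies`. An undefined principal is the input to authorization decisions, so the text should say what the proxy actually does (reject the request, or which location takes precedence) rather than leave it undefined; failing that, state the note once in the JWTRule description instead of three times.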

    This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. This differs from the output_payload_to_header by allowing outputting individual claims instead of the whole payload. @@ -463,21 +437,16 @@ The header specified in each operation in the list must be unique. Nested claims

    [Experimental] This feature is a experimental feature.

    -
    -No
    timeoutDuration

    The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. Default is 5s.

    -
    -No
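Review bot: "[Experimental] This feature is a experimental feature." under `outputClaimToHeaders` is ungrammatical ("an experimental") and restates the tag; suggest "[Experimental] This field is experimental and may change." Also, `timeout` says the resolver is "determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable" without saying which resolver applies when the variable is unset, so the reader cannot tell whether the 5s default ever applies to them.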
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +

    The HTTP header name.

    -
    -Yes
    prefixstring
    +
    string
    +

    The prefix that should be stripped before decoding the token. For example, for Authorization: Bearer <token>, prefix=Bearer with a space at the end. If the header doesn’t have this exact prefix, it is considered invalid.

    -
    -No
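Review bot: `prefix` says "prefix=Bearer with a space at the end"; the trailing space is invisible in rendered HTML, so show the value delimited (for example `prefix: "Bearer "`) next to the `Authorization: Bearer <token>` example. Keep the sentence "If the header doesn't have this exact prefix, it is considered invalid." as it is, since that is what prevents a bare or differently-prefixed token from being accepted.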
    FieldType DescriptionRequired
    headerstring
    +
    string
    +
    Required
    +

    The name of the header to be created. The header will be overridden if it already exists in the request.

    -
    -Yes
    claimstring
    +
    string
    +
    Required
    +

    The name of the claim to be copied from. Only claim of type string/int/bool is supported. The header will not be there if the claim does not exist or the type of the claim is not supported.

    -
    -Yes
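Review bot: `claim` says "The header will not be there if the claim does not exist or the type of the claim is not supported." while `header` says it is only overridden "if it already exists in the request"; together these leave open whether a client-supplied header of the configured name survives when the claim is absent. The backend will treat that header as a verified claim, so state explicitly that the incoming header is stripped in that case, or document that it is not.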
    FieldType DescriptionRequired
    selectorWorkloadSelector -

    Optional. The selector decides where to apply the policy. +

    The selector decides where to apply the policy. If not set, the policy will be applied to all workloads in the same namespace as the policy.

    At most one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -243,45 +240,36 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    tracingTracing[] -

    Optional. Tracing configures the tracing behavior for all +

    Tracing configures the tracing behavior for all selected workloads.

    -
    -No
    metricsMetrics[] -

    Optional. Metrics configures the metrics behavior for all +

    Metrics configures the metrics behavior for all selected workloads.

    -
    -No
    accessLoggingAccessLogging[] -

    Optional. Access logging configures the access logging behavior for all +

    Access logging configures the access logging behavior for all selected workloads.

    -
    -No
    FieldType DescriptionRequired
    matchTracingSelector

    Allows tailoring of behavior to specific conditions.

    -
    -No
    providersProviderRef[] -

    Optional. Name of provider(s) to use for span reporting. If a provider is +

    Name of provider(s) to use for span reporting. If a provider is not specified, the default tracing provider will be used. NOTE: At the moment, only a single provider can be specified in a given Tracing rule.

    -
    -No
    randomSamplingPercentageDoubleValue

    Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. If a prior sampling decision has @@ -347,45 +330,199 @@ generation at the percentage specified.

    Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% increments.

    -
    -No
    disableSpanReportingBoolValue

    Controls span reporting. If set to true, no spans will be reported for impacted workloads. This does NOT impact context propagation or trace sampling behavior.

    -
    -No
    customTagsmap<string, CustomTag>
    +
    map<string, CustomTag>
    +
    -

    Optional. Configures additional custom tags to the generated trace spans.

    +

    Configures additional custom tags to the generated trace spans.

    -
    -No
    enableIstioTagsBoolValue

    Determines whether or not trace spans generated by Envoy will include Istio specific tags. By default Istio specific tags are included in the trace spans.

    +
    +

    TracingSelector

    +
    +

    TracingSelector provides a coarse-grained ability to configure tracing +behavior based on certain traffic metadata (such as traffic direction).

    + + + + + + + + + + + + + +
    FieldDescription
    -No +

    This determines whether or not to apply the tracing configuration +based on the direction of traffic relative to the proxied workload.

    + +
    +
    +

    CustomTag

    +
    +

    CustomTag defines a tag to be added to a trace span that is based on +an operator-supplied value. This value can either be a hard-coded value, +a value taken from an environment variable known to the sidecar proxy, or +from a request header.

    +

    NOTE: when specified, custom_tags will fully replace any values provided +by parent configuration.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Literal adds the same, hard-coded value to each span.

    + +
    +

    Environment adds the value of an environment variable to each span.

    + +
    +

    RequestHeader adds the value of an header from the request to each +span.

    + +
    +
    +

    Literal

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    Required
    +
    +

    The tag value to use.

    + +
    +
    +

    Environment

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    Required
    +
    +

    Name of the environment variable from which to extract the tag value.

    + +
    +
    string
    +
    +

    If the environment variable is not found, this value will be +used instead.

    + +
    +
    +

    RequestHeader

    +
    + + + + + + + + + + + + + + + @@ -400,21 +537,18 @@ targeted customization.

    - - - - + - @@ -430,31 +564,28 @@ as to customize the dimensions of the generated metrics.

    - - - - + - - - + - - - + - @@ -498,488 +624,43 @@ behaviors.

    - - - - + - - - + - - - + -
    FieldDescription
    +
    string
    +
    Required
    +
    +

    Name of the header from which to extract the tag value.

    + +
    +
    string
    +
    +

    If the header is not found, this value will be +used instead.

    +
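Review bot: the `Environment` and `RequestHeader` custom tag descriptions ("Environment adds the value of an environment variable to each span.", "RequestHeader adds the value of an header from the request to each span.") need a caveat: a sidecar environment variable may hold a secret, and a request header is client-controlled input that is exported verbatim to the tracing backend. Also "an header" should be "a header", and the NOTE that `custom_tags` "will fully replace any values provided by parent configuration" should use the camelCase name `customTags` shown in the field table.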
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +
    -

    Required. Name of Telemetry provider in MeshConfig.

    +

    Name of Telemetry provider in MeshConfig.

    -
    -Yes
    FieldType DescriptionRequired
    providersProviderRef[] -

    Optional. Name of providers to which this configuration should apply. +

    Name of providers to which this configuration should apply. If a provider is not specified, the default metrics provider will be used.

    -
    -No
    overridesMetricsOverrides[] -

    Optional. Ordered list of overrides to metrics generation behavior.

    +

    Ordered list of overrides to metrics generation behavior.

    Specified overrides will be applied in order. They will be applied on top of inherited overrides from other resources in the hierarchy in the following order:

    @@ -468,22 +599,17 @@ overrides from least specific to most specific matches. That is, it is a best practice to list any universal overrides first, with tailored overrides following them.

    -
    -No
    reportingIntervalDuration -

    Optional. Reporting interval allows configuration of the time between calls out to for metrics reporting. +

    Reporting interval allows configuration of the time between calls out to for metrics reporting. This currently only supports TCP metrics but we may use this for long duration HTTP streams in the future. The default duration is 5s.

    -
    -No
    FieldType DescriptionRequired
    metricIstioMetric (oneof)

    One of the well-known Istio Standard Metrics.

    -
    -No
    customMetricstring (oneof)
    +
    string (oneof)
    +

    Allows free-form specification of a metric. No validation of custom metrics is provided.

    -
    -No
    modeWorkloadMode

    Controls which mode of metrics generation is selected: CLIENT, SERVER, or CLIENT_AND_SERVER.

    -
    -No
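Review bot: `customMetric` says "No validation of custom metrics is provided." but not what a misspelled or unknown name does at runtime (override silently ignored, or rejected). A `disabled: true` override keyed on a mistyped name would leave the metric reporting while the operator believes it is off, so one sentence on that failure mode is worth adding here.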
    -

    MetricsOverrides

    -
    -

    MetricsOverrides defines custom metric generation behavior for an individual -metric or the set of all standard metrics.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchMetricSelector -

    Match allows providing the scope of the override. It can be used to select -individual metrics, as well as the workload modes (server, client, or both) -in which the metrics will be generated.

    -

    If match is not specified, the overrides will apply to all metrics for -both modes of operation (client and server).

    - -
    -No -
    disabledBoolValue -

    Optional. Must explicitly set this to true to turn off metrics reporting -for the listed metrics. If disabled has been set to true in a parent -configuration, it must explicitly be set to false to turn metrics -reporting on in the workloads selected by the Telemetry resource.

    - -
    -No -
    tagOverridesmap<string, TagOverride> -

    Optional. Collection of tag names and tag expressions to override in the -selected metric(s). -The key in the map is the name of the tag. -The value in the map is the operation to perform on the the tag. -WARNING: some providers may not support adding/removing tags. -See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    - -
    -No -
    -
    -

    AccessLogging

    -
    -

    Access logging defines the workload-level overrides for access log -generation. It can be used to select provider or enable/disable access log -generation for a workload.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchLogSelector -

    Allows tailoring of logging behavior to specific conditions.

    - -
    -No -
    providersProviderRef[] -

    Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the default logging -provider will be used.

    - -
    -No -
    disabledBoolValue -

    Controls logging. If set to true, no access logs will be generated for -impacted workloads (for the specified providers). -NOTE: currently default behavior will be controlled by the provider(s) -selected above. Customization controls will be added to this API in -future releases.

    - -
    -No -
    filterFilter -

    Optional. If specified, this filter will be used to select specific -requests/connections for logging.

    - -
    -No -
    -
    -

    Tracing.TracingSelector

    -
    -

    TracingSelector provides a coarse-grained ability to configure tracing -behavior based on certain traffic metadata (such as traffic direction).

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeWorkloadMode -

    This determines whether or not to apply the tracing configuration -based on the direction of traffic relative to the proxied workload.

    - -
    -No -
    -
    -

    Tracing.CustomTag

    -
    -

    CustomTag defines a tag to be added to a trace span that is based on -an operator-supplied value. This value can either be a hard-coded value, -a value taken from an environment variable known to the sidecar proxy, or -from a request header.

    -

    NOTE: when specified, custom_tags will fully replace any values provided -by parent configuration.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    literalLiteral (oneof) -

    Literal adds the same, hard-coded value to each span.

    - -
    -No -
    environmentEnvironment (oneof) -

    Environment adds the value of an environment variable to each span.

    - -
    -No -
    headerRequestHeader (oneof) -

    RequestHeader adds the value of an header from the request to each -span.

    - -
    -No -
    -
    -

    Tracing.Literal

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valuestring -

    The tag value to use.

    - -
    -Yes -
    -
    -

    Tracing.Environment

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    Name of the environment variable from which to extract the tag value.

    - -
    -Yes -
    defaultValuestring -

    Optional. If the environment variable is not found, this value will be -used instead.

    - -
    -No -
    -
    -

    Tracing.RequestHeader

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    Name of the header from which to extract the tag value.

    - -
    -Yes -
    defaultValuestring -

    Optional. If the header is not found, this value will be -used instead.

    - -
    -No -
    -
    -

    MetricsOverrides.TagOverride

    -
    -

    TagOverride specifies an operation to perform on a metric dimension (also -known as a label). Tags may be added, removed, or have their default -values overridden.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    operationOperation -

    Operation controls whether or not to update/add a tag, or to remove it.

    - -
    -No -
    valuestring -

    Value is only considered if the operation is UPSERT. -Values are CEL expressions over -attributes. Examples include: string(destination.port) and -request.host. Istio exposes all standard Envoy -attributes. -Additionally, Istio exposes node metadata as attributes. -More information is provided in the customization -docs.

    - -
    -No -
    -
    -

    AccessLogging.LogSelector

    -
    -

    LogSelector provides a coarse-grained ability to configure logging behavior -based on certain traffic metadata (such as traffic direction). LogSelector -applies to traffic metadata which is not represented in the attribute set -currently supported by filters. -It allows control planes to limit the configuration sent to individual workloads. -Finer-grained logging behavior can be further configured via filter.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeWorkloadMode -

    This determines whether or not to apply the access logging configuration -based on the direction of traffic relative to the proxied workload.

    - -
    -No -
    -
    -

    AccessLogging.Filter

    -
    -

    Allows specification of an access log filter.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    expressionstring -

    CEL expression for selecting when requests/connections should be logged.

    -

    Examples:

    -
      -
    • response.code >= 400
    • -
    • connection.mtls && request.url_path.contains('v1beta3')
    • -
    • !has(request.useragent) || !(request.useragent.startsWith("Amazon-Route53-Health-Check-Service"))
    • -
    - -
    -No -
    -
    -

    MetricSelector.IstioMetric

    +

    IstioMetric
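Review bot: this hunk flattens nested type names into top-level headings (`Tracing.CustomTag` becomes `CustomTag`, `MetricsOverrides.TagOverride` becomes `TagOverride`, `MetricsOverrides.TagOverride.Operation` becomes `Operation`, `AccessLogging.Filter` becomes `Filter`, `MetricSelector.IstioMetric` becomes `IstioMetric`), which changes the generated section anchors and breaks existing deep links. `Operation` and `Filter` are also generic enough to collide if another type on the same page gets the same short name. Suggest emitting the old ids as aliases, or keeping the qualified names in the heading id.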

    Curated list of known metric types that is supported by Istio metric providers. See also: @@ -1135,7 +816,104 @@ traffic.

    -

    MetricsOverrides.TagOverride.Operation

    +

    MetricsOverrides

    +
    +

    MetricsOverrides defines custom metric generation behavior for an individual +metric or the set of all standard metrics.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Match allows providing the scope of the override. It can be used to select +individual metrics, as well as the workload modes (server, client, or both) +in which the metrics will be generated.

    +

    If match is not specified, the overrides will apply to all metrics for +both modes of operation (client and server).

    + +
    +

    Must explicitly set this to true to turn off metrics reporting +for the listed metrics. If disabled has been set to true in a parent +configuration, it must explicitly be set to false to turn metrics +reporting on in the workloads selected by the Telemetry resource.

    + +
    +
    map<string, TagOverride>
    +
    +

    Collection of tag names and tag expressions to override in the +selected metric(s). +The key in the map is the name of the tag. +The value in the map is the operation to perform on the the tag. +WARNING: some providers may not support adding/removing tags. +See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    + +
    +
    +

    TagOverride

    +
    +

    TagOverride specifies an operation to perform on a metric dimension (also +known as a label). Tags may be added, removed, or have their default +values overridden.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Operation controls whether or not to update/add a tag, or to remove it.

    + +
    +
    string
    +
    +

    Value is only considered if the operation is UPSERT. +Values are CEL expressions over +attributes. Examples include: string(destination.port) and +request.host. Istio exposes all standard Envoy +attributes. +Additionally, Istio exposes node metadata as attributes. +More information is provided in the customization +docs.

    + +
    +
    +

    Operation
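Review bot: `value` in TagOverride gives `request.host` as an example CEL expression for a metric label; that is a client-controlled value, so an UPSERT using it lets any caller mint new label values and drive cardinality on the selected provider without bound. Worth a sentence next to the existing "WARNING: some providers may not support adding/removing tags." advising that tag expressions be derived from trusted attributes or bounded with a CEL conditional.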

    @@ -1159,6 +937,126 @@ traffic.

    Specifies that the tag should not be included in the metric when generated.

    + + + +
    +
    +

    AccessLogging

    +
    +

    Access logging defines the workload-level overrides for access log +generation. It can be used to select provider or enable/disable access log +generation for a workload.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Allows tailoring of logging behavior to specific conditions.

    + +
    +

    Name of providers to which this configuration should apply. +If a provider is not specified, the default logging +provider will be used.

    + +
    +

    Controls logging. If set to true, no access logs will be generated for +impacted workloads (for the specified providers). +NOTE: currently default behavior will be controlled by the provider(s) +selected above. Customization controls will be added to this API in +future releases.

    + +
    +

    If specified, this filter will be used to select specific +requests/connections for logging.

    + +
    +
    +

    LogSelector

    +
    +

    LogSelector provides a coarse-grained ability to configure logging behavior +based on certain traffic metadata (such as traffic direction). LogSelector +applies to traffic metadata which is not represented in the attribute set +currently supported by filters. +It allows control planes to limit the configuration sent to individual workloads. +Finer-grained logging behavior can be further configured via filter.

    + + + + + + + + + + + + + + +
    FieldDescription
    +

    This determines whether or not to apply the access logging configuration +based on the direction of traffic relative to the proxied workload.

    + +
    +
    +

    Filter

    +
    +

    Allows specification of an access log filter.

    + + + + + + + + + + + + diff --git a/content/en/docs/reference/config/type/workload-selector/index.html b/content/en/docs/reference/config/type/workload-selector/index.html index 182bfcda66..f0269af6b9 100644 --- a/content/en/docs/reference/config/type/workload-selector/index.html +++ b/content/en/docs/reference/config/type/workload-selector/index.html @@ -21,23 +21,19 @@ selected. Currently, only label based selection mechanism is supported.

    - - - - + - @@ -52,21 +48,18 @@ a listener having a specific port.

    - - - - + - @@ -107,55 +100,47 @@ spec: - - - - + - - - + - - - + - - - + - diff --git a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html index d8746cc5ad..4d43621c47 100644 --- a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -20,216 +20,42 @@ messages. All information should be static with respect to the error code.

    - - - - + - - - + - - - + -
    FieldDescription
    +
    string
    +
    +

    CEL expression for selecting when requests/connections should be logged.

    +

    Examples:

    +
      +
    • response.code >= 400
    • +
    • connection.mtls && request.url_path.contains('v1beta3')
    • +
    • !has(request.useragent) || !(request.useragent.startsWith("Amazon-Route53-Health-Check-Service"))
    • +
    +
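Review bot: the Filter example `!has(request.useragent) || !(request.useragent.startsWith("Amazon-Route53-Health-Check-Service"))` suppresses access logs based on a client-supplied User-Agent, so any caller can opt out of logging by sending that string. The description should warn that expressions over request headers are attacker-influenced and suggest pairing such a filter with a source identity or address check. `expression` also does not say what happens when the expression fails to evaluate (logged or dropped), which matters for anyone building detections on these logs.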
    FieldType DescriptionRequired
    matchLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.

    -
    -No
    FieldType DescriptionRequired
    numberuint32
    +
    uint32
    +
    Required
    +

    Port number

    -
    -Yes
    FieldType DescriptionRequired
    groupstring
    +
    string
    +

    group is the group of the target resource.

    -
    -No
    kindstring
    +
    string
    +
    Required
    +

    kind is kind of the target resource.

    -
    -Yes
    namestring
    +
    string
    +
    Required
    +

    name is the name of the target resource.

    -
    -Yes
    namespacestring
    +
    string
    +

    namespace is the namespace of the referent. When unspecified, the local namespace is inferred.

    -
    -No
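Review bot: `number` in PortSelector is marked Required with the description "Port number" only; it is a `uint32`, so say whether 0 and values above 65535 are rejected at validation. Likewise `namespace` in PolicyTargetReference says "When unspecified, the local namespace is inferred." but not whether a reference to a resource in another namespace is honoured, which is the security-relevant case for a policy attached across namespace boundaries.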
    FieldType DescriptionRequired
    typeType -No -
    levelLevel

    Represents how severe a message is. Required.

    -
    -No
    documentationUrlstring

    A url pointing to the Istio documentation for this specific error type. Should be of the form ^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/ Required.

    -
    -No
    -

    AnalysisMessageWeakSchema

    -
    -

    AnalysisMessageWeakSchema is the set of information that’s needed to define a -weakly-typed schema. The purpose of this proto is to provide a mechanism for -validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make -sure that we don’t allow committing underspecified types.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    messageBaseAnalysisMessageBase -

    Required

    - -
    -No -
    descriptionstring -

    A human readable description of what the error means. Required.

    - -
    -No -
    templatestring -

    A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) -defining how to combine the args for a particular message into a log line. -Required.

    - -
    -No -
    argsArgType[] -

    A description of the arguments for a particular message type

    - -
    -No -
    -
    -

    GenericAnalysisMessage

    -
    -

    GenericAnalysisMessage is an instance of an AnalysisMessage defined by a -schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code -should be able to perform validation of arguments as needed by using the -message type information to look at the AnalysisMessageWeakSchema and examine the -list of args at runtime. Developers can also create stronger-typed versions -of GenericAnalysisMessage for well-known and stable message types.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    messageBaseAnalysisMessageBase -

    Required

    - -
    -No -
    argsStruct -

    Any message-type specific arguments that need to get codified. Optional.

    - -
    -No -
    resourcePathsstring[] -

    A list of strings specifying the resource identifiers that were the cause -of message generation. A “path” here is a (NAMESPACE/)?RESOURCETYPE/NAME -tuple that uniquely identifies a particular resource. There doesn’t seem to -be a single concept for this, but this is intuitively taken from -https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology -At least one is required.

    - -
    -No -
    -
    -

    InternalErrorAnalysisMessage

    -
    -

    InternalErrorAnalysisMessage is a strongly-typed message representing some -error in Istio code that prevented us from performing analysis at all.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    messageBaseAnalysisMessageBase -

    Required

    - -
    -No -
    detailstring -

    Any detail regarding specifics of the error. Should be human-readable.

    - -
    -No -
    -
    -

    AnalysisMessageBase.Type

    +

    Type
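Review bot: `level` reads "Represents how severe a message is. Required." and `documentationUrl` ends with "Required.", yet the removed cells for both read `-No` and this hunk adds no `Required` marker for them (compare the `Required` cell added for `number` and `kind` elsewhere in this patch); either the proto annotation or the prose is wrong, and the generator should be the single source. The `documentationUrl` pattern `^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/` also leaves the dot in `istio.io` unescaped, so it matches any character there.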

    A unique identifier for the type of message. Name is intended to be human-readable, code is intended to be machine readable. There should be a @@ -240,82 +66,36 @@ codes between message types.)

    Field -Type Description -Required -name -string +
    +
    string
    +

    A human-readable name for the message type. e.g. “InternalError”, “PodMissingProxy”. This should be the same for all messages of the same type. Required.

    - - -No -code -string +
    +
    string
    +

    A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify the message type. (e.g. “IST0001” is mapped to the “InternalError” message type.) 0000-0100 are reserved. Required.

    - - -No
    -

    AnalysisMessageWeakSchema.ArgType

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    Required

    - -
    -No -
    goTypestring -

    Required. Should be a golang type, used in code generation. -Ideally this will change to a less language-pinned type before this gets -out of alpha, but for compatibility with current istio/istio code it’s -go_type for now.

    - -
    -No -
    -
    -

    AnalysisMessageBase.Level

    +

    Level

    The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later
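Review bot: same Required mismatch for `name` and `code` in Type: both descriptions end with "Required." while the removed cells read `-No` and no `Required` marker is added in this hunk. Move the requirement into the field annotation so the marker is generated, and drop the trailing "Required." from the prose.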

    @@ -353,3 +133,179 @@ as well as leaving space in between to add more later

    +

    AnalysisMessageWeakSchema

    +
    +

    AnalysisMessageWeakSchema is the set of information that’s needed to define a +weakly-typed schema. The purpose of this proto is to provide a mechanism for +validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make +sure that we don’t allow committing underspecified types.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Required

    + +
    +
    string
    +
    +

    A human readable description of what the error means. Required.

    + +
    +
    string
    +
    +

    A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) +defining how to combine the args for a particular message into a log line. +Required.

    + +
    +

    A description of the arguments for a particular message type

    + +
    +
    +

    ArgType

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Required

    + +
    +
    string
    +
    +

    Should be a golang type, used in code generation. +Ideally this will change to a less language-pinned type before this gets +out of alpha, but for compatibility with current istio/istio code it’s +go_type for now.

    + +
    +
    +

    GenericAnalysisMessage

    +
    +

    GenericAnalysisMessage is an instance of an AnalysisMessage defined by a +schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code +should be able to perform validation of arguments as needed by using the +message type information to look at the AnalysisMessageWeakSchema and examine the +list of args at runtime. Developers can also create stronger-typed versions +of GenericAnalysisMessage for well-known and stable message types.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Required

    + +
    +

    Any message-type specific arguments that need to get codified. Optional.

    + +
    +
    string[]
    +
    +

    A list of strings specifying the resource identifiers that were the cause +of message generation. A “path” here is a (NAMESPACE/)?RESOURCETYPE/NAME +tuple that uniquely identifies a particular resource. There doesn’t seem to +be a single concept for this, but this is intuitively taken from +https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology +At least one is required.

    + +
    +
    +

    InternalErrorAnalysisMessage

    +
    +

    InternalErrorAnalysisMessage is a strongly-typed message representing some +error in Istio code that prevented us from performing analysis at all.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Required

    + +
    +
    string
    +
    +

    Any detail regarding specifics of the error. Should be human-readable.

    + +
    +
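Review bot: in the added rows of the AnalysisMessageWeakSchema, ArgType, GenericAnalysisMessage and InternalErrorAnalysisMessage tables only the type ("string", "string[]") and the description are visible; no added line carries a field name, and "Required" shows up as a free-standing row rather than a column value. Verify the generator emits the field-name cell for each row before merging, since a reference table without field names is unusable. Separately, the AnalysisMessageWeakSchema description still points at istio/istio/galley/pkg/config/analysis/msg/messages.yaml; that text comes from the proto comment, so if the path is stale it has to be corrected upstream rather than in this generated output.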
    diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html index 8af48d6912..73ea8b5686 100644 --- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -19,110 +19,93 @@ number_of_entries: 78 Field -Type Description -Required -proxyListenPort -int32 +

    Port on which Envoy should listen for all outbound traffic to other services. Default port is 15001.

    - - -No -proxyInboundListenPort -int32 +

    Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. Default port is 15006.

    - - -No -proxyHttpPort -int32 +
    +
    int32
    +

    Port on which Envoy should listen for HTTP PROXY requests if set.

    - - -No -connectTimeout -Duration +

    Connection timeout used by Envoy. (MUST be >=1ms) Default timeout is 10s.

    - - -No -tcpKeepalive -TcpKeepalive +

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    - - -No -ingressClass -string +
    +
    string
    +

    Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of kubernetes.io/ingress.class annotation.

    - - -No -ingressService -string +
    +
    string
    +

    Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value istio-ingressgateway is used.

    - - -No -ingressControllerMode -IngressControllerMode +

    Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is STRICT.

    - - -No -ingressSelector -string +
    +
    string
    +

    Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. @@ -130,90 +113,76 @@ By default, ingressgateway is used, which will select the default I istio: ingressgateway labels. It is recommended that this is the same value as ingressService.

    - - -No -enableTracing -bool +

    Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

    - - -No -accessLogFile -string +
    +
    string
    +

    File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

    - - -No -accessLogFormat -string +
    +
    string
    +

    Format for the proxy access log Empty value results in proxy’s default access log format

    - - -No -accessLogEncoding -AccessLogEncoding +

    Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.

    - - -No -enableEnvoyAccessLogService -bool +

    This flag enables Envoy’s gRPC Access Log Service. See Access Log Service for details about Envoy’s gRPC Access Log Service API. Default value is false.

    - - -No -disableEnvoyListenerLog -bool +

    This flag disables Envoy Listener logs. See Listener Access Log Istio Enables Envoy’s listener access logs on “NoRoute” response flag. Default value is false.

    - - -No -defaultConfig -ProxyConfig +

    Default proxy config used by gateway and sidecars. In case of Kubernetes, the proxy config is applied once during the injection process, @@ -221,14 +190,12 @@ and remain constant for the duration of the pod. The rest of the mesh config can at runtime and config gets distributed dynamically. On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

    - - -No -outboundTrafficPolicy -OutboundTrafficPolicy +

    Set the default behavior of the sidecar for handling outbound traffic from the application.
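Review bot: the regenerated MeshConfig table drops the Type and Required columns (the header loses "Type" and "Required" and every "No" cell is removed), but the type only reappears inline for some fields: proxyHttpPort gets "int32" and ingressClass, ingressService, ingressSelector, accessLogFile and accessLogFormat get "string", while proxyListenPort, proxyInboundListenPort, connectTimeout, tcpKeepalive, ingressControllerMode, enableTracing, accessLogEncoding, enableEnvoyAccessLogService, disableEnvoyListenerLog, defaultConfig and outboundTrafficPolicy show no type in the visible added lines. Confirm that message- and enum-typed fields still render their type (and the link to ProxyConfig, AccessLogEncoding, OutboundTrafficPolicy, etc.) in the generated HTML; if the diff view is merely hiding unchanged lines, say so in the PR description.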

    @@ -236,40 +203,34 @@ traffic from the application.

    Sidecar API.

    Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

    - - -No -inboundTrafficPolicy -InboundTrafficPolicy +

    Set the default behavior of the sidecar for handling inbound traffic to the application. If your application listens on localhost, you will need to set this to LOCALHOST.

    - - -No -configSources -ConfigSource[] +

    ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.

    - - -No -enableAutoMtls -BoolValue +

    This flag is used to enable mutual TLS automatically for service to service communication within the mesh, default true. @@ -283,26 +244,22 @@ If the upstream authentication policy is in PERMISSIVE mode, Istio configures cl mutual TLS when server sides are capable of accepting mutual TLS traffic. If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

    - - -No -trustDomain -string +
    +
    string
    +

    The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID

    - - -No -trustDomainAliases -string[] +
    +
    string[]
    +

    The trust domain aliases represent the aliases of trustDomain. For example, if we have

    @@ -312,28 +269,24 @@ trustDomainAliases: ["td2", "td3"]

    Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

    - - -No -caCertificates -CertificateData[] +

    The extra root certificates for workload-to-workload communication. The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

    - - -No -defaultServiceExportTo -string[] +

    The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to @@ -357,42 +310,36 @@ namespace.

    For further discussion see the reference documentation for ServiceEntry, Sidecar, and Gateway.

    - - -No -defaultVirtualServiceExportTo -string[] +

    The default value for the VirtualService.exportTo field. Has the same syntax as defaultServiceExportTo.

    If not set the system will use “*” as the default value which implies that virtual services are exported to all namespaces

    - - -No -defaultDestinationRuleExportTo -string[] +

    The default value for the DestinationRule.exportTo field. Has the same syntax as defaultServiceExportTo.

    If not set the system will use “*” as the default value which implies that destination rules are exported to all namespaces

    - - -No -rootNamespace -string +
    +
    string
    +

    The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for @@ -402,54 +349,46 @@ namespace is processed as if it were declared in the leaf namespace.

    The precise semantics of this processing are documented on each resource type.

    - - -No -localityLbSetting -LocalityLoadBalancerSetting +

    Locality based load balancing distribution or failover settings. If unspecified, locality based load balancing will be enabled by default. However, this requires outlierDetection to actually take effect for a particular service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/

    - - -No -dnsRefreshRate -Duration +

    Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 60s.

    - - -No -h2UpgradePolicy -H2UpgradePolicy +

    Specify if http1.1 connections should be upgraded to http2 by default. if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

    - - -No -inboundClusterStatName -string +

    Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. @@ -470,14 +409,12 @@ For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local%SERVICE% will use reviews.prod as the stats name. - - -No -outboundClusterStatName -string +

    Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. @@ -498,14 +435,12 @@ For example outbound|8080|v2|reviews.prod.svc.cluster.local. This c

  • %SERVICE% will use reviews.prod as the stats name.
  • - - -No -enablePrometheusMerge -BoolValue +

    If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod @@ -517,37 +452,31 @@ In this case, it is recommended to disable aggregation on that deployment with t prometheus.istio.io/merge-metrics: "false" annotation. If not specified, this will be enabled by default.

    - - -No -extensionProviders -ExtensionProvider[] +

    Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.

    - - -No -defaultProviders -DefaultProviders +

    Specifies extension providers to use by default in Istio configuration resources.

    - - -No -discoverySelectors -LabelSelector[] +

    A list of Kubernetes selectors that specify the set of namespaces that Istio considers when computing configuration updates for sidecars. This can be used to reduce Istio’s computational load @@ -573,14 +502,12 @@ The following example selects any namespace that matches either below:

    Refer to the Kubernetes selector docs for additional detail on selector semantics.

    - - -No -pathNormalization -ProxyPathNormalization +

    ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. @@ -590,14 +517,12 @@ authorization policy match and enforcement in inbound direction (server proxy), path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used.

    - - -No -defaultHttpRetryPolicy -HTTPRetry +

    Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: @@ -608,14 +533,12 @@ API. All settings in the retry policy except perTryTimeout can currently be configured globally via this field.

    - - -No -meshMTLS -TLSConfig +

    The below configuration parameters can be used to specify TLSConfig for mesh traffic. For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:
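Review bot: the outboundClusterStatName cell looks mis-nested: its "%SERVICE% will use reviews.prod as the stats name" example renders as a bullet, and the next row ("- - -No -enablePrometheusMerge -BoolValue +") renders as a second bullet of the same list, whereas the inboundClusterStatName cell just above keeps its "%SERVICE%" example inline. Check that the list in that cell is closed before the row boundary in the generated markup. The same missing-inline-type pattern as earlier in this file shows here for caCertificates, localityLbSetting, h2UpgradePolicy, extensionProviders, defaultProviders, discoverySelectors, pathNormalization, defaultHttpRetryPolicy and meshMTLS, while trustDomain, trustDomainAliases and rootNamespace get "string"/"string[]" lines.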

    @@ -631,184 +554,23 @@ For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and sp

    Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.

    Note: Mesh mTLS does not respect ECDH curves.

    - - -No -tlsDefaults -TLSConfig +

    Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.

    - - -No -

    LabelSelector

    -
    -

    A label selector requirement is a selector that contains values, a key, and an operator that -relates the key and values. -Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchLabelsmap<string, string> -

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is “key”, the -operator is “In”, and the values array contains only “value”. The requirements are ANDed.

    - -
    -No -
    matchExpressionsLabelSelectorRequirement[] -

    matchExpressions is a list of label selector requirements. The requirements are ANDed.

    - -
    -No -
    -
    -

    LabelSelectorRequirement

    -
    -

    A label selector requirement is a selector that contains values, a key, and an operator that -relates the key and values. -Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    keystring -

    key is the label key that the selector applies to.

    - -
    -No -
    operatorstring -

    operator represents a key’s relationship to a set of values. -Valid operators are In, NotIn, Exists and DoesNotExist.

    - -
    -No -
    valuesstring[] -

    values is an array of string values. If the operator is In or NotIn, -the values array must be non-empty. If the operator is Exists or DoesNotExist, -the values array must be empty. This array is replaced during a strategic -merge patch.

    - -
    -No -
    -
    -

    ConfigSource

    -
    -

    ConfigSource describes information about a configuration store inside a -mesh. A single control plane instance can interact with one or more data -sources.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of the server implementing the Istio Mesh Configuration -protocol (MCP). Can be IP address or a fully qualified DNS name. -Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or -fs:/// to specify a file-based backend with absolute path to the directory.

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. If the MCP server -uses Istio mutual TLS and shares the root CA with istiod, specify the TLS -mode as ISTIO_MUTUAL.

    - -
    -No -
    subscribedResourcesResource[] -

    Describes the source of configuration, if nothing is specified default is MCP

    - -
    -No -
    -
    -

    MeshConfig.OutboundTrafficPolicy

    +

    OutboundTrafficPolicy

    OutboundTrafficPolicy sets the default behavior of the sidecar for handling unknown outbound traffic from the application.
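Review bot: this hunk (-631,184 +554,23) removes the LabelSelector, LabelSelectorRequirement and ConfigSource type definitions from the zh MeshConfig reference without adding replacements, yet discoverySelectors (LabelSelector[]) and configSources (ConfigSource[]) earlier in the same table still refer to them, so their type links will dangle unless these sections are regenerated elsewhere. The removed ConfigSource text also carries the operator-facing guidance on setting tlsSettings to ISTIO_MUTUAL for an MCP server that shares the root CA with istiod and on the xds://, k8s:// and fs:/// address schemes; confirm that guidance survives in the regenerated output rather than being silently dropped from the localized docs.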

    @@ -817,3787 +579,21 @@ handling unknown outbound traffic from the application.

    Field -Type Description -Required -mode -Mode + - -No -
    -

    MeshConfig.InboundTrafficPolicy

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeMode - -No -
    -
    -

    MeshConfig.CertificateData

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pemstring (oneof) -

    The PEM data of the certificate.

    - -
    -No -
    spiffeBundleUrlstring (oneof) -

    The SPIFFE bundle endpoint URL that complies to: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle -The endpoint should support authentication based on Web PKI: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki -The certificate is retrieved from the endpoint.

    - -
    -No -
    certSignersstring[] -

    Optional. Specify the kubernetes signers (External CA) that use this trustAnchor -when Istiod is acting as RA(registration authority) -If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

    - -
    -No -
    trustDomainsstring[] -

    Optional. Specify the list of trust domains to which this trustAnchor data belongs. -If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain -and its aliases. -Note that we can have multiple trustAnchor data for a same trustDomain. -In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. -If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. -If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. -If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. -If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.

    - -
    -No -
    -
    -

    MeshConfig.CA

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    REQUIRED. Address of the CA server implementing the Istio CA gRPC API. -Can be IP address or a fully qualified DNS name with port -Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. -Regarding tlsSettings:

    -
      -
    • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. -DISABLE MODE can also be used for testing
    • -
    • TLS MUTUAL MODE be on by default. If the CA certificates -(cert bundle to verify the CA server’s certificate) is omitted, Istiod will -use the system root certs to verify the CA server’s certificate.
    • -
    - -
    -No -
    requestTimeoutDuration -

    timeout for forward CSR requests from Istiod to External CA -Default: 10s

    - -
    -No -
    istiodSidebool -

    Use istiodSide to specify CA Server integrate to Istiod side or Agent side -Default: true

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    REQUIRED. A unique name identifying the extension provider.

    - -
    -No -
    envoyExtAuthzHttpEnvoyExternalAuthorizationHttpProvider (oneof) -

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

    - -
    -No -
    envoyExtAuthzGrpcEnvoyExternalAuthorizationGrpcProvider (oneof) -

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

    - -
    -No -
    zipkinZipkinTracingProvider (oneof) -

    Configures a tracing provider that uses the Zipkin API.

    - -
    -No -
    datadogDatadogTracingProvider (oneof) -

    Configures a Datadog tracing provider.

    - -
    -No -
    skywalkingSkyWalkingTracingProvider (oneof) -

    Configures a Apache SkyWalking provider.

    - -
    -No -
    opentelemetryOpenTelemetryTracingProvider (oneof) -

    Configures an OpenTelemetry tracing provider.

    - -
    -No -
    prometheusPrometheusMetricsProvider (oneof) -

    Configures a Prometheus metrics provider.

    - -
    -No -
    envoyFileAccessLogEnvoyFileAccessLogProvider (oneof) -

    Configures an Envoy File Access Log provider.

    - -
    -No -
    envoyHttpAlsEnvoyHttpGrpcV3LogProvider (oneof) -

    Configures an Envoy Access Logging Service provider for HTTP traffic.

    - -
    -No -
    envoyTcpAlsEnvoyTcpGrpcV3LogProvider (oneof) -

    Configures an Envoy Access Logging Service provider for TCP traffic.

    - -
    -No -
    envoyOtelAlsEnvoyOpenTelemetryLogProvider (oneof) -

    Configures an Envoy Open Telemetry Access Logging Service provider.

    - -
    -No -
    -
    -

    MeshConfig.DefaultProviders

    -
    -

    Holds the name references to the providers that will be used by default -in other Istio configuration resources if the provider is not specified.

    -

    These names must match a provider defined in extensionProviders that is -one of the supported tracing providers.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    tracingstring[] -

    Name of the default provider(s) for tracing.

    - -
    -No -
    metricsstring[] -

    Name of the default provider(s) for metrics.

    - -
    -No -
    accessLoggingstring[] -

    Name of the default provider(s) for access logging.

    - -
    -No -
    -
    -

    MeshConfig.ProxyPathNormalization

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    normalizationNormalizationType - -No -
    -
    -

    MeshConfig.TLSConfig

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    minProtocolVersionTLSProtocol -

    Optional: the minimum TLS protocol version. The default minimum -TLS version will be TLS 1.2. As servers may not be Envoy and be -set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the -minimum TLS version for clients may also be TLS 1.2. -In the current Istio implementation, the maximum TLS protocol version -is TLS 1.3.

    - -
    -No -
    ecdhCurvesstring[] -

    Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. -If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to -Ecdh Curves.

    - -
    -No -
    cipherSuitesstring[] -

    Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. -If not specified, the following cipher suites will be used:

    -
    ECDHE-ECDSA-AES256-GCM-SHA384
    -ECDHE-RSA-AES256-GCM-SHA384
    -ECDHE-ECDSA-AES128-GCM-SHA256
    -ECDHE-RSA-AES128-GCM-SHA256
    -AES256-GCM-SHA384
    -AES128-GCM-SHA256
    -
    - -
    -No -
    -
    -

    MeshConfig.ServiceSettings.Settings

    -
    -

    Settings for the selected services.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    clusterLocalbool -

    If true, specifies that the client and service endpoints must reside in the same cluster. -By default, in multi-cluster deployments, the Istio control plane assumes all service -endpoints to be reachable from any client in any of the clusters which are part of the -mesh. This configuration option limits the set of service endpoints visible to a client -to be cluster scoped.

    -

    There are some common scenarios when this can be useful:

    -
      -
    • A service (or group of services) is inherently local to the cluster and has local storage -for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
    • -
    • A mesh administrator wants to slowly migrate services to Istio. They might start by first -having services cluster-local and then slowly transition them to mesh-wide. They could do -this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group -(e.g. *.myns.svc.cluster.local).
    • -
    -

    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all -services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    maxRequestBytesuint32 -

    Sets the maximum size of a message body that the ext-authz filter will hold in memory. -If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). -Otherwise the request will be sent to the provider with a partial message. -Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the -failOpen is set to true.

    - -
    -No -
    allowPartialMessagebool -

    When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. -The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. -A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message -indicating if the body data is partial.

    - -
    -No -
    packAsBytesbool -

    If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes -in the raw_body field. -Otherwise, it will be filled with UTF-8 string in the body field. -This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    timeoutDuration -

    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. -In this situation, the response sent back to the client will depend on the configured failOpen field.

    - -
    -No -
    pathPrefixstring -

    Sets a prefix to the value of authorization request header Path. -For example, setting this to “/check” for an original user request at path “/admin” will cause the -authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

    - -
    -No -
    failOpenbool -

    If true, the user request will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. -Default is false and the request will be rejected with “Forbidden” response.

    - -
    -No -
    clearRouteCachebool -

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. -If true, recalculate routes with the new ExtAuthZ added/removed headers. -Default is false

    - -
    -No -
    statusOnErrorstring -

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

    - -
    -No -
    includeRequestHeadersInCheckstring[] -

    List of client request headers that should be included in the authorization request sent to the authorization service. -Note that in addition to the headers specified here following headers are included by default:

    -
      -
    1. Host, Method, Path and Content-Length are automatically sent.
    2. -
    3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization -request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), -consequently the value of Content-Length of the authorization request reflects the size of its payload size.
    4. -
    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    includeAdditionalHeadersInCheckmap<string, string> -

    Set of additional fixed headers that should be included in the authorization request sent to the authorization service. -Key is the header name and value is the header value. -Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.

    - -
    -No -
    includeRequestBodyInCheckEnvoyExternalAuthorizationRequestBody -

    If set, the client request body will be included in the authorization request sent to the authorization service.

    - -
    -No -
    headersToUpstreamOnAllowstring[] -

    List of headers from the authorization service that should be added or overridden in the original request and -forwarded to the upstream when the authorization check result is allowed (HTTP code 200). -If not specified, the original request will not be modified and forwarded to backend as-is. -Note, any existing headers will be overridden.

    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    headersToDownstreamOnDenystring[] -

    List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is not allowed (HTTP code other than 200). -If not specified, all the authorization response headers, except Authority (Host) will be in the response to -the downstream. -When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are -automatically added. -Note, the body from the authorization service is always included in the response to downstream.

    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    headersToDownstreamOnAllowstring[] -

    List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is allowed (HTTP code 200). -If not specified, the original response will not be modified and forwarded to downstream as-is. -Note, any existing headers will be overridden.

    -

    Exact, prefix and suffix matches are supported (similar to the -authorization policy rule syntax -except the presence match):

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    - -
    -No -
    includeHeadersInCheckstring[] -

    DEPRECATED. Use includeRequestHeadersInCheck instead.

    - -
    -No -
    -
    -
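Review bot: the three header-list rows in this table state the default behaviour without its security consequence. headersToDownstreamOnDeny says that when the list is unset, every authorization response header except Host is returned to the client, and headersToUpstreamOnAllow and headersToDownstreamOnAllow both note that matching headers override existing ones. Suggest one sentence per row spelling that out: leaving the deny list unset exposes whatever internal headers the ext_authz service sets to untrusted clients, so an explicit allowlist should be configured; and because the allow lists overwrite client-supplied values, the upstream should treat only headers named here as authz-provided, which is exactly what makes the override useful against header spoofing. The "Exact, prefix and suffix matches" paragraph is repeated verbatim under all three rows and could be stated once above the table.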

    MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    timeoutDuration -

    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. -In this situation, the response sent back to the client will depend on the configured failOpen field.

    - -
    -No -
    failOpenbool -

    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. -Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

    - -
    -No -
    clearRouteCachebool -

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. -If true, recalculate routes with the new ExtAuthZ added/removed headers. -Default is false

    - -
    -No -
    statusOnErrorstring -

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

    - -
    -No -
    includeRequestBodyInCheckEnvoyExternalAuthorizationRequestBody -

    If set, the client request body will be included in the authorization request sent to the authorization service.

    - -
    -No -
    -
    -
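Review bot: service and port open with "REQUIRED." in the description while the Required column says "No", and the same mismatch recurs in every provider table that follows (Zipkin, Lightstep, Datadog, SkyWalking, OpenCensusAgent, the three ALS providers, OpenTelemetry, HttpService.path, HttpHeader, DynatraceSampler, DynatraceApi); either the generator should fill the column from the marker or the marker should go. Separately, the timeout row gives a default of 600s while failOpen defaults to false and statusOnError to "403"; the page should say plainly that with these defaults an unresponsive authorization service holds each request for up to ten minutes before the 403 is returned, and that failOpen: true also admits requests when the service answers 5xx, so it trades availability for a possible authorization bypass and belongs only on paths where that is acceptable.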

    MeshConfig.ExtensionProvider.ZipkinTracingProvider

    -
    -

    Defines configuration for a Zipkin tracer.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that the Zipkin API. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    enable64bitTraceIdbool -

    Optional. A 128 bit trace id will be used in Istio. -If true, will result in a 64 bit trace id being used.

    - -
    -No -
    pathstring -

    Optional. Specifies the endpoint of Zipkin API. -The default value is “/api/v2/spans”.

    - -
    -No -
    -
    -
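Review bot: "REQUIRED. Specifies the service that the Zipkin API." is missing its verb (compare "Specifies the service for the Lightstep collector" in the next table); if the regenerated text carries the same sentence, the fix belongs in the proto comment it is generated from. The enable64bitTraceId row also reads backwards: state the 128-bit default first, then "if true, a 64-bit trace id is used instead".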

    MeshConfig.ExtensionProvider.LightstepTracingProvider

    -
    -

    Defines configuration for a Lightstep tracer. -Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ -will generate OpenTelemetry-compatible configuration when using this option.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the Lightstep collector. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    accessTokenstring -

    The Lightstep access token.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    -
    -
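Review bot: accessToken is a bearer credential placed in mesh-wide configuration, here and again as "Optional. The SkyWalking OAP access token." in the SkyWalking table below, and neither row says where the value ends up or how it is protected. Since the Tracing section further down says tracing is performed by the Envoy instances, the description should state that the token is distributed to those proxies and advise issuing a token limited to trace ingest; the OpenTelemetry provider's http.headers and grpc.initialMetadata rows have the same property and should carry the same caveat.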

    MeshConfig.ExtensionProvider.DatadogTracingProvider

    -
    -

    Defines configuration for a Datadog tracer.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the Datadog agent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.SkyWalkingTracingProvider

    -
    -

    Defines configuration for a SkyWalking tracer.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the SkyWalking receiver. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    accessTokenstring -

    Optional. The SkyWalking OAP access token.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.StackdriverProvider

    -
    -

    Defines configuration for Stackdriver.

    -

    WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used -alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus -driver in Envoy.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    loggingLogging -

    Optional. Controls Stackdriver logging behavior.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider

    -
    -

    Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

    -

    WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of -OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation -in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration -may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider -configuration MUST be accompanied by a restart of all proxies that will use that configuration.

    -

    NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used -alongside OpenCensus provider configuration.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service for the OpenCensusAgent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    contextTraceContext[] -

    Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will -write all headers.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.PrometheusMetricsProvider

    -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider

    -
    -

    Defines configuration for Envoy-based access logging that writes to -local files (and/or standard streams).

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pathstring -

    Path to a local file to write the access log entries. -This may be used to write to streams, via /dev/stderr and /dev/stdout -If unspecified, defaults to /dev/stdout.

    - -
    -No -
    logFormatLogFormat -

    Optional. Allows overriding of the default access log format.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider

    -
    -

    Defines configuration for an Envoy Access Logging Service -integration for HTTP traffic.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    logNamestring -

    Optional. The friendly name of the access log. -Defaults:

    -
      -
    • “http_envoy_accesslog”
    • -
    • “listener_envoy_accesslog”
    • -
    - -
    -No -
    filterStateObjectsToLogstring[] -

    Optional. Additional filter state objects to log.

    - -
    -No -
    additionalRequestHeadersToLogstring[] -

    Optional. Additional request headers to log.

    - -
    -No -
    additionalResponseHeadersToLogstring[] -

    Optional. Additional response headers to log.

    - -
    -No -
    additionalResponseTrailersToLogstring[] -

    Optional. Additional response trailers to log.

    - -
    -No -
    -
    -
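Review bot: "Specifies the service that implements the Envoy ALS gRPC authorization service" is a copy of the ext_authz wording; ALS is the access log service, not an authorization service, and the identical sentence appears again in the EnvoyTcpGrpcV3LogProvider and EnvoyOpenTelemetryLogProvider tables below. Suggest "Specifies the service that implements the Envoy gRPC Access Log Service (ALS)" in all three places. The logName row lists two defaults without saying which applies when; a short clause per name would resolve that.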

    MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider

    -
    -

    Defines configuration for an Envoy Access Logging Service -integration for TCP traffic.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    logNamestring -

    Optional. The friendly name of the access log. -Defaults:

    -
      -
    • “tcp_envoy_accesslog”
    • -
    • “listener_envoy_accesslog”
    • -
    - -
    -No -
    filterStateObjectsToLogstring[] -

    Optional. Additional filter state objects to log.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider

    -
    -

    Defines configuration for an Envoy OpenTelemetry (gRPC) Access Log

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    logNamestring -

    Optional. The friendly name of the access log. -Defaults:

    -
      -
    • “otel_envoy_accesslog”
    • -
    - -
    -No -
    logFormatLogFormat -

    Optional. Format for the proxy access log -Empty value results in proxy’s default access log format, following Envoy access logging formatting.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider

    -
    -

    Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a -service defined by the Kubernetes service or ServiceEntry.

    -

    Example: “otlp.default.svc.cluster.local” or “bar/otlp.example.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    maxTagLengthuint32 -

    Optional. Controls the overall path length allowed in a reported span. -NOTE: currently only controls max length of the path tag.

    - -
    -No -
    httpHttpService -

    Optional. Specifies the configuration for exporting OTLP traces via HTTP. -When empty, traces will be exported via gRPC.

    -

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:

    -
      -
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. -
    -
    - name: otel-tracing
    -  opentelemetry:
    -    port: 443
    -    service: my.olly-backend.com
    -    http:
    -      path: "/api/otlp/traces"
    -      timeout: 10s
    -      headers:
    -      - name: "my-custom-header"
    -        value: "some value"
    -
    -
      -
    1. Deploy a ServiceEntry for the observability back-end
    2. -
    -
    apiVersion: networking.istio.io/v1alpha3
    -kind: ServiceEntry
    -metadata:
    -  name: my-olly-backend
    -spec:
    -  hosts:
    -  - my.olly-backend.com
    -  ports:
    -  - number: 443
    -    name: https-port
    -    protocol: HTTPS
    -  resolution: DNS
    -  location: MESH_EXTERNAL
    ----
    -apiVersion: networking.istio.io/v1alpha3
    -kind: DestinationRule
    -metadata:
    -  name: my-olly-backend
    -spec:
    -  host: my.olly-backend.com
    -  trafficPolicy:
    -    portLevelSettings:
    -    - port:
    -        number: 443
    -      tls:
    -        mode: SIMPLE
    -
    - -
    -No -
    grpcGrpcService -

    Optional. Specifies the configuration for exporting OTLP traces via GRPC. -When empty, traces will check whether HTTP is set. -If not, traces will use default GRPC configurations.

    -

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:

    -
      -
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. -
    -
    - name: opentelemetry
    -  opentelemetry:
    -    port: 8090
    -    service: tracing.example.com
    -    grpc:
    -      timeout: 10s
    -      initialMetadata:
    -      - name: "Authentication"
    -        value: "token-xxxxx"
    -
    -
      -
    1. Deploy a ServiceEntry for the observability back-end
    2. -
    -
    apiVersion: networking.istio.io/v1alpha3
    -kind: ServiceEntry
    -metadata:
    -  name: tracing-grpc
    -spec:
    -  hosts:
    -  - tracing.example.com
    -  ports:
    -  - number: 8090
    -    name: grpc-port
    -    protocol: GRPC
    -  resolution: DNS
    -  location: MESH_EXTERNAL
    -
    - -
    -No -
    resourceDetectorsResourceDetectors -

    Optional. Specifies Resource Detectors -to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged -according to the OpenTelemetry Resource specification.

    -

    The following example shows how to configure the Environment Resource Detector, that will -read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:

    -
    - name: otel-tracing
    -  opentelemetry:
    -    port: 443
    -    service: my.olly-backend.com
    -    resourceDetectors:
    -      environment: {}
    -
    - -
    -No -
    dynatraceSamplerDynatraceSampler (oneof) -

    The Dynatrace adaptive traffic management (ATM) sampler.

    -

    Example configuration:

    -
    - name: otel-tracing
    -  opentelemetry:
    -    port: 443
    -    service: "{your-environment-id}.live.dynatrace.com"
    -    http:
    -      path: "/api/v2/otlp/v1/traces"
    -      timeout: 10s
    -      headers:
    -        - name: "Authorization"
    -          value: "Api-Token dt0c01."
    -    resourceDetectors:
    -      dynatrace: {}
    -    dynatraceSampler:
    -      tenant: "{your-environment-id}"
    -      clusterId: 1234
    - -
    -No -
    -
    -
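Review bot: the gRPC example under grpc declares a ServiceEntry for tracing.example.com with protocol: GRPC on port 8090 and no DestinationRule, whereas the HTTP example above it pairs its ServiceEntry with a DestinationRule setting tls mode SIMPLE on port 443; as written, the initialMetadata value "Authentication: token-xxxxx" is sent to the external collector in cleartext. Add the equivalent DestinationRule (tls mode SIMPLE for port 8090) or a sentence stating that TLS must be configured for the target. In the Dynatrace example, "Api-Token dt0c01." is a truncated token value and should be marked as a placeholder rather than left looking like a real prefix.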

    MeshConfig.ExtensionProvider.HttpService

    -
    -

    Defines configuration for an HTTP service that can be used by an Extension Provider. -that does communication via HTTP.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pathstring -

    REQUIRED. Specifies the path on the service.

    - -
    -No -
    timeoutDuration -

    Optional. Specifies the timeout for the HTTP request. -If not specified, the default is 3s.

    - -
    -No -
    headersHttpHeader[] -

    Optional. Allows specifying custom HTTP headers that will be added -to each HTTP request sent.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.HttpHeader

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    REQUIRED. The HTTP header name.

    - -
    -No -
    valuestring -

    REQUIRED. The HTTP header value.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.ResourceDetectors

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    environmentEnvironmentResourceDetector - -No -
    dynatraceDynatraceResourceDetector - -No -
    -
    -

    MeshConfig.ExtensionProvider.GrpcService

    -
    -

    Defines configuration for an GRPC service that can be used by an Extension Provider. -that does communication via GRPC.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    timeoutDuration -

    Optional. Specifies the timeout for the GRPC request.

    - -
    -No -
    initialMetadataHttpHeader[] -

    Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for -scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key”) are to -be injected.

    - -
    -No -
    -
    -
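Review bot: "Defines configuration for an HTTP service that can be used by an Extension Provider. that does communication via HTTP." has a stray full stop mid-sentence, and the GrpcService description repeats the pattern with "an GRPC service"; suggest "Defines configuration for an HTTP service used by an Extension Provider that communicates over HTTP" and the GRPC equivalent. HttpService.timeout states a 3s default while GrpcService.timeout states none, so either add the default or say which one applies. Both headers and initialMetadata are typically credentials (the GrpcService row's own example is an ad hoc authorization header), and the HttpHeader type offers only literal name and value strings; one sentence noting that these values live in mesh-wide configuration and cannot reference a Secret through this field would save operators a surprise.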

    MeshConfig.ExtensionProvider.StackdriverProvider.Logging

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    labelsmap<string, string> -

    Collection of tag names and tag expressions to include in the log -entry. Conflicts are resolved by the tag name by overriding previously -supplied values.

    -

    Example: -labels: -path: request.url_path -foo: request.headers[‘x-foo’]

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    textstring (oneof) -

    Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation -provides more information.

    -

    NOTE: Istio will insert a newline (’\n’) on all formats (if missing).

    -

    Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    - -
    -No -
    labelsStruct (oneof) -

    JSON structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). -Use labels: {} for default envoy JSON log format.

    -

    Example:

    -
    labels:
    -  status: "%RESPONSE_CODE%"
    -  message: "%LOCAL_REPLY_BODY%"
    -
    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    textstring -

    Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation -provides more information. -Alias to body field in Open Telemetry -Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    - -
    -No -
    labelsStruct -

    Optional. Additional attributes that describe the specific event occurrence. -Structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). -Alias to attributes field in Open Telemetry

    -

    Example:

    -
    labels:
    -  status: "%RESPONSE_CODE%"
    -  message: "%LOCAL_REPLY_BODY%"
    -
    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider.DynatraceSampler

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    tenantstring -

    REQUIRED. The Dynatrace customer’s tenant identifier.

    -

    The value can be obtained from the Istio deployment page in Dynatrace.

    - -
    -No -
    clusterIdint32 -

    REQUIRED. The identifier of the cluster in the Dynatrace platform. -The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.

    -

    The value can be obtained from the Istio deployment page in Dynatrace.

    - -
    -No -
    rootSpansPerMinuteuint32 -

    Optional. Number of sampled spans per minute to be used -when the adaptive value cannot be obtained from the Dynatrace API.

    -

    A default value of 1000 is used when:

    -
      -
    • rootSpansPerMinute is unset
    • -
    • rootSpansPerMinute is set to 0
    • -
    - -
    -No -
    httpServiceDynatraceApi -

    Optional. Dynatrace HTTP API to obtain sampling configuration.

    -

    When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter -(service, port and http), including the access token.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider.DynatraceSampler.DynatraceApi

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    servicestring -

    REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. -The format is <Hostname>, where <Hostname> is the fully qualified Dynatrace environment -host name defined in the ServiceEntry.

    -

    Example: “{your-environment-id}.live.dynatrace.com”.

    - -
    -No -
    portuint32 -

    REQUIRED. Specifies the port of the service.

    - -
    -No -
    httpHttpService -

    REQUIRED. Specifies sampling configuration URI.

    - -
    -No -
    -
    -

    MeshConfig.ExtensionProvider.ResourceDetectors.EnvironmentResourceDetector

    -
    -

    OpenTelemetry Environment Resource Detector. -The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES -and adds them to the OpenTelemetry resource.

    -

    See: Resource specification

    - -
    -

    MeshConfig.ExtensionProvider.ResourceDetectors.DynatraceResourceDetector

    -
    -

    Dynatrace Resource Detector. -The resource detector reads from the Dynatrace enrichment files -and adds host/process related attributes to the OpenTelemetry resource.

    -

    See: Enrich ingested data with Dynatrace-specific dimensions

    - -
    -

    Tracing

    -
    -

    Tracing defines configuration for the tracing performed by Envoy instances.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    zipkinZipkin (oneof) -

    Use a Zipkin tracer.

    - -
    -No -
    datadogDatadog (oneof) -

    Use a Datadog tracer.

    - -
    -No -
    samplingdouble -

    The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, -if not requested by the client or not forced. Default is 1.0.

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. If the remote tracing service -uses Istio mutual TLS and shares the root CA with istiod, specify the TLS -mode as ISTIO_MUTUAL.

    - -
    -No -
    enableIstioTagsBoolValue -

    Determines whether or not trace spans generated by Envoy will include Istio specific tags. -By default Istio specific tags are included in the trace spans.

    - -
    -No -
    -
    -

    Topology

    -
    -

    Topology describes the configuration for relative location of a proxy with -respect to intermediate trusted proxies and the client. These settings -control how the client attributes are retrieved from the incoming traffic by -the gateway proxy and propagated to the upstream services in the cluster.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numTrustedProxiesuint32 -

    Number of trusted proxies deployed in front of the Istio gateway proxy. -When this option is set to value N greater than zero, the trusted client -address is assumed to be the Nth address from the right end of the -X-Forwarded-For (XFF) header from the incoming request. If the -X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the -gateway proxy falls back to using the immediate downstream connection’s -source address as the trusted client address. -Note that the gateway proxy will append the downstream connection’s source -address to the X-Forwarded-For (XFF) address and set the -X-Envoy-External-Address header to the trusted client address before -forwarding it to the upstream services in the cluster. -The default value of numTrustedProxies is 0. -See Envoy XFF -header handling for more details.

    - -
    -No -
    forwardClientCertDetailsForwardClientCertDetails -

    Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) -header in the incoming request.

    - -
    -No -
    proxyProtocolProxyProtocolConfiguration -

    Enables PROXY protocol for -downstream connections on a gateway.

    - -
    -No -
    -
    -
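Review bot: the numTrustedProxies description explains that the trusted client address is the Nth address from the right of X-Forwarded-For and that the gateway falls back to the downstream source address when XFF is missing or short, but it omits the caveat that follows directly from that rule: any N larger than the number of proxies actually in front of the gateway lets a client forge its trusted address by padding XFF, because the Nth-from-right entry is then client-controlled. Since the same value is written to X-Envoy-External-Address and from there into anything that authorizes on the client address, a one-line warning here is worth more than the link to Envoy's XFF handling.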

    PrivateKeyProvider

    -
    -

    PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured -mesh-wide or individual per-workload basis.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    cryptombCryptoMb (oneof) -

    Use CryptoMb private key provider

    - -
    -No -
    qatQAT (oneof) -

    Use QAT private key provider

    - -
    -No -
    -
    -

    ProxyConfig

    -
    -

    ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis -as well as by the mesh-wide defaults. -To set the mesh-wide defaults, configure the defaultConfig section of meshConfig. For example:

    -
    meshConfig:
    -  defaultConfig:
    -    discoveryAddress: istiod:15012
    -
    -

    This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod. For example:

    -
    annotations:
    -  proxy.istio.io/config: |
    -    discoveryAddress: istiod:15012
    -
    -

    If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. -This is different than a deep merge provided by protobuf. -For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider -such as "tracing": { "zipkin": { "address": "..." } }.

    -

    Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    configPathstring -

    Path to the generated configuration file directory. -Proxy agent generates the actual configuration and stores it in this directory.

    - -
    -No -
    binaryPathstring -

    Path to the proxy binary

    - -
    -No -
    serviceClusterstring (oneof) -

    Service cluster defines the name for the service_cluster that is -shared by all Envoy instances. This setting corresponds to ---service-cluster flag in Envoy. In a typical Envoy deployment, the -service-cluster flag is used to identify the caller, for -source-based routing scenarios.

    -

    Since Istio does not assign a local service/service version to each -Envoy instance, the name is same for all of them. However, the -source/caller’s identity (e.g., IP address) is encoded in the ---service-node flag when launching Envoy. When the RDS service -receives API calls from Envoy, it uses the value of the service-node -flag to compute routes that are relative to the service instances -located at that IP address.

    - -
    -No -
    tracingServiceNameTracingServiceName (oneof) -

    Used by Envoy proxies to assign the values for the service names in trace -spans.

    - -
    -No -
    drainDurationDuration -

    The time in seconds that Envoy will drain connections during a hot -restart. MUST be >=1s (e.g., 1s/1m/1h) -Default drain duration is 45s.

    - -
    -No -
    discoveryAddressstring -

    Address of the discovery service exposing xDS with mTLS connection. -The inject configuration may override this value.

    - -
    -No -
    statsdUdpAddressstring -

    IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

    - -
    -No -
    proxyAdminPortint32 -

    Port on which Envoy should listen for administrative commands. -Default port is 15000.

    - -
    -No -
    controlPlaneAuthPolicyAuthenticationPolicy -

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. -Default is set to MUTUAL_TLS.

    - -
    -No -
    customConfigFilestring -

    File path of custom proxy configuration, currently used by proxies -in front of istiod.

    - -
    -No -
    statNameLengthint32 -

    Maximum length of name field in Envoy’s metrics. The length of the name field -is determined by the length of a name field in a service and the set of labels that -comprise a particular version of the service. The default value is set to 189 characters. -Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. -Increase the value of this field if you find that the metrics from Envoys are truncated.

    - -
    -No -
    concurrencyInt32Value -

    The number of worker threads to run. -If unset, which is recommended, this will be automatically determined based on CPU requests/limits. -If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance -issues if CPU limits are also set.

    - -
    -No -
    proxyBootstrapTemplatePathstring -

    Path to the proxy bootstrap template file

    - -
    -No -
    interceptionModeInboundInterceptionMode -

    The mode used to redirect inbound traffic to Envoy.

    - -
    -No -
    tracingTracing -

    Tracing configuration to be used by the proxy.

    - -
    -No -
    envoyAccessLogServiceRemoteService -

    Address of the service to which access logs from Envoys should be -sent. (e.g. accesslog-service:15000). See Access Log -Service -for details about Envoy’s gRPC Access Log Service API.

    - -
    -No -
    envoyMetricsServiceRemoteService -

    Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). -See Metric Service -for details about Envoy’s Metrics Service API.

    - -
    -No -
    proxyMetadatamap<string, string> -

    Additional environment variables for the proxy. -Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

    - -
    -No -
    runtimeValuesmap<string, string> -

    Envoy runtime configuration to set during bootstrapping. -This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

    - -
    -No -
    statusPortint32 -

    Port on which the agent should listen for administrative commands such as readiness probe. -Default is set to port 15020.

    - -
    -No -
    extraStatTagsstring[] -

    An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be -added by configuring the telemetry extension. Each additional tag needs to be present in this list. -Extra tags emitted by the telemetry extensions must be listed here so that they can be processed -and exposed as Prometheus metrics. -Deprecated: istio.stats is a native filter now, this field is no longer needed.

    - -
    -No -
    gatewayTopologyTopology -

    Topology encapsulates the configuration which describes where the proxy is -located i.e. behind a (or N) trusted proxy (proxies) or directly exposed -to the internet. This configuration only effects gateways and is applied -to all the gateways in the cluster unless overridden via annotations of the -gateway workloads.

    - -
    -No -
    terminationDrainDurationDuration -

    The amount of time allowed for connections to complete on proxy shutdown. -On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start gracefully draining, -discouraging any new connections and allowing existing connections to complete. It then -sleeps for the terminationDrainDuration and then kills any remaining active Envoy processes. -If not set, a default of 5s will be applied.

    - -
    -No -
    meshIdstring -

    The unique identifier for the service mesh -All control planes running in the same service mesh should specify the same mesh ID. -Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

    - -
    -No -
    readinessProbeReadinessProbe -

    VM Health Checking readiness probe. This health check config exactly mirrors the -kubernetes readiness probe configuration both in schema and logic. -Only one health check method of 3 can be set at a time.

    - -
    -No -
    proxyStatsMatcherProxyStatsMatcher -

    Proxy stats matcher defines configuration for reporting custom Envoy stats. -To reduce memory and CPU overhead from Envoy stats system, Istio proxies by -default create and expose only a subset of Envoy stats. This option is to -control creation of additional Envoy stats with prefix, suffix, and regex -expressions match on the name of the stats. This replaces the stats -inclusion annotations -(sidecar.istio.io/statsInclusionPrefixes, -sidecar.istio.io/statsInclusionRegexps, and -sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats -for circuit breakers, request retries, upstream connections, and request timeouts, -you can specify stats matcher as follows:

    -
    proxyStatsMatcher:
    -  inclusionRegexps:
    -    - .*outlier_detection.*
    -    - .*upstream_rq_retry.*
    -    - .*upstream_cx_.*
    -  inclusionSuffixes:
    -    - upstream_rq_timeout
    -
    -

    Note including more Envoy stats might increase number of time series -collected by prometheus significantly. Care needs to be taken on Prometheus -resource provision and configuration to reduce cardinality.

    - -
    -No -
    holdApplicationUntilProxyStartsBoolValue -

    Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. -This feature adds hooks to delay application startup until the pod proxy -is ready to accept traffic, mitigating some startup race conditions. -Default value is ‘false’.

    - -
    -No -
    caCertificatesPemstring[] -

    The PEM data of the extra root certificates for workload-to-workload communication. -This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. -The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) -are added automatically by Istiod.

    - -
    -No -
    imageProxyImage -

    Specifies the details of the proxy image.

    - -
    -No -
    privateKeyProviderPrivateKeyProvider -

    Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

    - -
    -No -
    proxyHeadersProxyHeaders -

    Define the set of headers to add/modify for HTTP request/responses.

    -

    To enable an optional header, simply set the field. If no specific configuration is required, an empty object ({}) will enable it. -Note: currently all headers are enabled by default.

    -

    Below shows an example of customizing the server header and disabling the X-Envoy-Attempt-Count header:

    -
    proxyHeaders:
    -  server:
    -    value: "my-custom-server"
    -  # Explicitly enable Request IDs.
    -  # As this is the default, this has no effect.
    -  requestId: {}
    -  attemptCount:
    -    disabled: true
    -
    -

    Below shows an example of preserving the header case for HTTP 1.x requests

    -
    proxyHeaders:
    -  perserveHttp1HeaderCase: true
    -
    -

    Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:

    -
    proxyHeaders:
    -  forwardedClientCert: SANITIZE
    -  server:
    -    disabled: true
    -  requestId:
    -    disabled: true
    -  attemptCount:
    -    disabled: true
    -  envoyDebugHeaders:
    -    disabled: true
    -  metadataExchangeHeaders:
    -    mode: IN_MESH
    -
    - -
    -No -
    zipkinAddressstring -

    Address of the Zipkin service (e.g. zipkin:9411). -DEPRECATED: Use tracing instead.

    - -
    -No -
    -
    -

    RemoteService

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of a remove service used for various purposes (access log -receiver, metrics receiver, etc.). Can be IP address or a fully -qualified DNS name.

    - -
    -No -
    tlsSettingsClientTLSSettings -

    Use the tlsSettings to specify the tls mode to use. If the remote service -uses Istio mutual TLS and shares the root CA with istiod, specify the TLS -mode as ISTIO_MUTUAL.

    - -
    -No -
    tcpKeepaliveTcpKeepalive -

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    - -
    -No -
    -
    -

    Tracing.Zipkin

    -
    -

    Zipkin defines configuration for a Zipkin tracer.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of the Zipkin service (e.g. zipkin:9411).

    - -
    -No -
    -
    -

    Tracing.Datadog

    -
    -

    Datadog defines configuration for a Datadog tracer.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    Address of the Datadog Agent.

    - -
    -No -
    -
    -

    Tracing.Stackdriver

    -
    -

    Stackdriver defines configuration for a Stackdriver tracer. -See Envoy’s OpenCensus trace configuration -and -OpenCensus trace config for details.

    - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    -
    -

    Tracing.OpenCensusAgent

    -
    -

    OpenCensusAgent defines configuration for an OpenCensus tracer writing to -an OpenCensus agent backend. See -Envoy’s OpenCensus trace configuration -and -OpenCensus trace config -for details.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    addressstring -

    gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or -unix:path). See gRPC naming -docs for -details.

    - -
    -No -
    contextTraceContext[] -

    Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will -write all headers.

    - -
    -No -
    -
    -

    Topology.ProxyProtocolConfiguration

    -
    -

    PROXY protocol configuration.

    - -
    -

    PrivateKeyProvider.CryptoMb

    -
    -

    CryptoMb PrivateKeyProvider configuration

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pollDelayDuration -

    How long to wait until the per-thread processing queue should be processed. If the processing queue -gets full (eight sign or decrypt requests are received) it is processed immediately. -However, if the queue is not filled before the delay has expired, the requests already in the queue -are processed, even if the queue is not full. -In effect, this value controls the balance between latency and throughput. -The duration needs to be set to a value greater than or equal to 1 millisecond.

    - -
    -No -
    fallbackBoolValue -

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) -Envoy will fallback to the BoringSSL default implementation when the fallback is true. -The default value is false.

    - -
    -No -
    -
    -

    PrivateKeyProvider.QAT

    -
    -

    QAT (QuickAssist Technology) PrivateKeyProvider configuration

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    pollDelayDuration -

    How long to wait before polling the hardware accelerator after a request has been submitted there. -Having a small value leads to quicker answers from the hardware but causes more polling loop spins, -leading to potentially larger CPU usage. -The duration needs to be set to a value greater than or equal to 1 millisecond.

    - -
    -No -
    fallbackBoolValue -

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) -Envoy will fallback to the BoringSSL default implementation when the fallback is true. -The default value is false.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyStatsMatcher

    -
    -

    Proxy stats name matchers for stats creation. Note this is in addition to -the minimum Envoy stats that Istio generates by default.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    inclusionPrefixesstring[] -

    Proxy stats name prefix matcher for inclusion.

    - -
    -No -
    inclusionSuffixesstring[] -

    Proxy stats name suffix matcher for inclusion.

    - -
    -No -
    inclusionRegexpsstring[] -

    Proxy stats name regexps matcher for inclusion.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyHeaders

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    forwardedClientCertForwardClientCertDetails -

    Controls the X-Forwarded-Client-Cert header for inbound sidecar requests. To set this on gateways, use the Topology setting. -To disable the header, configure either SANITIZE (to always remove the header, if present) or FORWARD_ONLY (to leave the header as-is). -By default, APPEND_FORWARD will be used.

    - -
    -No -
    setCurrentClientCertDetailsSetCurrentClientCertDetails -

    This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET -and the client connection is mTLS. It specifies the fields in -the client certificate to be forwarded. Note that Hash is always set, and -By is always set when the client certificate presents the URI type Subject Alternative Name value.

    - -
    -No -
    requestIdRequestId -

    Controls the X-Request-Id header. If enabled, a request ID is generated for each request if one is not already set. -This applies to all types of traffic (inbound, outbound, and gateways). -If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. -Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. -This header is enabled by default if not configured.

    - -
    -No -
    serverServer -

    Controls the server header. If enabled, the Server: istio-envoy header is set in response headers for inbound traffic (including gateways). -If disabled, the Server header is not modified. If it is already present, it will be preserved.

    - -
    -No -
    attemptCountAttemptCount -

    Controls the X-Envoy-Attempt-Count header. -If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. -If disabled, this header will not be set. If it is already present, it will be preserved. -This header is enabled by default if not configured.

    - -
    -No -
    envoyDebugHeadersEnvoyDebugHeaders -

    Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, -these headers will be included. -If disabled, these headers will not be set. If they are already present, they will be preserved. -See the Envoy documentation for more details. -These headers are enabled by default if not configured.

    - -
    -No -
    metadataExchangeHeadersMetadataExchangeHeaders -

    Controls Istio metadata exchange headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. -By default, the behavior is unspecified. -If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.

    - -
    -No -
    preserveHttp1HeaderCaseBoolValue -

    When true, the original case of HTTP/1.x headers will be preserved -as they pass through the proxy, rather than normalizing them to lowercase. -This field is particularly useful for applications that require case-sensitive -headers for interoperability with downstream systems or APIs that expect specific -casing. -The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers -to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 -requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 -standards.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyHeaders.Server

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    valuestring -

    If set, and the server header is enabled, this value will be set as the server header. By default, istio-envoy will be used.

    - -
    -No -
    -
    -

    ProxyConfig.ProxyHeaders.RequestId

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    -
    -

    ProxyConfig.ProxyHeaders.AttemptCount

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    -
    -

    ProxyConfig.ProxyHeaders.EnvoyDebugHeaders

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    disabledBoolValue - -No -
    -
    -

    ProxyConfig.ProxyHeaders.MetadataExchangeHeaders

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeMetadataExchangeMode - -No -
    -
    -

    ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    subjectBoolValue -

    Whether to forward the subject of the client cert. Defaults to true.

    - -
    -No -
    certBoolValue -

    Whether to forward the entire client cert in URL encoded PEM format. This will appear in the -XFCC header comma separated from other values with the value Cert=“PEM”. -Defaults to false.

    - -
    -No -
    chainBoolValue -

    Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM -format. This will appear in the XFCC header comma separated from other values with the value -Chain=“PEM”. -Defaults to false.

    - -
    -No -
    dnsBoolValue -

    Whether to forward the DNS type Subject Alternative Names of the client cert. -Defaults to true.

    - -
    -No -
    uriBoolValue -

    Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to -true.

    - -
    -No -
    -
    -

    Network

    -
    -

    Network provides information about the endpoints in a routable L3 -network. A single routable L3 network can have one or more service -registries. Note that the network has no relation to the locality of the -endpoint. The endpoint locality will be obtained from the service -registry.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    endpointsNetworkEndpoints[] -

    The list of endpoints in the network (obtained through the -constituent service registries or from CIDR ranges). All endpoints in -the network are directly accessible to one another.

    - -
    -Yes -
    gatewaysIstioNetworkGateway[] -

    Set of gateways associated with the network.

    - -
    -Yes -
    -
    -

    MeshNetworks

    -
    -

    MeshNetworks (config map) provides information about the set of networks -inside a mesh and how to route to endpoints in each network. For example

    -

    MeshNetworks(file/config map):

    -
    networks:
    -  network1:
    -    endpoints:
    -    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    -    - fromCidr: 192.168.100.0/22 #a VM network for example
    -    gateways:
    -    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    -      port: 15443
    -      locality: us-east-1a
    -    - address: 192.168.100.1
    -      port: 15443
    -      locality: us-east-1a
    -
    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    networksmap<string, Network> -

    The set of networks inside this mesh. Each network should -have a unique name and information about how to infer the endpoints in -the network as well as the gateways associated with the network.

    - -
    -Yes -
    -
    -

    Network.NetworkEndpoints

    -
    -

    NetworkEndpoints describes how the network associated with an endpoint -should be inferred. An endpoint will be assigned to a network based on -the following rules:

    -
      -
    1. -

      Implicitly: If the registry explicitly provides information about -the network to which the endpoint belongs to. In some cases, its -possible to indicate the network associated with the endpoint by -adding the ISTIO_META_NETWORK environment variable to the sidecar.

      -
    2. -
    3. -

      Explicitly:

      -

      a. By matching the registry name with one of the “fromRegistry” -in the mesh config. A “fromRegistry” can only be assigned to a -single network.

      -

      b. By matching the IP against one of the CIDR ranges in a mesh -config network. The CIDR ranges must not overlap and be assigned to -a single network.

      -
    4. -
    -

    (2) will override (1) if both are present.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromCidrstring (oneof) -

    A CIDR range for the set of endpoints in this network. The CIDR -ranges for endpoints from different networks must not overlap.

    - -
    -No -
    fromRegistrystring (oneof) -

    Add all endpoints from the specified registry into this network. -The names of the registries should correspond to the kubeconfig file name -inside the secret that was used to configure the registry (Kubernetes -multicluster) or supplied by MCP server.

    - -
    -No -
    -
    -

    Network.IstioNetworkGateway

    -
    -

    The gateway associated with this network. Traffic from remote networks -will arrive at the specified gateway:port. All incoming traffic must -use mTLS.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    registryServiceNamestring (oneof) -

    A fully qualified domain name of the gateway service. istiod will -lookup the service from the service registries in the network and -obtain the endpoint IPs of the gateway from the service -registry. Note that while the service name is a fully qualified -domain name, it need not be resolvable outside the orchestration -platform for the registry. e.g., this could be -istio-ingressgateway.istio-system.svc.cluster.local.

    - -
    -No -
    addressstring (oneof) -

    IP address or externally resolvable DNS address associated with the gateway.

    - -
    -No -
    portuint32 -

    The port associated with the gateway.

    - -
    -Yes -
    localitystring -

    The locality associated with an explicitly specified gateway (i.e. ip)

    - -
    -No -
    -
    -

    MeshConfig.OutboundTrafficPolicy.Mode

    +

    Mode
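Review bot: the heading at the end of this hunk loses its qualifier: `MeshConfig.OutboundTrafficPolicy.Mode` is removed and only a bare `Mode` is added, which will collide with the equally bare `Mode` the next hunk adds for `InboundTrafficPolicy`; keep the fully qualified name (or at least keep the generated anchor id unique) so deep links to the two enums stay distinct. Since this hunk also drops the old `ProxyConfig`, `RemoteService`, `Tracing.*`, `PrivateKeyProvider.*` and `Network`/`MeshNetworks` text wholesale, confirm the regenerated copy does not carry over the defects visible in the removed lines: the `preserveHttp1HeaderCase` example spells the key `perserveHttp1HeaderCase` while the field name in the `ProxyHeaders` table is `preserveHttp1HeaderCase`; `RemoteService.address` reads "Address of a remove service" (remote); and both `CryptoMb.fallback` and `QAT.fallback` say "the required hardware capability doesn't existed". The removed `caCertificatesPem` and `forwardedClientCert`/`setCurrentClientCertDetails` descriptions are the only place this page documents what ends up in `X-Forwarded-Client-Cert` (Hash always set, By set when a URI SAN is present, `SANITIZE` vs `FORWARD_ONLY` to disable), so check the replacement keeps that text rather than the generic "Required: No" scaffolding only.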

    @@ -4631,7 +627,27 @@ to arbitrary destinations.

    -

    MeshConfig.InboundTrafficPolicy.Mode

    +

    InboundTrafficPolicy

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    Mode
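Review bot: the new `InboundTrafficPolicy` table is empty as added: the `Field / Description` header is followed only by bare `+` lines and no `mode` row, while the removed `MeshConfig.InboundTrafficPolicy.Mode` heading is replaced by a bare `Mode` (the same bare heading the previous hunk emits for the outbound enum). Either the generator is not emitting the field row for single-field messages or the row was lost; regenerate and diff against the old `MeshConfig.InboundTrafficPolicy.Mode` section before merging. Note also that the new header has only `Field` and `Description` columns where the old tables had `Field / Type / Description / Required`; if dropping `Required` is intentional it should be stated in the PR description, since readers used it to tell mandatory fields (`name`, `service`, `port`, `address` of the CA) from optional ones.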

    @@ -4660,7 +676,943 @@ allowing proxy to be transparent.

    -

    MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext

    +

    CertificateData

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    The PEM data of the certificate.

    + +
    +
    string (oneof)
    +
    +

    The SPIFFE bundle endpoint URL that complies to: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle +The endpoint should support authentication based on Web PKI: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki +The certificate is retrieved from the endpoint.

    + +
    +
    string[]
    +
    +

    Specify the kubernetes signers (External CA) that use this trustAnchor +when Istiod is acting as RA(registration authority) +If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

    + +
    +
    string[]
    +
    +

    Specify the list of trust domains to which this trustAnchor data belongs. +If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain +and its aliases. +Note that we can have multiple trustAnchor data for a same trustDomain. +In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. +If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. +If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. +If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. +If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.

    + +
    +
    +

    CA

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Address of the CA server implementing the Istio CA gRPC API. +Can be IP address or a fully qualified DNS name with port +Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

    + +
    +

    Use the tlsSettings to specify the tls mode to use. +Regarding tlsSettings:

    +
      +
    • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. +DISABLE MODE can also be used for testing
    • +
    • TLS MUTUAL MODE be on by default. If the CA certificates +(cert bundle to verify the CA server’s certificate) is omitted, Istiod will +use the system root certs to verify the CA server’s certificate.
    • +
    + +
    +

    timeout for forward CSR requests from Istiod to External CA +Default: 10s

    + +
    +
    bool
    +
    +

    Use istiodSide to specify CA Server integrate to Istiod side or Agent side +Default: true

    + +
    +
    +

    ExtensionProvider

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. A unique name identifying the extension provider.

    + +
    +

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.

    + +
    +

    Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.

    + +
    +

    Configures a tracing provider that uses the Zipkin API.

    + +
    +

    Configures a Datadog tracing provider.

    + +
    +

    Configures a Apache SkyWalking provider.

    + +
    +

    Configures an OpenTelemetry tracing provider.

    + +
    +

    Configures a Prometheus metrics provider.

    + +
    +

    Configures an Envoy File Access Log provider.

    + +
    +

    Configures an Envoy Access Logging Service provider for HTTP traffic.

    + +
    +

    Configures an Envoy Access Logging Service provider for TCP traffic.

    + +
    +

    Configures an Envoy Open Telemetry Access Logging Service provider.

    + +
    +
    +

    EnvoyExternalAuthorizationRequestBody

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Sets the maximum size of a message body that the ext-authz filter will hold in memory. +If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). +Otherwise the request will be sent to the provider with a partial message. +Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the +failOpen is set to true.

    + +
    +

    When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. +The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. +A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message +indicating if the body data is partial.

    + +
    +
    bool
    +
    +

    If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes +in the raw_body field. +Otherwise, it will be filled with UTF-8 string in the body field. +This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.

    + +
    +
    +

    EnvoyExternalAuthorizationHttpProvider

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +In this situation, the response sent back to the client will depend on the configured failOpen field.

    + +
    +
    string
    +
    +

    Sets a prefix to the value of authorization request header Path. +For example, setting this to “/check” for an original user request at path “/admin” will cause the +authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

    + +
    +
    bool
    +
    +

    If true, the user request will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. +Default is false and the request will be rejected with “Forbidden” response.

    + +
    +

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. +If true, recalculate routes with the new ExtAuthZ added/removed headers. +Default is false

    + +
    +
    string
    +
    +

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. +The default status is “403” (HTTP Forbidden).

    + +
    +

    List of client request headers that should be included in the authorization request sent to the authorization service. +Note that in addition to the headers specified here following headers are included by default:

    +
      +
    1. Host, Method, Path and Content-Length are automatically sent.
    2. +
    3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization +request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), +consequently the value of Content-Length of the authorization request reflects the size of its payload size.
    4. +
    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +
    map<string, string>
    +
    +

    Set of additional fixed headers that should be included in the authorization request sent to the authorization service. +Key is the header name and value is the header value. +Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.

    + +
    +

    If set, the client request body will be included in the authorization request sent to the authorization service.

    + +
    +

    List of headers from the authorization service that should be added or overridden in the original request and +forwarded to the upstream when the authorization check result is allowed (HTTP code 200). +If not specified, the original request will not be modified and forwarded to backend as-is. +Note, any existing headers will be overridden.

    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +

    List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is not allowed (HTTP code other than 200). +If not specified, all the authorization response headers, except Authority (Host) will be in the response to +the downstream. +When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are +automatically added. +Note, the body from the authorization service is always included in the response to downstream.

    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +

    List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is allowed (HTTP code 200). +If not specified, the original response will not be modified and forwarded to downstream as-is. +Note, any existing headers will be overridden.

    +

    Exact, prefix and suffix matches are supported (similar to the +authorization policy rule syntax +except the presence match):

    +
      +
    • Exact match: “abc” will match on value “abc”.
    • +
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • +
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • +
    + +
    +

    DEPRECATED. Use includeRequestHeadersInCheck instead.

    + +
    +
    +

    EnvoyExternalAuthorizationGrpcProvider

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +In this situation, the response sent back to the client will depend on the configured failOpen field.

    + +
    +
    bool
    +
    +

    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. +Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

    + +
    +

    If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. +If true, recalculate routes with the new ExtAuthZ added/removed headers. +Default is false

    + +
    +
    string
    +
    +

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. +The default status is “403” (HTTP Forbidden).

    + +
    +

    If set, the client request body will be included in the authorization request sent to the authorization service.

    + +
    +
    +

    ZipkinTracingProvider

    +
    +

    Defines configuration for a Zipkin tracer.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that the Zipkin API. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +

    A 128 bit trace id will be used in Istio. +If true, will result in a 64 bit trace id being used.

    + +
    +
    string
    +
    +

    Specifies the endpoint of Zipkin API. +The default value is “/api/v2/spans”.

    + +
    +
    +

    LightstepTracingProvider

    +
    +

    Defines configuration for a Lightstep tracer. +Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ +will generate OpenTelemetry-compatible configuration when using this option.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the Lightstep collector. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The Lightstep access token.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +
    +

    DatadogTracingProvider

    +
    +

    Defines configuration for a Datadog tracer.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the Datadog agent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +
    +

    SkyWalkingTracingProvider

    +
    +

    Defines configuration for a SkyWalking tracer.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the SkyWalking receiver. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The SkyWalking OAP access token.

    + +
    +
    +

    StackdriverProvider

    +
    +

    Defines configuration for Stackdriver.

    +

    WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used +alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus +driver in Envoy.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +

    Controls Stackdriver logging behavior.

    + +
    +
    +
    Logging
    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    map<string, string>
    +
    +

    Collection of tag names and tag expressions to include in the log +entry. Conflicts are resolved by the tag name by overriding previously +supplied values.

    +

    Example: +labels: +path: request.url_path +foo: request.headers[‘x-foo’]

    + +
    +
    +

    OpenCensusAgentTracingProvider

    +
    +

    Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

    +

    WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of +OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation +in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration +may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider +configuration MUST be accompanied by a restart of all proxies that will use that configuration.

    +

    NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used +alongside OpenCensus provider configuration.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service for the OpenCensusAgent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will +write all headers.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +
    +
    TraceContext

    TraceContext selects the context propagation headers used for distributed tracing.

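Review bot: the ZipkinTracingProvider service description is missing its verb: "REQUIRED. Specifies the service that the Zipkin API." should read "Specifies the service that implements the Zipkin API.", matching the wording used for the ext_authz and tracing providers above it. Two more wording fixes in the same hunk: the includeRequestHeadersInCheck note ends "reflects the size of its payload size" (drop the trailing "size", and "following headers are included" wants "the following headers"), and both route-cache descriptions end "Default is false" without a period. It would also help operators to spell out, in the timeout and failOpen rows of the ext_authz providers, what the documented defaults mean together: with the 600s default timeout and failOpen false, a stalled authorization service holds each client request for up to ten minutes before the 403 (or the status configured for network errors) is returned, so the timeout should be tuned deliberately rather than left at the default.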
    @@ -4710,7 +1662,858 @@ for details.

    -

    MeshConfig.ProxyPathNormalization.NormalizationType

    +

    PrometheusMetricsProvider

    +
    +
    +

    EnvoyFileAccessLogProvider

    +
    +

    Defines configuration for Envoy-based access logging that writes to +local files (and/or standard streams).

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Path to a local file to write the access log entries. +This may be used to write to streams, via /dev/stderr and /dev/stdout +If unspecified, defaults to /dev/stdout.

    + +
    +

    Allows overriding of the default access log format.

    + +
    +
    +
    LogFormat
    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information.

    +

    NOTE: Istio will insert a newline (’\n’) on all formats (if missing).

    +

    Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    + +
    +

    JSON structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +Use labels: {} for default envoy JSON log format.

    +

    Example:

    +
    labels:
    +  status: "%RESPONSE_CODE%"
    +  message: "%LOCAL_REPLY_BODY%"
    +
    + +
    +
    +

    EnvoyHttpGrpcV3LogProvider

    +
    +

    Defines configuration for an Envoy Access Logging Service +integration for HTTP traffic.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The friendly name of the access log. +Defaults:

    +
      +
    • “http_envoy_accesslog”
    • +
    • “listener_envoy_accesslog”
    • +
    + +
    +

    Additional filter state objects to log.

    + +
    +

    Additional request headers to log.

    + +
    +

    Additional response headers to log.

    + +
    +

    Additional response trailers to log.

    + +
    +
    +

    EnvoyTcpGrpcV3LogProvider

    +
    +

    Defines configuration for an Envoy Access Logging Service +integration for TCP traffic.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The friendly name of the access log. +Defaults:

    +
      +
    • “tcp_envoy_accesslog”
    • +
    • “listener_envoy_accesslog”
    • +
    + +
    +

    Additional filter state objects to log.

    + +
    +
    +

    EnvoyOpenTelemetryLogProvider

    +
    +

    Defines configuration for an Envoy OpenTelemetry (gRPC) Access Log

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    string
    +
    +

    The friendly name of the access log. +Defaults:

    +
      +
    • “otel_envoy_accesslog”
    • +
    + +
    +

    Format for the proxy access log +Empty value results in proxy’s default access log format, following Envoy access logging formatting.

    + +
    +
    +
    LogFormat
    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information. +Alias to body field in Open Telemetry +Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    + +
    +

    Additional attributes that describe the specific event occurrence. +Structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +Alias to attributes field in Open Telemetry

    +

    Example:

    +
    labels:
    +  status: "%RESPONSE_CODE%"
    +  message: "%LOCAL_REPLY_BODY%"
    +
    + +
    +
    +

    OpenTelemetryTracingProvider

    +
    +

    Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +service defined by the Kubernetes service or ServiceEntry.

    +

    Example: “otlp.default.svc.cluster.local” or “bar/otlp.example.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +
    uint32
    +
    +

    Controls the overall path length allowed in a reported span. +NOTE: currently only controls max length of the path tag.

    + +
    +

    Specifies the configuration for exporting OTLP traces via HTTP. +When empty, traces will be exported via gRPC.

    +

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:

    +
      +
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. +
    +
    - name: otel-tracing
    +  opentelemetry:
    +    port: 443
    +    service: my.olly-backend.com
    +    http:
    +      path: "/api/otlp/traces"
    +      timeout: 10s
    +      headers:
    +      - name: "my-custom-header"
    +        value: "some value"
    +
    +
      +
    1. Deploy a ServiceEntry for the observability back-end
    2. +
    +
    apiVersion: networking.istio.io/v1alpha3
    +kind: ServiceEntry
    +metadata:
    +  name: my-olly-backend
    +spec:
    +  hosts:
    +  - my.olly-backend.com
    +  ports:
    +  - number: 443
    +    name: https-port
    +    protocol: HTTPS
    +  resolution: DNS
    +  location: MESH_EXTERNAL
    +---
    +apiVersion: networking.istio.io/v1alpha3
    +kind: DestinationRule
    +metadata:
    +  name: my-olly-backend
    +spec:
    +  host: my.olly-backend.com
    +  trafficPolicy:
    +    portLevelSettings:
    +    - port:
    +        number: 443
    +      tls:
    +        mode: SIMPLE
    +
    + +
    +

    Specifies the configuration for exporting OTLP traces via GRPC. +When empty, traces will check whether HTTP is set. +If not, traces will use default GRPC configurations.

    +

    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:

    +
      +
    1. Add/change the OpenTelemetry extension provider in MeshConfig
    2. +
    +
    - name: opentelemetry
    +  opentelemetry:
    +    port: 8090
    +    service: tracing.example.com
    +    grpc:
    +      timeout: 10s
    +      initialMetadata:
    +      - name: "Authentication"
    +        value: "token-xxxxx"
    +
    +
      +
    1. Deploy a ServiceEntry for the observability back-end
    2. +
    +
    apiVersion: networking.istio.io/v1alpha3
    +kind: ServiceEntry
    +metadata:
    +  name: tracing-grpc
    +spec:
    +  hosts:
    +  - tracing.example.com
    +  ports:
    +  - number: 8090
    +    name: grpc-port
    +    protocol: GRPC
    +  resolution: DNS
    +  location: MESH_EXTERNAL
    +
    + +
    +

    Specifies Resource Detectors +to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged +according to the OpenTelemetry Resource specification.

    +

    The following example shows how to configure the Environment Resource Detector, that will +read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:

    +
    - name: otel-tracing
    +  opentelemetry:
    +    port: 443
    +    service: my.olly-backend.com
    +    resourceDetectors:
    +      environment: {}
    +
    + +
    +

    The Dynatrace adaptive traffic management (ATM) sampler.

    +

    Example configuration:

    +
    - name: otel-tracing
    +  opentelemetry:
    +    port: 443
    +    service: "{your-environment-id}.live.dynatrace.com"
    +    http:
    +      path: "/api/v2/otlp/v1/traces"
    +      timeout: 10s
    +      headers:
    +        - name: "Authorization"
    +          value: "Api-Token dt0c01."
    +    resourceDetectors:
    +      dynatrace: {}
    +    dynatraceSampler:
    +      tenant: "{your-environment-id}"
    +      clusterId: 1234
    + +
    +
    +
    DynatraceSampler
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. The Dynatrace customer’s tenant identifier.

    +

    The value can be obtained from the Istio deployment page in Dynatrace.

    + +
    +
    int32
    +
    +

    REQUIRED. The identifier of the cluster in the Dynatrace platform. +The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.

    +

    The value can be obtained from the Istio deployment page in Dynatrace.

    + +
    +

    Number of sampled spans per minute to be used +when the adaptive value cannot be obtained from the Dynatrace API.

    +

    A default value of 1000 is used when:

    +
      +
    • rootSpansPerMinute is unset
    • +
    • rootSpansPerMinute is set to 0
    • +
    + +
    +

    Dynatrace HTTP API to obtain sampling configuration.

    +

    When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter +(service, port and http), including the access token.

    + +
    +
    +
    DynatraceApi
    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. +The format is <Hostname>, where <Hostname> is the fully qualified Dynatrace environment +host name defined in the ServiceEntry.

    +

    Example: “{your-environment-id}.live.dynatrace.com”.

    + +
    +
    uint32
    +
    +

    REQUIRED. Specifies the port of the service.

    + +
    +

    REQUIRED. Specifies sampling configuration URI.

    + +
    +
    +

    HttpService

    +
    +

    Defines configuration for an HTTP service that can be used by an Extension Provider. +that does communication via HTTP.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. Specifies the path on the service.

    + +
    +

    Specifies the timeout for the HTTP request. +If not specified, the default is 3s.

    + +
    +

    Allows specifying custom HTTP headers that will be added +to each HTTP request sent.

    + +
    +
    +

    HttpHeader

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    REQUIRED. The HTTP header name.

    + +
    +
    string
    +
    +

    REQUIRED. The HTTP header value.

    + +
    +
    +

    ResourceDetectors

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +
    +
    EnvironmentResourceDetector
    +
    +

    OpenTelemetry Environment Resource Detector. +The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES +and adds them to the OpenTelemetry resource.

    +

    See: Resource specification

    + +
    +
    DynatraceResourceDetector
    +
    +

    Dynatrace Resource Detector. +The resource detector reads from the Dynatrace enrichment files +and adds host/process related attributes to the OpenTelemetry resource.

    +

    See: Enrich ingested data with Dynatrace-specific dimensions

    + +
    +

    GrpcService

    +
    +

    Defines configuration for an GRPC service that can be used by an Extension Provider. +that does communication via GRPC.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Specifies the timeout for the GRPC request.

    + +
    +

    Additional metadata to include in streams initiated to the GrpcService. This can be used for +scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key”) are to +be injected.

    + +
    +
    +

    DefaultProviders

    +
    +

    Holds the name references to the providers that will be used by default +in other Istio configuration resources if the provider is not specified.

    +

    These names must match a provider defined in extensionProviders that is +one of the supported tracing providers.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    Name of the default provider(s) for tracing.

    + +
    +
    string[]
    +
    +

    Name of the default provider(s) for metrics.

    + +
    +
    string[]
    +
    +

    Name of the default provider(s) for access logging.

    + +
    +
    +

    ProxyPathNormalization

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    NormalizationType

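Review bot: the service description under EnvoyHttpGrpcV3LogProvider, EnvoyTcpGrpcV3LogProvider and EnvoyOpenTelemetryLogProvider was copied from the ext_authz provider and still says "Specifies the service that implements the Envoy ALS gRPC authorization service."; ALS is the access log service, not an authorization service, so this should read "implements the Envoy Access Log Service (ALS) gRPC API" or similar in all three places. Two sentence fragments also slipped through in this hunk: HttpService reads "...that can be used by an Extension Provider. that does communication via HTTP." and GrpcService reads "Defines configuration for an GRPC service ... Provider. that does communication via GRPC."; join each into one sentence ("an HTTP service that an Extension Provider can use to communicate over HTTP") and fix "an GRPC" to "a gRPC". Finally, the OpenTelemetry gRPC and Dynatrace examples embed credentials directly in MeshConfig (`value: "token-xxxxx"`, `value: "Api-Token dt0c01."`); a one-line note that these values sit in plain text in the mesh configuration alongside everything else would help operators decide how to handle the real token.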
    @@ -4763,7 +2566,62 @@ For example, /a%2f/b normalizes to a/b.

    -

    MeshConfig.TLSConfig.TLSProtocol

    +

    TLSConfig

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    the minimum TLS protocol version. The default minimum +TLS version will be TLS 1.2. As servers may not be Envoy and be +set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the +minimum TLS version for clients may also be TLS 1.2. +In the current Istio implementation, the maximum TLS protocol version +is TLS 1.3.

    + +
    +
    string[]
    +
    +

    Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. +If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to +Ecdh Curves.

    + +
    +
    string[]
    +
    +

    Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. +If not specified, the following cipher suites will be used:

    +
    ECDHE-ECDSA-AES256-GCM-SHA384
    +ECDHE-RSA-AES256-GCM-SHA384
    +ECDHE-ECDSA-AES128-GCM-SHA256
    +ECDHE-RSA-AES128-GCM-SHA256
    +AES256-GCM-SHA384
    +AES128-GCM-SHA256
    +
    + +
    +
    +

    TLSProtocol

    TLS protocol versions.

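Review bot: the cipher list description says the suites apply "when negotiating TLS 1.0-1.2", but the preceding row says the default minimum TLS version is 1.2 and the maximum is 1.3, so readers are left wondering whether 1.0 or 1.1 can actually be negotiated; say instead that the list applies to TLS 1.2 handshakes (TLS 1.3 suites are not affected by this setting). The default list also ends with `AES256-GCM-SHA384` and `AES128-GCM-SHA256`, which use static RSA key exchange and therefore provide no forward secrecy; worth calling out so operators who need PFS know to restrict cipherSuites to the ECDHE entries. Minor: the minimum-version description starts in lower case ("the minimum TLS protocol version.") while every other row starts with a capital.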
    @@ -4799,7 +2657,46 @@ For example, /a%2f/b normalizes to a/b.

    -

    MeshConfig.IngressControllerMode

    +

    Settings

    +
    +

    Settings for the selected services.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    bool
    +
    +

    If true, specifies that the client and service endpoints must reside in the same cluster. +By default, in multi-cluster deployments, the Istio control plane assumes all service +endpoints to be reachable from any client in any of the clusters which are part of the +mesh. This configuration option limits the set of service endpoints visible to a client +to be cluster scoped.

    +

    There are some common scenarios when this can be useful:

    +
      +
    • A service (or group of services) is inherently local to the cluster and has local storage +for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
    • +
    • A mesh administrator wants to slowly migrate services to Istio. They might start by first +having services cluster-local and then slowly transition them to mesh-wide. They could do +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group +(e.g. *.myns.svc.cluster.local).
    • +
    +

    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all +services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

    + +
    +
    +

    IngressControllerMode

    @@ -4848,7 +2745,7 @@ cloud-provided ingress controller).

    -

    MeshConfig.AccessLogEncoding

    +

    AccessLogEncoding

    @@ -4875,7 +2772,7 @@ cloud-provided ingress controller).

    -

    MeshConfig.H2UpgradePolicy

    +

    H2UpgradePolicy

    Default Policy for upgrading http1.1 connections to http2.

    @@ -4904,31 +2801,315 @@ cloud-provided ingress controller).

    -

    Resource

    +

    LabelSelector

    -

    Resource describes the source of configuration

    +

    A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. +Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    - +
    - + - - + + + + + +
    NameField Description
    SERVICE_REGISTRY
    +
    map<string, string>
    +
    -

    Set to only receive service entries that are generated by the platform. -These auto generated service entries are combination of services and endpoints -that are generated by a specific platform e.g. k8

    +

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed.

    + +
    +

    matchExpressions is a list of label selector requirements. The requirements are ANDed.

    -

    Tracing.OpenCensusAgent.TraceContext

    +

    LabelSelectorRequirement

    +
    +

    A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. +Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    key is the label key that the selector applies to.

    + +
    +
    string
    +
    +

    operator represents a key’s relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist.

    + +
    +
    string[]
    +
    +

    values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.

    + +
    +
    +

    ConfigSource

    +
    +

    ConfigSource describes information about a configuration store inside a +mesh. A single control plane instance can interact with one or more data +sources.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of the server implementing the Istio Mesh Configuration +protocol (MCP). Can be IP address or a fully qualified DNS name. +Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or +fs:/// to specify a file-based backend with absolute path to the directory.

    + +
    +

    Use the tlsSettings to specify the tls mode to use. If the MCP server +uses Istio mutual TLS and shares the root CA with istiod, specify the TLS +mode as ISTIO_MUTUAL.

    + +
    +

    Describes the source of configuration, if nothing is specified default is MCP

    + +
    +
    +

    Tracing

    +
    +

    Tracing defines configuration for the tracing performed by Envoy instances.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Use a Zipkin tracer.

    + +
    +

    Use a Datadog tracer.

    + +
    +
    double
    +
    +

    The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, +if not requested by the client or not forced. Default is 1.0.

    + +
    +

    Use the tlsSettings to specify the tls mode to use. If the remote tracing service +uses Istio mutual TLS and shares the root CA with istiod, specify the TLS +mode as ISTIO_MUTUAL.

    + +
    +

    Determines whether or not trace spans generated by Envoy will include Istio specific tags. +By default Istio specific tags are included in the trace spans.

    + +
    +
    +

    Zipkin

    +
    +

    Zipkin defines configuration for a Zipkin tracer.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of the Zipkin service (e.g. zipkin:9411).

    + +
    +
    +

    Datadog

    +
    +

    Datadog defines configuration for a Datadog tracer.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of the Datadog Agent.

    + +
    +
    +

    Stackdriver

    +
    +

    Stackdriver defines configuration for a Stackdriver tracer. +See Envoy’s OpenCensus trace configuration +and +OpenCensus trace config for details.

    + + + + + + + + + + +
    FieldDescription
    +
    +

    OpenCensusAgent

    +
    +

    OpenCensusAgent defines configuration for an OpenCensus tracer writing to +an OpenCensus agent backend. See +Envoy’s OpenCensus trace configuration +and +OpenCensus trace config +for details.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or +unix:path). See gRPC naming +docs for +details.

    + +
    +

    Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will +write all headers.

    + +
    +
    +

    TraceContext

    TraceContext selects the context propagation headers used for distributed tracing.
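Review bot: the description added for the new LabelSelector type (the paragraph directly under the LabelSelector heading, before the matchLabels row) is the LabelSelectorRequirement text ("A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. Copied from Kubernetes..."), and the same sentence is repeated verbatim under the LabelSelectorRequirement heading a few rows later. Since this page is generated from the proto comments, the fix belongs upstream in the comment on the LabelSelector message: it should describe the selector itself (matchLabels and matchExpressions, with all requirements ANDed) rather than one requirement, otherwise the rendered reference documents two different types with an identical sentence.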

    @@ -4978,7 +3159,940 @@ for details.

    -

    ProxyConfig.ProxyHeaders.MetadataExchangeMode

    +

    Topology

    +
    +

    Topology describes the configuration for relative location of a proxy with +respect to intermediate trusted proxies and the client. These settings +control how the client attributes are retrieved from the incoming traffic by +the gateway proxy and propagated to the upstream services in the cluster.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Number of trusted proxies deployed in front of the Istio gateway proxy. +When this option is set to value N greater than zero, the trusted client +address is assumed to be the Nth address from the right end of the +X-Forwarded-For (XFF) header from the incoming request. If the +X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the +gateway proxy falls back to using the immediate downstream connection’s +source address as the trusted client address. +Note that the gateway proxy will append the downstream connection’s source +address to the X-Forwarded-For (XFF) address and set the +X-Envoy-External-Address header to the trusted client address before +forwarding it to the upstream services in the cluster. +The default value of numTrustedProxies is 0. +See Envoy XFF +header handling for more details.

    + +
    +

    Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) +header in the incoming request.

    + +
    +

    Enables PROXY protocol for +downstream connections on a gateway.

    + +
    +
    +

    ProxyProtocolConfiguration

    +
    +

    PROXY protocol configuration.

    + +
    +

    PrivateKeyProvider

    +
    +

    PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured +mesh-wide or individual per-workload basis.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Use CryptoMb private key provider

    + +
    +

    Use QAT private key provider

    + +
    +
    +

    CryptoMb

    +
    +

    CryptoMb PrivateKeyProvider configuration

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    How long to wait until the per-thread processing queue should be processed. If the processing queue +gets full (eight sign or decrypt requests are received) it is processed immediately. +However, if the queue is not filled before the delay has expired, the requests already in the queue +are processed, even if the queue is not full. +In effect, this value controls the balance between latency and throughput. +The duration needs to be set to a value greater than or equal to 1 millisecond.

    + +
    +

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) +Envoy will fallback to the BoringSSL default implementation when the fallback is true. +The default value is false.

    + +
    +
    +

    QAT

    +
    +

    QAT (QuickAssist Technology) PrivateKeyProvider configuration

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    How long to wait before polling the hardware accelerator after a request has been submitted there. +Having a small value leads to quicker answers from the hardware but causes more polling loop spins, +leading to potentially larger CPU usage. +The duration needs to be set to a value greater than or equal to 1 millisecond.

    + +
    +

    If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) +Envoy will fallback to the BoringSSL default implementation when the fallback is true. +The default value is false.

    + +
    +
    +

    ProxyConfig

    +
    +

    ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis +as well as by the mesh-wide defaults. +To set the mesh-wide defaults, configure the defaultConfig section of meshConfig. For example:

    +
    meshConfig:
    +  defaultConfig:
    +    discoveryAddress: istiod:15012
    +
    +

    This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod. For example:

    +
    annotations:
    +  proxy.istio.io/config: |
    +    discoveryAddress: istiod:15012
    +
    +

    If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. +This is different than a deep merge provided by protobuf. +For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider +such as "tracing": { "zipkin": { "address": "..." } }.

    +

    Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Path to the generated configuration file directory. +Proxy agent generates the actual configuration and stores it in this directory.

    + +
    +
    string
    +
    +

    Path to the proxy binary

    + +
    +
    string (oneof)
    +
    +

    Service cluster defines the name for the service_cluster that is +shared by all Envoy instances. This setting corresponds to +--service-cluster flag in Envoy. In a typical Envoy deployment, the +service-cluster flag is used to identify the caller, for +source-based routing scenarios.

    +

    Since Istio does not assign a local service/service version to each +Envoy instance, the name is same for all of them. However, the +source/caller’s identity (e.g., IP address) is encoded in the +--service-node flag when launching Envoy. When the RDS service +receives API calls from Envoy, it uses the value of the service-node +flag to compute routes that are relative to the service instances +located at that IP address.

    + +
    +

    Used by Envoy proxies to assign the values for the service names in trace +spans.

    + +
    +

    The time in seconds that Envoy will drain connections during a hot +restart. MUST be >=1s (e.g., 1s/1m/1h) +Default drain duration is 45s.

    + +
    +

    Address of the discovery service exposing xDS with mTLS connection. +The inject configuration may override this value.

    + +
    +

    IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125).

    + +
    +

    Port on which Envoy should listen for administrative commands. +Default port is 15000.

    + +
    +

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +Default is set to MUTUAL_TLS.

    + +
    +

    File path of custom proxy configuration, currently used by proxies +in front of istiod.

    + +
    +

    Maximum length of name field in Envoy’s metrics. The length of the name field +is determined by the length of a name field in a service and the set of labels that +comprise a particular version of the service. The default value is set to 189 characters. +Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. +Increase the value of this field if you find that the metrics from Envoys are truncated.

    + +
    +

    The number of worker threads to run. +If unset, which is recommended, this will be automatically determined based on CPU requests/limits. +If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance +issues if CPU limits are also set.

    + +
    +

    Path to the proxy bootstrap template file

    + +
    +

    The mode used to redirect inbound traffic to Envoy.

    + +
    +

    Tracing configuration to be used by the proxy.

    + +
    +

    Address of the service to which access logs from Envoys should be +sent. (e.g. accesslog-service:15000). See Access Log +Service +for details about Envoy’s gRPC Access Log Service API.

    + +
    +

    Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). +See Metric Service +for details about Envoy’s Metrics Service API.

    + +
    +
    map<string, string>
    +
    +

    Additional environment variables for the proxy. +Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

    + +
    +
    map<string, string>
    +
    +

    Envoy runtime configuration to set during bootstrapping. +This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

    + +
    +
    int32
    +
    +

    Port on which the agent should listen for administrative commands such as readiness probe. +Default is set to port 15020.

    + +
    +
    string[]
    +
    +

    An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be +added by configuring the telemetry extension. Each additional tag needs to be present in this list. +Extra tags emitted by the telemetry extensions must be listed here so that they can be processed +and exposed as Prometheus metrics. +Deprecated: istio.stats is a native filter now, this field is no longer needed.

    + +
    +

    Topology encapsulates the configuration which describes where the proxy is +located i.e. behind a (or N) trusted proxy (proxies) or directly exposed +to the internet. This configuration only effects gateways and is applied +to all the gateways in the cluster unless overridden via annotations of the +gateway workloads.

    + +
    +

    The amount of time allowed for connections to complete on proxy shutdown. +On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start gracefully draining, +discouraging any new connections and allowing existing connections to complete. It then +sleeps for the terminationDrainDuration and then kills any remaining active Envoy processes. +If not set, a default of 5s will be applied.

    + +
    +
    string
    +
    +

    The unique identifier for the service mesh +All control planes running in the same service mesh should specify the same mesh ID. +Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

    + +
    +

    VM Health Checking readiness probe. This health check config exactly mirrors the +kubernetes readiness probe configuration both in schema and logic. +Only one health check method of 3 can be set at a time.

    + +
    +

    Proxy stats matcher defines configuration for reporting custom Envoy stats. +To reduce memory and CPU overhead from Envoy stats system, Istio proxies by +default create and expose only a subset of Envoy stats. This option is to +control creation of additional Envoy stats with prefix, suffix, and regex +expressions match on the name of the stats. This replaces the stats +inclusion annotations +(sidecar.istio.io/statsInclusionPrefixes, +sidecar.istio.io/statsInclusionRegexps, and +sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats +for circuit breakers, request retries, upstream connections, and request timeouts, +you can specify stats matcher as follows:

    +
    proxyStatsMatcher:
    +  inclusionRegexps:
    +    - .*outlier_detection.*
    +    - .*upstream_rq_retry.*
    +    - .*upstream_cx_.*
    +  inclusionSuffixes:
    +    - upstream_rq_timeout
    +
    +

    Note including more Envoy stats might increase number of time series +collected by prometheus significantly. Care needs to be taken on Prometheus +resource provision and configuration to reduce cardinality.

    + +
    +

    Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. +This feature adds hooks to delay application startup until the pod proxy +is ready to accept traffic, mitigating some startup race conditions. +Default value is ‘false’.

    + +
    +
    string[]
    +
    +

    The PEM data of the extra root certificates for workload-to-workload communication. +This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. +The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) +are added automatically by Istiod.

    + +
    +

    Specifies the details of the proxy image.

    + +
    +

    Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.

    + +
    +

    Define the set of headers to add/modify for HTTP request/responses.

    +

    To enable an optional header, simply set the field. If no specific configuration is required, an empty object ({}) will enable it. +Note: currently all headers are enabled by default.

    +

    Below shows an example of customizing the server header and disabling the X-Envoy-Attempt-Count header:

    +
    proxyHeaders:
    +  server:
    +    value: "my-custom-server"
    +  # Explicitly enable Request IDs.
    +  # As this is the default, this has no effect.
    +  requestId: {}
    +  attemptCount:
    +    disabled: true
    +
    +

    Below shows an example of preserving the header case for HTTP 1.x requests

    +
    proxyHeaders:
    +  perserveHttp1HeaderCase: true
    +
    +

    Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:

    +
    proxyHeaders:
    +  forwardedClientCert: SANITIZE
    +  server:
    +    disabled: true
    +  requestId:
    +    disabled: true
    +  attemptCount:
    +    disabled: true
    +  envoyDebugHeaders:
    +    disabled: true
    +  metadataExchangeHeaders:
    +    mode: IN_MESH
    +
    + +
    +
    string
    +
    +

    Address of the Zipkin service (e.g. zipkin:9411). +DEPRECATED: Use tracing instead.

    + +
    +
    +

    ProxyStatsMatcher

    +
    +

    Proxy stats name matchers for stats creation. Note this is in addition to +the minimum Envoy stats that Istio generates by default.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    Proxy stats name prefix matcher for inclusion.

    + +
    +
    string[]
    +
    +

    Proxy stats name suffix matcher for inclusion.

    + +
    +
    string[]
    +
    +

    Proxy stats name regexps matcher for inclusion.

    + +
    +
    +

    ProxyHeaders

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Controls the X-Forwarded-Client-Cert header for inbound sidecar requests. To set this on gateways, use the Topology setting. +To disable the header, configure either SANITIZE (to always remove the header, if present) or FORWARD_ONLY (to leave the header as-is). +By default, APPEND_FORWARD will be used.

    + +
    +

    This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET +and the client connection is mTLS. It specifies the fields in +the client certificate to be forwarded. Note that Hash is always set, and +By is always set when the client certificate presents the URI type Subject Alternative Name value.

    + +
    +

    Controls the X-Request-Id header. If enabled, a request ID is generated for each request if one is not already set. +This applies to all types of traffic (inbound, outbound, and gateways). +If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. +Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. +This header is enabled by default if not configured.

    + +
    +

    Controls the server header. If enabled, the Server: istio-envoy header is set in response headers for inbound traffic (including gateways). +If disabled, the Server header is not modified. If it is already present, it will be preserved.

    + +
    +

    Controls the X-Envoy-Attempt-Count header. +If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. +If disabled, this header will not be set. If it is already present, it will be preserved. +This header is enabled by default if not configured.

    + +
    +

    Controls various X-Envoy-* headers, such as X-Envoy-Overloaded and X-Envoy-Upstream-Service-Time. If enabled, +these headers will be included. +If disabled, these headers will not be set. If they are already present, they will be preserved. +See the Envoy documentation for more details. +These headers are enabled by default if not configured.

    + +
    +

    Controls Istio metadata exchange headers X-Envoy-Peer-Metadata and X-Envoy-Peer-Metadata-Id. +By default, the behavior is unspecified. +If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.

    + +
    +

    When true, the original case of HTTP/1.x headers will be preserved +as they pass through the proxy, rather than normalizing them to lowercase. +This field is particularly useful for applications that require case-sensitive +headers for interoperability with downstream systems or APIs that expect specific +casing. +The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers +to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 +requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 +standards.

    + +
    +
    +

    Server

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    string
    +
    +

    If set, and the server header is enabled, this value will be set as the server header. By default, istio-envoy will be used.

    + +
    +
    +

    RequestId

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    AttemptCount

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    EnvoyDebugHeaders

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    MetadataExchangeHeaders

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    +
    +

    SetCurrentClientCertDetails

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Whether to forward the subject of the client cert. Defaults to true.

    + +
    +

    Whether to forward the entire client cert in URL encoded PEM format. This will appear in the +XFCC header comma separated from other values with the value Cert=“PEM”. +Defaults to false.

    + +
    +

    Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM +format. This will appear in the XFCC header comma separated from other values with the value +Chain=“PEM”. +Defaults to false.

    + +
    +

    Whether to forward the DNS type Subject Alternative Names of the client cert. +Defaults to true.

    + +
    +

    Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to +true.

    + +
    +
    +

    MetadataExchangeMode
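Review bot: the "preserving the header case" example in the ProxyConfig proxyHeaders description spells the key `perserveHttp1HeaderCase`, while the field documented later in ProxyHeaders is `preserve_http1_header_case` (camelCase `preserveHttp1HeaderCase`); copied as written the example sets an unknown key and has no effect. The text is generated from the proto comment, so the correction belongs upstream in the ProxyConfig comment. Two smaller wording points in the same hunk: the X-Forwarded-Client-Cert paragraph in ProxyHeaders says "To disable the header, configure either SANITIZE ... or FORWARD_ONLY (to leave the header as-is)", but an option that leaves the header as-is does not disable it, so "disable" should be narrowed to something like "to stop the proxy from appending its own certificate details"; and the CryptoMb/QAT fallback text ("the required hardware capability doesn't existed"), the Topology text ("only effects gateways") and the RequestId text ("no request ID will be generate") need grammar fixes ("does not exist", "affects", "generated").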

    @@ -5006,7 +4120,7 @@ Traffic is considered in-mesh if it is secured with Istio mutual TLS. This means
    -

    ProxyConfig.TracingServiceName

    +

    TracingServiceName

    Allows specification of various Istio-supported naming schemes for the Envoy service_cluster value. The service_cluster value is primarily used @@ -5045,7 +4159,7 @@ a cluster name. If the app label does not exist istio-proxy

    -

    ProxyConfig.InboundInterceptionMode

    +

    InboundInterceptionMode

    The mode used to redirect inbound traffic to Envoy. This setting has no effect on outbound traffic: iptables REDIRECT is always used for @@ -5083,6 +4197,274 @@ filtering and manipulation. This mode also configures the sidecar to run with th

    The NONE mode does not configure redirect to Envoy at all. This is an advanced configuration that typically requires changes to user applications.

    + + + + +
    +

    RemoteService

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Address of a remove service used for various purposes (access log +receiver, metrics receiver, etc.). Can be IP address or a fully +qualified DNS name.

    + +
    +

    Use the tlsSettings to specify the tls mode to use. If the remote service +uses Istio mutual TLS and shares the root CA with istiod, specify the TLS +mode as ISTIO_MUTUAL.

    + +
    +

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    + +
    +
    +

    Network

    +
    +

    Network provides information about the endpoints in a routable L3 +network. A single routable L3 network can have one or more service +registries. Note that the network has no relation to the locality of the +endpoint. The endpoint locality will be obtained from the service +registry.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    The list of endpoints in the network (obtained through the +constituent service registries or from CIDR ranges). All endpoints in +the network are directly accessible to one another.

    + +
    +

    Set of gateways associated with the network.

    + +
    +
    +

    NetworkEndpoints

    +
    +

    NetworkEndpoints describes how the network associated with an endpoint +should be inferred. An endpoint will be assigned to a network based on +the following rules:

    +
      +
    1. +

      Implicitly: If the registry explicitly provides information about +the network to which the endpoint belongs to. In some cases, its +possible to indicate the network associated with the endpoint by +adding the ISTIO_META_NETWORK environment variable to the sidecar.

      +
    2. +
    3. +

      Explicitly:

      +

      a. By matching the registry name with one of the “fromRegistry” +in the mesh config. A “fromRegistry” can only be assigned to a +single network.

      +

      b. By matching the IP against one of the CIDR ranges in a mesh +config network. The CIDR ranges must not overlap and be assigned to +a single network.

      +
    4. +
    +

    (2) will override (1) if both are present.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    A CIDR range for the set of endpoints in this network. The CIDR +ranges for endpoints from different networks must not overlap.

    + +
    +
    string (oneof)
    +
    +

    Add all endpoints from the specified registry into this network. +The names of the registries should correspond to the kubeconfig file name +inside the secret that was used to configure the registry (Kubernetes +multicluster) or supplied by MCP server.

    + +
    +
    +

    IstioNetworkGateway

    +
    +

    The gateway associated with this network. Traffic from remote networks +will arrive at the specified gateway:port. All incoming traffic must +use mTLS.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string (oneof)
    +
    +

    A fully qualified domain name of the gateway service. istiod will +lookup the service from the service registries in the network and +obtain the endpoint IPs of the gateway from the service +registry. Note that while the service name is a fully qualified +domain name, it need not be resolvable outside the orchestration +platform for the registry. e.g., this could be +istio-ingressgateway.istio-system.svc.cluster.local.

    + +
    +
    string (oneof)
    +
    +

    IP address or externally resolvable DNS address associated with the gateway.

    + +
    +
    uint32
    +
    Required
    +
    +

    The port associated with the gateway.

    + +
    +
    string
    +
    +

    The locality associated with an explicitly specified gateway (i.e. ip)

    + +
    +
    +

    MeshNetworks

    +
    +

    MeshNetworks (config map) provides information about the set of networks +inside a mesh and how to route to endpoints in each network. For example

    +

    MeshNetworks(file/config map):

    +
    networks:
    +  network1:
    +    endpoints:
    +    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    +    - fromCidr: 192.168.100.0/22 #a VM network for example
    +    gateways:
    +    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
    +      port: 15443
    +      locality: us-east-1a
    +    - address: 192.168.100.1
    +      port: 15443
    +      locality: us-east-1a
    +
    + + + + + + + + + + + + + + +
    FieldDescription
    +
    map<string, Network>
    +
    Required
    +
    +

    The set of networks inside this mesh. Each network should +have a unique name and information about how to infer the endpoints in +the network as well as the gateways associated with the network.

    + +
    +
    +

    Resource

    +
    +

    Resource describes the source of configuration

    + + + + + + + + + + + + diff --git a/content/zh/docs/reference/config/labels/index.html b/content/zh/docs/reference/config/labels/index.html index d587638060..5edcbcaa2b 100644 --- a/content/zh/docs/reference/config/labels/index.html +++ b/content/zh/docs/reference/config/labels/index.html @@ -289,6 +289,29 @@ indicates the type of traffic this waypoint can handle.
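Review bot: the RemoteService address description reads "Address of a remove service"; it should be "remote service". In the NetworkEndpoints rules in the same hunk, the first rule opens "Implicitly: If the registry explicitly provides information about the network", which contradicts itself; keep "Implicitly" as the rule label but drop "explicitly" from the sentence, and "its possible" should be "it is possible". Both strings come from the proto comments, so the fix is upstream in the comment text rather than in this generated HTML.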

    NameDescription
    SERVICE_REGISTRY +

    Set to only receive service entries that are generated by the platform. +These auto generated service entries are combination of services and endpoints +that are generated by a specific platform e.g. k8

    +
    +

    service.istio.io/workload-name

    + + + + + + + + + + + + + + + + + + + +
    Nameservice.istio.io/workload-name
    Feature StatusAlpha
    Resource Types[Pod WorkloadEntry]
    Description

    The workload name of the application a workload belongs to. If unset, defaults to the detect parent resource. +For example, a Pod resource may default to the Deployment name.

    +

    sidecar.istio.io/inject
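Review bot: the new service.istio.io/workload-name description says the value "defaults to the detect parent resource"; this should be "detected parent resource". The text is generated from the label definition, so the fix belongs in the upstream source for that label, not in this rendered page.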

    diff --git a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html index dd323fd255..5789451952 100644 --- a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -14,33 +14,27 @@ number_of_entries: 2 - - - - + - - - + - @@ -52,88 +46,72 @@ No - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html index 8ac9cf8247..af205b0f23 100644 --- a/content/zh/docs/reference/config/networking/destination-rule/index.html +++ b/content/zh/docs/reference/config/networking/destination-rule/index.html @@ -103,15 +103,15 @@ after routing has occurred.

    - - - - + - - - + - - - + - - - + - - - + - @@ -209,59 +198,50 @@ destination ports. See DestinationRule for examples.

    - - - - + - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldType DescriptionRequired
    conditionsIstioCondition[]

    Current service state of the resource. More info: https://istio.io/docs/reference/config/config-status/

    -
    -No
    validationMessagesAnalysisMessageBase[]

    Includes any errors or warnings detected by Istio’s analyzers.

    -
    -No
    FieldType DescriptionRequired
    typestring
    +
    string
    +

    Type is the type of the condition.

    -
    -No
    statusstring
    +
    string
    +

    Status is the status of the condition. Can be True, False, Unknown.

    -
    -No
    lastProbeTimeTimestamp

    Last time we probed the condition.

    -
    -No
    lastTransitionTimeTimestamp

    Last time the condition transitioned from one status to another.

    -
    -No
    reasonstring
    +
    string
    +

    Unique, one-word, CamelCase reason for the condition’s last transition.

    -
    -No
    messagestring
    +
    string
    +

    Human-readable message indicating details about last transition.

    -
    -No
    observedGenerationint64

    Resource Generation to which the Condition refers.

    -
    -No
    FieldType DescriptionRequired
    hoststring
    +
    string
    +
    Required
    +

    The name of a service from the service registry. Service names are looked up from the platform’s service registry (e.g., @@ -128,38 +128,32 @@ potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

    Note that the host field applies to both HTTP and TCP services.

    -
    -Yes
    trafficPolicyTrafficPolicy

    Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection).

    -
    -No
    subsetsSubset[]

    One or more named sets that represent individual versions of a service. Traffic policies can be overridden at subset level.

    -
    -No
    exportTostring[]
    +
    string[]
    +

    A list of namespaces to which this destination rule is exported. The resolution of a destination rule to apply to a service occurs in the @@ -174,14 +168,12 @@ namespaces by default.

    the destination rule is declared in. Similarly, the value “*” is reserved and defines an export to all namespaces.

    -
    -No
    workloadSelectorWorkloadSelector

    Criteria used to select the specific set of pods/VMs on which this DestinationRule configuration should be applied. If specified, the DestinationRule @@ -192,9 +184,6 @@ For example, if specific sidecars need to have egress TLS settings for services of the mesh, instead of every sidecar in the mesh needing to have the configuration (which is the default behaviour), a workload selector can be specified.

    -
    -No
    FieldType DescriptionRequired
    loadBalancerLoadBalancerSettings

    Settings controlling the load balancer algorithms.

    -
    -No
    connectionPoolConnectionPoolSettings

    Settings controlling the volume of connections to an upstream service

    -
    -No
    outlierDetectionOutlierDetection

    Settings controlling eviction of unhealthy hosts from the load balancing pool

    -
    -No
    tlsClientTLSSettings

    TLS related settings for connections to the upstream service.

    -
    -No
    portLevelSettingsPortTrafficPolicy[]

    Traffic policies specific to individual ports. Note that port level settings will override the destination-level settings. Traffic @@ -269,33 +249,187 @@ settings specified at the destination-level will not be inherited when overridden by port-level settings, i.e. default values will be applied to fields omitted in port-level traffic policies.

    -
    -No
    tunnelTunnelSettings

    Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. Tunnel settings can be applied to TCP or TLS routes and can’t be applied to HTTP routes.

    -
    -No
    proxyProtocolProxyProtocol

    The upstream PROXY protocol settings.

    +
    +

    PortTrafficPolicy

    +
    +

    Traffic policies that apply to specific ports of the service

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    -No +

    Specifies the number of a port on the destination service +on which this policy is being applied.

    + +
    +

    Settings controlling the load balancer algorithms.

    + +
    +

    Settings controlling the volume of connections to an upstream service

    + +
    +

    Settings controlling eviction of unhealthy hosts from the load balancing pool

    + +
    +

    TLS related settings for connections to the upstream service.

    + +
    +
    +

    TunnelSettings

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Specifies which protocol to use for tunneling the downstream connection. +Supported protocols are:

    +
      +
    • CONNECT - uses HTTP CONNECT;
    • +
    • POST - uses HTTP POST.
    • +
    +

    CONNECT is used by default if not specified.

    +

    HTTP version for upstream requests is determined by the service protocol defined for the proxy.

    + +
    +
    string
    +
    Required
    +
    +

    Specifies a host to which the downstream connection is tunneled. +Target host must be an FQDN or IP address.

    + +
    +
    uint32
    +
    Required
    +
    +

    Specifies a port to which the downstream connection is tunneled.

    + +
    +
    +

    ProxyProtocol

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +

    The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details. +By default it is V1.

    + +
    +
    +

    VERSION

    +
    + + + + + + + + + + + + + + + @@ -340,48 +474,41 @@ can be used to identify a specific SNI host corresponding to the named subset. - - - - + - - - + - - - + - @@ -426,56 +553,47 @@ spec: - - - - + - - - + - - - + - - - + - - - + -
    NameDescription
    V1 +

    ⁣PROXY protocol version 1. Human readable format.

    + +
    V2 +

    ⁣PROXY protocol version 2. Binary format.

    +
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +

    Name of the subset. The service name and the subset name can be used for traffic splitting in a route rule.

    -
    -Yes
    labelsmap<string, string>
    +
    map<string, string>
    +

    Labels apply a filter over the endpoints of a service in the service registry. See route rules for examples of usage.

    -
    -No
    trafficPolicyTrafficPolicy

    Traffic policies that apply to this subset. Subsets inherit the traffic policies specified at the DestinationRule level. Settings specified at the subset level will override the corresponding settings specified at the DestinationRule level.

    -
    -No
    FieldType DescriptionRequired
    simpleSimpleLB (oneof) -No -
    consistentHashConsistentHashLB (oneof) -No -
    localityLbSettingLocalityLoadBalancerSetting

    Locality load balancer settings, this will override mesh-wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig

    -
    -No
    warmupDurationSecsDuration

    Deprecated: use warmup instead.

    -
    -No
    warmupWarmupConfiguration

    Represents the warmup configuration of Service. If set, the newly created endpoint of service remains in warmup mode starting from its creation time for the duration of this window and @@ -486,825 +604,12 @@ endpoints are relatively new like new deployment, this is not very effective as amount of requests. Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers.

    -
    -No
    -

    WarmupConfiguration

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    durationDuration -

    Duration of warmup mode

    - -
    -Yes -
    minimumPercentDoubleValue -

    Configures the minimum percentage of origin weight -If unspecified, defaults to 10

    - -
    -No -
    aggressionDoubleValue -

    This parameter controls the speed of traffic increase over the warmup duration. Defaults to 1.0, so that endpoints would -get linearly increasing amount of traffic. When increasing the value for this parameter, -the speed of traffic ramp-up increases non-linearly.

    - -
    -No -
    -
    -

    ConnectionPoolSettings

    -
    -

    Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy’s circuit -breaker -for more details. Connection pool settings can be applied at the TCP -level as well as at HTTP level.

    -

    For example, the following rule sets a limit of 100 connections to redis -service called myredissrv with a connect timeout of 30ms

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: bookinfo-redis
    -spec:
    -  host: myredissrv.prod.svc.cluster.local
    -  trafficPolicy:
    -    connectionPool:
    -      tcp:
    -        maxConnections: 100
    -        connectTimeout: 30ms
    -        tcpKeepalive:
    -          time: 7200s
    -          interval: 75s
    -
    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    tcpTCPSettings -

    Settings common to both HTTP and TCP upstream connections.

    - -
    -No -
    httpHTTPSettings -

    HTTP connection pool settings.

    - -
    -No -
    -
    -

    OutlierDetection

    -
    -

    A Circuit breaker implementation that tracks the status of each -individual host in the upstream service. Applicable to both HTTP and -TCP services. For HTTP services, hosts that continually return 5xx -errors for API calls are ejected from the pool for a pre-defined period -of time. For TCP services, connection timeouts or connection -failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy’s outlier -detection -for more details.

    -

    The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the “reviews” service. In addition, -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream -hosts to be scanned every 5 mins so that any host that fails 7 consecutive -times with a 502, 503, or 504 error code will be ejected for 15 minutes.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: reviews-cb-policy
    -spec:
    -  host: reviews.prod.svc.cluster.local
    -  trafficPolicy:
    -    connectionPool:
    -      tcp:
    -        maxConnections: 100
    -      http:
    -        http2MaxRequests: 1000
    -        maxRequestsPerConnection: 10
    -    outlierDetection:
    -      consecutive5xxErrors: 7
    -      interval: 5m
    -      baseEjectionTime: 15m
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    splitExternalLocalOriginErrorsbool -

    Determines whether to distinguish local origin failures from external errors. If set to true -consecutiveLocalOriginFailures is taken into account for outlier detection calculations. -This should be used when you want to derive the outlier detection status based on the errors -seen locally such as failure to connect, timeout while connecting etc. rather than the status code -returned by upstream service. This is especially useful when the upstream service explicitly returns -a 5xx for some requests and you want to ignore those responses from upstream service while determining -the outlier detection status of a host. -Defaults to false.

    - -
    -No -
    consecutiveLocalOriginFailuresUInt32Value -

    The number of consecutive locally originated failures before ejection -occurs. Defaults to 5. Parameter takes effect only when splitExternalLocalOriginErrors -is set to true.

    - -
    -No -
    consecutiveGatewayErrorsUInt32Value -

    Number of gateway errors before a host is ejected from the connection pool. -When the upstream host is accessed over HTTP, a 502, 503, or 504 return -code qualifies as a gateway error. When the upstream host is accessed over -an opaque TCP connection, connect timeouts and connection error/failure -events qualify as a gateway error. -This feature is disabled by default or when set to the value 0.

    -

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be -used separately or together. Because the errors counted by -consecutiveGatewayErrors are also included in consecutive5xxErrors, -if the value of consecutiveGatewayErrors is greater than or equal to -the value of consecutive5xxErrors, consecutiveGatewayErrors will have -no effect.

    - -
    -No -
    consecutive5xxErrorsUInt32Value -

    Number of 5xx errors before a host is ejected from the connection pool. -When the upstream host is accessed over an opaque TCP connection, connect -timeouts, connection error/failure and request failure events qualify as a -5xx error. -This feature defaults to 5 but can be disabled by setting the value to 0.

    -

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be -used separately or together. Because the errors counted by -consecutiveGatewayErrors are also included in consecutive5xxErrors, -if the value of consecutiveGatewayErrors is greater than or equal to -the value of consecutive5xxErrors, consecutiveGatewayErrors will have -no effect.

    - -
    -No -
    intervalDuration -

    Time interval between ejection sweep analysis. format: -1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    - -
    -No -
    baseEjectionTimeDuration -

    Minimum ejection duration. A host will remain ejected for a period -equal to the product of minimum ejection duration and the number of -times the host has been ejected. This technique allows the system to -automatically increase the ejection period for unhealthy upstream -servers. format: 1h/1m/1s/1ms. MUST be >=1ms. Default is 30s.

    - -
    -No -
    maxEjectionPercentint32 -

    Maximum % of hosts in the load balancing pool for the upstream -service that can be ejected. Defaults to 10%.

    - -
    -No -
    minHealthPercentint32 -

    Outlier detection will be enabled as long as the associated load balancing -pool has at least minHealthPercent hosts in healthy mode. When the -percentage of healthy hosts in the load balancing pool drops below this -threshold, outlier detection will be disabled and the proxy will load balance -across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it’s not typically -applicable in k8s environments with few pods per service.

    - -
    -No -
    -
    -

    ClientTLSSettings

    -
    -

    SSL/TLS related settings for upstream connections. See Envoy’s TLS -context -for more details. These settings are common to both HTTP and TCP upstreams.

    -

    For example, the following rule configures a client to use mutual TLS -for connections to upstream database cluster.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: db-mtls
    -spec:
    -  host: mydbserver.prod.svc.cluster.local
    -  trafficPolicy:
    -    tls:
    -      mode: MUTUAL
    -      clientCertificate: /etc/certs/myclientcert.pem
    -      privateKey: /etc/certs/client_private_key.pem
    -      caCertificates: /etc/certs/rootcacerts.pem
    -
    -

    The following rule configures a client to use TLS when talking to a -foreign service whose domain matches *.foo.com.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: tls-foo
    -spec:
    -  host: "*.foo.com"
    -  trafficPolicy:
    -    tls:
    -      mode: SIMPLE
    -
    -

    The following rule configures a client to use Istio mutual TLS when talking -to rating services.

    -
    apiVersion: networking.istio.io/v1
    -kind: DestinationRule
    -metadata:
    -  name: ratings-istio-mtls
    -spec:
    -  host: ratings.prod.svc.cluster.local
    -  trafficPolicy:
    -    tls:
    -      mode: ISTIO_MUTUAL
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeTLSmode -

    Indicates whether connections to this port should be secured -using TLS. The value of this field determines how TLS is enforced.

    - -
    -No -
    clientCertificatestring -

    REQUIRED if mode is MUTUAL. The path to the file holding the -client-side TLS certificate to use. -Should be empty if mode is ISTIO_MUTUAL.

    - -
    -No -
    privateKeystring -

    REQUIRED if mode is MUTUAL. The path to the file holding the -client’s private key. -Should be empty if mode is ISTIO_MUTUAL.

    - -
    -No -
    caCertificatesstring -

    OPTIONAL: The path to the file containing certificate authority -certificates to use in verifying a presented server certificate. If -omitted, the proxy will verify the server’s certificate using -the OS CA certificates. -Should be empty if mode is ISTIO_MUTUAL.

    - -
    -No -
    credentialNamestring -

    The name of the secret that holds the TLS certs for the -client including the CA certificates. This secret must exist in -the namespace of the proxy using the certificates. -An Opaque secret should contain the following keys and values: -key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, -crl: <certificateRevocationList> -Here CACertificate is used to verify the server certificate. -For mutual TLS, cacert: <CACertificate> can be provided in the -same secret or a separate secret named <secret>-cacert. -A TLS secret for client certificates with an additional -ca.crt key for CA certificates and ca.crl key for -certificate revocation list(CRL) is also supported. -Only one of client certificates and CA certificate -or credentialName can be specified.

    -

    NOTE: This field is applicable at sidecars only if -DestinationRule has a workloadSelector specified. -Otherwise the field will be applicable only at gateways, and -sidecars will continue to use the certificate paths.

    - -
    -No -
    subjectAltNamesstring[] -

    A list of alternate names to verify the subject identity in the -certificate. If specified, the proxy will verify that the server -certificate’s subject alt name matches one of the specified values. -If specified, this list overrides the value of subjectAltNames -from the ServiceEntry. If unspecified, automatic validation of upstream -presented certificate for new upstream connections will be done based on the -downstream HTTP host/authority header.

    - -
    -No -
    snistring -

    SNI string to present to the server during TLS handshake. -If unspecified, SNI will be automatically set based on downstream HTTP -host/authority header for SIMPLE and MUTUAL TLS modes.

    - -
    -No -
    insecureSkipVerifyBoolValue -

    insecureSkipVerify specifies whether the proxy should skip verifying the -CA signature and SAN for the server certificate corresponding to the host. -The default value of this field is false.

    - -
    -No -
    caCrlstring -

    OPTIONAL: The path to the file containing the certificate revocation list (CRL) -to use in verifying a presented server certificate. CRL is a list of certificates -that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. -If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. -If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, -CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

    - -
    -No -
    -
    -

    LocalityLoadBalancerSetting

    -
    -

    Locality-weighted load balancing allows administrators to control the -distribution of traffic to endpoints based on the localities of where the -traffic originates and where it will terminate. These localities are -specified using arbitrary labels that designate a hierarchy of localities in -{region}/{zone}/{sub-zone} form. For additional detail refer to -Locality Weight -The following example shows how to setup locality weights mesh-wide.

    -

    Given a mesh with workloads and their service deployed to “us-west/zone1/*” -and “us-west/zone2/*”. This example specifies that when traffic accessing a -service originates from workloads in “us-west/zone1/*”, 80% of the traffic -will be sent to endpoints in “us-west/zone1/*”, i.e the same zone, and the -remaining 20% will go to endpoints in “us-west/zone2/*”. This setup is -intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in “us-west/zone2/*”.

    -
      distribute:
    -    - from: us-west/zone1/*
    -      to:
    -        "us-west/zone1/*": 80
    -        "us-west/zone2/*": 20
    -    - from: us-west/zone2/*
    -      to:
    -        "us-west/zone1/*": 20
    -        "us-west/zone2/*": 80
    -
    -

    If the goal of the operator is not to distribute load across zones and -regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a ‘failover’ policy instead of -a ‘distribute’ policy.

    -

    The following example sets up a locality failover policy for regions. -Assume a service resides in zones within us-east, us-west & eu-west -this example specifies that when endpoints within us-east become unhealthy -traffic should failover to endpoints in any zone or sub-zone within eu-west -and similarly us-west should failover to us-east.

    -
     failover:
    -   - from: us-east
    -     to: eu-west
    -   - from: us-west
    -     to: us-east
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    distributeDistribute[] -

    Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing -If empty, the locality weight is set according to the endpoints number within it.

    - -
    -No -
    failoverFailover[] -

    Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. -Should be used together with OutlierDetection to detect unhealthy endpoints. -Note: if no OutlierDetection specified, this will not take effect.

    - -
    -No -
    failoverPrioritystring[] -

    failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. -This is to support traffic failover across different groups of endpoints. -Two kinds of labels can be specified:

    -
      -
    • -

      Specify only label keys [key1, key2, key3], istio would compare the label values of client with endpoints. -Suppose there are total N label keys [key1, key2, key3, ...keyN] specified:

      -
        -
      1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
      2. -
      3. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
      4. -
      5. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
      6. -
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. -
      -
    • -
    • -

      Specify labels with key and value [key1=value1, key2=value2, key3=value3], istio would compare the labels with endpoints. -Suppose there are total N labels [key1=value1, key2=value2, key3=value3, ...keyN=valueN] specified:

      -
        -
      1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
      2. -
      3. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
      4. -
      5. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
      6. -
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. -
      -
    • -
    -

    Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

    -

    It can be any label specified on both client and server workloads. -The following labels which have special semantic meaning are also supported:

    -
      -
    • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
    • -
    • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
    • -
    • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
    • -
    • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
    • -
    • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
    • -
    • kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.
    • -
    -

    The below topology config indicates the following priority levels:

    -
    failoverPriority:
    -- "topology.istio.io/network"
    -- "topology.kubernetes.io/region"
    -- "topology.kubernetes.io/zone"
    -- "topology.istio.io/subzone"
    -
    -
      -
    1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
    2. -
    3. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
    4. -
    5. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
    6. -
    7. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
    8. -
    9. all the other endpoints have the same lowest priority.
    10. -
    -

    Suppose a service associated endpoints reside in multi clusters, the below example represents:

    -
      -
    1. endpoints in clusterA and has version=v1 label have P(0) priority.
    2. -
    3. endpoints not in clusterA but has version=v1 label have P(1) priority.
    4. -
    5. all the other endpoints have P(2) priority.
    6. -
    -
    failoverPriority:
    -- "version=v1"
    -- "topology.istio.io/cluster=clusterA"
    -
    -

    Optional: only one of distribute, failover or failoverPriority can be set. -And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

    - -
    -No -
    enabledBoolValue -

    Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety. -e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.

    - -
    -No -
    -
    -

    TrafficPolicy.PortTrafficPolicy

    -
    -

    Traffic policies that apply to specific ports of the service

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    portPortSelector -

    Specifies the number of a port on the destination service -on which this policy is being applied.

    - -
    -No -
    loadBalancerLoadBalancerSettings -

    Settings controlling the load balancer algorithms.

    - -
    -No -
    connectionPoolConnectionPoolSettings -

    Settings controlling the volume of connections to an upstream service

    - -
    -No -
    outlierDetectionOutlierDetection -

    Settings controlling eviction of unhealthy hosts from the load balancing pool

    - -
    -No -
    tlsClientTLSSettings -

    TLS related settings for connections to the upstream service.

    - -
    -No -
    -
    -

    TrafficPolicy.TunnelSettings

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    protocolstring -

    Specifies which protocol to use for tunneling the downstream connection. -Supported protocols are:

    -
      -
    • CONNECT - uses HTTP CONNECT;
    • -
    • POST - uses HTTP POST.
    • -
    -

    CONNECT is used by default if not specified.

    -

    HTTP version for upstream requests is determined by the service protocol defined for the proxy.

    - -
    -No -
    targetHoststring -

    Specifies a host to which the downstream connection is tunneled. -Target host must be an FQDN or IP address.

    - -
    -Yes -
    targetPortuint32 -

    Specifies a port to which the downstream connection is tunneled.

    - -
    -Yes -
    -
    -

    TrafficPolicy.ProxyProtocol

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    versionVERSION -

    The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details. -By default it is V1.

    - -
    -No -
    -
    -

    LoadBalancerSettings.ConsistentHashLB

    +

    ConsistentHashLB
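Review bot: this hunk (-486,825 +604,12) deletes the WarmupConfiguration, ConnectionPoolSettings, OutlierDetection, ClientTLSSettings, LocalityLoadBalancerSetting, TrafficPolicy.PortTrafficPolicy, TrafficPolicy.TunnelSettings and TrafficPolicy.ProxyProtocol sections together with their YAML examples (bookinfo-redis, reviews-cb-policy, db-mtls, tls-foo, ratings-istio-mtls) and the locality distribute/failover samples, replacing 825 lines with 12. Of those, only PortTrafficPolicy, TunnelSettings and ProxyProtocol reappear as nested sections in the earlier +249,187 hunk; nothing in this diff re-adds ConnectionPoolSettings, OutlierDetection, ClientTLSSettings or LocalityLoadBalancerSetting. Before merging, confirm the new layout still renders them elsewhere in the file (presumably nested under TrafficPolicy), because the removed ClientTLSSettings table carries the caveats operators rely on: insecureSkipVerify defaults to false, credentialName applies at sidecars only when the DestinationRule has a workloadSelector, and caCrl cannot be combined with credentialName. The same check applies to the later -1481,460 +762,44 hunk, which drops ConnectionPoolSettings.TCPSettings with its note that idleTimeout is a listener property and therefore applies to all weighted routes, not only the first.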

    Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other @@ -1325,108 +630,91 @@ or a high level load balancer handles locality affinity.

    Field -Type Description -Required -httpHeaderName -string (oneof) +
    +
    string (oneof)
    +

    Hash based on a specific HTTP header.

    - - -No -httpCookie -HTTPCookie (oneof) +

    Hash based on HTTP cookie.

    - - -No -useSourceIp -bool (oneof) +
    +
    bool (oneof)
    +

    Hash based on the source IP address. This is applicable for both TCP and HTTP connections.

    - - -No -httpQueryParameterName -string (oneof) +
    +
    string (oneof)
    +

    Hash based on a specific HTTP query parameter.

    - - -No -ringHash -RingHash (oneof) +

    The ring/modulo hash load balancer implements consistent hashing to backend hosts.

    - - -No -maglev -MagLev (oneof) +

    The Maglev load balancer implements consistent hashing to backend hosts.

    - - -No -minimumRingSize -uint64 +
    +
    uint64
    +

    Deprecated. Use RingHash instead.

    - - -No
    -

    LoadBalancerSettings.ConsistentHashLB.RingHash

    +

    RingHash

    - - - - + -
    FieldType DescriptionRequired
    minimumRingSizeuint64
    +
    uint64
    +

    The minimum number of virtual nodes to use for the hash ring. Defaults to 1024. Larger ring sizes result in more granular @@ -1434,29 +722,25 @@ load distributions. If the number of hosts in the load balancing pool is larger than the ring size, each host will be assigned a single virtual node.

    -
    -No
    -

    LoadBalancerSettings.ConsistentHashLB.MagLev

    +

    MagLev

    - - - - + -
    FieldType DescriptionRequired
    tableSizeuint64
    +
    uint64
    +

    The table size for Maglev hashing. This helps in controlling the disruption when the backend hosts change. @@ -1464,15 +748,12 @@ Increasing the table size reduces the amount of disruption. The table size must be prime number less than 5000011. If it is not specified, the default is 65537.

    -
    -No
    -

    LoadBalancerSettings.ConsistentHashLB.HTTPCookie

    +

    HTTPCookie

    Describes a HTTP cookie that will be used as the hash key for the Consistent Hash load balancer.
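Review bot: two wording nits in the context carried by this hunk: the MagLev description says "The table size must be prime number less than 5000011" (should be "a prime number"), and the HTTPCookie description says "Describes a HTTP cookie" (should be "an HTTP cookie"). Both are unchanged context generated from the upstream comments, so the fix belongs in the source comment rather than in this HTML.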

    @@ -1481,460 +762,44 @@ Consistent Hash load balancer.

    Field -Type Description -Required -name -string +
    +
    string
    +
    Required
    +

    Name of the cookie.

    - - -Yes -path -string +
    +
    string
    +

    Path to set for the cookie.

    - - -No -ttl -Duration +

    Lifetime of the cookie. If specified, a cookie with the TTL will be generated if the cookie is not present. If the TTL is present and zero, the generated cookie will be a session cookie.

    - - -No
    -

    ConnectionPoolSettings.TCPSettings

    -
    -

    Settings common to both HTTP and TCP upstream connections.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    maxConnectionsint32 -

    Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

    - -
    -No -
    connectTimeoutDuration -

    TCP connection timeout. format: -1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    - -
    -No -
    tcpKeepaliveTcpKeepalive -

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    - -
    -No -
    maxConnectionDurationDuration -

    The maximum duration of a connection. The duration is defined as the period since a connection -was established. If not set, there is no max duration. When maxConnectionDuration -is reached the connection will be closed. Duration must be at least 1ms.

    - -
    -No -
    idleTimeoutDuration -

    The idle timeout for TCP connections. -The idle timeout is defined as the period in which there are no bytes sent or received on either -the upstream or downstream connection. -If not set, the default idle timeout is 1 hour. If set to 0s, the timeout will be disabled. -Idle timeout is not configured per each cluster individually when weighted destinations are used, -because idleTimeout is a property of a listener, not a cluster. In that case, idleTimeout -specified in a destination rule for the first weighted route is configured in the listener, -which means also for all weighted routes.

    - -
    -No -
    -
    -

    ConnectionPoolSettings.HTTPSettings

    -
    -

    Settings applicable to HTTP1.1/HTTP2/GRPC connections.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    http1MaxPendingRequestsint32 -

    Maximum number of requests that will be queued while waiting for -a ready connection pool connection. Default 2^32-1. -Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking -under which conditions a new connection is created for HTTP2. -Please note that this is applicable to both HTTP/1.1 and HTTP2.

    - -
    -No -
    http2MaxRequestsint32 -

    Maximum number of active requests to a destination. Default 2^32-1. -Please note that this is applicable to both HTTP/1.1 and HTTP2.

    - -
    -No -
    maxRequestsPerConnectionint32 -

    Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning “unlimited”, -up to 2^29.

    - -
    -No -
    maxRetriesint32 -

    Maximum number of retries that can be outstanding to all hosts in a -cluster at a given time. Defaults to 2^32-1.

    - -
    -No -
    idleTimeoutDuration -

    The idle timeout for upstream connection pool connections. The idle timeout -is defined as the period in which there are no active requests. -If not set, the default is 1 hour. When the idle timeout is reached, -the connection will be closed. If the connection is an HTTP/2 -connection a drain sequence will occur prior to closing the connection. -Note that request based timeouts mean that HTTP/2 PINGs will not -keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

    - -
    -No -
    h2UpgradePolicyH2UpgradePolicy -

    Specify if http1.1 connection should be upgraded to http2 for the associated destination.

    - -
    -No -
    useClientProtocolbool -

    If set to true, client protocol will be preserved while initiating connection to backend. -Note that when this is set to true, h2UpgradePolicy will be ineffective i.e. the client -connections will not be upgraded to http2.

    - -
    -No -
    maxConcurrentStreamsint32 -

    The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. -Defaults to 2^31-1.

    - -
    -No -
    -
    -

    ConnectionPoolSettings.TCPSettings.TcpKeepalive

    -
    -

    TCP keepalive.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    probesuint32 -

    Maximum number of keepalive probes to send without response before -deciding the connection is dead. Default is to use the OS level configuration -(unless overridden, Linux defaults to 9.)

    - -
    -No -
    timeDuration -

    The time duration a connection needs to be idle before keep-alive -probes start being sent. Default is to use the OS level configuration -(unless overridden, Linux defaults to 7200s (ie 2 hours.)

    - -
    -No -
    intervalDuration -

    The time duration between keep-alive probes. -Default is to use the OS level configuration -(unless overridden, Linux defaults to 75s.)

    - -
    -No -
    -
    -

    LocalityLoadBalancerSetting.Distribute

    -
    -

    Describes how traffic originating in the ‘from’ zone or sub-zone is -distributed over a set of ’to’ zones. Syntax for specifying a zone is -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any -segment of the specification. Examples:

    -

    * - matches all localities

    -

    us-west/* - all zones and sub-zones within the us-west region

    -

    us-west/zone-1/* - all sub-zones within us-west/zone-1

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromstring -

    Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

    - -
    -No -
    tomap<string, uint32> -

    Map of upstream localities to traffic distribution weights. The sum of -all weights should be 100. Any locality not present will -receive no traffic.

    - -
    -No -
    -
    -

    LocalityLoadBalancerSetting.Failover

    -
    -

    Specify the traffic failover policy across regions. Since zone and sub-zone -failover is supported by default this only needs to be specified for -regions when the operator needs to constrain traffic failover so that -the default behavior of failing over to any endpoint globally does not -apply. This is useful when failing over traffic across regions would not -improve service health or may need to be restricted for other reasons -like regulatory controls.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromstring -

    Originating region.

    - -
    -No -
    tostring -

    Destination region the traffic will fail over to when endpoints in -the ‘from’ region becomes unhealthy.

    - -
    -No -
    -
    -

    google.protobuf.UInt32Value

    -
    -

    Wrapper message for uint32.

    -

    The JSON representation for UInt32Value is JSON number.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valueuint32 -

    The uint32 value.

    - -
    -No -
    -
    -

    TrafficPolicy.ProxyProtocol.VERSION

    -
    - - - - - - - - - - - - - - - - - -
    NameDescription
    V1 -

    ⁣PROXY protocol version 1. Human readable format.

    - -
    V2 -

    ⁣PROXY protocol version 2. Binary format.

    - -
    -
    -

    LoadBalancerSettings.SimpleLB

    +

    SimpleLB

    Standard load balancing algorithms that require no tuning.
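Review bot: this hunk deletes TrafficPolicy.ProxyProtocol.VERSION (V1 "Human readable format", V2 "Binary format") along with the sections that are relocated further down the page, but unlike ConnectionPoolSettings.TCPSettings, HTTPSettings, TcpKeepalive, LocalityLoadBalancerSetting.Distribute, Failover and UInt32Value, no re-added VERSION table appears in any later hunk of this file; confirm the enum is still rendered somewhere outside the shown hunks before merging, otherwise the PROXY protocol version values vanish from the reference. The removed tables also carried explicit Type (int32, Duration, bool) and Required columns for every field, whereas the replacement tables below only show a type line for some rows (uint32 on probes, int32 on maxRetries), so the generator's type rendering looks inconsistent and is worth a look at the template.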

    @@ -2004,7 +869,327 @@ LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

    -

    ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy

    +

    WarmupConfiguration

    +
    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +
    Required
    +
    +

    Duration of warmup mode

    + +
    +

    Configures the minimum percentage of origin weight +If unspecified, defaults to 10

    + +
    +

    This parameter controls the speed of traffic increase over the warmup duration. Defaults to 1.0, so that endpoints would +get linearly increasing amount of traffic. When increasing the value for this parameter, +the speed of traffic ramp-up increases non-linearly.

    + +
    +
    +

    ConnectionPoolSettings

    +
    +

    Connection pool settings for an upstream host. The settings apply to +each individual host in the upstream service. See Envoy’s circuit +breaker +for more details. Connection pool settings can be applied at the TCP +level as well as at HTTP level.

    +

    For example, the following rule sets a limit of 100 connections to redis +service called myredissrv with a connect timeout of 30ms

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: bookinfo-redis
    +spec:
    +  host: myredissrv.prod.svc.cluster.local
    +  trafficPolicy:
    +    connectionPool:
    +      tcp:
    +        maxConnections: 100
    +        connectTimeout: 30ms
    +        tcpKeepalive:
    +          time: 7200s
    +          interval: 75s
    +
    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Settings common to both HTTP and TCP upstream connections.

    + +
    +

    HTTP connection pool settings.

    + +
    +
    +

    TCPSettings

    +
    +

    Settings common to both HTTP and TCP upstream connections.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.

    + +
    +

    TCP connection timeout. format: +1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    + +
    +

    If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.

    + +
    +

    The maximum duration of a connection. The duration is defined as the period since a connection +was established. If not set, there is no max duration. When maxConnectionDuration +is reached the connection will be closed. Duration must be at least 1ms.

    + +
    +

    The idle timeout for TCP connections. +The idle timeout is defined as the period in which there are no bytes sent or received on either +the upstream or downstream connection. +If not set, the default idle timeout is 1 hour. If set to 0s, the timeout will be disabled. +Idle timeout is not configured per each cluster individually when weighted destinations are used, +because idleTimeout is a property of a listener, not a cluster. In that case, idleTimeout +specified in a destination rule for the first weighted route is configured in the listener, +which means also for all weighted routes.

    + +
    +
    +

    TcpKeepalive

    +
    +

    TCP keepalive.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Maximum number of keepalive probes to send without response before +deciding the connection is dead. Default is to use the OS level configuration +(unless overridden, Linux defaults to 9.)

    + +
    +

    The time duration a connection needs to be idle before keep-alive +probes start being sent. Default is to use the OS level configuration +(unless overridden, Linux defaults to 7200s (ie 2 hours.)

    + +
    +

    The time duration between keep-alive probes. +Default is to use the OS level configuration +(unless overridden, Linux defaults to 75s.)

    + +
    +
    +

    HTTPSettings

    +
    +

    Settings applicable to HTTP1.1/HTTP2/GRPC connections.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Maximum number of requests that will be queued while waiting for +a ready connection pool connection. Default 2^32-1. +Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking +under which conditions a new connection is created for HTTP2. +Please note that this is applicable to both HTTP/1.1 and HTTP2.

    + +
    +

    Maximum number of active requests to a destination. Default 2^32-1. +Please note that this is applicable to both HTTP/1.1 and HTTP2.

    + +
    +

    Maximum number of requests per connection to a backend. Setting this +parameter to 1 disables keep alive. Default 0, meaning “unlimited”, +up to 2^29.

    + +
    +
    int32
    +
    +

    Maximum number of retries that can be outstanding to all hosts in a +cluster at a given time. Defaults to 2^32-1.

    + +
    +

    The idle timeout for upstream connection pool connections. The idle timeout +is defined as the period in which there are no active requests. +If not set, the default is 1 hour. When the idle timeout is reached, +the connection will be closed. If the connection is an HTTP/2 +connection a drain sequence will occur prior to closing the connection. +Note that request based timeouts mean that HTTP/2 PINGs will not +keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

    + +
    +

    Specify if http1.1 connection should be upgraded to http2 for the associated destination.

    + +
    +

    If set to true, client protocol will be preserved while initiating connection to backend. +Note that when this is set to true, h2UpgradePolicy will be ineffective i.e. the client +connections will not be upgraded to http2.

    + +
    +

    The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. +Defaults to 2^31-1.

    + +
    +
    +

    H2UpgradePolicy

    Policy for upgrading http1.1 connections to http2.
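Review bot: in the new WarmupConfiguration table a stray "Required" cell follows the "FieldDescription" header even though the Required column was dropped from every other table in this change, so the template appears to leave one cell behind for this type. Separately, "Configures the minimum percentage of origin weight If unspecified, defaults to 10" runs two sentences together and never says 10 percent of what; that text comes from the proto comment and should be fixed there. The ConnectionPoolSettings example (maxConnections: 100, connectTimeout: 30ms, tcpKeepalive time 7200s / interval 75s) is valid, but the keepalive values merely restate the Linux defaults the TcpKeepalive table lists, so the example teaches less than one with deliberately shorter probe settings would.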

    @@ -2042,7 +1227,345 @@ This opt-in option overrides the default.

    -

    ClientTLSSettings.TLSmode

    +

    OutlierDetection

    +
    +

    A Circuit breaker implementation that tracks the status of each +individual host in the upstream service. Applicable to both HTTP and +TCP services. For HTTP services, hosts that continually return 5xx +errors for API calls are ejected from the pool for a pre-defined period +of time. For TCP services, connection timeouts or connection +failures to a given host counts as an error when measuring the +consecutive errors metric. See Envoy’s outlier +detection +for more details.

    +

    The following rule sets a connection pool size of 100 HTTP1 connections +with no more than 10 req/connection to the “reviews” service. In addition, +it sets a limit of 1000 concurrent HTTP2 requests and configures upstream +hosts to be scanned every 5 mins so that any host that fails 7 consecutive +times with a 502, 503, or 504 error code will be ejected for 15 minutes.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: reviews-cb-policy
    +spec:
    +  host: reviews.prod.svc.cluster.local
    +  trafficPolicy:
    +    connectionPool:
    +      tcp:
    +        maxConnections: 100
    +      http:
    +        http2MaxRequests: 1000
    +        maxRequestsPerConnection: 10
    +    outlierDetection:
    +      consecutive5xxErrors: 7
    +      interval: 5m
    +      baseEjectionTime: 15m
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Determines whether to distinguish local origin failures from external errors. If set to true +consecutiveLocalOriginFailures is taken into account for outlier detection calculations. +This should be used when you want to derive the outlier detection status based on the errors +seen locally such as failure to connect, timeout while connecting etc. rather than the status code +returned by upstream service. This is especially useful when the upstream service explicitly returns +a 5xx for some requests and you want to ignore those responses from upstream service while determining +the outlier detection status of a host. +Defaults to false.

    + +
    +

    The number of consecutive locally originated failures before ejection +occurs. Defaults to 5. Parameter takes effect only when splitExternalLocalOriginErrors +is set to true.

    + +
    +

    Number of gateway errors before a host is ejected from the connection pool. +When the upstream host is accessed over HTTP, a 502, 503, or 504 return +code qualifies as a gateway error. When the upstream host is accessed over +an opaque TCP connection, connect timeouts and connection error/failure +events qualify as a gateway error. +This feature is disabled by default or when set to the value 0.

    +

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be +used separately or together. Because the errors counted by +consecutiveGatewayErrors are also included in consecutive5xxErrors, +if the value of consecutiveGatewayErrors is greater than or equal to +the value of consecutive5xxErrors, consecutiveGatewayErrors will have +no effect.

    + +
    +

    Number of 5xx errors before a host is ejected from the connection pool. +When the upstream host is accessed over an opaque TCP connection, connect +timeouts, connection error/failure and request failure events qualify as a +5xx error. +This feature defaults to 5 but can be disabled by setting the value to 0.

    +

    Note that consecutiveGatewayErrors and consecutive5xxErrors can be +used separately or together. Because the errors counted by +consecutiveGatewayErrors are also included in consecutive5xxErrors, +if the value of consecutiveGatewayErrors is greater than or equal to +the value of consecutive5xxErrors, consecutiveGatewayErrors will have +no effect.

    + +
    +

    Time interval between ejection sweep analysis. format: +1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.

    + +
    +

    Minimum ejection duration. A host will remain ejected for a period +equal to the product of minimum ejection duration and the number of +times the host has been ejected. This technique allows the system to +automatically increase the ejection period for unhealthy upstream +servers. format: 1h/1m/1s/1ms. MUST be >=1ms. Default is 30s.

    + +
    +

    Maximum % of hosts in the load balancing pool for the upstream +service that can be ejected. Defaults to 10%.

    + +
    +

    Outlier detection will be enabled as long as the associated load balancing +pool has at least minHealthPercent hosts in healthy mode. When the +percentage of healthy hosts in the load balancing pool drops below this +threshold, outlier detection will be disabled and the proxy will load balance +across all hosts in the pool (healthy and unhealthy). The threshold can be +disabled by setting it to 0%. The default is 0% as it’s not typically +applicable in k8s environments with few pods per service.

    + +
    +
    +

    ClientTLSSettings

    +
    +

    SSL/TLS related settings for upstream connections. See Envoy’s TLS +context +for more details. These settings are common to both HTTP and TCP upstreams.

    +

    For example, the following rule configures a client to use mutual TLS +for connections to upstream database cluster.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: db-mtls
    +spec:
    +  host: mydbserver.prod.svc.cluster.local
    +  trafficPolicy:
    +    tls:
    +      mode: MUTUAL
    +      clientCertificate: /etc/certs/myclientcert.pem
    +      privateKey: /etc/certs/client_private_key.pem
    +      caCertificates: /etc/certs/rootcacerts.pem
    +
    +

    The following rule configures a client to use TLS when talking to a +foreign service whose domain matches *.foo.com.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: tls-foo
    +spec:
    +  host: "*.foo.com"
    +  trafficPolicy:
    +    tls:
    +      mode: SIMPLE
    +
    +

    The following rule configures a client to use Istio mutual TLS when talking +to rating services.

    +
    apiVersion: networking.istio.io/v1
    +kind: DestinationRule
    +metadata:
    +  name: ratings-istio-mtls
    +spec:
    +  host: ratings.prod.svc.cluster.local
    +  trafficPolicy:
    +    tls:
    +      mode: ISTIO_MUTUAL
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Indicates whether connections to this port should be secured +using TLS. The value of this field determines how TLS is enforced.

    + +
    +

    REQUIRED if mode is MUTUAL. The path to the file holding the +client-side TLS certificate to use. +Should be empty if mode is ISTIO_MUTUAL.

    + +
    +
    string
    +
    +

    REQUIRED if mode is MUTUAL. The path to the file holding the +client’s private key. +Should be empty if mode is ISTIO_MUTUAL.

    + +
    +
    string
    +
    +

    OPTIONAL: The path to the file containing certificate authority +certificates to use in verifying a presented server certificate. If +omitted, the proxy will verify the server’s certificate using +the OS CA certificates. +Should be empty if mode is ISTIO_MUTUAL.

    + +
    +
    string
    +
    +

    The name of the secret that holds the TLS certs for the +client including the CA certificates. This secret must exist in +the namespace of the proxy using the certificates. +An Opaque secret should contain the following keys and values: +key: <privateKey>, cert: <clientCert>, cacert: <CACertificate>, +crl: <certificateRevocationList> +Here CACertificate is used to verify the server certificate. +For mutual TLS, cacert: <CACertificate> can be provided in the +same secret or a separate secret named <secret>-cacert. +A TLS secret for client certificates with an additional +ca.crt key for CA certificates and ca.crl key for +certificate revocation list(CRL) is also supported. +Only one of client certificates and CA certificate +or credentialName can be specified.

    +

    NOTE: This field is applicable at sidecars only if +DestinationRule has a workloadSelector specified. +Otherwise the field will be applicable only at gateways, and +sidecars will continue to use the certificate paths.

    + +
    +
    string[]
    +
    +

    A list of alternate names to verify the subject identity in the +certificate. If specified, the proxy will verify that the server +certificate’s subject alt name matches one of the specified values. +If specified, this list overrides the value of subjectAltNames +from the ServiceEntry. If unspecified, automatic validation of upstream +presented certificate for new upstream connections will be done based on the +downstream HTTP host/authority header.

    + +
    +
    string
    +
    +

    SNI string to present to the server during TLS handshake. +If unspecified, SNI will be automatically set based on downstream HTTP +host/authority header for SIMPLE and MUTUAL TLS modes.

    + +
    +

    insecureSkipVerify specifies whether the proxy should skip verifying the +CA signature and SAN for the server certificate corresponding to the host. +The default value of this field is false.

    + +
    +
    string
    +
    +

    OPTIONAL: The path to the file containing the certificate revocation list (CRL) +to use in verifying a presented server certificate. CRL is a list of certificates +that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. +If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. +If omitted, the proxy will not verify the certificate against the crl. Note that if credentialName is set, +CRL cannot be specified using caCrl, rather it has to be specified inside the credential.

    + +
    +
    +

    TLSmode

    TLS connection mode
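Review bot: the OutlierDetection example prose and its YAML disagree: the text says hosts that fail 7 consecutive times "with a 502, 503, or 504 error code" are ejected, but the YAML sets consecutive5xxErrors: 7, which per the field description counts every 5xx, not only gateway errors; either change the prose to "any 5xx" or the field to consecutiveGatewayErrors: 7 (the field description already explains that a gateway threshold at or above the 5xx threshold has no effect). In ClientTLSSettings, the "*.foo.com" SIMPLE example sets no caCertificates or subjectAltNames, so per the field descriptions it trusts the OS CA bundle and derives the expected SAN from the downstream host/authority header; a sentence stating that, and that insecureSkipVerify: true disables both the CA and SAN checks and must not be copied into production rules, would stop readers from adopting a trust anchor they have not chosen. Both corrections belong in the proto comments this page is generated from.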

    @@ -2090,3 +1613,266 @@ used, all other fields in ClientTLSSettings should be empty.

    +

    LocalityLoadBalancerSetting

    +
    +

    Locality-weighted load balancing allows administrators to control the +distribution of traffic to endpoints based on the localities of where the +traffic originates and where it will terminate. These localities are +specified using arbitrary labels that designate a hierarchy of localities in +{region}/{zone}/{sub-zone} form. For additional detail refer to +Locality Weight +The following example shows how to setup locality weights mesh-wide.

    +

    Given a mesh with workloads and their service deployed to “us-west/zone1/*” +and “us-west/zone2/*”. This example specifies that when traffic accessing a +service originates from workloads in “us-west/zone1/*”, 80% of the traffic +will be sent to endpoints in “us-west/zone1/*”, i.e the same zone, and the +remaining 20% will go to endpoints in “us-west/zone2/*”. This setup is +intended to favor routing traffic to endpoints in the same locality. +A similar setting is specified for traffic originating in “us-west/zone2/*”.

    +
      distribute:
    +    - from: us-west/zone1/*
    +      to:
    +        "us-west/zone1/*": 80
    +        "us-west/zone2/*": 20
    +    - from: us-west/zone2/*
    +      to:
    +        "us-west/zone1/*": 20
    +        "us-west/zone2/*": 80
    +
    +

    If the goal of the operator is not to distribute load across zones and +regions but rather to restrict the regionality of failover to meet other +operational requirements an operator can set a ‘failover’ policy instead of +a ‘distribute’ policy.

    +

    The following example sets up a locality failover policy for regions. +Assume a service resides in zones within us-east, us-west & eu-west +this example specifies that when endpoints within us-east become unhealthy +traffic should failover to endpoints in any zone or sub-zone within eu-west +and similarly us-west should failover to us-east.

    +
     failover:
    +   - from: us-east
    +     to: eu-west
    +   - from: us-west
    +     to: us-east
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    only one of distribute, failover or failoverPriority can be set. +Explicitly specify loadbalancing weight across different zones and geographical locations. +Refer to Locality weighted load balancing +If empty, the locality weight is set according to the endpoints number within it.

    + +
    +

    only one of distribute, failover or failoverPriority can be set. +Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. +Should be used together with OutlierDetection to detect unhealthy endpoints. +Note: if no OutlierDetection specified, this will not take effect.

    + +
    +
    string[]
    +
    +

    failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. +This is to support traffic failover across different groups of endpoints. +Two kinds of labels can be specified:

    +
      +
    • +

      Specify only label keys [key1, key2, key3], istio would compare the label values of client with endpoints. +Suppose there are total N label keys [key1, key2, key3, ...keyN] specified:

      +
        +
      1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
      2. +
      3. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
      4. +
      5. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
      6. +
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. +
      +
    • +
    • +

      Specify labels with key and value [key1=value1, key2=value2, key3=value3], istio would compare the labels with endpoints. +Suppose there are total N labels [key1=value1, key2=value2, key3=value3, ...keyN=valueN] specified:

      +
        +
      1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
      2. +
      3. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
      4. +
      5. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
      6. +
      7. All the other endpoints have priority P(N) i.e. lowest priority.
      8. +
      +
    • +
    +

    Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

    +

    It can be any label specified on both client and server workloads. +The following labels which have special semantic meaning are also supported:

    +
      +
    • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
    • +
    • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
    • +
    • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
    • +
    • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
    • +
    • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
    • +
    • kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.
    • +
    +

    The below topology config indicates the following priority levels:

    +
    failoverPriority:
    +- "topology.istio.io/network"
    +- "topology.kubernetes.io/region"
    +- "topology.kubernetes.io/zone"
    +- "topology.istio.io/subzone"
    +
    +
      +
    1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
    2. +
    3. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
    4. +
    5. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
    6. +
    7. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
    8. +
    9. all the other endpoints have the same lowest priority.
    10. +
    +

    Suppose a service associated endpoints reside in multi clusters, the below example represents:

    +
      +
    1. endpoints in clusterA and has version=v1 label have P(0) priority.
    2. +
    3. endpoints not in clusterA but has version=v1 label have P(1) priority.
    4. +
    5. all the other endpoints have P(2) priority.
    6. +
    +
    failoverPriority:
    +- "version=v1"
    +- "topology.istio.io/cluster=clusterA"
    +
    +

    only one of distribute, failover or failoverPriority can be set. +And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

    + +
    +

    Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety. +e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.

    + +
    +
    +

    Distribute

    +
    +

    Describes how traffic originating in the ‘from’ zone or sub-zone is +distributed over a set of ’to’ zones. Syntax for specifying a zone is +{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any +segment of the specification. Examples:

    +

    * - matches all localities

    +

    us-west/* - all zones and sub-zones within the us-west region

    +

    us-west/zone-1/* - all sub-zones within us-west/zone-1

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

    + +
    +
    map<string, uint32>
    +
    +

    Map of upstream localities to traffic distribution weights. The sum of +all weights should be 100. Any locality not present will +receive no traffic.

    + +
    +
    +

    Failover

    +
    +

    Specify the traffic failover policy across regions. Since zone and sub-zone +failover is supported by default this only needs to be specified for +regions when the operator needs to constrain traffic failover so that +the default behavior of failing over to any endpoint globally does not +apply. This is useful when failing over traffic across regions would not +improve service health or may need to be restricted for other reasons +like regulatory controls.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    Originating region.

    + +
    +
    string
    +
    +

    Destination region the traffic will fail over to when endpoints in +the ‘from’ region becomes unhealthy.

    + +
    +
    +

    UInt32Value

    +
    +

    Wrapper message for uint32.

    +

    The JSON representation for UInt32Value is JSON number.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    The uint32 value.

    + +
    +
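Review bot: the failoverPriority sentence "only one of distribute, failover or failoverPriority can be set. And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect." leaves "it" ambiguous (the last field, or any of the three?); since the same dependency applies to the whole locality setting, state it once, above the three fields, e.g. "Locality load balancing only takes effect when OutlierDetection is also configured; without it, distribute, failover and failoverPriority have no effect." The "enabled" text "e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is" also needs a grammar pass, e.g. "setting true turns on locality load balancing for this DestinationRule regardless of the mesh-wide setting".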
    diff --git a/content/zh/docs/reference/config/networking/envoy-filter/index.html b/content/zh/docs/reference/config/networking/envoy-filter/index.html index b58b9e626a..d1dddf4807 100644 --- a/content/zh/docs/reference/config/networking/envoy-filter/index.html +++ b/content/zh/docs/reference/config/networking/envoy-filter/index.html @@ -363,15 +363,14 @@ generated by istiod.

    Field -Type Description -Required -workloadSelector -WorkloadSelector +

    Criteria used to select the specific set of pods/VMs on which this patch configuration should be applied. If omitted, the set @@ -380,16 +379,14 @@ instances in the same namespace. If the EnvoyFilter is present in the config root namespace, it will be applied to all applicable workloads in any namespace.

    - - -No -targetRefs -PolicyTargetReference[] + -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -405,25 +402,21 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    - - -No -configPatches -EnvoyConfigObjectPatch[] +

    One or more patches with match conditions.

    - - -No -priority -int32 +
    +
    int32
    +

    Priority defines the order in which patch sets are applied within a context. When one patch depends on another patch, the order of patch application @@ -439,15 +432,12 @@ to leave room for further insertion.

    Patch sets are sorted in the following ascending key order: priority, creation time, fully qualified resource name.

    - - -No -

    EnvoyFilter.ProxyMatch

    +

    ProxyMatch

    One or more properties of the proxy to match on.

    @@ -455,15 +445,14 @@ No Field -Type Description -Required -proxyVersion -string +
    +
    string
    +

    A regular expression in golang regex format (RE2) that can be used to select proxies using a specific version of istio @@ -474,14 +463,12 @@ variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker image. Custom proxy implementations should provide this metadata variable to take advantage of the Istio version check option.

    - - -No -metadata -map<string, string> +
    +
    map<string, string>
    +

    Match on the node metadata supplied by a proxy when connecting to istiod. Note that while Envoy’s node metadata is of @@ -490,15 +477,12 @@ istiod. All keys specified in the metadata must match with exact values. The match will fail if any of the specified keys are absent or the values fail to match.

    - - -No
    -

    EnvoyFilter.ClusterMatch

    +

    ClusterMatch

    Conditions specified in ClusterMatch must be met for the patch to be applied to a cluster.

    @@ -507,28 +491,25 @@ to be applied to a cluster.

    Field -Type Description -Required -portNumber -uint32 +
    +
    uint32
    +

    The service port for which this cluster was generated. If omitted, applies to clusters for any port. Note: for inbound cluster, it is the service target port.

    - - -No -service -string +
    +
    string
    +

    The fully qualified service name for this cluster. If omitted, applies to clusters for any service. For services defined @@ -536,41 +517,34 @@ through service entries, the service name is same as the hosts defined in the service entry. Note: for inbound cluster, this is ignored.

    - - -No -subset -string +
    +
    string
    +

    The subset associated with the service. If omitted, applies to clusters for any subset of a service.

    - - -No -name -string +
    +
    string
    +

    The exact name of the cluster to match. To match a specific cluster by name, such as the internally generated Passthrough cluster, leave all fields in clusterMatch empty, except the name.

    - - -No
    -

    EnvoyFilter.RouteConfigurationMatch

    +

    RouteConfigurationMatch

    Conditions specified in RouteConfigurationMatch must be met for the patch to be applied to a route configuration object or a @@ -580,40 +554,35 @@ specific virtual host within the route configuration.

    Field -Type Description -Required -portNumber -uint32 +
    +
    uint32
    +

    The service port number or gateway server port number for which this route configuration was generated. If omitted, applies to route configurations for all ports.

    - - -No -portName -string +
    +
    string
    +

    Applicable only for GATEWAY context. The gateway server port name for which this route configuration was generated.

    - - -No -gateway -string +
    +
    string
    +

    The Istio gateway config’s namespace/name for which this route configuration was generated. Applies only if the context is @@ -622,295 +591,33 @@ in conjunction with the portNumber and portName to acc select the Envoy route configuration for a specific HTTPS server within a gateway config object.

    - - -No -vhost -VirtualHostMatch +

    Match a specific virtual host in a route configuration and apply the patch to the virtual host.

    - - -No -name -string +
    +
    string
    +

    Route configuration name to match on. Can be used to match a specific route configuration by name, such as the internally generated http_proxy route configuration for all sidecars.

    - - -No
    -

    EnvoyFilter.ListenerMatch

    -
    -

    Conditions specified in a listener match must be met for the -patch to be applied to a specific listener across all filter -chains, or a specific filter chain inside the listener.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    portNumberuint32 -

    The service port/gateway port to which traffic is being -sent/received. If not specified, matches all listeners. Even though -inbound listeners are generated for the instance/pod ports, only -service ports should be used to match listeners.

    - -
    -No -
    filterChainFilterChainMatch -

    Match a specific filter chain in a listener. If specified, the -patch will be applied to the filter chain (and a specific -filter if specified) and not to other filter chains in the -listener.

    - -
    -No -
    listenerFilterstring -

    Match a specific listener filter. If specified, the -patch will be applied to the listener filter.

    - -
    -No -
    namestring -

    Match a specific listener by its name. The listeners generated -by istiod are typically named as IP:Port.

    - -
    -No -
    -
    -

    EnvoyFilter.Patch

    -
    -

    Patch specifies how the selected object should be modified.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    operationOperation -

    Determines how the patch should be applied.

    - -
    -No -
    valueStruct -

    The JSON config of the object being patched. This will be merged using -proto merge semantics with the existing proto in the path.

    - -
    -No -
    filterClassFilterClass -

    Determines the filter insertion order.

    - -
    -No -
    -
    -

    EnvoyFilter.EnvoyConfigObjectMatch

    -
    -

    One or more match conditions to be met before a patch is applied -to the generated configuration for a given proxy.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    contextPatchContext -

    The specific config generation context to match on. istiod -generates envoy configuration in the context of a gateway, -inbound traffic to sidecar and outbound traffic from sidecar.

    - -
    -No -
    proxyProxyMatch -

    Match on properties associated with a proxy.

    - -
    -No -
    listenerListenerMatch (oneof) -

    Match on envoy listener attributes.

    - -
    -No -
    routeConfigurationRouteConfigurationMatch (oneof) -

    Match on envoy HTTP route configuration attributes.

    - -
    -No -
    clusterClusterMatch (oneof) -

    Match on envoy cluster attributes.

    - -
    -No -
    -
    -

    EnvoyFilter.EnvoyConfigObjectPatch

    -
    -

    Changes to be made to various envoy config objects.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    applyToApplyTo -

    Specifies where in the Envoy configuration, the patch should be -applied. The match is expected to select the appropriate -object based on applyTo. For example, an applyTo with -HTTP_FILTER is expected to have a match condition on the -listeners, with a network filter selection on -envoy.filters.network.http_connection_manager and a sub filter selection on the -HTTP filter relative to which the insertion should be -performed. Similarly, an applyTo on CLUSTER should have a match -(if provided) on the cluster and not on a listener.

    - -
    -No -
    matchEnvoyConfigObjectMatch -

    Match on listener/route configuration/cluster.

    - -
    -No -
    patchPatch -

    The patch to apply along with the operation.

    - -
    -No -
    -
    -

    EnvoyFilter.RouteConfigurationMatch.RouteMatch

    +

    RouteMatch

    Match a specific route inside a virtual host in a route configuration.

    @@ -918,262 +625,35 @@ No Field -Type Description -Required -name -string +
    +
    string
    +

    The Route objects generated by default are named as default. Route objects generated using a virtual service will carry the name used in the virtual service’s HTTP routes.

    - - -No -action -Action +

    Match a route with specific action type.

    - - -No
    -

    EnvoyFilter.RouteConfigurationMatch.VirtualHostMatch

    -
    -

    Match a specific virtual host inside a route configuration.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The VirtualHosts objects generated by Istio are named as -host:port, where the host typically corresponds to the -VirtualService’s host field or the hostname of a service in the -registry.

    - -
    -No -
    routeRouteMatch -

    Match a specific route within the virtual host.

    - -
    -No -
    -
    -

    EnvoyFilter.ListenerMatch.FilterChainMatch

    -
    -

    For listeners with multiple filter chains (e.g., inbound -listeners on sidecars with permissive mTLS, gateway listeners -with multiple SNI matches), the filter chain match can be used -to select a specific filter chain to patch.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The name assigned to the filter chain.

    - -
    -No -
    snistring -

    The SNI value used by a filter chain’s match condition. This -condition will evaluate to false if the filter chain has no -sni match.

    - -
    -No -
    transportProtocolstring -

    Applies only to SIDECAR_INBOUND context. If non-empty, a -transport protocol to consider when determining a filter -chain match. This value will be compared against the -transport protocol of a new connection, when it’s detected by -the tls_inspector listener filter.

    -

    Accepted values include:

    -
      -
    • raw_buffer - default, used when no transport protocol is detected.
    • -
    • tls - set when TLS protocol is detected by the TLS inspector.
    • -
    - -
    -No -
    applicationProtocolsstring -

    Applies only to sidecars. If non-empty, a comma separated set -of application protocols to consider when determining a -filter chain match. This value will be compared against the -application protocols of a new connection, when it’s detected -by one of the listener filters such as the http_inspector.

    -

    Accepted values include: h2, http/1.1, http/1.0

    - -
    -No -
    filterFilterMatch -

    The name of a specific filter to apply the patch to. Set this -to envoy.filters.network.http_connection_manager to add a filter or apply a -patch to the HTTP connection manager.

    - -
    -No -
    destinationPortuint32 -

    The destination_port value used by a filter chain’s match condition. -This condition will evaluate to false if the filter chain has no destination_port match.

    - -
    -No -
    -
    -

    EnvoyFilter.ListenerMatch.FilterMatch

    -
    -

    Conditions to match a specific filter within a filter chain.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The filter name to match on. -For standard Envoy filters, canonical filter -names should be used.

    - -
    -No -
    subFilterSubFilterMatch -

    The next level filter within this filter to match -upon. Typically used for HTTP Connection Manager filters and -Thrift filters.

    - -
    -No -
    -
    -

    EnvoyFilter.ListenerMatch.SubFilterMatch

    -
    -

    Conditions to match a specific filter within another -filter. This field is typically useful to match a HTTP filter -inside the envoy.filters.network.http_connection_manager network filter. -This could also be applicable for thrift filters.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The filter name to match on.

    - -
    -No -
    -
    -

    EnvoyFilter.RouteConfigurationMatch.RouteMatch.Action

    +
    Action

    Action refers to the route action taken by Envoy when a http route matches.

    @@ -1216,7 +696,302 @@ No
    -

    EnvoyFilter.Patch.Operation

    +

    VirtualHostMatch

    +
    +

    Match a specific virtual host inside a route configuration.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The VirtualHosts objects generated by Istio are named as +host:port, where the host typically corresponds to the +VirtualService’s host field or the hostname of a service in the +registry.

    + +
    +

    Match a specific route within the virtual host.

    + +
    +
    +

    ListenerMatch

    +
    +

    Conditions specified in a listener match must be met for the +patch to be applied to a specific listener across all filter +chains, or a specific filter chain inside the listener.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    The service port/gateway port to which traffic is being +sent/received. If not specified, matches all listeners. Even though +inbound listeners are generated for the instance/pod ports, only +service ports should be used to match listeners.

    + +
    +

    Match a specific filter chain in a listener. If specified, the +patch will be applied to the filter chain (and a specific +filter if specified) and not to other filter chains in the +listener.

    + +
    +
    string
    +
    +

    Match a specific listener filter. If specified, the +patch will be applied to the listener filter.

    + +
    +
    string
    +
    +

    Match a specific listener by its name. The listeners generated +by istiod are typically named as IP:Port.

    + +
    +
    +

    FilterChainMatch

    +
    +

    For listeners with multiple filter chains (e.g., inbound +listeners on sidecars with permissive mTLS, gateway listeners +with multiple SNI matches), the filter chain match can be used +to select a specific filter chain to patch.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The name assigned to the filter chain.

    + +
    +
    string
    +
    +

    The SNI value used by a filter chain’s match condition. This +condition will evaluate to false if the filter chain has no +sni match.

    + +
    +

    Applies only to SIDECAR_INBOUND context. If non-empty, a +transport protocol to consider when determining a filter +chain match. This value will be compared against the +transport protocol of a new connection, when it’s detected by +the tls_inspector listener filter.

    +

    Accepted values include:

    +
      +
    • raw_buffer - default, used when no transport protocol is detected.
    • +
    • tls - set when TLS protocol is detected by the TLS inspector.
    • +
    + +
    +

    Applies only to sidecars. If non-empty, a comma separated set +of application protocols to consider when determining a +filter chain match. This value will be compared against the +application protocols of a new connection, when it’s detected +by one of the listener filters such as the http_inspector.

    +

    Accepted values include: h2, http/1.1, http/1.0

    + +
    +

    The name of a specific filter to apply the patch to. Set this +to envoy.filters.network.http_connection_manager to add a filter or apply a +patch to the HTTP connection manager.

    + +
    +
    uint32
    +
    +

    The destination_port value used by a filter chain’s match condition. +This condition will evaluate to false if the filter chain has no destination_port match.

    + +
    +
    +

    FilterMatch

    +
    +

    Conditions to match a specific filter within a filter chain.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The filter name to match on. +For standard Envoy filters, canonical filter +names should be used.

    + +
    +

    The next level filter within this filter to match +upon. Typically used for HTTP Connection Manager filters and +Thrift filters.

    + +
    +
    +

    SubFilterMatch

    +
    +

    Conditions to match a specific filter within another +filter. This field is typically useful to match a HTTP filter +inside the envoy.filters.network.http_connection_manager network filter. +This could also be applicable for thrift filters.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The filter name to match on.

    + +
    +
    +

    Patch

    +
    +

    Patch specifies how the selected object should be modified.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Determines how the patch should be applied.

    + +
    +

    The JSON config of the object being patched. This will be merged using +proto merge semantics with the existing proto in the path.

    + +
    +

    Determines the filter insertion order.

    + +
    +
    +

    Operation

    Operation denotes how the patch should be applied to the selected configuration.

    @@ -1322,7 +1097,7 @@ has no effect.

    -

    EnvoyFilter.Patch.FilterClass

    +

    FilterClass

    FilterClass determines the filter insertion point in the filter chain relative to the filters implicitly inserted by the control plane. @@ -1374,7 +1149,120 @@ Do not specify FilterClass if the filter is independent of others.<

    -

    EnvoyFilter.ApplyTo

    +

    EnvoyConfigObjectMatch

    +
    +

    One or more match conditions to be met before a patch is applied +to the generated configuration for a given proxy.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    The specific config generation context to match on. istiod +generates envoy configuration in the context of a gateway, +inbound traffic to sidecar and outbound traffic from sidecar.

    + +
    +

    Match on properties associated with a proxy.

    + +
    +

    Match on envoy listener attributes.

    + +
    +

    Match on envoy HTTP route configuration attributes.

    + +
    +

    Match on envoy cluster attributes.

    + +
    +
    +

    EnvoyConfigObjectPatch

    +
    +

    Changes to be made to various envoy config objects.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Specifies where in the Envoy configuration, the patch should be +applied. The match is expected to select the appropriate +object based on applyTo. For example, an applyTo with +HTTP_FILTER is expected to have a match condition on the +listeners, with a network filter selection on +envoy.filters.network.http_connection_manager and a sub filter selection on the +HTTP filter relative to which the insertion should be +performed. Similarly, an applyTo on CLUSTER should have a match +(if provided) on the cluster and not on a listener.

    + +
    +

    Match on listener/route configuration/cluster.

    + +
    +

    The patch to apply along with the operation.

    + +
    +
    +

    ApplyTo

    ApplyTo specifies where in the Envoy configuration, the given patch should be applied.

    @@ -1479,7 +1367,7 @@ is only supported by HTTP filters.

    -

    EnvoyFilter.PatchContext

    +

    PatchContext

    PatchContext selects a class of configurations based on the traffic flow direction and workload type.

    diff --git a/content/zh/docs/reference/config/networking/gateway/index.html b/content/zh/docs/reference/config/networking/gateway/index.html index 7ec56a866e..b0925e0fa0 100644 --- a/content/zh/docs/reference/config/networking/gateway/index.html +++ b/content/zh/docs/reference/config/networking/gateway/index.html @@ -175,26 +175,23 @@ receiving incoming or outgoing HTTP/TCP connections.

    Field -Type Description -Required -servers -Server[] +

    A list of server specifications.

    - - -No -selector -map<string, string> +
    +
    map<string, string>
    +

    One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. @@ -209,9 +206,6 @@ resource must reside in the same namespace as the gateway workload instance. If selector is nil, the Gateway will be applied to all workloads.

    - - -No @@ -276,27 +270,25 @@ spec: Field -Type Description -Required -port -Port +
    + +
    Required
    +

    The Port on which the proxy should listen for incoming connections.

    - - -Yes -bind -string +
    +
    string
    +

    The ip or the Unix domain socket to which the listener should be bound to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar @@ -307,14 +299,13 @@ This is typically used when a gateway needs to communicate to another mesh servi e.g. publishing metrics. In such case, the server created with the specified bind will not be available to external gateway clients.

    - - -No -hosts -string[] +
    +
    string[]
    +
    Required
    +

    One or more hosts exposed by this gateway. While typically applicable to @@ -343,35 +334,28 @@ Private configurations (e.g., exportTo set to .) will available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

    - - -Yes -tls -ServerTLSSettings +

    Set of TLS related options that govern the server’s behavior. Use these options to control if all http requests should be redirected to https, and the TLS modes to use.

    - - -No -name -string +
    +
    string
    +

    An optional name of the server, when set must be unique across all servers. This will be used for variety of purposes like prefixing stats generated with this name etc.

    - - -No @@ -385,46 +369,41 @@ No Field -Type Description -Required -number -uint32 +
    +
    uint32
    +
    Required
    +

    A valid non-negative integer port number.

    - - -Yes -protocol -string +
    +
    string
    +
    Required
    +

    The protocol exposed on the port. MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS. TLS can be either used to terminate non-HTTP based connections on a specific port or to route traffic based on SNI header to the destination without terminating the TLS connection.

    - - -Yes -name -string +
    +
    string
    +
    Required
    +

    Label assigned to the port.

    - - -Yes @@ -436,77 +415,66 @@ Yes Field -Type Description -Required -httpsRedirect -bool +

    If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.

    - - -No -mode -TLSmode + -

    Optional: Indicates whether connections to this port should be +

    Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

    - - -No -serverCertificate -string +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server-side TLS certificate to use.

    - - -No -privateKey -string +
    +
    string
    +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server’s private key.

    - - -No -caCertificates -string +
    +
    string
    +

    REQUIRED if mode is MUTUAL or OPTIONAL_MUTUAL. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.

    - - -No -caCrl -string +
    +
    string
    +

    OPTIONAL: The path to the file containing the certificate revocation list (CRL) to use in verifying a presented client side certificate. CRL is a list of certificates @@ -514,14 +482,12 @@ that have been revoked by the CA (Certificate Authority) before their scheduled If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. If omitted, the proxy will not verify the certificate against the crl.

    - - -No -credentialName -string +
    +
    string
    +

    For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. Applicable @@ -536,27 +502,23 @@ and ca.crl for certificate revocation list is also supported. Only one of server certificates and CA certificate or credentialName can be specified.

    - - -No -subjectAltNames -string[] +
    +
    string[]
    +

    A list of alternate names to verify the subject identity in the certificate presented by the client. Requires TLS mode to be set to MUTUAL.

    - - -No -verifyCertificateSpki -string[] +

    An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. @@ -564,14 +526,12 @@ Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

    - - -No -verifyCertificateHash -string[] +

    An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated @@ -580,41 +540,35 @@ Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.

    - - -No -minProtocolVersion -TLSProtocol + -

    Optional: Minimum TLS protocol version. By default, it is TLSV1_2. +

    Minimum TLS protocol version. By default, it is TLSV1_2. TLS protocol versions below TLSV1_2 require setting compatible ciphers with the cipherSuites setting as they no longer include compatible ciphers.

    Note: Using TLS protocol versions below TLSV1_2 has serious security risks.

    - - -No -maxProtocolVersion -TLSProtocol + -

    Optional: Maximum TLS protocol version.

    +

    Maximum TLS protocol version.

    - - -No -cipherSuites -string[] +
    +
    string[]
    +
    -

    Optional: If specified, only support the specified cipher list. +

    If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy as specified here. The supported list of ciphers are:

    @@ -636,15 +590,12 @@ The supported list of ciphers are:

  • DES-CBC3-SHA
  • - - -No
    -

    ServerTLSSettings.TLSmode

    +

    TLSmode

    TLS modes enforced by the proxy

    @@ -727,7 +678,7 @@ be specified for validating client certificates.

    -

    ServerTLSSettings.TLSProtocol

    +

    TLSProtocol

    TLS protocol versions.

    diff --git a/content/zh/docs/reference/config/networking/proxy-config/index.html b/content/zh/docs/reference/config/networking/proxy-config/index.html index c4f765260d..95f0206684 100644 --- a/content/zh/docs/reference/config/networking/proxy-config/index.html +++ b/content/zh/docs/reference/config/networking/proxy-config/index.html @@ -65,58 +65,48 @@ with the CR taking precedence over the annotation for overlapping fields. Simila Field -Type Description -Required -selector -WorkloadSelector + -

    Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. +

    Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. If not set, the ProxyConfig resource will be applied to all workloads in the namespace where this resource is defined.

    - - -No -concurrency -Int32Value +

    The number of worker threads to run. If unset, this will be automatically determined based on CPU limits. If set to 0, all cores on the machine will be used.

    - - -No -environmentVariables -map<string, string> +
    +
    map<string, string>
    +

    Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap configuration and sent to the XDS server.

    - - -No -image -ProxyImage +

    Specifies the details of the proxy image.

    - - -No @@ -133,24 +123,20 @@ This information was previously part of the Values API.

    Field -Type Description -Required -imageType -string +
    +
    string
    +

    The image type of the image. Istio publishes default, debug, and distroless images. Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.

    - - -No diff --git a/content/zh/docs/reference/config/networking/service-entry/index.html b/content/zh/docs/reference/config/networking/service-entry/index.html index 7964b1b28c..0abc0d5ab9 100644 --- a/content/zh/docs/reference/config/networking/service-entry/index.html +++ b/content/zh/docs/reference/config/networking/service-entry/index.html @@ -351,15 +351,15 @@ service registry.

    Field -Type Description -Required -hosts -string[] +
    +
    string[]
    +
    Required
    +

    The hosts associated with the ServiceEntry. Could be a DNS name with wildcard prefix.

    @@ -385,14 +385,12 @@ service accounts associated with the pods of the service, the SANs specified here will also be verified. - - -Yes -addresses -string[] +
    +
    string[]
    +

    The virtual IP addresses associated with the service. Could be CIDR prefix. For HTTP traffic, generated route configurations will include http route @@ -409,65 +407,55 @@ simple TCP proxy, forwarding incoming traffic on a specified port to the specified destination endpoint IP/host. Unix domain socket addresses are not supported in this field.

    - - -No -ports -ServicePort[] +

    The ports associated with the external service. If the Endpoints are Unix domain socket addresses, there must be exactly one port.

    - - -No -location -Location +

    Specify whether the service should be considered external to the mesh or part of the mesh.

    - - -No -resolution -Resolution +

    Service resolution mode for the hosts. Care must be taken when setting the resolution mode to NONE for a TCP port without accompanying IP addresses. In such cases, traffic to any IP on said port will be allowed (i.e. 0.0.0.0:<port>).

    - - -No -endpoints -WorkloadEntry[] +

    One or more endpoints associated with the service. Only one of endpoints or workloadSelector can be specified.

    - - -No -workloadSelector -WorkloadSelector +

    Applicable only for MESH_INTERNAL services. Only one of endpoints or workloadSelector can be specified. Selects one @@ -476,14 +464,12 @@ or more Kubernetes pods or VM workloads (specified using representing the VMs should be defined in the same namespace as the ServiceEntry.

    - - -No -exportTo -string[] +
    +
    string[]
    +

    A list of namespaces to which this service is exported. Exporting a service allows it to be used by sidecars, gateways and virtual services defined in @@ -499,14 +485,12 @@ defines an export to all namespaces.

    the annotation “networking.istio.io/exportTo” to a comma-separated list of namespace names.

    - - -No -subjectAltNames -string[] +
    +
    string[]
    +

    If specified, the proxy will verify that the server certificate’s subject alternate name matches one of the specified values.

    @@ -515,181 +499,12 @@ service account specified in the workloadEntry will also be used to derive the additional subject alternate names that should be verified.

    - - -No
    -

    ServicePort

    -
    -

    ServicePort describes the properties of a specific port of a service.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 -

    A valid non-negative integer port number.

    - -
    -Yes -
    protocolstring -

    The protocol exposed on the port. -MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. -TLS implies the connection will be routed based on the SNI header to -the destination without terminating the TLS connection.

    - -
    -No -
    namestring -

    Label assigned to the port.

    - -
    -Yes -
    targetPortuint32 -

    The port number on the endpoint where the traffic will be -received. If unset, default to number.

    - -
    -No -
    -
    -

    ServiceEntryStatus

    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    conditionsIstioCondition[] -

    Current service state of ServiceEntry. -More info: https://istio.io/docs/reference/config/config-status/

    - -
    -No -
    validationMessagesAnalysisMessageBase[] -

    Includes any errors or warnings detected by Istio’s analyzers.

    - -
    -No -
    observedGenerationint64 -

    Resource Generation to which the Reconciled Condition refers. -When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current -generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.

    - -
    -No -
    addressesServiceEntryAddress[] -

    List of addresses which were assigned to this ServiceEntry.

    - -
    -No -
    -
    -

    ServiceEntryAddress

    -
    -

    A minor abstraction to allow for adding hostnames if relevant.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valuestring -

    The address (e.g. 192.168.0.2)

    - -
    -No -
    hoststring -

    The host name associated with this address

    - -
    -No -
    -
    -

    ServiceEntry.Location

    +

    Location

    Location specifies whether the service is part of Istio mesh or outside the mesh. Location determines the behavior of several @@ -725,7 +540,7 @@ Kubernetes based service mesh).

    -

    ServiceEntry.Resolution

    +

    Resolution

    Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can @@ -797,3 +612,145 @@ cannot be used with Unix domain socket endpoints.

    +

    ServicePort

    +
    +

    ServicePort describes the properties of a specific port of a service.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    Required
    +
    +

    A valid non-negative integer port number.

    + +
    +
    string
    +
    +

    The protocol exposed on the port. +MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. +TLS implies the connection will be routed based on the SNI header to +the destination without terminating the TLS connection.

    + +
    +
    string
    +
    Required
    +
    +

    Label assigned to the port.

    + +
    +
    uint32
    +
    +

    The port number on the endpoint where the traffic will be +received. If unset, default to number.

    + +
    +
    +

    ServiceEntryStatus

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Current service state of ServiceEntry. +More info: https://istio.io/docs/reference/config/config-status/

    + +
    +

    Includes any errors or warnings detected by Istio’s analyzers.

    + +
    +

    Resource Generation to which the Reconciled Condition refers. +When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current +generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.

    + +
    +

    List of addresses which were assigned to this ServiceEntry.

    + +
    +
    +

    ServiceEntryAddress

    +
    +

    A minor abstraction to allow for adding hostnames if relevant.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    +

    The address (e.g. 192.168.0.2)

    + +
    +
    string
    +
    +

    The host name associated with this address

    + +
    +
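Review bot: in the ServiceEntry table the primitive-typed rows (`hosts`, `addresses`, `exportTo`, `subjectAltNames`) gain an explicit `+string[]` cell under the new layout, while the message-typed rows (`ports` / `ServicePort[]`, `location` / `Location`, `resolution` / `Resolution`, `endpoints` / `WorkloadEntry[]`, `workloadSelector` / `WorkloadSelector`) show only the removed type and a bare `+` line with no replacement text visible in this hunk; confirm on the rendered page that those type names still appear (presumably as links, which a text diff does not show), otherwise the table loses its type column for exactly the fields readers need to follow into other sections. The `@@ -515,181 +499,12` and `@@ -797,3 +612,145` hunks relocate the ServicePort, ServiceEntryStatus and ServiceEntryAddress sections rather than changing them: the descriptions match line for line, and the `Required` cells on `number` and `name` in the re-added ServicePort table agree with the removed `Yes` cells, so that part is a pure move. Two wording points in the carried-over text, to fix at the source comments: `If unset, default to number.` should read `defaults to number`, and the `resolution` caveat (`NONE` on a TCP port without accompanying IP addresses allows traffic to any IP on that port) is important enough to stand as its own sentence rather than sitting mid-paragraph.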
    diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html index fde5cd9a99..75b18da0b2 100644 --- a/content/zh/docs/reference/config/networking/sidecar/index.html +++ b/content/zh/docs/reference/config/networking/sidecar/index.html @@ -316,28 +316,25 @@ attached.

    Field -Type Description -Required -workloadSelector -WorkloadSelector +

    Criteria used to select the specific set of pods/VMs on which this Sidecar configuration should be applied. If omitted, the Sidecar configuration will be applied to all workload instances in the same namespace.

    - - -No -ingress -IstioIngressListener[] +

    Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio will @@ -346,28 +343,24 @@ obtained from the orchestration platform (e.g., exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.

    - - -No -egress -IstioEgressListener[] +

    Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. If not specified, inherits the system detected defaults from the namespace-wide or the global default Sidecar.

    - - -No -inboundConnectionPool -ConnectionPoolSettings +

    Settings controlling the volume of connections Envoy will accept from the network. This default will apply for all inbound listeners and can be overridden per-port @@ -393,22 +386,17 @@ following precedence, highest to lowest:

    In every case, the connection pool settings are overridden, not merged.

    - - -No -outboundTrafficPolicy -OutboundTrafficPolicy +

    Set the default behavior of the sidecar for handling outbound traffic from the application.

    Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

    - - -No @@ -423,26 +411,24 @@ traffic listener on the sidecar proxy attached to a workload instance.

    Field -Type Description -Required -port -SidecarPort +
    + +
    Required
    +

    The port associated with the listener.

    - - -Yes -bind -string +
    +
    string
    +

    The IP(IPv4 or IPv6) to which the listener should be bound. Unix domain socket addresses are not allowed in @@ -451,26 +437,22 @@ automatically configure the defaults based on imported services and the workload instances to which this configuration is applied to.

    - - -No -captureMode -CaptureMode +

    The captureMode option dictates how traffic to the listener is expected to be captured (or not).

    - - -No -defaultEndpoint -string +
    +
    string
    +

    The IP endpoint or Unix domain socket to which traffic should be forwarded to. This configuration can be used to @@ -481,27 +463,23 @@ connections. Arbitrary IPs are not supported. Format should be one of 0.0.0.0:PORT, [::]:PORT (forward to the instance IP), or unix:///path/to/socket (forward to Unix domain socket).

    - - -No -tls -ServerTLSSettings +

    Set of TLS related options that will enable TLS termination on the sidecar for requests originating from outside the mesh. Currently supports only SIMPLE and MUTUAL TLS modes.

    - - -No -connectionPool -ConnectionPoolSettings +

    Settings controlling the volume of connections Envoy will accept from the network. This setting overrides the top-level default inboundConnectionPool to configure @@ -511,9 +489,6 @@ This port level connection pool has the highest precedence in configuration, overriding both the Sidecar’s top level InboundConnectionPool as well as any connection pooling settings from the DestinationRule.

    - - -No @@ -528,15 +503,14 @@ listener on the sidecar proxy attached to a workload instance.

    Field -Type Description -Required -port -SidecarPort +

    The port associated with the listener. If using Unix domain socket, use 0 as the port number, with a valid protocol. The port if @@ -548,14 +522,12 @@ specific ports while others have no port, the hosts exposed on a listener port will be based on the listener with the most specific port.

    - - -No -bind -string +
    +
    string
    +

    The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or @@ -565,27 +537,24 @@ services, the workload instances to which this configuration is applied to and the captureMode. If captureMode is NONE, bind will default to 127.0.0.1.

    - - -No -captureMode -CaptureMode +

    When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds.

    - - -No -hosts -string[] +
    +
    string[]
    +
    Required
    +

    One or more service hosts exposed by the listener in namespace/dnsName format. Services in the specified namespace @@ -612,9 +581,6 @@ Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

    - - -Yes @@ -636,24 +602,20 @@ label based selection mechanism is supported.

    Field -Type Description -Required -labels -map<string, string> +
    +
    map<string, string>
    +

    One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. The scope of label search is restricted to the configuration namespace in which the the resource is present.

    - - -No @@ -668,78 +630,21 @@ handling unknown outbound traffic from the application.

    Field -Type Description -Required -mode -Mode + - -No - -

    SidecarPort

    -
    -

    Port describes the properties of a specific port of a service.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 -

    A valid non-negative integer port number.

    - -
    -No -
    protocolstring -

    The protocol exposed on the port. -MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. -TLS can be either used to terminate non-HTTP based connections on a specific port -or to route traffic based on SNI header to the destination without terminating the TLS connection.

    - -
    -No -
    namestring -

    Label assigned to the port.

    - -
    -No -
    -
    -

    OutboundTrafficPolicy.Mode

    +

    Mode

    @@ -768,6 +673,51 @@ Unknown destination traffic will have limited functionality, however, such as re This mode allows users that do not have all possible egress destinations registered through ServiceEntry configurations to still connect to arbitrary destinations.

    + + + +
    +
    +

    SidecarPort

    +
    +

    Port describes the properties of a specific port of a service.

    + + + + + + + + + + + + + + + + + + + + diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html index 0a96227dc6..d9fc83111a 100644 --- a/content/zh/docs/reference/config/networking/virtual-service/index.html +++ b/content/zh/docs/reference/config/networking/virtual-service/index.html @@ -95,15 +95,14 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + - @@ -350,15 +336,15 @@ spec: - - - - + - - - + - - - + - @@ -417,85 +396,74 @@ gRPC traffic. See VirtualService for usage examples.

    - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -699,33 +646,27 @@ spec: - - - - + - - - + - @@ -771,34 +712,71 @@ spec: - - - - + - - - + + + +
    FieldDescription
    +
    uint32
    +
    +

    A valid non-negative integer port number.

    + +
    +
    string
    +
    +

    The protocol exposed on the port. +MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. +TLS can be either used to terminate non-HTTP based connections on a specific port +or to route traffic based on SNI header to the destination without terminating the TLS connection.

    + +
    +
    string
    +
    +

    Label assigned to the port.

    +
    FieldType DescriptionRequired
    hostsstring[]
    +
    string[]
    +

    The destination hosts to which traffic is being sent. Could be a DNS name with wildcard prefix or an IP address. Depending on the @@ -131,14 +130,12 @@ referred to using their alphanumeric names. IP addresses are allowed only for services defined via the Gateway.

    Note: It must be empty for a delegate VirtualService.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    The names of gateways and sidecars that should apply these routes. Gateways in other namespaces may be referred to by @@ -154,14 +151,12 @@ sidecars in the mesh. If a list of gateway names is provided, the rules will apply only to the gateways. To apply the rules to both gateways and sidecars, specify mesh as one of the gateway names.

    -
    -No
    httpHTTPRoute[]

    An ordered list of route rules for HTTP traffic. HTTP routes will be applied to platform service ports using HTTP/HTTP2/GRPC protocols, gateway @@ -169,14 +164,12 @@ ports with protocol HTTP/HTTP2/GRPC/TLS-terminated-HTTPS and service entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching an incoming request is used.

    -
    -No
    tlsTLSRoute[]

    An ordered list of route rule for non-terminated TLS & HTTPS traffic. Routing is typically performed using the SNI value presented @@ -188,27 +181,23 @@ incoming request is used. NOTE: Traffic ‘https-’ or ’tls- without associated virtual service will be treated as opaque TCP traffic.

    -
    -No
    tcpTCPRoute[]

    An ordered list of route rules for opaque TCP traffic. TCP routes will be applied to any port that is not a HTTP or TLS port. The first rule matching an incoming request is used.

    -
    -No
    exportTostring[]
    +
    string[]
    +

    A list of namespaces to which this virtual service is exported. Exporting a virtual service allows it to be used by sidecars and gateways defined in @@ -221,9 +210,6 @@ namespaces by default.

    the virtual service is declared in. Similarly the value “*” is reserved and defines an export to all namespaces.

    -
    -No
    FieldType DescriptionRequired
    hoststring
    +
    string
    +
    Required
    +

    The name of a service from the service registry. Service names are looked up from the platform’s service registry (e.g., @@ -374,35 +360,28 @@ the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names.

    -
    -Yes
    subsetstring
    +
    string
    +

    The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.

    -
    -No
    portPortSelector

    Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    The name assigned to the route for debugging purposes. The route’s name will be concatenated with the match’s name and will be logged in the access logs for requests matching this route/match.

    -
    -No
    matchHTTPMatchRequest[]

    Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

    -
    -No
    routeHTTPRouteDestination[]

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. The forwarding target can be one of several versions of a service (see glossary in beginning of document). Weights associated with the service version determine the proportion of traffic it receives.

    -
    -No
    redirectHTTPRedirect

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. If traffic passthrough option is specified in the rule, route/redirect will be ignored. The redirect primitive can be used to send a HTTP 301 redirect to a different URI or Authority.

    -
    -No
    directResponseHTTPDirectResponse

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. Direct Response is used to specify a fixed response that should be sent to clients.

    It can be set only when Route and Redirect are empty.

    -
    -No
    delegateDelegate

    Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute.

    @@ -509,37 +477,31 @@ current one.

    otherwise there is a conflict and the HTTPRoute will not take effect. -
    -No
    rewriteHTTPRewrite

    Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with Redirect primitive. Rewrite will be performed before forwarding.

    -
    -No
    timeoutDuration

    Timeout for HTTP requests, default is disabled.

    -
    -No
    retriesHTTPRetry

    Retry policy for HTTP requests.

    Note: the default cluster-wide retry policy, if not specified, is:

    @@ -548,27 +510,23 @@ retryOn: "connect-failure,refused-stream,unavailable,cancelled,503"

    This can be customized in Mesh Config defaultHttpRetryPolicy.

    -
    -No
    faultHTTPFaultInjection

    Fault injection policy to apply on HTTP traffic at the client side. Note that timeouts or retries will not be enabled when faults are enabled on the client side.

    -
    -No
    mirrorDestination

    Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. Mirrored traffic is on a @@ -577,14 +535,12 @@ mirrored cluster to respond before returning the response from the original destination. Statistics will be generated for the mirrored destination.

    -
    -No
    mirrorsHTTPMirrorPolicy[]

    Specifies the destinations to mirror HTTP traffic in addition to the original destination. Mirrored traffic is on a @@ -593,46 +549,37 @@ mirrored destinations to respond before returning the response from the original destination. Statistics will be generated for the mirrored destination.

    -
    -No
    mirrorPercentagePercent

    Percentage of the traffic to be mirrored by the mirror field. If this field is absent, all the traffic (100%) will be mirrored. Max value is 100.

    -
    -No
    corsPolicyCorsPolicy

    Cross-Origin Resource Sharing policy (CORS). Refer to CORS for further details about cross origin resource sharing.

    -
    -No
    headersHeaders

    Header manipulation rules

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    Name specifies the name of the delegate VirtualService.

    -
    -No
    namespacestring
    +
    string
    +

    Namespace specifies the namespace where the delegate VirtualService resides. By default, it is same to the root’s.

    -
    -No
    FieldType DescriptionRequired
    requestHeaderOperations

    Header manipulation rules to apply before forwarding a request to the destination service

    -
    -No
    responseHeaderOperations

    Header manipulation rules to apply before returning a response to the caller

    +
    +

    HeaderOperations

    +
    +

    HeaderOperations Describes the header manipulations to apply

    + + + + + + + + + + + + + + + + + + + @@ -840,35 +818,30 @@ spec: - - - - + - - - + - @@ -900,35 +873,29 @@ spec: - - - - + - - - + - @@ -971,28 +938,25 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -1308,46 +1245,39 @@ spec: - - - - + - - - + - - - + - @@ -1361,35 +1291,30 @@ No - - - - + - - - + - @@ -1404,75 +1329,63 @@ is incomplete.

    - - - - + - - - + - - - + - - - + - - - + - @@ -1486,90 +1399,77 @@ No - - - - + - - - + - - - + - - - + - - - + - - - + - @@ -1603,51 +1503,44 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldDescription
    +
    map<string, string>
    +
    -No +

    Overwrite the headers specified by key with the given values

    + +
    +
    map<string, string>
    +
    +

    Append the given values to the headers specified by keys +(will create a comma-separated list of values)

    + +
    +
    string[]
    +
    +

    Remove the specified headers

    +
    FieldType DescriptionRequired
    matchTLSMatchAttributes[]

    Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

    -
    -Yes
    routeRouteDestination[]

    The destination to which the connection should be forwarded to.

    -
    -No
    FieldType DescriptionRequired
    matchL4MatchAttributes[]

    Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

    -
    -No
    routeRouteDestination[]

    The destination to which the connection should be forwarded to.

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    The name assigned to a match. The match’s name will be concatenated with the parent route’s name and will be logged in the access logs for requests matching this route.

    -
    -No
    uriStringMatch

    URI to match values are case-sensitive and formatted as follows:

    @@ -1010,14 +974,12 @@ values are case-sensitive and formatted as follows:

    Note: Case-insensitive matching could be enabled via the ignoreUriCase flag.

    -
    -No
    schemeStringMatch

    URI Scheme values are case-sensitive and formatted as follows:

    @@ -1033,14 +995,12 @@ values are case-sensitive and formatted as follows:

    -
    -No
    methodStringMatch

    HTTP Method values are case-sensitive and formatted as follows:

    @@ -1056,14 +1016,12 @@ values are case-sensitive and formatted as follows:

    -
    -No
    authorityStringMatch

    HTTP Authority values are case-sensitive and formatted as follows:

    @@ -1079,14 +1037,12 @@ values are case-sensitive and formatted as follows:

    -
    -No
    headersmap<string, StringMatch>
    +
    map<string, StringMatch>
    +

    The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id.

    @@ -1110,54 +1066,46 @@ To provide an empty value, use {}, for example:

    Note: The keys uri, scheme, method, and authority will be ignored.

    -
    -No
    portuint32
    +
    uint32
    +

    Specifies the ports on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

    -
    -No
    sourceLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that constrain the applicability of a rule to source (client) workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    Names of gateways where the rule should be applied. Gateway names in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    -
    -No
    queryParamsmap<string, StringMatch>
    +
    map<string, StringMatch>
    +

    Query parameters for matching.

    Ex:

    @@ -1181,52 +1129,44 @@ configuration will only match values like “123” but not “a123& -
    -No
    ignoreUriCasebool

    Flag to specify whether the URI matching should be case-insensitive.

    Note: The case will be ignored only in the case of exact and prefix URI matches.

    -
    -No
    withoutHeadersmap<string, StringMatch>
    +
    map<string, StringMatch>
    +

    withoutHeader has the same syntax with the header, but has opposite meaning. If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

    -
    -No
    sourceNamespacestring
    +
    string
    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    statPrefixstring
    +
    string
    +

    The human readable prefix to use when emitting statistics for this route. The statistics are generated with prefix route.<stat_prefix>. @@ -1235,9 +1175,6 @@ This prefix is only for proxy-level statistics (envoy_) and not service-leve Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix for statistics that are generated when this is configured.

    -
    -No
    FieldType DescriptionRequired
    destinationDestination

    Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

    -
    -Yes
    weightint32
    +
    int32
    +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.

    -
    -No
    headersHeaders

    Header manipulation rules

    -
    -No
    FieldType DescriptionRequired
    destinationDestination

    Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

    -
    -Yes
    weightint32
    +
    int32
    +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.

    -
    -No
    FieldType DescriptionRequired
    destinationSubnetsstring[]
    +
    string[]
    +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

    -
    -No
    portuint32
    +
    uint32
    +

    Specifies the port on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

    -
    -No
    sourceLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    Names of gateways where the rule should be applied. Gateway names in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    -
    -No
    sourceNamespacestring
    +
    string
    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    FieldType DescriptionRequired
    sniHostsstring[]
    +
    string[]
    +
    Required
    +

    SNI (server name indicator) to match on. Wildcard prefixes can be used in the SNI value, e.g., *.com will match foo.example.com as well as example.com. An SNI value must be a subset (i.e., fall within the domain) of the corresponding virtual service’s hosts.

    -
    -Yes
    destinationSubnetsstring[]
    +
    string[]
    +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

    -
    -No
    portuint32
    +
    uint32
    +

    Specifies the port on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

    -
    -No
    sourceLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

    -
    -No
    gatewaysstring[]
    +
    string[]
    +

    Names of gateways where the rule should be applied. Gateway names in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    -
    -No
    sourceNamespacestring
    +
    string
    +

    Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No
    FieldType DescriptionRequired
    uristring
    +
    string
    +

    On a redirect, overwrite the Path portion of the URL with this value. Note that the entire path will be replaced, irrespective of the request URI being matched as an exact path or prefix.

    -
    -No
    authoritystring
    +
    string
    +

    On a redirect, overwrite the Authority/Host portion of the URL with this value.

    -
    -No
    portuint32 (oneof)
    +
    uint32 (oneof)
    +

    On a redirect, overwrite the port portion of the URL with this value.

    -
    -No
    derivePortRedirectPortSelection (oneof)

    On a redirect, dynamically set the port:

      @@ -1655,35 +1548,51 @@ No
    • FROM_REQUEST_PORT: automatically use the port of the request.
    -
    -No
    schemestring
    +
    string
    +

    On a redirect, overwrite the scheme portion of the URL with this value. For example, http or https. If unset, the original scheme will be used. If derivePort is set to FROM_PROTOCOL_DEFAULT, this will impact the port used as well

    -
    -No
    redirectCodeuint32
    +
    uint32
    +

    On a redirect, Specifies the HTTP status code to use in the redirect response. The default response code is MOVED_PERMANENTLY (301).

    +
    +

    RedirectPortSelection

    +
    + + + + + + + + + + + + + + @@ -1759,33 +1668,28 @@ spec: - - - - + - - - + - @@ -1797,32 +1701,26 @@ No - - - - + - - - + - @@ -1858,45 +1756,37 @@ spec: - - - - + - - - + - - - + - @@ -1908,26 +1798,23 @@ No - - - - + - - - + - @@ -1956,44 +1840,36 @@ case-sensitive. regex matching supports case-insensitive matches. - - - - + - - - + - - - + - @@ -2028,15 +1904,14 @@ spec: - - - - + - - - + - - - + - - - + - @@ -2135,513 +2001,87 @@ spec: - - - - + - - - + - - - + - - - + - - - + - - - + - - - + -
    NameDescription
    FROM_PROTOCOL_DEFAULT +
    FROM_REQUEST_PORT -No
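Review bot: the RedirectPortSelection enum table in this hunk (`NameDescription`, `FROM_PROTOCOL_DEFAULT`, `FROM_REQUEST_PORT`) renders both values with an empty Description cell; the only explanation of what they do is the bullet list under `derivePort` ("FROM_REQUEST_PORT: automatically use the port of the request") and the aside in the `scheme` row that `FROM_PROTOCOL_DEFAULT` makes the scheme determine the port. Since this file is generated, add per-value comments in the upstream proto so the enum table is self-describing. Also, in the HTTPRedirect rows the scalar fields (`uri`, `authority`, `port`, `scheme`, `redirectCode`) each gain a `+` type line under the new layout while `derivePort` (RedirectPortSelection) shows none; please confirm that link-typed cells still render their type with the new template.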
    FieldType DescriptionRequired
    statusuint32
    +
    uint32
    +
    Required
    +

    Specifies the HTTP response status to be returned.

    -
    -Yes
    bodyHTTPBody

    Specifies the content of the response body. If this setting is omitted, no body is included in the generated response.

    -
    -No
    FieldType DescriptionRequired
    stringstring (oneof)
    +
    string (oneof)
    +

    response body as a string

    -
    -No
    bytesbytes (oneof)
    +
    bytes (oneof)
    +

    response body as base64 encoded bytes.

    -
    -No
    FieldType DescriptionRequired
    uristring
    +
    string
    +

    rewrite the path (or the prefix) portion of the URI with this value. If the original URI was matched based on prefix, the value provided in this field will replace the corresponding matched prefix.

    -
    -No
    authoritystring
    +
    string
    +

    rewrite the Authority/Host header with this value.

    -
    -No
    uriRegexRewriteRegexRewrite

    rewrite the path portion of the URI with the specified regex.

    -
    -No
    FieldType DescriptionRequired
    matchstring
    +
    string
    +

    RE2 style regex-based match.

    -
    -No
    rewritestring
    +
    string
    +

    The string that should replace into matching portions of original URI. Capture groups in the pattern can be referenced in the new URI. @@ -1939,9 +1826,6 @@ rewrite string of “/customprefix/\2/\1” would transform into “ Path pattern “/aaa/XxX/bbb” with match “(?i)/xxx/” and a rewrite string of /yyy/ would do a case-insensitive match and transform the path to “/aaa/yyy/bbb”.

    -
    -No
    FieldType DescriptionRequired
    exactstring (oneof)
    +
    string (oneof)
    +

    exact string match

    -
    -No
    prefixstring (oneof)
    +
    string (oneof)
    +

    prefix-based match

    -
    -No
    regexstring (oneof)
    +
    string (oneof)
    +

    RE2 style regex-based match.

    Example: (?i)^aaa$ can be used to case-insensitive match a string consisting of three a’s.

    -
    -No
    FieldType DescriptionRequired
    attemptsint32
    +
    int32
    +

    Number of retries to be allowed for a given request. The interval between retries will be determined automatically (25ms+). When request @@ -2045,28 +1920,24 @@ or per_try_timeout is configured, the actual number of retries atte the specified request timeout and per_try_timeout values. MUST be >= 0. If 0, retries will be disabled. The maximum possible number of requests made will be 1 + attempts.

    -
    -No
    perTryTimeoutDuration

    Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms. Default is same value as request timeout of the HTTP route, which means no timeout.

    -
    -No
    retryOnstring
    +
    string
    +

    Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. @@ -2078,21 +1949,16 @@ For example, if a connection is reset, Istio will translate this to 503 for it&r However, the destination did not return a 503 error, so this would not match "503" (it would, however, match "reset").

    If not specified, this defaults to connect-failure,refused-stream,unavailable,cancelled,503.

    -
    -No
    retryRemoteLocalitiesBoolValue

    Flag to specify whether the retries should retry to other localities. See the retry plugin configuration for more details.

    -
    -No
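Review bot: the `perTryTimeout` description in this hunk is self-contradictory: "Default is same value as request timeout of the HTTP route, which means no timeout" reads as if the route timeout were always unset. Suggest stating both cases explicitly (what applies when a route `timeout` is configured, and that there is no per-try bound when it is not), so that readers pairing `attempts` ("The maximum possible number of requests made will be 1 + attempts") with a route timeout can work out the worst-case latency of a retried request. As the page is generated, this belongs in the upstream proto comment rather than in this HTML.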
    FieldType DescriptionRequired
    allowOriginsStringMatch[]

    String patterns that match allowed origins. An origin is allowed if any of the string matchers match. If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

    -
    -No
    allowMethodsstring[]
    +
    string[]
    +

    List of HTTP methods allowed to access the resource. The content will be serialized into the Access-Control-Allow-Methods header.

    -
    -No
    allowHeadersstring[]
    +
    string[]
    +

    List of HTTP headers that can be used when requesting the resource. Serialized to Access-Control-Allow-Headers header.

    -
    -No
    exposeHeadersstring[]
    +
    string[]
    +

    A list of HTTP headers that the browsers are allowed to access. Serialized into Access-Control-Expose-Headers header.

    -
    -No
    maxAgeDuration

    Specifies how long the results of a preflight request can be cached. Translates to the Access-Control-Max-Age header.

    -
    -No
    allowCredentialsBoolValue

    Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. Translates to Access-Control-Allow-Credentials header.

    -
    -No
    unmatchedPreflightsUnmatchedPreflights

    Indicates whether preflight requests not matching the configured allowed origin shouldn’t be forwarded to the upstream. Default is forward to upstream.

    -
    -No
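Review bot: the CORS rows in this hunk should carry a security caveat on `allowCredentials`: the `allowOrigins` row says a matching origin is echoed back verbatim ("the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client"), so a permissive matcher (a `prefix` or `regex` that matches any origin) combined with `allowCredentials: true` lets any site make credentialed cross-origin requests, which is exactly the case browsers refuse for a literal `*`. One sentence on either row would prevent that misconfiguration. Separately, the `unmatchedPreflights` text is a double negative ("whether preflight requests not matching the configured allowed origin shouldn't be forwarded"); reword to, e.g., "When set, preflight requests whose origin does not match `allowOrigins` are not forwarded to the upstream; by default they are forwarded."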
    -

    HTTPFaultInjection

    -
    -

    HTTPFaultInjection can be used to specify one or more faults to inject -while forwarding HTTP requests to the destination specified in a route. -Fault specification is part of a VirtualService rule. Faults include -aborting the Http request from downstream service, and/or delaying -proxying of requests. A fault rule MUST HAVE delay or abort or both.

    -

    Note: Delay and abort faults are independent of one another, even if -both are specified simultaneously.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    delayDelay -

    Delay requests before forwarding, emulating various failures such as -network issues, overloaded upstream service, etc.

    - -
    -No -
    abortAbort -

    Abort Http request attempts and return error codes back to downstream -service, giving the impression that the upstream service is faulty.

    - -
    -No -
    -
    -

    HTTPMirrorPolicy

    -
    -

    HTTPMirrorPolicy can be used to specify the destinations to mirror HTTP traffic in addition -to the original destination. Mirrored traffic is on a -best effort basis where the sidecar/gateway will not wait for the -mirrored destinations to respond before returning the response from the -original destination. Statistics will be generated for the mirrored -destination.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    destinationDestination -

    Destination specifies the target of the mirror operation.

    - -
    -Yes -
    percentagePercent -

    Percentage of the traffic to be mirrored by the destination field. -If this field is absent, all the traffic (100%) will be mirrored. -Max value is 100.

    - -
    -No -
    -
    -

    PortSelector

    -
    -

    PortSelector specifies the number of a port to be used for -matching or selection for final routing.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 -

    Valid port number

    - -
    -No -
    -
    -

    Percent

    -
    -

    Percent specifies a percentage in the range of [0.0, 100.0].

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valuedouble - -No -
    -
    -

    Headers.HeaderOperations

    -
    -

    HeaderOperations Describes the header manipulations to apply

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    setmap<string, string> -

    Overwrite the headers specified by key with the given values

    - -
    -No -
    addmap<string, string> -

    Append the given values to the headers specified by keys -(will create a comma-separated list of values)

    - -
    -No -
    removestring[] -

    Remove the specified headers

    - -
    -No -
    -
    -

    HTTPFaultInjection.Delay

    -
    -

    Delay specification is used to inject latency into the request -forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the “v1” version of the “reviews” -service from all pods with label env: prod

    -
    apiVersion: networking.istio.io/v1
    -kind: VirtualService
    -metadata:
    -  name: reviews-route
    -spec:
    -  hosts:
    -  - reviews.prod.svc.cluster.local
    -  http:
    -  - match:
    -    - sourceLabels:
    -        env: prod
    -    route:
    -    - destination:
    -        host: reviews.prod.svc.cluster.local
    -        subset: v1
    -    fault:
    -      delay:
    -        percentage:
    -          value: 0.1
    -        fixedDelay: 5s
    -
    -

    The fixedDelay field is used to indicate the amount of delay in seconds. -The optional percentage field can be used to only delay a certain -percentage of requests. If left unspecified, no request will be delayed.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fixedDelayDuration (oneof) -

    Add a fixed delay before forwarding the request. Format: -1h/1m/1s/1ms. MUST be >=1ms.

    - -
    -No -
    percentagePercent -

    Percentage of requests on which the delay will be injected. -If left unspecified, no request will be delayed.

    - -
    -No -
    percentint32 -

    Percentage of requests on which the delay will be injected (0-100). -Use of integer percent value is deprecated. Use the double percentage -field instead.

    - -
    -No -
    -
    -

    HTTPFaultInjection.Abort

    -
    -

    Abort specification is used to prematurely abort a request with a -pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    -
    apiVersion: networking.istio.io/v1
    -kind: VirtualService
    -metadata:
    -  name: ratings-route
    -spec:
    -  hosts:
    -  - ratings.prod.svc.cluster.local
    -  http:
    -  - route:
    -    - destination:
    -        host: ratings.prod.svc.cluster.local
    -        subset: v1
    -    fault:
    -      abort:
    -        percentage:
    -          value: 0.1
    -        httpStatus: 400
    -
    -

    The httpStatus field is used to indicate the HTTP status code to -return to the caller. The optional percentage field can be used to only -abort a certain percentage of requests. If not specified, no request will be -aborted.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    httpStatusint32 (oneof) -

    HTTP status code to use to abort the Http request.

    - -
    -No -
    grpcStatusstring (oneof) -

    GRPC status code to use to abort the request. The supported -codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md -Note: If you want to return the status “Unavailable”, then you should -specify the code as UNAVAILABLE(all caps), but not 14.

    - -
    -No -
    percentagePercent -

    Percentage of requests to be aborted with the error code provided. -If not specified, no request will be aborted.

    - -
    -No -
    -
    -

    google.protobuf.UInt32Value

    -
    -

    Wrapper message for uint32.

    -

    The JSON representation for UInt32Value is JSON number.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valueuint32 -

    The uint32 value.

    - -
    -No -
    -
    -

    HTTPRedirect.RedirectPortSelection

    -
    - - - - - - - - - - - - - - - - - -
    NameDescription
    FROM_PROTOCOL_DEFAULT -
    FROM_REQUEST_PORT -
    -
    -

    CorsPolicy.UnmatchedPreflights

    +

    UnmatchedPreflights

    @@ -2677,3 +2117,300 @@ will not be forwarded to the upstream.

    +

    HTTPFaultInjection

    +
    +

    HTTPFaultInjection can be used to specify one or more faults to inject +while forwarding HTTP requests to the destination specified in a route. +Fault specification is part of a VirtualService rule. Faults include +aborting the Http request from downstream service, and/or delaying +proxying of requests. A fault rule MUST HAVE delay or abort or both.

    +

    Note: Delay and abort faults are independent of one another, even if +both are specified simultaneously.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Delay requests before forwarding, emulating various failures such as +network issues, overloaded upstream service, etc.

    + +
    +

    Abort Http request attempts and return error codes back to downstream +service, giving the impression that the upstream service is faulty.

    + +
    +
    +

    Delay

    +
    +

    Delay specification is used to inject latency into the request +forwarding path. The following example will introduce a 5 second delay +in 1 out of every 1000 requests to the “v1” version of the “reviews” +service from all pods with label env: prod

    +
    apiVersion: networking.istio.io/v1
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - sourceLabels:
    +        env: prod
    +    route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      delay:
    +        percentage:
    +          value: 0.1
    +        fixedDelay: 5s
    +
    +

    The fixedDelay field is used to indicate the amount of delay in seconds. +The optional percentage field can be used to only delay a certain +percentage of requests. If left unspecified, no request will be delayed.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Add a fixed delay before forwarding the request. Format: +1h/1m/1s/1ms. MUST be >=1ms.

    + +
    +

    Percentage of requests on which the delay will be injected. +If left unspecified, no request will be delayed.

    + +
    +
    int32
    +
    +

    Percentage of requests on which the delay will be injected (0-100). +Use of integer percent value is deprecated. Use the double percentage +field instead.

    + +
    +
    +

    Abort

    +
    +

    Abort specification is used to prematurely abort a request with a +pre-specified error code. The following example will return an HTTP 400 +error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    +
    apiVersion: networking.istio.io/v1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      abort:
    +        percentage:
    +          value: 0.1
    +        httpStatus: 400
    +
    +

    The httpStatus field is used to indicate the HTTP status code to +return to the caller. The optional percentage field can be used to only +abort a certain percentage of requests. If not specified, no request will be +aborted.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    int32 (oneof)
    +
    +

    HTTP status code to use to abort the Http request.

    + +
    +
    string (oneof)
    +
    +

    GRPC status code to use to abort the request. The supported +codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md +Note: If you want to return the status “Unavailable”, then you should +specify the code as UNAVAILABLE(all caps), but not 14.

    + +
    +

    Percentage of requests to be aborted with the error code provided. +If not specified, no request will be aborted.

    + +
    +
    +

    HTTPMirrorPolicy

    +
    +

    HTTPMirrorPolicy can be used to specify the destinations to mirror HTTP traffic in addition +to the original destination. Mirrored traffic is on a +best effort basis where the sidecar/gateway will not wait for the +mirrored destinations to respond before returning the response from the +original destination. Statistics will be generated for the mirrored +destination.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Destination specifies the target of the mirror operation.

    + +
    +

    Percentage of the traffic to be mirrored by the destination field. +If this field is absent, all the traffic (100%) will be mirrored. +Max value is 100.

    + +
    +
    +

    PortSelector

    +
    +

    PortSelector specifies the number of a port to be used for +matching or selection for final routing.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    Valid port number

    + +
    +
    +

    Percent

    +
    +

    Percent specifies a percentage in the range of [0.0, 100.0].

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    double
    +
    +
    +
    +

    UInt32Value

    +
    +

    Wrapper message for uint32.

    +

    The JSON representation for UInt32Value is JSON number.

    + + + + + + + + + + + + + + +
    FieldDescription
    +
    uint32
    +
    +

    The uint32 value.

    + +
    +
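Review bot: this hunk changes the nested-type headings by dropping the enclosing message name (`HTTPRedirect.RedirectPortSelection` becomes `RedirectPortSelection`, `HTTPFaultInjection.Delay` and `.Abort` become `Delay` and `Abort`, `google.protobuf.UInt32Value` becomes `UInt32Value`) and moves the HTTPFaultInjection, HTTPMirrorPolicy, PortSelector, Percent and UInt32Value sections after UnmatchedPreflights at the end of the page. If the section ids follow the headings, existing deep links into these sections break; please confirm the old anchors are kept or redirected. Also, the `Percent` table still emits an empty description for `value` (only the `double` type line appears, as in the old `valuedouble` row); a field comment in the proto, which could simply repeat the message-level "Percent specifies a percentage in the range of [0.0, 100.0]", would fill the cell.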
    diff --git a/content/zh/docs/reference/config/networking/workload-entry/index.html b/content/zh/docs/reference/config/networking/workload-entry/index.html index 7c80720bb3..4b0addf0e5 100644 --- a/content/zh/docs/reference/config/networking/workload-entry/index.html +++ b/content/zh/docs/reference/config/networking/workload-entry/index.html @@ -128,15 +128,14 @@ spec: Field -Type Description -Required -address -string +
    +
    string
    +

    Address associated with the network endpoint without the port. Domain names can be used if and only if the resolution is set @@ -144,14 +143,12 @@ to DNS, and must be fully-qualified without wildcards. Use the form unix:///absolute/path/to/socket for Unix domain socket endpoints. If address is empty, network must be specified.

    - - -No -ports -map<string, uint32> +
    +
    map<string, uint32>
    +

    Set of ports associated with the endpoint. If the port map is specified, it must be a map of servicePortName to this endpoint’s @@ -166,25 +163,21 @@ the same port.

    NOTE 1: Do not use for unix:// addresses.

    NOTE 2: endpoint port map takes precedence over targetPort.

    - - -No -labels -map<string, string> +
    +
    map<string, string>
    +

    One or more labels associated with the endpoint.

    - - -No -network -string +
    +
    string
    +

    Network enables Istio to group endpoints resident in the same L3 domain/network. All endpoints in the same network are assumed to be @@ -195,14 +188,12 @@ used to establish connectivity (usually using the an advanced configuration used typically for spanning an Istio mesh over multiple clusters. Required if address is not provided.

    - - -No -locality -string +
    +
    string
    +

    The locality associated with the endpoint. A locality corresponds to a failure domain (e.g., country/region/zone). Arbitrary failure @@ -222,35 +213,28 @@ locality. Endpoint e2 could be the IP associated with a gateway (that bridges networks n1 and n2), or the IP associated with a standard service endpoint.

    - - -No -weight -uint32 +
    +
    uint32
    +

    The load balancing weight associated with the endpoint. Endpoints with higher weights will receive proportionally higher traffic.

    - - -No -serviceAccount -string +
    +
    string
    +

    The service account associated with the workload if a sidecar is present in the workload. The service account must be present in the same namespace as the configuration ( WorkloadEntry or a ServiceEntry)
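Review bot: with the `Required` column removed in this hunk, the conditional requirement between `address` and `network` is carried only by prose, and the two rows phrase it differently ("If address is empty, network must be specified" versus "Required if address is not provided"). Nit: align the wording so both rows state the same rule in the same form; the rule itself is fine, and neither row can carry the new `Required` badge since each is only conditionally required.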

    - - -No diff --git a/content/zh/docs/reference/config/networking/workload-group/index.html b/content/zh/docs/reference/config/networking/workload-group/index.html index 7ee800d682..bf7f78d5e9 100644 --- a/content/zh/docs/reference/config/networking/workload-group/index.html +++ b/content/zh/docs/reference/config/networking/workload-group/index.html @@ -65,27 +65,25 @@ and as such doesn’t configure host name for these workloads.

    Field -Type Description -Required -metadata -ObjectMeta +

    Metadata that will be used for all corresponding WorkloadEntries. User labels for a workload group should be set here in metadata rather than in template.

    - - -No -template -WorkloadEntry +
    + +
    Required
    +

    Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. Please note that address and labels fields should not be set in the template, and an empty serviceAccount @@ -93,21 +91,50 @@ should default to default. The workload identities (mTLS certificat specified service account’s token. Workload entries in this group will be in the same namespace as the workload group, and inherit the labels and annotations from the above metadata field.

    - - -Yes -probe -ReadinessProbe +

    ReadinessProbe describes the configuration the user must provide for healthchecking on their workload. This configuration mirrors K8S in both syntax and logic for the most part.

    + + + + +

    ObjectMeta

    +
    +

    ObjectMeta describes metadata that will be attached to a WorkloadEntry. +It is a subset of the supported Kubernetes metadata.

    + + + + + + + + + + + + + + + @@ -119,114 +146,94 @@ No - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -238,67 +245,56 @@ No - - - - + - - - + - - - + - - - + - - - + - @@ -310,32 +306,26 @@ No - - - - + - - - + - @@ -347,32 +337,26 @@ No - - - - + - - - + - @@ -384,32 +368,27 @@ No - - - - + - - - + - @@ -421,61 +400,18 @@ Yes - - - - + - - - -
    FieldDescription
    +
    map<string, string>
    +
    -No +

    Labels to attach

    + +
    +
    map<string, string>
    +
    +

    Annotations to attach

    +
    FieldType DescriptionRequired
    initialDelaySecondsint32

    Number of seconds after the container has started before readiness probes are initiated.

    -
    -No
    timeoutSecondsint32

    Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.

    -
    -No
    periodSecondsint32
    +
    int32
    +

    How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1 second.

    -
    -No
    successThresholdint32

    Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1 second.

    -
    -No
    failureThresholdint32

    Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3 seconds.

    -
    -No
    httpGetHTTPHealthCheckConfig (oneof)

    httpGet is performed to a given endpoint and the status/able to connect determines health.

    -
    -No
    tcpSocketTCPHealthCheckConfig (oneof)

    Health is determined by if the proxy is able to connect.

    -
    -No
    execExecHealthCheckConfig (oneof)

    Health is determined by how the command that is executed exited.

    -
    -No
    grpcGrpcHealthCheckConfig (oneof)

    GRPC call is made and response/error is used to determine health.

    -
    -No
    FieldType DescriptionRequired
    pathstring
    +
    string
    +

    Path to access on the HTTP server.

    -
    -No
    portuint32
    +
    uint32
    +
    Required
    +

    Port on which the endpoint lives.

    -
    -Yes
    hoststring
    +
    string
    +

    Host name to connect to, defaults to the pod IP. You probably want to set “Host” in httpHeaders instead.

    -
    -No
    schemestring
    +
    string
    +

    HTTP or HTTPS, defaults to HTTP

    -
    -No
    httpHeadersHTTPHeader[]

    Headers the proxy will pass on to make the request. Allows repeated headers.

    -
    -No
    FieldType DescriptionRequired
    portuint32
    +
    uint32
    +

    Port on which the endpoint lives.

    -
    -No
    servicestring
    +
    string
    +

    Service is the fully qualified name of the service to send the grpc health check request

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    The header field name

    -
    -No
    valuestring
    +
    string
    +

    The header field value

    -
    -No
    FieldType DescriptionRequired
    hoststring
    +
    string
    +

    Host to connect to, defaults to localhost

    -
    -No
    portuint32
    +
    uint32
    +
    Required
    +

    Port of host

    -
    -Yes
    FieldType DescriptionRequired
    commandstring[]
    +
    string[]
    +
    Required
    +

    Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

    -
    -Yes -
    -
    -

    WorkloadGroup.ObjectMeta

    -
    -

    ObjectMeta describes metadata that will be attached to a WorkloadEntry. -It is a subset of the supported Kubernetes metadata.
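Review bot: the ReadinessProbe rows in this hunk carry wrong units that should be fixed in the upstream proto comments rather than in this generated file: `successThreshold` "Defaults to 1 second" and `failureThreshold` "Defaults to 3 seconds" are consecutive-probe counts, not durations ("Defaults to 1" and "Defaults to 3"). In the same table, `initialDelaySeconds` ("after the container has started") and `httpGet.host` ("defaults to the pod IP") keep Kubernetes wording on a resource whose targets are VM workloads; please check what the agent actually uses and word both accordingly. Also, the `template` row states that an empty `serviceAccount` defaults to `default` and that the workload identities are issued from that service account's token; a one-line recommendation to use a dedicated service account per WorkloadGroup would help readers avoid sharing the namespace's default identity across unrelated VMs. The heading `WorkloadGroup.ObjectMeta` becomes `ObjectMeta` here as well, so the same anchor check as for the other renamed sections applies.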

    - - - - - - - - - - - - - - - - - - - - - - diff --git a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html index f78395384e..8fe874b572 100644 --- a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -178,15 +178,14 @@ the Istio proxy through WebAssembly filters.

    - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldTypeDescriptionRequired
    labelsmap<string, string> -

    Labels to attach

    - -
    -No -
    annotationsmap<string, string> -

    Annotations to attach

    - -
    -No
    FieldType DescriptionRequired
    selectorWorkloadSelector

    Criteria used to select the specific set of pods/VMs on which this plugin configuration should be applied. If omitted, this @@ -196,16 +195,14 @@ namespace, it will be applied to all applicable workloads in any namespace.

    At most, only one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -221,14 +218,13 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    urlstring
    +
    string
    +
    Required
    +

    URL of a Wasm module or OCI container. If no scheme is present, defaults to oci://, referencing an OCI image. Other valid schemes @@ -236,14 +232,12 @@ are file:// for referencing .wasm module files present locally within the proxy container, and http[s]:// for .wasm module files hosted remotely.

    -
    -Yes
    sha256string
    +
    string
    +

    SHA256 checksum that will be used to verify Wasm module or OCI container. If the url field already references a SHA256 (using the @sha256: @@ -251,14 +245,12 @@ notation), it must match the value of this field. If an OCI image is referenced by tag and this field is set, its checksum will be verified against the contents of this field after pulling.

    -
    -No
    imagePullPolicyPullPolicy

    The pull behaviour to be applied when fetching Wasm module by either OCI image or http/https. Only relevant when referencing Wasm module without @@ -267,63 +259,53 @@ Defaults to IfNotPresent, except when an OCI image is referenced in and the latest tag is used, in which case Always is the default, mirroring Kubernetes behaviour.

    -
    -No
    imagePullSecretstring
    +
    string
    +

    Credentials to use for OCI image pulling. Name of a Kubernetes Secret in the same namespace as the WasmPlugin that contains a Docker pull secret which is to be used to authenticate against the registry when pulling the image.

    -
    -No
    pluginConfigStruct

    The configuration that will be passed on to the plugin.

    -
    -No
    pluginNamestring
    +
    string
    +

    The plugin name to be used in the Envoy configuration (used to be called rootID). Some .wasm modules might require this value to select the Wasm plugin to execute.

    -
    -No
    phasePluginPhase

    Determines where in the filter chain this WasmPlugin is to be injected.

    -
    -No
    priorityInt32Value

    Determines ordering of WasmPlugins in the same phase. When multiple WasmPlugins are applied to the same workload in the @@ -332,56 +314,90 @@ If priority is not set, or two WasmPlugins exist with value, the ordering will be deterministically derived from name and namespace of the WasmPlugins. Defaults to 0.

    -
    -No
    failStrategyFailStrategy

    Specifies the failure behavior for the plugin due to fatal errors.

    -
    -No
    vmConfigVmConfig

    Configuration for a Wasm VM. More details can be found here.

    -
    -No
    matchTrafficSelector[]

    Specifies the criteria to determine which traffic is passed to WasmPlugin. If a traffic satisfies any of TrafficSelectors, the traffic passes the WasmPlugin.

    -
    -No
    typePluginType

    Specifies the type of Wasm Extension to be used.

    +
    +

    TrafficSelector

    +
    +

    TrafficSelector provides a mechanism to select a specific traffic flow +for which this Wasm Plugin will be enabled. +When all the sub conditions in the TrafficSelector are satisfied, the +traffic will be selected.

    + + + + + + + + + + + + + + + @@ -396,22 +412,18 @@ more details can be found - - + - @@ -424,97 +436,39 @@ No - - - - + - - - + - - - + - - - -
    FieldDescription
    -No +

    Criteria for selecting traffic by their direction. +Note that CLIENT and SERVER are analogous to OUTBOUND and INBOUND, +respectively. +For the gateway, the field should be CLIENT or CLIENT_AND_SERVER. +If not specified, the default value is CLIENT_AND_SERVER.

    + +
    +

    Criteria for selecting traffic by their destination port. +More specifically, for the outbound traffic, the destination port would be +the port of the target service. On the other hand, for the inbound traffic, +the destination port is the port bound by the server process in the same Pod.

    +

    If one of the given ports is matched, this condition is evaluated to true. +If not specified, this condition is evaluated to true for any port.

    +
    envEnvVar[]

    Specifies environment variables to be injected to this VM. Note that if a key does not exist, it will be ignored.

    -
    -No
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +

    Name of the environment variable. Must be a C_IDENTIFIER.

    -
    -Yes
    valueFromEnvValueSource

    Source for the environment variable’s value.

    -
    -No
    valuestring
    +
    string
    +

    Value for the environment variable. Only applicable if valueFrom is HOST. Defaults to “”.

    -
    -No -
    -
    -

    WasmPlugin.TrafficSelector

    -
    -

    TrafficSelector provides a mechanism to select a specific traffic flow -for which this Wasm Plugin will be enabled. -When all the sub conditions in the TrafficSelector are satisfied, the -traffic will be selected.

    - - - - - - - - - - - - - - - - - - - - - - diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html index 3877cc5362..d159197ca7 100644 --- a/content/zh/docs/reference/config/security/authorization-policy/index.html +++ b/content/zh/docs/reference/config/security/authorization-policy/index.html @@ -204,32 +204,29 @@ spec: - - - - + - - - + - - - + - - - + - - - + -
    FieldTypeDescriptionRequired
    modeWorkloadMode -

    Criteria for selecting traffic by their direction. -Note that CLIENT and SERVER are analogous to OUTBOUND and INBOUND, -respectively. -For the gateway, the field should be CLIENT or CLIENT_AND_SERVER. -If not specified, the default value is CLIENT_AND_SERVER.

    - -
    -No -
    portsPortSelector[] -

    Criteria for selecting traffic by their destination port. -More specifically, for the outbound traffic, the destination port would be -the port of the target service. On the other hand, for the inbound traffic, -the destination port is the port bound by the server process in the same Pod.

    -

    If one of the given ports is matched, this condition is evaluated to true. -If not specified, this condition is evaluated to true for any port.

    - -
    -No
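Review bot: the EnvVar `value` row says it is "Only applicable if valueFrom is HOST", yet `valueFrom` is documented as the source of the variable's value, so a value taken from the host leaves nothing for an explicit `value` to supply; confirm against the API source which EnvValueSource this sentence should name before the regenerated text ships. Two smaller points in the same hunk: the `env` description ("Note that if a key does not exist, it will be ignored") does not say which key or where it is looked up, and the regenerated TrafficSelector rows for mode and ports show no type where the removed rows carried WorkloadMode and PortSelector[]; verify that the type link survives the move to the two-column layout rather than assuming it was lost only in extraction.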
    FieldType DescriptionRequired
    selectorWorkloadSelector -

    Optional. The selector decides where to apply the authorization policy. The selector will match with workloads +

    The selector decides where to apply the authorization policy. The selector will match with workloads in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

    If the selector and the targetRef are not set, the selector will match all workloads.

    At most one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:
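Review bot: the selector description mixes `targetRef` ("If the selector and the targetRef are not set, the selector will match all workloads") with the field's real name `targetRefs` used two lines later ("At most one of selector or targetRefs can be set for a given policy"); since this hunk already rewrites the sentence to drop "Optional.", it is the right moment to make the name consistent so readers grepping for targetRefs find both sentences.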

    @@ -245,535 +242,64 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    rulesRule[] -

    Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

    +

    A list of rules to match the request. A match occurs when at least one rule matches the request.

    If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW.

    -
    -No
    actionAction -

    Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified.

    +

    The action to take if the request is matched with the rules. Default is ALLOW if not specified.

    -
    -No
    providerExtensionProvider (oneof)

    Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.

    -
    -No
    -

    Rule

    -
    -

    Rule matches requests from a list of sources that perform a list of operations subject to a -list of conditions. A match occurs when at least one source, one operation and all conditions -matches the request. An empty rule is always matched.

    -

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

    -
      -
    • Exact match: abc will match on value abc.
    • -
    • Prefix match: abc* will match on value abc and abcd.
    • -
    • Suffix match: *abc will match on value abc and xabc.
    • -
    • Presence match: * will match when value is not empty.
    • -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    fromFrom[] -

    Optional. from specifies the source of a request.

    -

    If not set, any source is allowed.

    - -
    -No -
    toTo[] -

    Optional. to specifies the operation of a request.

    -

    If not set, any operation is allowed.

    - -
    -No -
    whenCondition[] -

    Optional. when specifies a list of additional conditions of a request.

    -

    If not set, any condition is allowed.

    - -
    -No -
    -
    -

    Source

    -
    -

    Source specifies the source identities of a request. Fields in the source are -ANDed together.

    -

    For example, the following source matches if the principal is admin or dev -and the namespace is prod or test and the ip is not 203.0.113.4.

    -
    principals: ["admin", "dev"]
    -namespaces: ["prod", "test"]
    -notIpBlocks: ["203.0.113.4"]
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    principalsstring[] -

    Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of -"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". -This field requires mTLS enabled and is the same as the source.principal attribute.

    -

    If not set, any principal is allowed.

    - -
    -No -
    notPrincipalsstring[] -

    Optional. A list of negative match of peer identities.

    - -
    -No -
    requestPrincipalsstring[] -

    Optional. A list of request identities derived from the JWT. The request identity is in the format of -"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the -same as the request.auth.principal attribute.

    -

    If not set, any request principal is allowed.

    - -
    -No -
    notRequestPrincipalsstring[] -

    Optional. A list of negative match of request identities.

    - -
    -No -
    namespacesstring[] -

    Optional. A list of namespaces derived from the peer certificate. -This field requires mTLS enabled and is the same as the source.namespace attribute.

    -

    If not set, any namespace is allowed.

    - -
    -No -
    notNamespacesstring[] -

    Optional. A list of negative match of namespaces.

    - -
    -No -
    ipBlocksstring[] -

    Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. 203.0.113.4) and -CIDR (e.g. 203.0.113.0/24) are supported. This is the same as the source.ip attribute.

    -

    If not set, any IP is allowed.

    - -
    -No -
    notIpBlocksstring[] -

    Optional. A list of negative match of IP blocks.

    - -
    -No -
    remoteIpBlocksstring[] -

    Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. -To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig -when you install Istio or using an annotation on the ingress gateway. See the documentation here: -Configuring Gateway Network Topology. -Single IP (e.g. 203.0.113.4) and CIDR (e.g. 203.0.113.0/24) are supported. -This is the same as the remote.ip attribute.

    -

    If not set, any IP is allowed.

    - -
    -No -
    notRemoteIpBlocksstring[] -

    Optional. A list of negative match of remote IP blocks.

    - -
    -No -
    -
    -

    Operation

    -
    -

    Operation specifies the operations of a request. Fields in the operation are -ANDed together.

    -

    For example, the following operation matches if the host has suffix .example.com -and the method is GET or HEAD and the path doesn’t have prefix /admin.

    -
    hosts: ["*.example.com"]
    -methods: ["GET", "HEAD"]
    -notPaths: ["/admin*"]
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    hostsstring[] -

    Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. -See the security best practices for -recommended usage of this field.

    -

    If not set, any host is allowed. Must be used only with HTTP.

    - -
    -No -
    notHostsstring[] -

    Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.

    - -
    -No -
    portsstring[] -

    Optional. A list of ports as specified in the connection.

    -

    If not set, any port is allowed.

    - -
    -No -
    notPortsstring[] -

    Optional. A list of negative match of ports as specified in the connection.

    - -
    -No -
    methodsstring[] -

    Optional. A list of methods as specified in the HTTP request. -For gRPC service, this will always be POST.

    -

    If not set, any method is allowed. Must be used only with HTTP.

    - -
    -No -
    notMethodsstring[] -

    Optional. A list of negative match of methods as specified in the HTTP request.

    - -
    -No -
    pathsstring[] -

    Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization -for details of the path normalization. -For gRPC service, this will be the fully-qualified name in the form of /package.service/method.

    -

    If a path in the list contains the {*} or {**} path template operator, it will be interpreted as an Envoy Uri Template. -To be a valid path template, the path must not contain *, {, or } outside of a supported operator. No other characters are allowed in the path segment with the path template operator.

    -
      -
    • {*} matches a single glob that cannot extend beyond a path segment.
    • -
    • {**} matches zero or more globs. If a path contains {**}, it must be the last operator.
    • -
    -

    Examples:

    -
      -
    • /foo/{*} matches /foo/bar but not /foo/bar/baz
    • -
    • /foo/{**}/ matches /foo/bar/, /foo/bar/baz.txt, and /foo// but not /foo/bar
    • -
    • /foo/{*}/bar/{**} matches /foo/buzz/bar/ and /foo/buzz/bar/baz
    • -
    • /*/baz/{*} is not a valid path template since it includes * outside of a supported operator
    • -
    • /**/baz/{*} is not a valid path template since it includes ** outside of a supported operator
    • -
    • /{**}/foo/{*} is not a valid path template since {**} is not the last operator
    • -
    • /foo/{*}.txt is invalid since there are characters other than {*} in the path segment
    • -
    -

    If not set, any path is allowed. Must be used only with HTTP.

    - -
    -No -
    notPathsstring[] -

    Optional. A list of negative match of paths.

    - -
    -No -
    -
    -

    Condition

    -
    -

    Condition specifies additional required attributes.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    keystring -

    The name of an Istio attribute. -See the full list of supported attributes.

    - -
    -Yes -
    valuesstring[] -

    Optional. A list of allowed values for the attribute. -Note: at least one of values or notValues must be set.

    - -
    -No -
    notValuesstring[] -

    Optional. A list of negative match of values for the attribute. -Note: at least one of values or notValues must be set.

    - -
    -No -
    -
    -

    AuthorizationPolicy.ExtensionProvider

    +

    ExtensionProvider

    - - - - + -
    FieldType DescriptionRequired
    namestring
    +
    string
    +

    Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

    -
    -No
    -

    Rule.From

    -
    -

    From includes a list of sources.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    sourceSource -

    Source specifies the source of a request.

    - -
    -No -
    -
    -

    Rule.To

    -
    -

    To includes a list of operations.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    operationOperation -

    Operation specifies the operation of a request.

    - -
    -No -
    -
    -

    AuthorizationPolicy.Action

    +

    Action

    Action specifies the operation to take.
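Review bot: the heading renames in this hunk (AuthorizationPolicy.ExtensionProvider to ExtensionProvider, AuthorizationPolicy.Action to Action, and Rule.From / Rule.To removed here to reappear as plain From / To) change the generated anchor ids, so any deep link into the zh page that uses an old id will break; check that the generator emits redirects or that inbound links are updated. The hunk also deletes Rule, Source, Operation and Condition from their position directly after the AuthorizationPolicy table, which is where the `rules` row sends readers; they are re-added at the end of the file by the following hunk, so the reading order becomes AuthorizationPolicy, ExtensionProvider, Action, then Rule, which is less convenient than before.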

    @@ -842,3 +368,398 @@ spec:
    +

    Rule

    +
    +

    Rule matches requests from a list of sources that perform a list of operations subject to a +list of conditions. A match occurs when at least one source, one operation and all conditions +matches the request. An empty rule is always matched.

    +

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

    +
      +
    • Exact match: abc will match on value abc.
    • +
    • Prefix match: abc* will match on value abc and abcd.
    • +
    • Suffix match: *abc will match on value abc and xabc.
    • +
    • Presence match: * will match when value is not empty.
    • +
    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    from specifies the source of a request.

    +

    If not set, any source is allowed.

    + +
    + +
    +

    to specifies the operation of a request.

    +

    If not set, any operation is allowed.

    + +
    +

    when specifies a list of additional conditions of a request.

    +

    If not set, any condition is allowed.

    + +
    +
    +

    From

    +
    +

    From includes a list of sources.

    + + + + + + + + + + + + + + +
    FieldDescription
    +

    Source specifies the source of a request.

    + +
    +
    +

    To

    +
    +

    To includes a list of operations.

    + + + + + + + + + + + + + + +
    FieldDescription
    +

    Operation specifies the operation of a request.

    + +
    +
    +

    Source

    +
    +

    Source specifies the source identities of a request. Fields in the source are +ANDed together.

    +

    For example, the following source matches if the principal is admin or dev +and the namespace is prod or test and the ip is not 203.0.113.4.

    +
    principals: ["admin", "dev"]
    +namespaces: ["prod", "test"]
    +notIpBlocks: ["203.0.113.4"]
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    A list of peer identities derived from the peer certificate. The peer identity is in the format of +"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". +This field requires mTLS enabled and is the same as the source.principal attribute.

    +

    If not set, any principal is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of peer identities.

    + +
    +
    string[]
    +
    +

    A list of request identities derived from the JWT. The request identity is in the format of +"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the +same as the request.auth.principal attribute.

    +

    If not set, any request principal is allowed.

    + +
    +

    A list of negative match of request identities.

    + +
    +
    string[]
    +
    +

    A list of namespaces derived from the peer certificate. +This field requires mTLS enabled and is the same as the source.namespace attribute.

    +

    If not set, any namespace is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of namespaces.

    + +
    +
    string[]
    +
    +

    A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. 203.0.113.4) and +CIDR (e.g. 203.0.113.0/24) are supported. This is the same as the source.ip attribute.

    +

    If not set, any IP is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of IP blocks.

    + +
    +
    string[]
    +
    +

    A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. +To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig +when you install Istio or using an annotation on the ingress gateway. See the documentation here: +Configuring Gateway Network Topology. +Single IP (e.g. 203.0.113.4) and CIDR (e.g. 203.0.113.0/24) are supported. +This is the same as the remote.ip attribute.

    +

    If not set, any IP is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of remote IP blocks.

    + +
    +
    +

    Operation

    +
    +

    Operation specifies the operations of a request. Fields in the operation are +ANDed together.

    +

    For example, the following operation matches if the host has suffix .example.com +and the method is GET or HEAD and the path doesn’t have prefix /admin.

    +
    hosts: ["*.example.com"]
    +methods: ["GET", "HEAD"]
    +notPaths: ["/admin*"]
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string[]
    +
    +

    A list of hosts as specified in the HTTP request. The match is case-insensitive. +See the security best practices for +recommended usage of this field.

    +

    If not set, any host is allowed. Must be used only with HTTP.

    + +
    +
    string[]
    +
    +

    A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.

    + +
    +
    string[]
    +
    +

    A list of ports as specified in the connection.

    +

    If not set, any port is allowed.

    + +
    +
    string[]
    +
    +

    A list of negative match of ports as specified in the connection.

    + +
    +
    string[]
    +
    +

    A list of methods as specified in the HTTP request. +For gRPC service, this will always be POST.

    +

    If not set, any method is allowed. Must be used only with HTTP.

    + +
    +
    string[]
    +
    +

    A list of negative match of methods as specified in the HTTP request.

    + +
    +
    string[]
    +
    +

    A list of paths as specified in the HTTP request. See the Authorization Policy Normalization +for details of the path normalization. +For gRPC service, this will be the fully-qualified name in the form of /package.service/method.

    +

    If a path in the list contains the {*} or {**} path template operator, it will be interpreted as an Envoy Uri Template. +To be a valid path template, the path must not contain *, {, or } outside of a supported operator. No other characters are allowed in the path segment with the path template operator.

    +
      +
    • {*} matches a single glob that cannot extend beyond a path segment.
    • +
    • {**} matches zero or more globs. If a path contains {**}, it must be the last operator.
    • +
    +

    Examples:

    +
      +
    • /foo/{*} matches /foo/bar but not /foo/bar/baz
    • +
    • /foo/{**}/ matches /foo/bar/, /foo/bar/baz.txt, and /foo// but not /foo/bar
    • +
    • /foo/{*}/bar/{**} matches /foo/buzz/bar/ and /foo/buzz/bar/baz
    • +
    • /*/baz/{*} is not a valid path template since it includes * outside of a supported operator
    • +
    • /**/baz/{*} is not a valid path template since it includes ** outside of a supported operator
    • +
    • /{**}/foo/{*} is not a valid path template since {**} is not the last operator
    • +
    • /foo/{*}.txt is invalid since there are characters other than {*} in the path segment
    • +
    +

    If not set, any path is allowed. Must be used only with HTTP.

    + +
    +
    string[]
    +
    +

    A list of negative match of paths.

    + +
    +
    +

    Condition

    +
    +

    Condition specifies additional required attributes.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    Required
    +
    +

    The name of an Istio attribute. +See the full list of supported attributes.

    + +
    +
    string[]
    +
    +

    A list of allowed values for the attribute. +Note: at least one of values or notValues must be set.

    + +
    +
    string[]
    +
    +

    A list of negative match of values for the attribute. +Note: at least one of values or notValues must be set.

    + +
    +
    diff --git a/content/zh/docs/reference/config/security/peer_authentication/index.html b/content/zh/docs/reference/config/security/peer_authentication/index.html index 0d912238e4..63f3cfe407 100644 --- a/content/zh/docs/reference/config/security/peer_authentication/index.html +++ b/content/zh/docs/reference/config/security/peer_authentication/index.html @@ -95,54 +95,46 @@ spec: Field -Type Description -Required -
    selector -WorkloadSelector +

    The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.

    If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied to all workloads in the mesh.

    - - -No -mtls -MutualTLS +

    Mutual TLS settings for workload. If not defined, inherit from parent.

    - - -No -portLevelMtls -map<uint32, MutualTLS> +
    +
    map<uint32, MutualTLS>
    +

    Port specific mutual TLS settings. These only apply when a workload selector is specified. The port refers to the port of the workload, not the port of the Kubernetes service.

    - - -No -

    PeerAuthentication.MutualTLS

    +

    MutualTLS

    Mutual TLS settings.
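Review bot: grammar in the selector row, "the selector will additionally match with workloads in all namespace" should read "in all namespaces" (the equivalent sentence in the AuthorizationPolicy and RequestAuthentication tables already uses the plural); fix it at the proto comment so the next regeneration picks it up rather than patching the generated HTML.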

    @@ -150,27 +142,23 @@ No Field -Type Description -Required -mode -Mode +

    Defines the mTLS mode used for peer authentication.

    - - -No
    -

    PeerAuthentication.MutualTLS.Mode

    +

    Mode
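Review bot: the heading PeerAuthentication.MutualTLS.Mode becomes plain Mode here, which changes its anchor id; confirm that inbound links to the old id are redirected, as for the renamed AuthorizationPolicy sections in this same patch.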

    diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html index 9d92faea1c..e2e1df880f 100644 --- a/content/zh/docs/reference/config/security/request_authentication/index.html +++ b/content/zh/docs/reference/config/security/request_authentication/index.html @@ -202,32 +202,29 @@ spec: - - - - + - - - + - - - + - @@ -296,15 +288,15 @@ fromHeaders: - - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - - - + - @@ -491,34 +460,29 @@ No - - - - + - - - + - @@ -532,33 +496,29 @@ No - - - - + - - - + - diff --git a/content/zh/docs/reference/config/telemetry/index.html b/content/zh/docs/reference/config/telemetry/index.html index 2cdf6f43c4..47d6e1ec81 100644 --- a/content/zh/docs/reference/config/telemetry/index.html +++ b/content/zh/docs/reference/config/telemetry/index.html @@ -203,31 +203,28 @@ spec: - - - - + - - - + - - - + - - - + - - - + - @@ -302,41 +290,36 @@ fully replace any values provided by parent configuration.

    - - - - + - - - + - - - + - - - + - - - + - - - + + + +
    FieldType DescriptionRequired
    selectorWorkloadSelector -

    Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads +

    The selector decides where to apply the request authentication policy. The selector will match with workloads in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

    If not set, the selector will match all workloads.

    At most one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -243,14 +240,12 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    jwtRulesJWTRule[]

    Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token will be used to extract the authenticated identity. @@ -260,9 +255,6 @@ be rejected. Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
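Review bot: the jwtRules description ends with "Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined", a comma splice, and the identical sentence is repeated verbatim under fromHeaders, fromParams and fromCookies further down. Stating it once here (with a semicolon) and cross-referencing it from the location fields would be lighter; the security point itself, that presenting several tokens yields an undefined principal, is worth keeping prominent.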
    FieldType DescriptionRequired
    issuerstring
    +
    string
    +
    Required
    +

    Identifies the issuer that issued the JWT. See issuer @@ -312,14 +304,12 @@ A JWT with different iss claim will be rejected.

    Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com

    -
    -Yes
    audiencesstring[]
    +
    string[]
    +

    The list of JWT audiences @@ -332,14 +322,12 @@ audiences will be accepted.

    bookstore_web.apps.example.com -
    -No
    jwksUristring
    +
    string
    +

    URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

    @@ -351,27 +339,23 @@ Google service account).

    Example: https://www.googleapis.com/oauth2/v1/certs

    Note: Only one of jwksUri and jwks should be used.

    -
    -No
    jwksstring
    +
    string
    +

    JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.

    Note: Only one of jwksUri and jwks should be used.

    -
    -No
    fromHeadersJWTHeader[]

    List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in x-jwt-assertion header, and have Bearer prefix:

    @@ -382,14 +366,12 @@ if JWT is expected to be found in x-jwt-assertion header, and have

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
    fromParamsstring[]
    +
    string[]
    +

    List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter my_token (e.g /path?my_token=<JWT>), the config is:

    @@ -399,27 +381,23 @@ parameter my_token (e.g /path?my_token=<JWT>), t

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
    outputPayloadToHeaderstring

    This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted.

    -
    -No
    fromCookiesstring[]
    +
    string[]
    +

    List of cookie names from which JWT is expected. // For example, if config is:

    @@ -430,25 +408,21 @@ For example, if config is:

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    -
    -No
    forwardOriginalTokenbool

    If set to true, the original token will be kept for the upstream request. Default is false.

    -
    -No
    outputClaimToHeadersClaimToHeader[]

    This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. This differs from the output_payload_to_header by allowing outputting individual claims instead of the whole payload. @@ -463,21 +437,16 @@ The header specified in each operation in the list must be unique. Nested claims

    [Experimental] This feature is a experimental feature.

    -
    -No
    timeoutDuration

    The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. Default is 5s.

    -
    -No
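Review bot: the fromCookies description leaks a proto comment marker ("List of cookie names from which JWT is expected. // For example, if config is:"); the "//" should not reach the rendered page. In the same table, "This feature is a experimental feature" under outputClaimToHeaders should read "an experimental feature", and the jwks row's "See https://auth0.com/docs/jwks" points at a vendor page for what is a standard format (RFC 7517); consider linking the RFC instead.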
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +

    The HTTP header name.

    -
    -Yes
    prefixstring
    +
    string
    +

    The prefix that should be stripped before decoding the token. For example, for Authorization: Bearer <token>, prefix=Bearer with a space at the end. If the header doesn’t have this exact prefix, it is considered invalid.

    -
    -No
    FieldType DescriptionRequired
    headerstring
    +
    string
    +
    Required
    +

    The name of the header to be created. The header will be overridden if it already exists in the request.

    -
    -Yes
    claimstring
    +
    string
    +
    Required
    +

    The name of the claim to be copied from. Only claim of type string/int/bool is supported. The header will not be there if the claim does not exist or the type of the claim is not supported.

    -
    -Yes
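Review bot: in the ClaimToHeader claim row, "The header will not be there if the claim does not exist or the type of the claim is not supported" is informal; suggest "The header is not set if the claim is absent or its type is not string, int or bool", which restates the supported types already listed in the same row. The header row's statement that an existing request header is overridden is the important security property here (a client cannot pre-seed the claim header) and should stay as written.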
    FieldType DescriptionRequired
    selectorWorkloadSelector -

    Optional. The selector decides where to apply the policy. +

    The selector decides where to apply the policy. If not set, the policy will be applied to all workloads in the same namespace as the policy.

    At most one of selector or targetRefs can be set for a given policy.

    -
    -No
    targetRefsPolicyTargetReference[] -

    Optional. The targetRefs specifies a list of resources the policy should be +

    The targetRefs specifies a list of resources the policy should be applied to. The targeted resources specified will determine which workloads the policy applies to.

    Currently, the following resource attachment types are supported:

    @@ -243,45 +240,36 @@ This is to prevent proxies connected to older control planes (that don’t k from misinterpreting the policy as namespace-wide during the upgrade process.

    NOTE: Waypoint proxies are required to use this field for policies to apply; selector policies will be ignored.

    -
    -No
    tracingTracing[] -

    Optional. Tracing configures the tracing behavior for all +

    Tracing configures the tracing behavior for all selected workloads.

    -
    -No
    metricsMetrics[] -

    Optional. Metrics configures the metrics behavior for all +

    Metrics configures the metrics behavior for all selected workloads.

    -
    -No
    accessLoggingAccessLogging[] -

    Optional. Access logging configures the access logging behavior for all +

    Access logging configures the access logging behavior for all selected workloads.

    -
    -No
    FieldType DescriptionRequired
    matchTracingSelector

    Allows tailoring of behavior to specific conditions.

    -
    -No
    providersProviderRef[] -

    Optional. Name of provider(s) to use for span reporting. If a provider is +

    Name of provider(s) to use for span reporting. If a provider is not specified, the default tracing provider will be used. NOTE: At the moment, only a single provider can be specified in a given Tracing rule.

    -
    -No
    randomSamplingPercentageDoubleValue

    Controls the rate at which traffic will be selected for tracing if no prior sampling decision has been made. If a prior sampling decision has @@ -347,45 +330,199 @@ generation at the percentage specified.

    Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% increments.

    -
    -No
    disableSpanReportingBoolValue

    Controls span reporting. If set to true, no spans will be reported for impacted workloads. This does NOT impact context propagation or trace sampling behavior.

    -
    -No
    customTagsmap<string, CustomTag>
    +
    map<string, CustomTag>
    +
    -

    Optional. Configures additional custom tags to the generated trace spans.

    +

    Configures additional custom tags to the generated trace spans.

    -
    -No
    enableIstioTagsBoolValue

    Determines whether or not trace spans generated by Envoy will include Istio specific tags. By default Istio specific tags are included in the trace spans.

    +
    +

    TracingSelector

    +
    +

    TracingSelector provides a coarse-grained ability to configure tracing +behavior based on certain traffic metadata (such as traffic direction).

    + + + + + + + + + + + + + +
    FieldDescription
    -No +

    This determines whether or not to apply the tracing configuration +based on the direction of traffic relative to the proxied workload.

    + +
    +
    +

    CustomTag

    +
    +

    CustomTag defines a tag to be added to a trace span that is based on +an operator-supplied value. This value can either be a hard-coded value, +a value taken from an environment variable known to the sidecar proxy, or +from a request header.

    +

    NOTE: when specified, custom_tags will fully replace any values provided +by parent configuration.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Literal adds the same, hard-coded value to each span.

    + +
    +

    Environment adds the value of an environment variable to each span.

    + +
    +

    RequestHeader adds the value of an header from the request to each +span.

    + +
    +
    +

    Literal

    +
    + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    Required
    +
    +

    The tag value to use.

    + +
    +
    +

    Environment

    +
    + + + + + + + + + + + + + + + + + +
    FieldDescription
    +
    string
    +
    Required
    +
    +

    Name of the environment variable from which to extract the tag value.

    + +
    +
    string
    +
    +

    If the environment variable is not found, this value will be +used instead.

    + +
    +
    +

    RequestHeader

    +
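Review bot: the added RequestHeader description reads "adds the value of an header from the request to each span"; it should be "a header". The block being removed further down has the same wording, so this is not a regression, but because this page is rendered from the API field comments the correction belongs upstream in that comment, otherwise the next automated regeneration will reintroduce it.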
    + + + + + + + + + + + + + + + @@ -400,21 +537,18 @@ targeted customization.

    - - - - + - @@ -430,31 +564,28 @@ as to customize the dimensions of the generated metrics.

    - - - - + - - - + - - - + - @@ -498,488 +624,43 @@ behaviors.

    - - - - + - - - + - - - + -
    FieldDescription
    +
    string
    +
    Required
    +
    +

    Name of the header from which to extract the tag value.

    + +
    +
    string
    +
    +

    If the header is not found, this value will be +used instead.

    +
    FieldType DescriptionRequired
    namestring
    +
    string
    +
    Required
    +
    -

    Required. Name of Telemetry provider in MeshConfig.

    +

    Name of Telemetry provider in MeshConfig.

    -
    -Yes
    FieldType DescriptionRequired
    providersProviderRef[] -

    Optional. Name of providers to which this configuration should apply. +

    Name of providers to which this configuration should apply. If a provider is not specified, the default metrics provider will be used.

    -
    -No
    overridesMetricsOverrides[] -

    Optional. Ordered list of overrides to metrics generation behavior.

    +

    Ordered list of overrides to metrics generation behavior.

    Specified overrides will be applied in order. They will be applied on top of inherited overrides from other resources in the hierarchy in the following order:

    @@ -468,22 +599,17 @@ overrides from least specific to most specific matches. That is, it is a best practice to list any universal overrides first, with tailored overrides following them.

    -
    -No
    reportingIntervalDuration -

    Optional. Reporting interval allows configuration of the time between calls out to for metrics reporting. +

    Reporting interval allows configuration of the time between calls out to for metrics reporting. This currently only supports TCP metrics but we may use this for long duration HTTP streams in the future. The default duration is 5s.

    -
    -No
    FieldType DescriptionRequired
    metricIstioMetric (oneof)

    One of the well-known Istio Standard Metrics.

    -
    -No
    customMetricstring (oneof)
    +
    string (oneof)
    +

    Allows free-form specification of a metric. No validation of custom metrics is provided.

    -
    -No
    modeWorkloadMode

    Controls which mode of metrics generation is selected: CLIENT, SERVER, or CLIENT_AND_SERVER.

    -
    -No
    -

    MetricsOverrides

    -
    -

    MetricsOverrides defines custom metric generation behavior for an individual -metric or the set of all standard metrics.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchMetricSelector -

    Match allows providing the scope of the override. It can be used to select -individual metrics, as well as the workload modes (server, client, or both) -in which the metrics will be generated.

    -

    If match is not specified, the overrides will apply to all metrics for -both modes of operation (client and server).

    - -
    -No -
    disabledBoolValue -

    Optional. Must explicitly set this to true to turn off metrics reporting -for the listed metrics. If disabled has been set to true in a parent -configuration, it must explicitly be set to false to turn metrics -reporting on in the workloads selected by the Telemetry resource.

    - -
    -No -
    tagOverridesmap<string, TagOverride> -

    Optional. Collection of tag names and tag expressions to override in the -selected metric(s). -The key in the map is the name of the tag. -The value in the map is the operation to perform on the the tag. -WARNING: some providers may not support adding/removing tags. -See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    - -
    -No -
    -
    -

    AccessLogging

    -
    -

    Access logging defines the workload-level overrides for access log -generation. It can be used to select provider or enable/disable access log -generation for a workload.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchLogSelector -

    Allows tailoring of logging behavior to specific conditions.

    - -
    -No -
    providersProviderRef[] -

    Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the default logging -provider will be used.

    - -
    -No -
    disabledBoolValue -

    Controls logging. If set to true, no access logs will be generated for -impacted workloads (for the specified providers). -NOTE: currently default behavior will be controlled by the provider(s) -selected above. Customization controls will be added to this API in -future releases.

    - -
    -No -
    filterFilter -

    Optional. If specified, this filter will be used to select specific -requests/connections for logging.

    - -
    -No -
    -
    -

    Tracing.TracingSelector

    -
    -

    TracingSelector provides a coarse-grained ability to configure tracing -behavior based on certain traffic metadata (such as traffic direction).

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeWorkloadMode -

    This determines whether or not to apply the tracing configuration -based on the direction of traffic relative to the proxied workload.

    - -
    -No -
    -
    -

    Tracing.CustomTag

    -
    -

    CustomTag defines a tag to be added to a trace span that is based on -an operator-supplied value. This value can either be a hard-coded value, -a value taken from an environment variable known to the sidecar proxy, or -from a request header.

    -

    NOTE: when specified, custom_tags will fully replace any values provided -by parent configuration.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    literalLiteral (oneof) -

    Literal adds the same, hard-coded value to each span.

    - -
    -No -
    environmentEnvironment (oneof) -

    Environment adds the value of an environment variable to each span.

    - -
    -No -
    headerRequestHeader (oneof) -

    RequestHeader adds the value of an header from the request to each -span.

    - -
    -No -
    -
    -

    Tracing.Literal

    -
    - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valuestring -

    The tag value to use.

    - -
    -Yes -
    -
    -

    Tracing.Environment

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    Name of the environment variable from which to extract the tag value.

    - -
    -Yes -
    defaultValuestring -

    Optional. If the environment variable is not found, this value will be -used instead.

    - -
    -No -
    -
    -

    Tracing.RequestHeader

    -
    - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    Name of the header from which to extract the tag value.

    - -
    -Yes -
    defaultValuestring -

    Optional. If the header is not found, this value will be -used instead.

    - -
    -No -
    -
    -

    MetricsOverrides.TagOverride

    -
    -

    TagOverride specifies an operation to perform on a metric dimension (also -known as a label). Tags may be added, removed, or have their default -values overridden.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    operationOperation -

    Operation controls whether or not to update/add a tag, or to remove it.

    - -
    -No -
    valuestring -

    Value is only considered if the operation is UPSERT. -Values are CEL expressions over -attributes. Examples include: string(destination.port) and -request.host. Istio exposes all standard Envoy -attributes. -Additionally, Istio exposes node metadata as attributes. -More information is provided in the customization -docs.

    - -
    -No -
    -
    -

    AccessLogging.LogSelector

    -
    -

    LogSelector provides a coarse-grained ability to configure logging behavior -based on certain traffic metadata (such as traffic direction). LogSelector -applies to traffic metadata which is not represented in the attribute set -currently supported by filters. -It allows control planes to limit the configuration sent to individual workloads. -Finer-grained logging behavior can be further configured via filter.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeWorkloadMode -

    This determines whether or not to apply the access logging configuration -based on the direction of traffic relative to the proxied workload.

    - -
    -No -
    -
    -

    AccessLogging.Filter

    -
    -

    Allows specification of an access log filter.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    expressionstring -

    CEL expression for selecting when requests/connections should be logged.

    -

    Examples:

    -
      -
    • response.code >= 400
    • -
    • connection.mtls && request.url_path.contains('v1beta3')
    • -
    • !has(request.useragent) || !(request.useragent.startsWith("Amazon-Route53-Health-Check-Service"))
    • -
    - -
    -No -
    -
    -

    MetricSelector.IstioMetric

    +

    IstioMetric

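Review bot: the removed sections carry the parent-message prefix in their headings (Tracing.TracingSelector, Tracing.CustomTag, Tracing.Literal, Tracing.Environment, Tracing.RequestHeader, MetricsOverrides.TagOverride, AccessLogging.LogSelector, AccessLogging.Filter) while their replacements are added under the bare names (TracingSelector, CustomTag, Literal, Environment, RequestHeader, TagOverride, LogSelector, Filter). If the generated heading ids follow the heading text, every existing deep link into those anchors breaks; please confirm the generator still emits the old ids or that redirects are in place. Also, the reportingInterval text on both sides of this hunk reads "the time between calls out to for metrics reporting", which is missing the object of "to"; that is another fix for the upstream field comment.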
    Curated list of known metric types that is supported by Istio metric providers. See also: @@ -1135,7 +816,104 @@ traffic.

    -

    MetricsOverrides.TagOverride.Operation

    +

    MetricsOverrides

    +
    +

    MetricsOverrides defines custom metric generation behavior for an individual +metric or the set of all standard metrics.

    + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Match allows providing the scope of the override. It can be used to select +individual metrics, as well as the workload modes (server, client, or both) +in which the metrics will be generated.

    +

    If match is not specified, the overrides will apply to all metrics for +both modes of operation (client and server).

    + +
    +

    Must explicitly set this to true to turn off metrics reporting +for the listed metrics. If disabled has been set to true in a parent +configuration, it must explicitly be set to false to turn metrics +reporting on in the workloads selected by the Telemetry resource.

    + +
    +
    map<string, TagOverride>
    +
    +

    Collection of tag names and tag expressions to override in the +selected metric(s). +The key in the map is the name of the tag. +The value in the map is the operation to perform on the the tag. +WARNING: some providers may not support adding/removing tags. +See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    + +
    +
    +

    TagOverride

    +
    +

    TagOverride specifies an operation to perform on a metric dimension (also +known as a label). Tags may be added, removed, or have their default +values overridden.

    + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Operation controls whether or not to update/add a tag, or to remove it.

    + +
    +
    string
    +
    +

    Value is only considered if the operation is UPSERT. +Values are CEL expressions over +attributes. Examples include: string(destination.port) and +request.host. Istio exposes all standard Envoy +attributes. +Additionally, Istio exposes node metadata as attributes. +More information is provided in the customization +docs.

    + +
    +
    +

    Operation

    @@ -1159,6 +937,126 @@ traffic.

    Specifies that the tag should not be included in the metric when generated.

    + + + +
    +
    +

    AccessLogging

    +
    +

    Access logging defines the workload-level overrides for access log +generation. It can be used to select provider or enable/disable access log +generation for a workload.

    + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    +

    Allows tailoring of logging behavior to specific conditions.

    + +
    +

    Name of providers to which this configuration should apply. +If a provider is not specified, the default logging +provider will be used.

    + +
    +

    Controls logging. If set to true, no access logs will be generated for +impacted workloads (for the specified providers). +NOTE: currently default behavior will be controlled by the provider(s) +selected above. Customization controls will be added to this API in +future releases.

    + +
    +

    If specified, this filter will be used to select specific +requests/connections for logging.

    + +
    +
    +

    LogSelector

    +
    +

    LogSelector provides a coarse-grained ability to configure logging behavior +based on certain traffic metadata (such as traffic direction). LogSelector +applies to traffic metadata which is not represented in the attribute set +currently supported by filters. +It allows control planes to limit the configuration sent to individual workloads. +Finer-grained logging behavior can be further configured via filter.

    + + + + + + + + + + + + + + +
    FieldDescription
    +

    This determines whether or not to apply the access logging configuration +based on the direction of traffic relative to the proxied workload.

    + +
    +
    +

    Filter

    +
    +

    Allows specification of an access log filter.

    + + + + + + + + + + + + diff --git a/content/zh/docs/reference/config/type/workload-selector/index.html b/content/zh/docs/reference/config/type/workload-selector/index.html index 182bfcda66..f0269af6b9 100644 --- a/content/zh/docs/reference/config/type/workload-selector/index.html +++ b/content/zh/docs/reference/config/type/workload-selector/index.html @@ -21,23 +21,19 @@ selected. Currently, only label based selection mechanism is supported.

    - - - - + - @@ -52,21 +48,18 @@ a listener having a specific port.

    - - - - + - @@ -107,55 +100,47 @@ spec: - - - - + - - - + - - - + - - - + -
    FieldDescription
    +
    string
    +
    +

    CEL expression for selecting when requests/connections should be logged.

    +

    Examples:

    +
      +
    • response.code >= 400
    • +
    • connection.mtls && request.url_path.contains('v1beta3')
    • +
    • !has(request.useragent) || !(request.useragent.startsWith("Amazon-Route53-Health-Check-Service"))
    • +
    +
    FieldType DescriptionRequired
    matchLabelsmap<string, string>
    +
    map<string, string>
    +

    One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.

    -
    -No
    FieldType DescriptionRequired
    numberuint32
    +
    uint32
    +
    Required
    +

    Port number

    -
    -Yes
    FieldType DescriptionRequired
    groupstring
    +
    string
    +

    group is the group of the target resource.

    -
    -No
    kindstring
    +
    string
    +
    Required
    +

    kind is kind of the target resource.

    -
    -Yes
    namestring
    +
    string
    +
    Required
    +

    name is the name of the target resource.

    -
    -Yes
    namespacestring
    +
    string
    +

    namespace is the namespace of the referent. When unspecified, the local namespace is inferred.

    -
    -No
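Review bot: in the PolicyTargetReference table, "kind is kind of the target resource." is missing an article and should read "kind is the kind of the target resource", matching the "x is the x of the target resource" pattern used by group, name and namespace. In the same table, namespace documents its default ("When unspecified, the local namespace is inferred") but group does not say what an empty value means; the upstream comment should state the default so readers know whether omitting group selects the core API group or is rejected.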