diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html index 699e0c9520..91092f1272 100644 --- a/content/en/docs/reference/commands/istioctl/index.html +++ b/content/en/docs/reference/commands/istioctl/index.html @@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio title: istioctl description: Istio control interface. generator: pkg-collateral-docs -number_of_entries: 77 +number_of_entries: 78 ---
Istio configuration command line utility for service operators to debug and diagnose their Istio mesh. @@ -36,7 +36,7 @@ debug and diagnose their Istio mesh.
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--meshConfigFile <string>
--color
--context <string>
--log_output_level <string>
--namespace <string>
-k
--verbose
-v
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
istioctl experimental describe pod productpage-v1-c7765c886-7zzd4
+Analyzes service, pods, DestinationRules, and VirtualServices and reports +the configuration objects that affect that service.
+THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. +
+istioctl experimental describe service <svc> [flags]
+
+istioctl experimental describe svc <svc> [flags]
+
Flags | +Shorthand | +Description | +
---|---|---|
--context <string> |
++ | The name of the kubeconfig context to use (default ``) | +
--ignoreUnmeshed |
++ | Suppress warnings for unmeshed pods | +
--istioNamespace <string> |
+-i |
+Istio system namespace (default `istio-system`) | +
--kubeconfig <string> |
+-c |
+Kubernetes configuration file (default ``) | +
--log_output_level <string> |
++ | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`) | +
--namespace <string> |
+-n |
+Config namespace (default ``) | +
istioctl experimental describe service productpage
+
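Review bot: the two usage lines `istioctl experimental describe service <svc> [flags]` and `istioctl experimental describe svc <svc> [flags]` sit back to back with nothing saying that `svc` is an alias of `service`, so a reader can take them for two different subcommands. The front matter marks this page as generated (`generator: pkg-collateral-docs`, `source_repo: https://github.com/istio/istio`), so the fix belongs in the command definition there: state the alias in the long description. The description also mixes singular "service" with plural "pods, DestinationRules, and VirtualServices"; "Analyzes a service and its pods, DestinationRules, and VirtualServices" would read better.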
kube-uninject is used to prevent Istio from adding a sidecar and @@ -1426,7 +1490,7 @@ also provides the inverse of "istioctl kube-inject -f".
--log_output_level <string>
--namespace <string>
The manifest subcommand generates, applies, diffs or migrates Istio manifests.
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--verbose |
-- | Verbose output. | -
The apply subcommand generates an Istio install manifest and applies it to a cluster.
-istioctl experimental manifest apply [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--filename <string> |
--f |
-Path to file containing IstioControlPlane CustomResource (default ``) | -
--force |
-- | Proceed even with validation errors | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--readiness-timeout <duration> |
-- | Maximum seconds to wait for all Istio resources to be ready. The --wait flag must be set for this flag to apply (default `5m0s`) | -
--set <stringSlice> |
--s |
-Set a value in IstioControlPlane CustomResource. e.g. --set policy.enabled=true. -Overrides the corresponding path value in the selected profile or passed through IstioControlPlane CR -customization file (default `[]`) | -
--verbose |
-- | Verbose output. | -
--wait |
--w |
-Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of --readiness-timeout seconds | -
--yes |
--y |
-Do not ask for confirmation | -
The diff subcommand compares manifests from two files or directories.
-istioctl experimental manifest diff <file|dir> <file|dir> [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--directory |
--r |
-compare directory | -
--dry-run |
-- | Console/log output only, make no changes. | -
--ignore <string> |
-- | ignoreResources ignores all listed items during comparison. It uses the same list format as selectResources (default ``) | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--rename <string> |
-- | renameResources identifies renamed resources before comparison. -The format of each renaming pair is A->B, all renaming pairs are comma separated. -e.g. Service:*:istio-pilot->Service:*:istio-control - rename istio-pilot service into istio-control (default ``) | -
--select <string> |
-- | selectResources constrains the list of resources to compare to only the ones in this list, ignoring all others. -The format of each list item is "::" and the items are comma separated. The "*" character represents wildcard selection. -e.g. - Deployment:istio-system:* - compare all deployments in istio-system namespace - Service:*:istio-pilot - compare Services called "istio-pilot" in all namespaces (default `::`) | -
--verbose |
-- | Verbose output. | -
The generate subcommand generates an Istio install manifest and outputs to the console by default.
-istioctl experimental manifest generate [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--filename <string> |
--f |
-Path to file containing IstioControlPlane CustomResource (default ``) | -
--force |
-- | Proceed even with validation errors | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--output <string> |
--o |
-Manifest output directory path (default ``) | -
--set <stringSlice> |
--s |
-Set a value in IstioControlPlane CustomResource. e.g. --set policy.enabled=true. -Overrides the corresponding path value in the selected profile or passed through IstioControlPlane CR -customization file (default `[]`) | -
--verbose |
-- | Verbose output. | -
The migrate subcommand migrates a configuration from Helm values format to IstioControlPlane format.
-istioctl experimental manifest migrate [<filepath>] [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--verbose |
-- | Verbose output. | -
List the versions of Istio recommended for use or supported for upgrade by this version of the operator binary.
-istioctl experimental manifest versions [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--verbose |
-- | Verbose output. | -
--versionsURI <string> |
--u |
-URI for operator versions to Istio versions map (default `https://raw.githubusercontent.com/istio/operator/master/data/versions.yaml`) | -
Prints the metrics for the specified service(s) when running in Kubernetes.
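Review bot: this removal drops the `istioctl experimental manifest` section while the command reappears later in the patch as `istioctl manifest`, and the flag that suppresses the prompt on `apply` changes with the move. The removed table has `--yes` / `-y` ("Do not ask for confirmation"); the added `istioctl manifest apply` table has `--skip-confirmation` with an empty shorthand column. Anything that ran `istioctl experimental manifest apply --yes` unattended is affected by both the path change and the flag rename, so both should be called out in the release notes. The new description, "skipConfirmation determines whether the user is prompted for confirmation.", does not say which way the flag works; "Skip the confirmation prompt" would be unambiguous.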
@@ -1910,7 +1561,7 @@ calculated over a time interval of 1 minute.--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
--log_output_level <string>
--namespace <string>
The profile subcommand lists, dumps or diffs Istio configuration profiles.
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--verbose |
-- | Verbose output. | -
The diff subcommand displays the differences between two Istio configuration profiles.
-istioctl experimental profile diff <file1.yaml> <file2.yaml> [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--verbose |
-- | Verbose output. | -
The dump subcommand dumps the values in an Istio configuration profile.
-istioctl experimental profile dump [<profile>] [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--config-path <string> |
--p |
-The path the root of the configuration subtree to dump e.g. trafficManagement.components.pilot. By default, dump whole tree (default ``) | -
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--filename <string> |
--f |
-Path to file containing IstioControlPlane CustomResource (default ``) | -
--helm-values |
-- | If set, dumps the Helm values that IstioControlPlaceSpec is translated to before manifests are rendered | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--verbose |
-- | Verbose output. | -
The list subcommand lists the available Istio configuration profiles.
-istioctl experimental profile list [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--dry-run |
-- | Console/log output only, make no changes. | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--log_output_level <string> |
-- | Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`) | -
--logtostderr |
-- | Send logs to stderr. | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--verbose |
-- | Verbose output. | -
Remove workloads from Istio service mesh
istioctl experimental remove-from-mesh [flags]
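Review bot: in the removed `experimental profile dump` table, the `--helm-values` description reads "IstioControlPlaceSpec", which looks like a typo for IstioControlPlaneSpec given that the neighbouring `--filename` row says "IstioControlPlane CustomResource". If this text is regenerated under a new command path, correct the string in the source so the typo does not move with it. The `--config-path` description is also missing a word: "The path the root of the configuration subtree" should be "The path to the root of the configuration subtree".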
@@ -2738,7 +2156,7 @@ istioctl experimental post-install webhook status --validation --validation-conf
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -2782,7 +2200,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -2827,7 +2245,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -2885,7 +2303,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--logtostderr
@@ -2898,6 +2316,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
Config namespace (default ``)
+--skipConfirmation
+-y
+If skipConfirmation is set, skips the prompting confirmation for value changes in this upgrade
+
+
--verbose
Verbose output.
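Review bot: the flag added here is spelled `--skipConfirmation` with shorthand `-y`, while the flag added for `istioctl manifest apply` later in this patch is `--skip-confirmation` with no shorthand. Two spellings for the same behaviour in one binary invite mistakes in scripts. Pick one spelling for both commands and give both the same shorthand.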
@@ -2912,11 +2335,6 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
-w
Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of 10m0s
-
---yes
--y
-If yes, skips the prompting confirmation for value changes in this upgrade
-
Examples
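Review bot: removing `--yes` here while `-y` survives on the new `--skipConfirmation` means only the long form changes, so existing invocations that pass `--yes` stop being accepted while `-y` keeps working. Consider keeping `--yes` as a deprecated alias for a release, or note the rename where upgrade changes are documented.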
@@ -2924,7 +2342,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
Waits for the specified condition to be true of an Istio resource. For example:
-istioctl experimental wait --for-distribution virtual-service/default/bookinfo
+istioctl experimental wait --for=distribution virtual-service bookinfo.default
will block until the bookinfo virtual service has been distributed to all proxies in the mesh.
istioctl experimental wait [flags] <type> <name>[.<namespace>]
@@ -2961,7 +2379,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -2976,12 +2394,12 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--threshold <float32>
-the ratio of distribution required for success (default 1.0) (default `1`)
+the ratio of distribution required for success (default `1`)
--timeout <duration>
-the duration to wait before failing (default 30s) (default `30s`)
+the duration to wait before failing (default `30s`)
@@ -3044,7 +2462,7 @@ kube-inject on deployments to get the most up-to-date changes.
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--meshConfigFile <string>
@@ -3096,6 +2514,653 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
--valuesFile /tmp/values.json
+istioctl manifest
+The manifest subcommand generates, applies, diffs or migrates Istio manifests.
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--verbose
+
+Verbose output.
+
+
+
+istioctl manifest apply
+The apply subcommand generates an Istio install manifest and applies it to a cluster.
+istioctl manifest apply [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--filename <string>
+-f
+Path to file containing IstioControlPlane CustomResource (default ``)
+
+
+--force
+
+Proceed even with validation errors
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--readiness-timeout <duration>
+
+Maximum seconds to wait for all Istio resources to be ready. The --wait flag must be set for this flag to apply (default `5m0s`)
+
+
+--set <stringSlice>
+-s
+Set a value in IstioControlPlane CustomResource. e.g. --set policy.enabled=true.
+Overrides the corresponding path value in the selected profile or passed through IstioControlPlane CR
+customization file (default `[]`)
+
+
+--skip-confirmation
+
+skipConfirmation determines whether the user is prompted for confirmation.
+If set to true, the user is not prompted and a Yes response is assumed in all cases.
+
+
+--verbose
+
+Verbose output.
+
+
+--wait
+-w
+Wait, if set will wait until all Pods, Services, and minimum number of Pods of a Deployment are in a ready state before the command exits. It will wait for a maximum duration of --readiness-timeout seconds
+
+
+
+istioctl manifest diff
+The diff subcommand compares manifests from two files or directories.
+istioctl manifest diff <file|dir> <file|dir> [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--directory
+-r
+compare directory
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--ignore <string>
+
+ignoreResources ignores all listed items during comparison. It uses the same list format as selectResources (default ``)
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--rename <string>
+
+renameResources identifies renamed resources before comparison.
+The format of each renaming pair is A->B, all renaming pairs are comma separated.
+e.g. Service:*:istio-pilot->Service:*:istio-control - rename istio-pilot service into istio-control (default ``)
+
+
+--select <string>
+
+selectResources constrains the list of resources to compare to only the ones in this list, ignoring all others.
+The format of each list item is "::" and the items are comma separated. The "*" character represents wildcard selection.
+e.g.
+ Deployment:istio-system:* - compare all deployments in istio-system namespace
+ Service:*:istio-pilot - compare Services called "istio-pilot" in all namespaces (default `::`)
+
+
+--verbose
+
+Verbose output.
+
+
+
+istioctl manifest generate
+The generate subcommand generates an Istio install manifest and outputs to the console by default.
+istioctl manifest generate [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--filename <string>
+-f
+Path to file containing IstioControlPlane CustomResource (default ``)
+
+
+--force
+
+Proceed even with validation errors
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--output <string>
+-o
+Manifest output directory path (default ``)
+
+
+--set <stringSlice>
+-s
+Set a value in IstioControlPlane CustomResource. e.g. --set policy.enabled=true.
+Overrides the corresponding path value in the selected profile or passed through IstioControlPlane CR
+customization file (default `[]`)
+
+
+--verbose
+
+Verbose output.
+
+
+
+istioctl manifest migrate
+The migrate subcommand migrates a configuration from Helm values format to IstioControlPlane format.
+istioctl manifest migrate [<filepath>] [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--verbose
+
+Verbose output.
+
+
+
+istioctl manifest versions
+List the versions of Istio recommended for use or supported for upgrade by this version of the operator binary.
+istioctl manifest versions [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--verbose
+
+Verbose output.
+
+
+--versionsURI <string>
+-u
+URI for operator versions to Istio versions map (default `https://raw.githubusercontent.com/istio/operator/master/data/versions.yaml`)
+
+
+
+istioctl profile
+The profile subcommand lists, dumps or diffs Istio configuration profiles.
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--verbose
+
+Verbose output.
+
+
+
+istioctl profile diff
+The diff subcommand displays the differences between two Istio configuration profiles.
+istioctl profile diff <file1.yaml> <file2.yaml> [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--verbose
+
+Verbose output.
+
+
+
+istioctl profile dump
+The dump subcommand dumps the values in an Istio configuration profile.
+istioctl profile dump [<profile>] [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--config-path <string>
+-p
+The path the root of the configuration subtree to dump e.g. trafficManagement.components.pilot. By default, dump whole tree (default ``)
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--filename <string>
+-f
+Path to file containing IstioControlPlane CustomResource (default ``)
+
+
+--helm-values
+
+If set, dumps the Helm values that IstioControlPlaceSpec is translated to before manifests are rendered
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--verbose
+
+Verbose output.
+
+
+
+istioctl profile list
+The list subcommand lists the available Istio configuration profiles.
+istioctl profile list [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--dry-run
+
+Console/log output only, make no changes.
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--log_output_level <string>
+
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
+
+
+--logtostderr
+
+Send logs to stderr.
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--verbose
+
+Verbose output.
+
+
+
istioctl proxy-config
A group of commands used to retrieve information about proxy configuration from the Envoy config dump
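Review bot: in the `istioctl manifest apply` table, `--readiness-timeout <duration>` is described as "Maximum seconds to wait" and `--wait` refers to "--readiness-timeout seconds", yet the flag takes a duration and defaults to `5m0s`; the help text should say "maximum duration" so nobody passes a bare number expecting seconds. Further points in the same hunk: `--helm-values` under `profile dump` spells the type "IstioControlPlaceSpec", presumably meant as IstioControlPlaneSpec. The `--select` format under `manifest diff` reads `"::"` with its placeholders missing (the examples suggest kind:namespace:name), and the default shows the same bare `::`. `--force` ("Proceed even with validation errors") combined with `--skip-confirmation` lets an apply reach the cluster with failed validation and no prompt, so the description should say which validations are bypassed. The `--versionsURI` default points at the `master` branch of a raw GitHub URL, a mutable reference that deserves a sentence in the description. Since this page is generated, these belong in the flag help strings at the source rather than in this file.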
@@ -3125,7 +3190,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3177,7 +3242,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3241,7 +3306,7 @@ istioctl proxy-config c <pod-name[.namespace]> [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3321,7 +3386,7 @@ istioctl proxy-config ep <pod-name[.namespace]> [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3401,7 +3466,7 @@ istioctl proxy-config l <pod-name[.namespace]> [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3475,7 +3540,7 @@ istioctl proxy-config l <pod-name[.namespace]> [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3540,7 +3605,7 @@ istioctl proxy-config r <pod-name[.namespace]> [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--name <string>
@@ -3604,7 +3669,7 @@ istioctl proxy-config r <pod-name[.namespace]> [flags]
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3661,7 +3726,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3729,7 +3794,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3779,7 +3844,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3853,7 +3918,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -3910,7 +3975,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn`)
--namespace <string>
@@ -4169,6 +4234,12 @@ These environment variables affect the behavior of the istioctl
com
+TERM
+String
+
+Specifies terminal type. Use 'dumb' to suppress color output
+
+
TERMINATION_DRAIN_DURATION_SECONDS
Integer
5
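Review bot: The new TERM row leaves its default cell empty and its description ends without a period, while the neighbouring TERMINATION_DRAIN_DURATION_SECONDS row shows a default (5). If TERM has no default here, the description should say that it is read from the user's environment. Since this page is generated, the wording needs to change where the variable is registered, not in this HTML.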
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index 3607c65cf7..0dbe68a160 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -382,6 +382,12 @@ These environment variables affect the behavior of the pilot-agent
+ISTIO_AUTO_MTLS_ENABLED
+Boolean
+false
+If true, auto mTLS is enabled, sidecar checks key/cert if SDS is not enabled.
+
+
ISTIO_BOOTSTRAP
String
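Review bot: The description added for ISTIO_AUTO_MTLS_ENABLED says "sidecar checks key/cert if SDS is not enabled" but not what is checked or what the sidecar does when the check fails, and it joins two statements with a comma. For a variable that changes mTLS behaviour, the text should name the check, state its outcome, and say how this variable relates to the mesh-level enableAutoMtls option documented in istio.mesh.v1alpha1.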
diff --git a/content/en/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html b/content/en/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html
index d2c2860357..f94041028b 100644
--- a/content/en/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html
+++ b/content/en/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html
@@ -141,7 +141,7 @@ No
constraints
-AccessRule.Constraint[]
+Constraint[]
Optional. Extra constraints in the ServiceRole specification.
@@ -227,7 +227,7 @@ spec:
mode
-RbacConfig.Mode
+Mode
Istio RBAC mode.
@@ -238,7 +238,7 @@ No
inclusion
-RbacConfig.Target
+Target
A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have
effect only when mode is ONWITHINCLUSION and will be ignored for any other modes.
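Review bot: The context under the `inclusion` type change still reads "mode is ONWITHINCLUSION" (and ONWITHEXCLUSION in the next hunk), so the enum value has lost its underscores (ON_WITH_INCLUSION). This is the same rendering problem the patch corrects for ISTIO_META_INTERCEPTION_MODE on the sidecar page. While regenerating, wrap the value in code formatting in the proto comment and fix "This field have effect" to "This field has effect".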
@@ -250,7 +250,7 @@ No
exclusion
-RbacConfig.Target
+Target
A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have
effect only when mode is ONWITHEXCLUSION and will be ignored for any other modes.
diff --git a/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html b/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html
index d962b95d15..08d1f3b2cf 100644
--- a/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html
@@ -180,7 +180,7 @@ No
triggerRules
-Jwt.TriggerRule[]
+TriggerRule[]
List of trigger rules to decide if this JWT should be used to validate the
request. The JWT validation happens if any one of the rules matched.
@@ -271,7 +271,7 @@ No
mode
-MutualTls.Mode
+Mode
Defines the mode of mTLS authentication.
diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
index 5b3dc9ed09..36b2d7968f 100644
--- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
@@ -136,7 +136,7 @@ No
tlsSettings
-istio.networking.v1alpha3.TLSSettings
+TLSSettings
Use the tlssettings to specify the tls mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
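Review bot: In the `tlsSettings` row, replacing `istio.networking.v1alpha3.TLSSettings` with bare `TLSSettings` drops the only visible cue that the type is defined in another package and documented on the destination-rule page. If the generator now prints short names, confirm the rendered cell still links to that page. The same applies to the `google.protobuf.Duration` and `google.protobuf.BoolValue` cells shortened later in this file.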
@@ -222,7 +222,7 @@ and similarly us-west should failover to us-east.
distribute
-LocalityLoadBalancerSetting.Distribute[]
+Distribute[]
Optional: only one of distribute or failover can be set.
Explicitly specify loadbalancing weight across different zones and geographical locations.
@@ -236,7 +236,7 @@ No
failover
-LocalityLoadBalancerSetting.Failover[]
+Failover[]
Optional: only failover or distribute can be set.
Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
@@ -458,7 +458,7 @@ No
connectTimeout
-google.protobuf.Duration
+Duration
Connection timeout used by Envoy. (MUST BE >=1ms)
@@ -469,7 +469,7 @@ No
protocolDetectionTimeout
-google.protobuf.Duration
+Duration
Automatic protocol detection uses a set of heuristics to
determine whether the connection is using TLS or not (on the
@@ -488,7 +488,7 @@ No
tcpKeepalive
-istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
+TcpKeepalive
If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
@@ -523,7 +523,7 @@ No
ingressControllerMode
-MeshConfig.IngressControllerMode
+IngressControllerMode
Defines whether to use Istio ingress controller for annotated or all ingress resources.
@@ -570,7 +570,7 @@ No
accessLogEncoding
-MeshConfig.AccessLogEncoding
+AccessLogEncoding
Encoding for the proxy access log (text or json).
Default value is text.
@@ -610,7 +610,7 @@ No
outboundTrafficPolicy
-MeshConfig.OutboundTrafficPolicy
+OutboundTrafficPolicy
Set the default behavior of the sidecar for handling outbound traffic
from the application. If your application uses one or more external
@@ -664,7 +664,7 @@ No
enableAutoMtls
-google.protobuf.BoolValue
+BoolValue
This flag is used to enable mutual TLS automatically for service to service communication
within the mesh, default false.
@@ -811,7 +811,7 @@ No
dnsRefreshRate
-google.protobuf.Duration
+Duration
Configures DNS refresh rate for Envoy clusters of type STRICT_DNS
@@ -847,7 +847,7 @@ No
reportBatchMaxTime
-google.protobuf.Duration
+Duration
When disablereportbatch is false, this value specifies the maximum elapsed
time a batched report will be sent after a user request is processed. If left
@@ -861,7 +861,7 @@ No
h2UpgradePolicy
-MeshConfig.H2UpgradePolicy
+H2UpgradePolicy
Specify if http1.1 connections should be upgraded to http2 by default.
if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
@@ -1042,7 +1042,7 @@ cloud-provided ingress controller).
mode
-MeshConfig.OutboundTrafficPolicy.Mode
+Mode
@@ -1148,7 +1148,7 @@ registry.
endpoints
-Network.NetworkEndpoints[]
+NetworkEndpoints[]
The list of endpoints in the network (obtained through the
constituent service registries or from CIDR ranges). All endpoints in
@@ -1161,7 +1161,7 @@ Yes
gateways
-Network.IstioNetworkGateway[]
+IstioNetworkGateway[]
Set of gateways associated with the network.
@@ -1368,7 +1368,7 @@ No
drainDuration
-google.protobuf.Duration
+Duration
The time in seconds that Envoy will drain connections during a hot
restart. MUST be >=1s (e.g., 1s/1m/1h)
@@ -1380,7 +1380,7 @@ No
parentShutdownDuration
-google.protobuf.Duration
+Duration
The time in seconds that Envoy will wait before shutting down the
parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h).
@@ -1404,7 +1404,7 @@ No
connectTimeout
-google.protobuf.Duration
+Duration
Connection timeout used by Envoy for supporting services. (MUST BE >=1ms)
@@ -1498,7 +1498,7 @@ No
interceptionMode
-ProxyConfig.InboundInterceptionMode
+InboundInterceptionMode
The mode used to redirect inbound traffic to Envoy.
@@ -1633,7 +1633,7 @@ No
tlsSettings
-istio.networking.v1alpha3.TLSSettings
+TLSSettings
Use the tls_settings to specify the tls mode to use. If the remote service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
@@ -1646,7 +1646,7 @@ No
tcpKeepalive
-istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
+TcpKeepalive
If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
@@ -1739,7 +1739,7 @@ No
zipkin
-Tracing.Zipkin (oneof)
+Zipkin (oneof)
Use a Zipkin tracer.
@@ -1750,7 +1750,7 @@ Yes
lightstep
-Tracing.Lightstep (oneof)
+Lightstep (oneof)
Use a LightStep tracer.
@@ -1761,7 +1761,7 @@ Yes
datadog
-Tracing.Datadog (oneof)
+Datadog (oneof)
Use a Datadog tracer.
@@ -1772,7 +1772,7 @@ Yes
stackdriver
-Tracing.Stackdriver (oneof)
+Stackdriver (oneof)
Use a Stackdriver tracer.
diff --git a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
index 76c85a1fec..c049fd0286 100644
--- a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
+++ b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
@@ -6,7 +6,7 @@ description: Configuration for Istio control plane installation through the Oper
location: https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb.html
layout: protoc-gen-docs
generator: protoc-gen-docs
-number_of_entries: 55
+number_of_entries: 56
---
IstioControlPlane is a schema for both defining and customizing Istio control plane installations.
Running the operator with an empty user defined InstallSpec results in an control plane with default values, using the
@@ -47,95 +47,94 @@ customization at the lowest level and eliminates the need to create ad-hoc templ
Default Istio install
-spec:
-
-
+spec:
+
+
Default minimal profile install
spec:
-profile: minimal
+ profile: minimal
Default install with telemetry disabled
spec:
-telemetry:
-enabled: false
+ telemetry:
+ enabled: false
Default install with each feature installed to different namespace and security components in separate namespaces
spec:
-traffic_management:
-components:
- namespace: istio-traffic-management
-policy:
-components:
- namespace: istio-policy
-telemetry:
-components:
- namespace: istio-telemetry
-config_management:
-components:
- namespace: istio-config-management
-security:
-components:
- citadel:
- namespace: istio-citadel
- cert_manager:
- namespace: istio-cert-manager
- node_agent:
- namespace: istio-node-agent
+ traffic_management:
+ components:
+ namespace: istio-traffic-management
+ policy:
+ components:
+ namespace: istio-policy
+ telemetry:
+ components:
+ namespace: istio-telemetry
+ config_management:
+ components:
+ namespace: istio-config-management
+ security:
+ components:
+ citadel:
+ namespace: istio-citadel
+ cert_manager:
+ namespace: istio-cert-manager
+ node_agent:
+ namespace: istio-node-agent
Default install with specialized k8s settings for pilot
spec:
-traffic_management:
-components:
- pilot:
- k8s:
- resources:
- limits:
- cpu: 444m
- memory: 333Mi
- requests:
- cpu: 222m
- memory: 111Mi
- readinessProbe:
- failureThreshold: 44
- initialDelaySeconds: 11
- periodSeconds: 22
- successThreshold: 33
+ traffic_management:
+ components:
+ pilot:
+ k8s:
+ resources:
+ limits:
+ cpu: 444m
+ memory: 333Mi
+ requests:
+ cpu: 222m
+ memory: 111Mi
+ readinessProbe:
+ failureThreshold: 44
+ initialDelaySeconds: 11
+ periodSeconds: 22
+ successThreshold: 33
Default install with values.yaml customizations for proxy
spec:
-traffic_management:
-components:
- proxy:
- values:
- - global.proxy.enableCoreDump: true
- - global.proxy.dnsRefreshRate: 10s
+ traffic_management:
+ components:
+ proxy:
+ values:
+ - global.proxy.enableCoreDump: true
+ - global.proxy.dnsRefreshRate: 10s
Default install with modification to container flag in galley
spec:
-configuration_management:
-components:
- galley:
- k8s:
- overlays:
- - apiVersion: extensions/v1beta1
- kind: Deployment
- name: istio-galley
- patches:
- - path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval]
- value: --livenessProbeInterval=123s
+ configuration_management:
+ components:
+ galley:
+ k8s:
+ overlays:
+ - apiVersion: extensions/v1beta1
+ kind: Deployment
+ name: istio-galley
+ patches:
+ - path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval]
+ value: --livenessProbeInterval=123s
-
AutoInjectionFeatureSpec
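Review bot: The re-indented galley example still uses the key `configuration_management:`, while the namespace example earlier in this same hunk uses `config_management:`. Only one of these can match the schema, and a reader who copies the other gets a spec whose override does not apply. Fix the key in the proto comment while these examples are being touched.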
@@ -154,7 +153,7 @@ components:
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether auto injection feature is installed. Must be set for any sub-component to be installed.
@@ -165,7 +164,7 @@ No
components
-AutoInjectionFeatureSpec.Components
+Components
@@ -226,7 +225,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -270,7 +269,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether gateway feature is installed. Must be set for any sub-component to be installed.
@@ -281,7 +280,7 @@ No
components
-CNIFeatureSpec.Components
+Components
@@ -342,7 +341,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -386,7 +385,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -430,7 +429,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether config management feature is installed. Must be set for any sub-component to be installed.
@@ -441,7 +440,7 @@ No
components
-ConfigManagementFeatureSpec.Components
+Components
@@ -537,7 +536,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -607,7 +606,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -651,7 +650,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether gateway feature is installed. Must be set for any sub-component to be installed.
@@ -662,7 +661,7 @@ No
components
-GatewayFeatureSpec.Components
+Components
@@ -831,7 +830,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -875,7 +874,7 @@ No
status
-map<string, InstallStatus.VersionStatus>
+map<string, VersionStatus>
@@ -946,7 +945,16 @@ No
status
-InstallStatus.Status
+Status
+
+
+
+No
+
+
+
+statusString
+string
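Review bot: The added `statusString` field has a name and a type but no description, and nothing says how it relates to the `status` field directly above it. Add a comment in the proto stating what the string contains and whether it is derived from `status` or set independently.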
@@ -1228,7 +1236,7 @@ No
affinity
-k8s.io.api.core.v1.Affinity
+Affinity
k8s affinity.
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
@@ -1240,7 +1248,7 @@ No
env
-k8s.io.api.core.v1.EnvVar[]
+EnvVar[]
Deployment environment variables.
https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
@@ -1252,7 +1260,7 @@ No
hpaSpec
-k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec
+HorizontalPodAutoscalerSpec
k8s HorizontalPodAutoscaler settings.
https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
@@ -1361,7 +1369,7 @@ No
service
-k8s.io.api.core.v1.ServiceSpec
+ServiceSpec
k8s Service settings.
https://kubernetes.io/docs/concepts/services-networking/service/
@@ -1385,7 +1393,7 @@ No
tolerations
-k8s.io.api.core.v1.Toleration[]
+Toleration[]
k8s toleration
https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
@@ -1425,7 +1433,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -1504,7 +1512,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -1557,7 +1565,7 @@ No
selector
-k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector
+LabelSelector
@@ -1592,7 +1600,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -1636,7 +1644,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether policy is installed.
Must be enabled to enable any sub-component.
@@ -1648,7 +1656,7 @@ No
components
-PolicyFeatureSpec.Components
+Components
@@ -1711,7 +1719,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -1914,7 +1922,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether security feature is installed. Must be set for any sub-component to be installed.
@@ -1925,7 +1933,7 @@ No
components
-SecurityFeatureSpec.Components
+Components
@@ -2004,7 +2012,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -2083,7 +2091,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
@@ -2127,7 +2135,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether telemetry is installed.
Must be enabled to enable any sub-component.
@@ -2139,7 +2147,7 @@ No
components
-TelemetryFeatureSpec.Components
+Components
@@ -2202,7 +2210,7 @@ No
enabled
-google.protobuf.BoolValue
+TypeBoolValueForPB
Selects whether traffic management is installed.
Must be enabled to enable any sub-component.
@@ -2214,7 +2222,7 @@ No
components
-TrafficManagementFeatureSpec.Components
+Components
@@ -2269,6 +2277,11 @@ No
+
+TypeBoolValueForPB
+
+GOTYPE: *BoolValueForPB
+
TypeIntOrStringForPB
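Review bot: The new TypeBoolValueForPB entry is described only as "GOTYPE: *BoolValueForPB", which is a generator directive and not documentation. Every `enabled` field on this page now shows that internal name where it used to show `google.protobuf.BoolValue`. Readers need to know the field accepts a plain true/false, so the entry should say that, and the GOTYPE line should be kept out of the rendered text.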
@@ -2301,7 +2314,7 @@ No
scaleTargetRef
-k8s.io.api.autoscaling.v2beta1.CrossVersionObjectReference
+CrossVersionObjectReference
scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
should be collected, as well as to actually change the replica count.
@@ -2341,7 +2354,7 @@ No
metrics
-k8s.io.api.autoscaling.v2beta1.MetricSpec[]
+MetricSpec[]
metrics contains the specifications for which to use to calculate the
desired replica count (the maximum replica count across all metrics will
@@ -2376,7 +2389,7 @@ No
nodeAffinity
-k8s.io.api.core.v1.NodeAffinity
+NodeAffinity
Describes node affinity scheduling rules for the pod.
+optional
@@ -2388,7 +2401,7 @@ No
podAffinity
-k8s.io.api.core.v1.PodAffinity
+PodAffinity
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
+optional
@@ -2400,7 +2413,7 @@ No
podAntiAffinity
-k8s.io.api.core.v1.PodAntiAffinity
+PodAntiAffinity
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
+optional
@@ -2459,7 +2472,7 @@ No
valueFrom
-k8s.io.api.core.v1.EnvVarSource
+EnvVarSource
Source for the environment variable’s value. Cannot be used if value is not empty.
+optional
@@ -2488,7 +2501,7 @@ No
ports
-k8s.io.api.core.v1.ServicePort[]
+ServicePort[]
The list of ports that are exposed by this service.
More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
@@ -2695,7 +2708,7 @@ No
sessionAffinityConfig
-k8s.io.api.core.v1.SessionAffinityConfig
+SessionAffinityConfig
sessionAffinityConfig contains the configurations of session affinity.
+optional
@@ -2845,7 +2858,7 @@ No
matchExpressions
-k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement[]
+LabelSelectorRequirement[]
matchExpressions is a list of label selector requirements. The requirements are ANDed.
+optional
@@ -2908,7 +2921,7 @@ No
patches
-k8sObjectOverlay.PathValue[]
+PathValue[]
List of patches to apply to resource.
diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html
index fc3b167ac8..8d437b36a8 100644
--- a/content/en/docs/reference/config/networking/destination-rule/index.html
+++ b/content/en/docs/reference/config/networking/destination-rule/index.html
@@ -116,7 +116,7 @@ spec:
tcp
-ConnectionPoolSettings.TCPSettings
+TCPSettings
Settings common to both HTTP and TCP upstream connections.
@@ -127,7 +127,7 @@ No
http
-ConnectionPoolSettings.HTTPSettings
+HTTPSettings
HTTP connection pool settings.
@@ -202,7 +202,7 @@ No
idleTimeout
-google.protobuf.Duration
+Duration
The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests.
If not set, there is no idle timeout. When the idle timeout is reached the connection will be closed.
@@ -215,7 +215,7 @@ No
h2UpgradePolicy
-ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy
+H2UpgradePolicy
Specify if http1.1 connection should be upgraded to http2 for the associated destination.
@@ -292,7 +292,7 @@ No
connectTimeout
-google.protobuf.Duration
+Duration
TCP connection timeout.
@@ -303,7 +303,7 @@ No
tcpKeepalive
-ConnectionPoolSettings.TCPSettings.TcpKeepalive
+TcpKeepalive
If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
@@ -344,7 +344,7 @@ No
time
-google.protobuf.Duration
+Duration
The time duration a connection needs to be idle before keep-alive
probes start being sent. Default is to use the OS level configuration
@@ -357,7 +357,7 @@ No
interval
-google.protobuf.Duration
+Duration
The time duration between keep-alive probes.
Default is to use the OS level configuration
@@ -517,7 +517,7 @@ the User cookie as the hash key.
simple
-LoadBalancerSettings.SimpleLB (oneof)
+SimpleLB (oneof)
@@ -526,7 +526,7 @@ Yes
consistentHash
-LoadBalancerSettings.ConsistentHashLB (oneof)
+ConsistentHashLB (oneof)
@@ -568,7 +568,7 @@ Yes
httpCookie
-LoadBalancerSettings.ConsistentHashLB.HTTPCookie (oneof)
+HTTPCookie (oneof)
Hash based on HTTP cookie.
@@ -646,7 +646,7 @@ No
ttl
-google.protobuf.Duration
+Duration
Lifetime of the cookie.
@@ -721,11 +721,11 @@ consecutive errors metric. See Envoy’s apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
@@ -762,7 +762,7 @@ spec:
Number of errors before a host is ejected from the connection
pool. Defaults to 5. When the upstream host is accessed over HTTP, a
-502, 503 or 504 return code qualifies as an error. When the upstream host
+502, 503, or 504 return code qualifies as an error. When the upstream host
is accessed over an opaque TCP connection, connect timeouts and
connection error/failure events qualify as an error.
@@ -773,7 +773,7 @@ No
interval
-google.protobuf.Duration
+Duration
Time interval between ejection sweep analysis. format:
1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.
@@ -785,7 +785,7 @@ No
baseEjectionTime
-google.protobuf.Duration
+Duration
Minimum ejection duration. A host will remain ejected for a period
equal to the product of minimum ejection duration and the number of
@@ -982,7 +982,7 @@ spec:
mode
-TLSSettings.TLSmode
+TLSmode
Indicates whether connections to this port should be secured
using TLS. The value of this field determines how TLS is enforced.
@@ -1170,7 +1170,7 @@ No
portLevelSettings
-TrafficPolicy.PortTrafficPolicy[]
+PortTrafficPolicy[]
Traffic policies specific to individual ports. Note that port level
settings will override the destination-level settings. Traffic
diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html
index 1d72dce49a..04e19eda50 100644
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@@ -217,7 +217,7 @@ No
configPatches
-EnvoyFilter.EnvoyConfigObjectPatch[]
+EnvoyConfigObjectPatch[]
One or more patches with match conditions.
@@ -475,7 +475,7 @@ to the generated configuration for a given proxy.
context
-EnvoyFilter.PatchContext
+PatchContext
The specific config generation context to match on. Istio Pilot
generates envoy configuration in the context of a gateway,
@@ -488,7 +488,7 @@ No
proxy
-EnvoyFilter.ProxyMatch
+ProxyMatch
Match on properties associated with a proxy.
@@ -499,7 +499,7 @@ No
listener
-EnvoyFilter.ListenerMatch (oneof)
+ListenerMatch (oneof)
Match on envoy listener attributes.
@@ -510,7 +510,7 @@ Yes
routeConfiguration
-EnvoyFilter.RouteConfigurationMatch (oneof)
+RouteConfigurationMatch (oneof)
Match on envoy HTTP route configuration attributes.
@@ -521,7 +521,7 @@ Yes
cluster
-EnvoyFilter.ClusterMatch (oneof)
+ClusterMatch (oneof)
Match on envoy cluster attributes.
@@ -549,7 +549,7 @@ Yes
applyTo
-EnvoyFilter.ApplyTo
+ApplyTo
Specifies where in the Envoy configuration, the patch should be
applied. The match is expected to select the appropriate
@@ -568,7 +568,7 @@ No
match
-EnvoyFilter.EnvoyConfigObjectMatch
+EnvoyConfigObjectMatch
Match on listener/route configuration/cluster.
@@ -579,7 +579,7 @@ No
patch
-EnvoyFilter.Patch
+Patch
The patch to apply along with the operation.
@@ -700,7 +700,7 @@ No
filterChain
-EnvoyFilter.ListenerMatch.FilterChainMatch
+FilterChainMatch
Match a specific filter chain in a listener. If specified, the
patch will be applied to the filter chain (and a specific
@@ -809,7 +809,7 @@ No
filter
-EnvoyFilter.ListenerMatch.FilterMatch
+FilterMatch
The name of a specific filter to apply the patch to. Set this
to envoy.httpconnectionmanager to add a filter or apply a
@@ -850,7 +850,7 @@ No
subFilter
-EnvoyFilter.ListenerMatch.SubFilterMatch
+SubFilterMatch
The next level filter within this filter to match
upon. Typically used for HTTP Connection Manager filters and
@@ -911,7 +911,7 @@ No
operation
-EnvoyFilter.Patch.Operation
+Operation
Determines how the patch should be applied.
@@ -922,7 +922,7 @@ No
value
-google.protobuf.Struct
+Struct
The JSON config of the object being patched. This will be merged using
json merge semantics with the existing proto in the path.
@@ -1165,7 +1165,7 @@ No
vhost
-EnvoyFilter.RouteConfigurationMatch.VirtualHostMatch
+VirtualHostMatch
Match a specific virtual host in a route configuration and
apply the patch to the virtual host.
@@ -1221,7 +1221,7 @@ No
action
-EnvoyFilter.RouteConfigurationMatch.RouteMatch.Action
+Action
Match a route with specific action type.
@@ -1306,7 +1306,7 @@ No
route
-EnvoyFilter.RouteConfigurationMatch.RouteMatch
+RouteMatch
Match a specific route within the virtual host.
diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html
index 304306a31a..a5e7e58c64 100644
--- a/content/en/docs/reference/config/networking/gateway/index.html
+++ b/content/en/docs/reference/config/networking/gateway/index.html
@@ -397,7 +397,7 @@ Yes
tls
-Server.TLSOptions
+TLSOptions
Set of TLS related options that govern the server’s behavior. Use
these options to control if all http requests should be redirected to
@@ -450,7 +450,7 @@ No
mode
-Server.TLSOptions.TLSmode
+TLSmode
Optional: Indicates whether connections to this port should be
secured using TLS. The value of this field determines how TLS is
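Review bot: After this change the gateway `mode` field shows type `TLSmode`, and the destination-rule page's `mode` field (formerly `TLSSettings.TLSmode`) also shows `TLSmode`, although they are two distinct enums. Without the parent name the rendered type no longer tells a reader which set of values applies. Confirm each cell links to the enum on its own page, or keep the qualified name for nested types.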
@@ -569,7 +569,7 @@ No
minProtocolVersion
-Server.TLSOptions.TLSProtocol
+TLSProtocol
Optional: Minimum TLS protocol version.
@@ -580,7 +580,7 @@ No
maxProtocolVersion
-Server.TLSOptions.TLSProtocol
+TLSProtocol
Optional: Maximum TLS protocol version.
diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html
index 6d229ed75f..15071426ea 100644
--- a/content/en/docs/reference/config/networking/service-entry/index.html
+++ b/content/en/docs/reference/config/networking/service-entry/index.html
@@ -386,7 +386,7 @@ Yes
location
-ServiceEntry.Location
+Location
Specify whether the service should be considered external to the mesh
or part of the mesh.
@@ -398,7 +398,7 @@ No
resolution
-ServiceEntry.Resolution
+Resolution
Service discovery mode for the hosts. Care must be taken
when setting the resolution mode to NONE for a TCP port without
@@ -412,7 +412,7 @@ Yes
endpoints
-ServiceEntry.Endpoint[]
+Endpoint[]
One or more endpoints associated with the service.
diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html
index 601f120a89..55454554b0 100644
--- a/content/en/docs/reference/config/networking/sidecar/index.html
+++ b/content/en/docs/reference/config/networking/sidecar/index.html
@@ -14,38 +14,38 @@ inbound and outbound communication to the workload instance it is attached to. B
default, Istio will program all sidecar proxies in the mesh with the
necessary configuration required to reach every workload instance in the mesh, as
well as accept traffic on all the ports associated with the
-workload. The Sidecar resource provides a way to fine tune the set of
+workload. The Sidecar
configuration provides a way to fine tune the set of
ports, protocols that the proxy will accept when forwarding traffic to
and from the workload. In addition, it is possible to restrict the set
of services that the proxy can reach when forwarding outbound traffic
from workload instances.
Services and configuration in a mesh are organized into one or more
-namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar
-resource in a namespace will apply to one or more workload instances in the same
-namespace, selected using the workloadSelector. In the absence of a
-workloadSelector, it will apply to all workload instances in the same
-namespace. When determining the Sidecar resource to be applied to a
+namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar
+configuration in a namespace will apply to one or more workload instances in the same
+namespace, selected using the workloadSelector
field. In the absence of a
+workloadSelector
, it will apply to all workload instances in the same
+namespace. When determining the Sidecar
configuration to be applied to a
workload instance, preference will be given to the resource with a
-workloadSelector that selects this workload instance, over a Sidecar resource
-without any workloadSelector.
+workloadSelector
that selects this workload instance, over a Sidecar
configuration
+without any workloadSelector
.
-NOTE 1: Each namespace can have only one Sidecar resource without any
-workload selector. The behavior of the system is undefined if more
-than one selector-less Sidecar resources exist in a given namespace. The
-behavior of the system is undefined if two or more Sidecar resources
-with a workload selector select the same workload instance.
+NOTE 1: Each namespace can have only one Sidecar
configuration without any
+workloadSelector
. The behavior of the system is undefined if more
+than one selector-less Sidecar
configurations exist in a given namespace. The
+behavior of the system is undefined if two or more Sidecar
configurations
+with a workloadSelector
select the same workload instance.
-NOTE 2: A sidecar resource in the config root
-namespace
-will be applied by default to all namespaces without a sidecar
-resource.. This global default sidecar resource should not have
-any workload selector.
+NOTE 2: A Sidecar
configuration in the MeshConfig
+root namespace
+will be applied by default to all namespaces without a Sidecar
+configuration. This global default Sidecar
configuration should not have
+any workloadSelector
.
-The example below declares a global default Sidecar resource in the
+
The example below declares a global default Sidecar
configuration in the
root namespace called istio-config
, that configures sidecars in
all namespaces to allow egress traffic only to other workloads in
-the same namespace, and to services in the istio-system namespace.
+the same namespace, and to services in the istio-system
namespace.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
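Review bot: The rename from "Sidecar resource" to "Sidecar configuration" misses one occurrence. The unchanged line "workload instance, preference will be given to the resource with a" still says "resource", so the paragraph now mixes both terms for the same object. Update that sentence in the proto comment so the precedence rule uses the same noun as the rest of the section.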
@@ -59,10 +59,10 @@ spec:
- "istio-system/*"
-The example below declares a Sidecar resource in the prod-us1
+
The example below declares a Sidecar
configuration in the prod-us1
namespace that overrides the global default defined above, and
configures the sidecars in the namespace to allow egress traffic to
-public services in the prod-us1, prod-apis, and the istio-system
+public services in the prod-us1
, prod-apis
, and the istio-system
namespaces.
apiVersion: networking.istio.io/v1alpha3
@@ -78,12 +78,12 @@ spec:
- "istio-system/*"
-The example below declares a Sidecar resource in the prod-us1 namespace
+
The example below declares a Sidecar
configuration in the prod-us1
namespace
that accepts inbound HTTP traffic on port 9080 and forwards
it to the attached workload instance listening on a Unix domain socket. In the
-egress direction, in addition to the istio-system namespace, the sidecar
+egress direction, in addition to the istio-system
namespace, the sidecar
proxies only HTTP traffic bound for port 9080 for services in the
-prod-us1 namespace.
+prod-us1
namespace.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
@@ -108,18 +108,18 @@ spec:
- "istio-system/*"
-If the workload is deployed without IPTables based traffic capture, the
-Sidecar resource is the only way to configure the ports on the proxy
-attached to the workload instance. The following example declares a Sidecar
-resource in the prod-us1 namespace for all pods with labels “app:
-productpage” belonging to the productpage.prod-us1 service. Assuming
-that these pods are deployed without IPtable rules (i.e. the Istio init
-container) and the proxy metadata ISTIOMETAINTERCEPTION_MODE is set to
-NONE, the specification below allows such pods to receive HTTP traffic
+
If the workload is deployed without IPTables-based traffic capture, the
+Sidecar
configuration is the only way to configure the ports on the proxy
+attached to the workload instance. The following example declares a Sidecar
+configuration in the prod-us1
namespace for all pods with labels
+app: productpage
belonging to the productpage.prod-us1
service. Assuming
+that these pods are deployed without IPtable rules (i.e. the istio-init
+container) and the proxy metadata ISTIO_META_INTERCEPTION_MODE
is set to
+NONE
, the specification, below, allows such pods to receive HTTP traffic
on port 9080 and forward it to the application listening on
-127.0.0.1:8080. It also allows the application to communicate with a
-backing MySQL database on 127.0.0.1:3306, that then gets proxied to the
-externally hosted MySQL service at mysql.foo.com:3306.
+127.0.0.1:8080
. It also allows the application to communicate with a
+backing MySQL database on 127.0.0.1:3306
, that then gets proxied to the
+externally hosted MySQL service at mysql.foo.com:3306
.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
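Review bot: The added text ", the specification, below, allows such pods" sets "below" off with commas that interrupt the sentence; "the specification below allows" reads cleanly. The same paragraph now writes "IPTables-based" in its first line and "IPtable rules" a few lines later, so pick one spelling while these lines are being touched. It would also help to say outright that with ISTIO_META_INTERCEPTION_MODE set to NONE only the ports declared in this Sidecar are served by the proxy, since the paragraph already says the Sidecar is the only way to configure them.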
@@ -148,7 +148,7 @@ spec:
- "*/mysql.foo.com"
-And the associated service entry for routing to mysql.foo.com:3306
+And the associated service entry for routing to mysql.foo.com:3306
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
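Review bot: The line "And the associated service entry for routing to mysql.foo.com:3306" is still a fragment with no terminal punctuation even though the line is being rewritten. End it with a colon to introduce the YAML that follows, and consider writing ServiceEntry to match the kind shown directly underneath.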
@@ -168,14 +168,14 @@ spec:
It is also possible to mix and match traffic capture modes in a single
proxy. For example, consider a setup where internal services are on the
-192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
-outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an
-additional network interface on 172.16.0.0/16 subnet for inbound
-traffic. The following Sidecar configuration allows the VM to expose a
-listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the
-172.16.0.0/16 subnet. Note that in this scenario, the
-ISTIOMETAINTERCEPTION_MODE metadata on the proxy in the VM should
-contain “REDIRECT” or “TPROXY” as its value, implying that IP tables
+192.168.0.0/16
subnet. So, IP tables are setup on the VM to capture all
+outbound traffic on 192.168.0.0/16
subnet. Assume that the VM has an
+additional network interface on 172.16.0.0/16
subnet for inbound
+traffic. The following Sidecar
configuration allows the VM to expose a
+listener on 172.16.1.32:80
(the VM’s IP) for traffic arriving from the
+172.16.0.0/16
subnet. Note that in this scenario, the
+ISTIO_META_INTERCEPTION_MODE
metadata on the proxy in the VM should
+contain REDIRECT
or TPROXY
as its value, implying that IP tables
based traffic capture is active.
apiVersion: networking.istio.io/v1alpha3
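Review bot: In the added text "So, IP tables are setup on the VM", "setup" is used as a verb and should be "set up". This paragraph also uses "IP tables" and "IP tables based traffic capture" where the earlier hunk in this file introduces "IPTables-based". Use one spelling and hyphenate the compound modifier consistently across the page.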
@@ -207,7 +207,7 @@ spec:
CaptureMode
-CaptureMode describes how traffic to a listener is expected to be
+
CaptureMode
describes how traffic to a listener is expected to be
captured. Applicable only when the listener is bound to an IP.
@@ -221,23 +221,23 @@ captured. Applicable only when the listener is bound to an IP.
DEFAULT
-The default capture mode defined by the environment
+The default capture mode defined by the environment.
IPTABLES
-Capture traffic using IPtables redirection
+Capture traffic using IPtables redirection.
NONE
-No traffic capture. When used in egress listener, the application is
-expected to explicitly communicate with the listener port/unix
-domain socket. When used in ingress listener, care needs to be taken
+
No traffic capture. When used in an egress listener, the application is
+expected to explicitly communicate with the listener port or Unix
+domain socket. When used in an ingress listener, care needs to be taken
to ensure that the listener port is not in use by other processes on
the host.
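Review bot: The DEFAULT description gains a period but still does not say what "the environment" is, which leaves the reader unable to tell which capture mode a listener actually gets. If this refers to the proxy's ISTIO_META_INTERCEPTION_MODE metadata mentioned earlier in the file, say so here. In the NONE entry, "care needs to be taken" could name who must check for the port conflict (the operator deploying the workload) and what happens if the port is already in use.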
@@ -248,7 +248,7 @@ the host.
IstioEgressListener
-IstioEgressListener specifies the properties of an outbound traffic
+
IstioEgressListener
specifies the properties of an outbound traffic
listener on the sidecar proxy attached to a workload instance.