diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index 5a95782e67..0845c9a873 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -6740,12 +6740,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
| The JWT validation policy. |
-K8S_INGRESS_NS |
-String |
-istio-system |
- |
-
-
K_REVISION |
String |
|
diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html
index 6c0e654eb5..c4a1929dc5 100644
--- a/content/en/docs/reference/commands/operator/index.html
+++ b/content/en/docs/reference/commands/operator/index.html
@@ -221,11 +221,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -245,7 +245,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -633,12 +633,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
The JWT validation policy. |
-K8S_INGRESS_NS |
-String |
-istio-system |
- |
-
-
K_REVISION |
String |
|
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index e1fe798a5f..24d65a45ca 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent '
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -77,11 +77,11 @@ See each sub-command's help for details on how to use the generated script.
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -101,7 +101,7 @@ See each sub-command's help for details on how to use the generated script.
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -142,11 +142,11 @@ If it is not installed already, you can install it via your OS's package man
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -166,7 +166,7 @@ If it is not installed already, you can install it via your OS's package man
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -206,11 +206,11 @@ If it is not installed already, you can install it via your OS's package man
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -230,7 +230,7 @@ If it is not installed already, you can install it via your OS's package man
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -269,11 +269,11 @@ to your powershell profile.
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -293,7 +293,7 @@ to your powershell profile.
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -339,11 +339,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -363,7 +363,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -420,12 +420,12 @@ to enable it. You can execute the following once:
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -450,7 +450,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -610,12 +610,12 @@ to enable it. You can execute the following once:
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -640,7 +640,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -720,11 +720,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -744,7 +744,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -814,11 +814,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -838,7 +838,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -871,12 +871,12 @@ to enable it. You can execute the following once:
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -901,7 +901,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -943,11 +943,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -967,7 +967,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -1498,12 +1498,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
The JWT validation policy. |
-K8S_INGRESS_NS |
-String |
-istio-system |
- |
-
-
KUBERNETES_SERVICE_HOST |
String |
|
@@ -1996,12 +1990,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
Whether to generate PKCS#8 private keys |
-PLATFORM |
-String |
- |
-Platform where Istio is deployed. Possible values are "openshift" and "gcp" |
-
-
POD_NAME |
String |
|
@@ -2231,7 +2219,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
auto_registration_unregister_total | Sum | Total number of unregistrations. |
auto_registration_updates_total | Sum | Total number of auto registration updates. |
cert_expiry_seconds | LastValue | The time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired. |
-controller_sync_errors_total | Sum | Total number of errorMetric syncing controllers. |
dns_requests_total | Sum | Total number of DNS requests. |
dns_upstream_failures_total | Sum | Total number of DNS failures. |
dns_upstream_request_duration_seconds | Distribution | Total time in seconds Istio takes to get DNS response from upstream. |
@@ -2241,7 +2228,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
istio_build | LastValue | Istio component build info |
istiod_connection_failures | Sum | The total number of connection failures to Istiod |
istiod_connection_terminations | Sum | The total number of connection errors to Istiod |
-istiod_managed_clusters | LastValue | Number of clusters managed by istiod |
num_failed_outgoing_requests | Sum | Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_file_secret_failures_total | Sum | Number of times secret generation failed for files |
num_file_watcher_failures_total | Sum | Number of times file watcher failed to add watchers |
@@ -2260,10 +2246,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
pilot_inbound_updates | Sum | Total number of updates received by pilot. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
-pilot_k8s_cfg_events | Sum | Events from k8s config. |
-pilot_k8s_endpoints_pending_pod | LastValue | Number of endpoints that do not currently have any corresponding pods. |
-pilot_k8s_endpoints_with_no_pods | Sum | Endpoints that does not have any corresponding pods. |
-pilot_k8s_reg_events | Sum | Events from k8s registry. |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
pilot_proxy_convergence_time | Distribution | Delay in seconds between config change and a proxy receiving all required configuration. |
pilot_proxy_queue_time | Distribution | Time in seconds, a proxy is in the push queue before being dequeued. |
@@ -2292,23 +2274,14 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
pilot_xds_send_time | Distribution | Total time in seconds Pilot takes to send generated configuration. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
provider_lookup_cluster_failures | Sum | Number of times a cluster lookup failed |
-remote_cluster_sync_timeouts_total | Sum | Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters. |
scrape_failures_total | Sum | The total number of failed scrapes. |
scrapes_total | Sum | The total number of scrapes. |
-sidecar_injection_failure_total | Sum | Total number of failed sidecar injection requests. |
-sidecar_injection_requests_total | Sum | Total number of sidecar injection requests. |
-sidecar_injection_skip_total | Sum | Total number of skipped sidecar injection requests. |
-sidecar_injection_success_total | Sum | Total number of successful sidecar injection requests. |
-sidecar_injection_time_seconds | Distribution | Total time taken for injection in seconds. |
startup_duration_seconds | LastValue | The time from the process starting to being marked ready. |
wasm_cache_entries | LastValue | number of Wasm remote fetch cache entries. |
wasm_cache_lookup_count | Sum | number of Wasm remote fetch cache lookups. |
wasm_config_conversion_count | Sum | number of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. |
wasm_config_conversion_duration | Distribution | Total time in milliseconds istio-agent spends on converting remote load in Wasm config. |
wasm_remote_fetch_count | Sum | number of Wasm remote fetches and results, including success, download failure, and checksum mismatch. |
-webhook_patch_attempts_total | Sum | Webhook patching attempts |
-webhook_patch_failures_total | Sum | Webhook patching total failures |
-webhook_patch_retries_total | Sum | Webhook patching retries |
xds_cache_dependent_config_size | LastValue | Current size of dependent configs |
xds_cache_evictions | Sum | Total number of xds cache evictions. |
xds_cache_reads | Sum | Total number of xds cache xdsCacheReads. |
diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html
index e82be7f1b3..4822b90cd3 100644
--- a/content/en/docs/reference/config/annotations/index.html
+++ b/content/en/docs/reference/config/annotations/index.html
@@ -11,315 +11,1053 @@ weight: 60
This page presents the various resource annotations that
Istio supports to control its behavior.
-
+galley.istio.io/analyze-suppress
-
-
- | Annotation Name |
- Feature Status |
- Resource Types |
- Description |
-
-
+ | Name |
galley.istio.io/analyze-suppress |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed. |
+
+
+inject.istio.io/templates
+
+
+ | Name |
inject.istio.io/templates |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information. |
+
+
+install.operator.istio.io/chart-owner
+
+
+ | Name |
install.operator.istio.io/chart-owner |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
Represents the name of the chart used to create this resource. |
+
+
+install.operator.istio.io/owner-generation
+
+
+ | Name |
install.operator.istio.io/owner-generation |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
Represents the generation to which the resource was last reconciled. |
+
+
+install.operator.istio.io/version
+
+
+ | Name |
install.operator.istio.io/version |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
Represents the Istio version associated with the resource |
+
+
+istio.io/dry-run
+
+
+ | Name |
istio.io/dry-run |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[AuthorizationPolicy] |
+
+
+ | Description |
Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information. |
+
+
+istio.io/rev
+
+
+ | Name |
istio.io/rev |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision. |
+
+
+kubernetes.io/ingress.class
+
+
+ | Name |
kubernetes.io/ingress.class |
+
+
+ | Feature Status |
Stable |
+
+
+ | Resource Types |
[Ingress] |
+
+
+ | Description |
Annotation on an Ingress resources denoting the class of controllers responsible for it. |
+
+
+networking.istio.io/exportTo
+
+
+ | Name |
networking.istio.io/exportTo |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Service] |
+
+
+ | Description |
Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. |
+
+
+prometheus.istio.io/merge-metrics
+
+
+ | Name |
prometheus.istio.io/merge-metrics |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies if application Prometheus metric will be merged with Envoy metrics for this workload. |
+
+
+proxy.istio.io/config
+
+
+ | Name |
proxy.istio.io/config |
+
+
+ | Feature Status |
Beta |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig. |
+
+
+readiness.status.sidecar.istio.io/applicationPorts
+
+
+ | Name |
readiness.status.sidecar.istio.io/applicationPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic. |
+
+
+readiness.status.sidecar.istio.io/failureThreshold
+
+
+ | Name |
readiness.status.sidecar.istio.io/failureThreshold |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the failure threshold for the Envoy sidecar readiness probe. |
+
+
+readiness.status.sidecar.istio.io/initialDelaySeconds
+
+
+ | Name |
readiness.status.sidecar.istio.io/initialDelaySeconds |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe. |
+
+
+readiness.status.sidecar.istio.io/periodSeconds
+
+
+ | Name |
readiness.status.sidecar.istio.io/periodSeconds |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the period (in seconds) for the Envoy sidecar readiness probe. |
+
+
+sidecar.istio.io/agentLogLevel
+
+
+ | Name |
sidecar.istio.io/agentLogLevel |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the log output level for pilot-agent. |
+
+
+sidecar.istio.io/bootstrapOverride
+
+
+ | Name |
sidecar.istio.io/bootstrapOverride |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies an alternative Envoy bootstrap configuration file. |
+
+
+sidecar.istio.io/componentLogLevel
+
+
+ | Name |
sidecar.istio.io/componentLogLevel |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the component log level for Envoy. |
+
+
+sidecar.istio.io/controlPlaneAuthPolicy
+
+
+ | Name |
sidecar.istio.io/controlPlaneAuthPolicy |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections. |
+
+
+sidecar.istio.io/discoveryAddress
+
+
+ | Name |
sidecar.istio.io/discoveryAddress |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the XDS discovery address to be used by the Envoy sidecar. |
+
+
+sidecar.istio.io/enableCoreDump
+
+
+ | Name |
sidecar.istio.io/enableCoreDump |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies whether or not an Envoy sidecar should enable core dump. |
+
+
+
+
+
+ | Name |
sidecar.istio.io/extraStatTags |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list. |
+
+
+sidecar.istio.io/inject
+
+
+ | Name |
sidecar.istio.io/inject |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of `sidecar.istio.io/inject` label. |
+
+
+sidecar.istio.io/interceptionMode
+
+
+ | Name |
sidecar.istio.io/interceptionMode |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). |
+
+
+sidecar.istio.io/logLevel
+
+
+ | Name |
sidecar.istio.io/logLevel |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the log level for Envoy. |
+
+
+sidecar.istio.io/proxyCPU
+
+
+ | Name |
sidecar.istio.io/proxyCPU |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the requested CPU setting for the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyCPULimit
+
+
+ | Name |
sidecar.istio.io/proxyCPULimit |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the CPU limit for the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyImage
+
+
+ | Name |
sidecar.istio.io/proxyImage |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the Docker image to be used by the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyImageType
+
+
+ | Name |
sidecar.istio.io/proxyImageType |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag. |
+
+
+sidecar.istio.io/proxyMemory
+
+
+ | Name |
sidecar.istio.io/proxyMemory |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the requested memory setting for the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyMemoryLimit
+
+
+ | Name |
sidecar.istio.io/proxyMemoryLimit |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the memory limit for the Envoy sidecar. |
+
+
+sidecar.istio.io/rewriteAppHTTPProbers
+
+
+ | Name |
sidecar.istio.io/rewriteAppHTTPProbers |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar. |
+
+
+sidecar.istio.io/statsHistogramBuckets
+
+
+ | Name |
sidecar.istio.io/statsHistogramBuckets |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. `{"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}`. Default buckets are `[0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000]`. |
+
+
+sidecar.istio.io/statsInclusionPrefixes
+
+
+ | Name |
sidecar.istio.io/statsInclusionPrefixes |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. |
+
+
+sidecar.istio.io/statsInclusionRegexps
+
+
+ | Name |
sidecar.istio.io/statsInclusionRegexps |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. |
+
+
+sidecar.istio.io/statsInclusionSuffixes
+
+
+ | Name |
sidecar.istio.io/statsInclusionSuffixes |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. |
+
+
+sidecar.istio.io/status
+
+
+ | Name |
sidecar.istio.io/status |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. |
+
+
+sidecar.istio.io/userVolume
+
+
+ | Name |
sidecar.istio.io/userVolume |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar. |
+
+
+sidecar.istio.io/userVolumeMount
+
+
+ | Name |
sidecar.istio.io/userVolumeMount |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar. |
+
+
+status.sidecar.istio.io/port
+
+
+ | Name |
status.sidecar.istio.io/port |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status. |
+
+
+topology.istio.io/controlPlaneClusters
+
+
+ | Name |
topology.istio.io/controlPlaneClusters |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Namespace] |
+
+
+ | Description |
A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters. |
+
+
+traffic.istio.io/nodeSelector
+
+
+ | Name |
traffic.istio.io/nodeSelector |
+
+
+ | Feature Status |
Stable |
+
+
+ | Resource Types |
[Service] |
+
+
+ | Description |
This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication. |
+
+
+traffic.sidecar.istio.io/excludeInboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/excludeInboundPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected. |
+
+
+traffic.sidecar.istio.io/excludeInterfaces
+
+
+ | Name |
traffic.sidecar.istio.io/excludeInterfaces |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of interfaces to be excluded from Istio traffic capture |
+
+
+traffic.sidecar.istio.io/excludeOutboundIPRanges
+
+
+ | Name |
traffic.sidecar.istio.io/excludeOutboundIPRanges |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected. |
+
+
+traffic.sidecar.istio.io/excludeOutboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/excludeOutboundPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of outbound ports to be excluded from redirection to Envoy. |
+
+
+traffic.sidecar.istio.io/includeInboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/includeInboundPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection. |
+
+
+traffic.sidecar.istio.io/includeOutboundIPRanges
+
+
+ | Name |
traffic.sidecar.istio.io/includeOutboundIPRanges |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
+
+
+traffic.sidecar.istio.io/includeOutboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/includeOutboundPorts |
- Alpha |
- [Pod] |
- A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. |
- traffic.sidecar.istio.io/kubevirtInterfaces |
+ Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
- A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |
-
+
+
+ | Description |
+ A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. |
+
+
+traffic.sidecar.istio.io/kubevirtInterfaces
+
+
+
+ | Name |
+ traffic.sidecar.istio.io/kubevirtInterfaces |
+
+
+ | Feature Status |
+ Alpha |
+
+
+ | Resource Types |
+ [Pod] |
+
+
+ | Description |
+ A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |
+
+
+
\ No newline at end of file
diff --git a/content/en/docs/reference/config/labels/index.html b/content/en/docs/reference/config/labels/index.html
index b0898a84fb..d492883f2b 100644
--- a/content/en/docs/reference/config/labels/index.html
+++ b/content/en/docs/reference/config/labels/index.html
@@ -11,63 +11,171 @@ weight: 60
This page presents the various resource labels that
Istio supports to control its behavior.
-
+istio.io/rev
-
-
- | Label Name |
- Feature Status |
- Resource Types |
- Description |
-
-
+ | Name |
istio.io/rev |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Namespace] |
+
+
+ | Description |
Istio control plane revision associated with the resource; e.g. `canary` |
+
+
+networking.istio.io/gatewayPort
+
+
+ | Name |
networking.istio.io/gatewayPort |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Service] |
+
+
+ | Description |
IstioGatewayPortLabel overrides the default 15443 value to use for a multi-network gateway's port |
+
+
+service.istio.io/canonical-name
+
+
+ | Name |
service.istio.io/canonical-name |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
The name of the canonical service a workload belongs to |
+
+
+service.istio.io/canonical-revision
+
+
+ | Name |
service.istio.io/canonical-revision |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
The name of a revision within a canonical service that the workload belongs to |
+
+
+sidecar.istio.io/inject
+
+
+ | Name |
sidecar.istio.io/inject |
+
+
+ | Feature Status |
Beta |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies whether or not an Envoy sidecar should be automatically injected into the workload. |
+
+
+topology.istio.io/cluster
+
+
+ | Name |
topology.istio.io/cluster |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
This label is applied to a workload internally that identifies the Kubernetes cluster containing the workload. The cluster ID is specified during Istio installation for each cluster via `values.global.multiCluster.clusterName`. It should be noted that this is only used internally within Istio and is not an actual label on workload pods. If a pod contains this label, it will be overridden by Istio internally with the cluster ID specified during Istio installation. This label provides a way to select workloads by cluster when using DestinationRules. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently. |
+
+
+topology.istio.io/network
+
+
+ | Name |
topology.istio.io/network |
- Beta |
- [Namespace Pod Service] |
- A label used to identify the network for one or more pods. This is used
internally by Istio to group pods resident in the same L3 domain/network.
Istio assumes that pods in the same network are directly reachable from
one another. When pods are in different networks, an Istio Gateway
(e.g. east-west gateway) is typically used to establish connectivity
(with AUTO_PASSTHROUGH mode). This label can be applied to the following
resources to help automate Istio's multi-network configuration.
* Istio System Namespace: Applying this label to the system namespace
establishes a default network for pods managed by the control plane.
This is typically configured during control plane installation using an
admin-specified value.
* Pod: Applying this label to a pod allows overriding the default network
on a per-pod basis. This is typically applied to the pod via webhook
injection, but can also be manually specified on the pod by the service
owner. The Istio installation in each cluster configures webhook injection
using an admin-specified value.
* Gateway Service: Applying this label to the Service for an Istio Gateway,
indicates that Istio should use this service as the gateway for the
network, when configuring cross-network traffic. Istio will configure
pods residing outside of the network to access the Gateway service
via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case
of a NodePort service, the Node's address. The label is configured when
installing the gateway (e.g. east-west gateway) and should match either
the default network for the control plane (as specified by the Istio System
Namespace label) or the network of the targeted pods. |
- topology.istio.io/subzone |
+ Feature Status |
Beta |
- [Node] |
- User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones. |
-
+
+
+ | Resource Types |
+ [Namespace Pod Service] |
+
+
+ | Description |
+ A label used to identify the network for one or more pods. This is used
internally by Istio to group pods resident in the same L3 domain/network.
Istio assumes that pods in the same network are directly reachable from
one another. When pods are in different networks, an Istio Gateway
(e.g. east-west gateway) is typically used to establish connectivity
(with AUTO_PASSTHROUGH mode). This label can be applied to the following
resources to help automate Istio's multi-network configuration.
* Istio System Namespace: Applying this label to the system namespace
establishes a default network for pods managed by the control plane.
This is typically configured during control plane installation using an
admin-specified value.
* Pod: Applying this label to a pod allows overriding the default network
on a per-pod basis. This is typically applied to the pod via webhook
injection, but can also be manually specified on the pod by the service
owner. The Istio installation in each cluster configures webhook injection
using an admin-specified value.
* Gateway Service: Applying this label to the Service for an Istio Gateway,
indicates that Istio should use this service as the gateway for the
network, when configuring cross-network traffic. Istio will configure
pods residing outside of the network to access the Gateway service
via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case
of a NodePort service, the Node's address. The label is configured when
installing the gateway (e.g. east-west gateway) and should match either
the default network for the control plane (as specified by the Istio System
Namespace label) or the network of the targeted pods. |
+
+
+topology.istio.io/subzone
+
+
+
+ | Name |
+ topology.istio.io/subzone |
+
+
+ | Feature Status |
+ Beta |
+
+
+ | Resource Types |
+ [Node] |
+
+
+ | Description |
+ User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones. |
+
+
+
\ No newline at end of file
diff --git a/content/zh/docs/reference/commands/istioctl/index.html b/content/zh/docs/reference/commands/istioctl/index.html
index 5a95782e67..0845c9a873 100644
--- a/content/zh/docs/reference/commands/istioctl/index.html
+++ b/content/zh/docs/reference/commands/istioctl/index.html
@@ -6740,12 +6740,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
The JWT validation policy. |
-K8S_INGRESS_NS |
-String |
-istio-system |
- |
-
-
K_REVISION |
String |
|
diff --git a/content/zh/docs/reference/commands/operator/index.html b/content/zh/docs/reference/commands/operator/index.html
index 6c0e654eb5..c4a1929dc5 100644
--- a/content/zh/docs/reference/commands/operator/index.html
+++ b/content/zh/docs/reference/commands/operator/index.html
@@ -221,11 +221,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -245,7 +245,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpcgen, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -633,12 +633,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
The JWT validation policy. |
-K8S_INGRESS_NS |
-String |
-istio-system |
- |
-
-
K_REVISION |
String |
|
diff --git a/content/zh/docs/reference/commands/pilot-agent/index.html b/content/zh/docs/reference/commands/pilot-agent/index.html
index e1fe798a5f..24d65a45ca 100644
--- a/content/zh/docs/reference/commands/pilot-agent/index.html
+++ b/content/zh/docs/reference/commands/pilot-agent/index.html
@@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent '
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -77,11 +77,11 @@ See each sub-command's help for details on how to use the generated script.
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -101,7 +101,7 @@ See each sub-command's help for details on how to use the generated script.
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -142,11 +142,11 @@ If it is not installed already, you can install it via your OS's package man
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -166,7 +166,7 @@ If it is not installed already, you can install it via your OS's package man
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -206,11 +206,11 @@ If it is not installed already, you can install it via your OS's package man
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -230,7 +230,7 @@ If it is not installed already, you can install it via your OS's package man
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -269,11 +269,11 @@ to your powershell profile.
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -293,7 +293,7 @@ to your powershell profile.
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -339,11 +339,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -363,7 +363,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -420,12 +420,12 @@ to enable it. You can execute the following once:
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -450,7 +450,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -610,12 +610,12 @@ to enable it. You can execute the following once:
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -640,7 +640,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -720,11 +720,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -744,7 +744,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -814,11 +814,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -838,7 +838,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -871,12 +871,12 @@ to enable it. You can execute the following once:
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -901,7 +901,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -943,11 +943,11 @@ to enable it. You can execute the following once:
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -967,7 +967,7 @@ to enable it. You can execute the following once:
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, deltaadsc, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gcecred, googleca, googlecas, grpcgen, healthcheck, iptables, klog, mockcred, model, monitoring, retry, sds, security, serviceentry, spiffe, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -1498,12 +1498,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
The JWT validation policy. |
-K8S_INGRESS_NS |
-String |
-istio-system |
- |
-
-
KUBERNETES_SERVICE_HOST |
String |
|
@@ -1996,12 +1990,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
Whether to generate PKCS#8 private keys |
-PLATFORM |
-String |
- |
-Platform where Istio is deployed. Possible values are "openshift" and "gcp" |
-
-
POD_NAME |
String |
|
@@ -2231,7 +2219,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
auto_registration_unregister_total | Sum | Total number of unregistrations. |
auto_registration_updates_total | Sum | Total number of auto registration updates. |
cert_expiry_seconds | LastValue | The time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired. |
-controller_sync_errors_total | Sum | Total number of errorMetric syncing controllers. |
dns_requests_total | Sum | Total number of DNS requests. |
dns_upstream_failures_total | Sum | Total number of DNS failures. |
dns_upstream_request_duration_seconds | Distribution | Total time in seconds Istio takes to get DNS response from upstream. |
@@ -2241,7 +2228,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
istio_build | LastValue | Istio component build info |
istiod_connection_failures | Sum | The total number of connection failures to Istiod |
istiod_connection_terminations | Sum | The total number of connection errors to Istiod |
-istiod_managed_clusters | LastValue | Number of clusters managed by istiod |
num_failed_outgoing_requests | Sum | Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.) |
num_file_secret_failures_total | Sum | Number of times secret generation failed for files |
num_file_watcher_failures_total | Sum | Number of times file watcher failed to add watchers |
@@ -2260,10 +2246,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
pilot_inbound_updates | Sum | Total number of updates received by pilot. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
-pilot_k8s_cfg_events | Sum | Events from k8s config. |
-pilot_k8s_endpoints_pending_pod | LastValue | Number of endpoints that do not currently have any corresponding pods. |
-pilot_k8s_endpoints_with_no_pods | Sum | Endpoints that does not have any corresponding pods. |
-pilot_k8s_reg_events | Sum | Events from k8s registry. |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
pilot_proxy_convergence_time | Distribution | Delay in seconds between config change and a proxy receiving all required configuration. |
pilot_proxy_queue_time | Distribution | Time in seconds, a proxy is in the push queue before being dequeued. |
@@ -2292,23 +2274,14 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
pilot_xds_send_time | Distribution | Total time in seconds Pilot takes to send generated configuration. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
provider_lookup_cluster_failures | Sum | Number of times a cluster lookup failed |
-remote_cluster_sync_timeouts_total | Sum | Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters. |
scrape_failures_total | Sum | The total number of failed scrapes. |
scrapes_total | Sum | The total number of scrapes. |
-sidecar_injection_failure_total | Sum | Total number of failed sidecar injection requests. |
-sidecar_injection_requests_total | Sum | Total number of sidecar injection requests. |
-sidecar_injection_skip_total | Sum | Total number of skipped sidecar injection requests. |
-sidecar_injection_success_total | Sum | Total number of successful sidecar injection requests. |
-sidecar_injection_time_seconds | Distribution | Total time taken for injection in seconds. |
startup_duration_seconds | LastValue | The time from the process starting to being marked ready. |
wasm_cache_entries | LastValue | number of Wasm remote fetch cache entries. |
wasm_cache_lookup_count | Sum | number of Wasm remote fetch cache lookups. |
wasm_config_conversion_count | Sum | number of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint. |
wasm_config_conversion_duration | Distribution | Total time in milliseconds istio-agent spends on converting remote load in Wasm config. |
wasm_remote_fetch_count | Sum | number of Wasm remote fetches and results, including success, download failure, and checksum mismatch. |
-webhook_patch_attempts_total | Sum | Webhook patching attempts |
-webhook_patch_failures_total | Sum | Webhook patching total failures |
-webhook_patch_retries_total | Sum | Webhook patching retries |
xds_cache_dependent_config_size | LastValue | Current size of dependent configs |
xds_cache_evictions | Sum | Total number of xds cache evictions. |
xds_cache_reads | Sum | Total number of xds cache xdsCacheReads. |
diff --git a/content/zh/docs/reference/config/annotations/index.html b/content/zh/docs/reference/config/annotations/index.html
index e82be7f1b3..4822b90cd3 100644
--- a/content/zh/docs/reference/config/annotations/index.html
+++ b/content/zh/docs/reference/config/annotations/index.html
@@ -11,315 +11,1053 @@ weight: 60
This page presents the various resource annotations that
Istio supports to control its behavior.
-
+galley.istio.io/analyze-suppress
-
-
- | Annotation Name |
- Feature Status |
- Resource Types |
- Description |
-
-
+ | Name |
galley.istio.io/analyze-suppress |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed. |
+
+
+inject.istio.io/templates
+
+
+ | Name |
inject.istio.io/templates |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information. |
+
+
+install.operator.istio.io/chart-owner
+
+
+ | Name |
install.operator.istio.io/chart-owner |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
Represents the name of the chart used to create this resource. |
+
+
+install.operator.istio.io/owner-generation
+
+
+ | Name |
install.operator.istio.io/owner-generation |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
Represents the generation to which the resource was last reconciled. |
+
+
+install.operator.istio.io/version
+
+
+ | Name |
install.operator.istio.io/version |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Any] |
+
+
+ | Description |
Represents the Istio version associated with the resource |
+
+
+istio.io/dry-run
+
+
+ | Name |
istio.io/dry-run |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[AuthorizationPolicy] |
+
+
+ | Description |
Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information. |
+
+
+istio.io/rev
+
+
+ | Name |
istio.io/rev |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision. |
+
+
+kubernetes.io/ingress.class
+
+
+ | Name |
kubernetes.io/ingress.class |
+
+
+ | Feature Status |
Stable |
+
+
+ | Resource Types |
[Ingress] |
+
+
+ | Description |
Annotation on an Ingress resources denoting the class of controllers responsible for it. |
+
+
+networking.istio.io/exportTo
+
+
+ | Name |
networking.istio.io/exportTo |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Service] |
+
+
+ | Description |
Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. |
+
+
+prometheus.istio.io/merge-metrics
+
+
+ | Name |
prometheus.istio.io/merge-metrics |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies if application Prometheus metric will be merged with Envoy metrics for this workload. |
+
+
+proxy.istio.io/config
+
+
+ | Name |
proxy.istio.io/config |
+
+
+ | Feature Status |
Beta |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig. |
+
+
+readiness.status.sidecar.istio.io/applicationPorts
+
+
+ | Name |
readiness.status.sidecar.istio.io/applicationPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic. |
+
+
+readiness.status.sidecar.istio.io/failureThreshold
+
+
+ | Name |
readiness.status.sidecar.istio.io/failureThreshold |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the failure threshold for the Envoy sidecar readiness probe. |
+
+
+readiness.status.sidecar.istio.io/initialDelaySeconds
+
+
+ | Name |
readiness.status.sidecar.istio.io/initialDelaySeconds |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe. |
+
+
+readiness.status.sidecar.istio.io/periodSeconds
+
+
+ | Name |
readiness.status.sidecar.istio.io/periodSeconds |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the period (in seconds) for the Envoy sidecar readiness probe. |
+
+
+sidecar.istio.io/agentLogLevel
+
+
+ | Name |
sidecar.istio.io/agentLogLevel |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the log output level for pilot-agent. |
+
+
+sidecar.istio.io/bootstrapOverride
+
+
+ | Name |
sidecar.istio.io/bootstrapOverride |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies an alternative Envoy bootstrap configuration file. |
+
+
+sidecar.istio.io/componentLogLevel
+
+
+ | Name |
sidecar.istio.io/componentLogLevel |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the component log level for Envoy. |
+
+
+sidecar.istio.io/controlPlaneAuthPolicy
+
+
+ | Name |
sidecar.istio.io/controlPlaneAuthPolicy |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections. |
+
+
+sidecar.istio.io/discoveryAddress
+
+
+ | Name |
sidecar.istio.io/discoveryAddress |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the XDS discovery address to be used by the Envoy sidecar. |
+
+
+sidecar.istio.io/enableCoreDump
+
+
+ | Name |
sidecar.istio.io/enableCoreDump |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies whether or not an Envoy sidecar should enable core dump. |
+
+
+
+
+
+ | Name |
sidecar.istio.io/extraStatTags |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list. |
+
+
+sidecar.istio.io/inject
+
+
+ | Name |
sidecar.istio.io/inject |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of `sidecar.istio.io/inject` label. |
+
+
+sidecar.istio.io/interceptionMode
+
+
+ | Name |
sidecar.istio.io/interceptionMode |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). |
+
+
+sidecar.istio.io/logLevel
+
+
+ | Name |
sidecar.istio.io/logLevel |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the log level for Envoy. |
+
+
+sidecar.istio.io/proxyCPU
+
+
+ | Name |
sidecar.istio.io/proxyCPU |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the requested CPU setting for the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyCPULimit
+
+
+ | Name |
sidecar.istio.io/proxyCPULimit |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the CPU limit for the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyImage
+
+
+ | Name |
sidecar.istio.io/proxyImage |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the Docker image to be used by the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyImageType
+
+
+ | Name |
sidecar.istio.io/proxyImageType |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag. |
+
+
+sidecar.istio.io/proxyMemory
+
+
+ | Name |
sidecar.istio.io/proxyMemory |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the requested memory setting for the Envoy sidecar. |
+
+
+sidecar.istio.io/proxyMemoryLimit
+
+
+ | Name |
sidecar.istio.io/proxyMemoryLimit |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the memory limit for the Envoy sidecar. |
+
+
+sidecar.istio.io/rewriteAppHTTPProbers
+
+
+ | Name |
sidecar.istio.io/rewriteAppHTTPProbers |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar. |
+
+
+sidecar.istio.io/statsHistogramBuckets
+
+
+ | Name |
sidecar.istio.io/statsHistogramBuckets |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. `{"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}`. Default buckets are `[0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000]`. |
+
+
+sidecar.istio.io/statsInclusionPrefixes
+
+
+ | Name |
sidecar.istio.io/statsInclusionPrefixes |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. |
+
+
+sidecar.istio.io/statsInclusionRegexps
+
+
+ | Name |
sidecar.istio.io/statsInclusionRegexps |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. |
+
+
+sidecar.istio.io/statsInclusionSuffixes
+
+
+ | Name |
sidecar.istio.io/statsInclusionSuffixes |
+
+
+ | Feature Status |
Deprecated |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. |
+
+
+sidecar.istio.io/status
+
+
+ | Name |
sidecar.istio.io/status |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. |
+
+
+sidecar.istio.io/userVolume
+
+
+ | Name |
sidecar.istio.io/userVolume |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar. |
+
+
+sidecar.istio.io/userVolumeMount
+
+
+ | Name |
sidecar.istio.io/userVolumeMount |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar. |
+
+
+status.sidecar.istio.io/port
+
+
+ | Name |
status.sidecar.istio.io/port |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status. |
+
+
+topology.istio.io/controlPlaneClusters
+
+
+ | Name |
topology.istio.io/controlPlaneClusters |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Namespace] |
+
+
+ | Description |
A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters. |
+
+
+traffic.istio.io/nodeSelector
+
+
+ | Name |
traffic.istio.io/nodeSelector |
+
+
+ | Feature Status |
Stable |
+
+
+ | Resource Types |
[Service] |
+
+
+ | Description |
This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication. |
+
+
+traffic.sidecar.istio.io/excludeInboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/excludeInboundPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected. |
+
+
+traffic.sidecar.istio.io/excludeInterfaces
+
+
+ | Name |
traffic.sidecar.istio.io/excludeInterfaces |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of interfaces to be excluded from Istio traffic capture |
+
+
+traffic.sidecar.istio.io/excludeOutboundIPRanges
+
+
+ | Name |
traffic.sidecar.istio.io/excludeOutboundIPRanges |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected. |
+
+
+traffic.sidecar.istio.io/excludeOutboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/excludeOutboundPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of outbound ports to be excluded from redirection to Envoy. |
+
+
+traffic.sidecar.istio.io/includeInboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/includeInboundPorts |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection. |
+
+
+traffic.sidecar.istio.io/includeOutboundIPRanges
+
+
+ | Name |
traffic.sidecar.istio.io/includeOutboundIPRanges |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
+
+
+traffic.sidecar.istio.io/includeOutboundPorts
+
+
+ | Name |
traffic.sidecar.istio.io/includeOutboundPorts |
- Alpha |
- [Pod] |
- A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. |
- traffic.sidecar.istio.io/kubevirtInterfaces |
+ Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
- A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |
-
+
+
+ | Description |
+ A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. |
+
+
+traffic.sidecar.istio.io/kubevirtInterfaces
+
+
+
+ | Name |
+ traffic.sidecar.istio.io/kubevirtInterfaces |
+
+
+ | Feature Status |
+ Alpha |
+
+
+ | Resource Types |
+ [Pod] |
+
+
+ | Description |
+ A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |
+
+
+
\ No newline at end of file
diff --git a/content/zh/docs/reference/config/labels/index.html b/content/zh/docs/reference/config/labels/index.html
index b0898a84fb..d492883f2b 100644
--- a/content/zh/docs/reference/config/labels/index.html
+++ b/content/zh/docs/reference/config/labels/index.html
@@ -11,63 +11,171 @@ weight: 60
This page presents the various resource labels that
Istio supports to control its behavior.
-
+istio.io/rev
-
-
- | Label Name |
- Feature Status |
- Resource Types |
- Description |
-
-
+ | Name |
istio.io/rev |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Namespace] |
+
+
+ | Description |
Istio control plane revision associated with the resource; e.g. `canary` |
+
+
+networking.istio.io/gatewayPort
+
+
+ | Name |
networking.istio.io/gatewayPort |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Service] |
+
+
+ | Description |
IstioGatewayPortLabel overrides the default 15443 value to use for a multi-network gateway's port |
+
+
+service.istio.io/canonical-name
+
+
+ | Name |
service.istio.io/canonical-name |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
The name of the canonical service a workload belongs to |
+
+
+service.istio.io/canonical-revision
+
+
+ | Name |
service.istio.io/canonical-revision |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
The name of a revision within a canonical service that the workload belongs to |
+
+
+sidecar.istio.io/inject
+
+
+ | Name |
sidecar.istio.io/inject |
+
+
+ | Feature Status |
Beta |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
Specifies whether or not an Envoy sidecar should be automatically injected into the workload. |
+
+
+topology.istio.io/cluster
+
+
+ | Name |
topology.istio.io/cluster |
+
+
+ | Feature Status |
Alpha |
+
+
+ | Resource Types |
[Pod] |
+
+
+ | Description |
This label is applied to a workload internally that identifies the Kubernetes cluster containing the workload. The cluster ID is specified during Istio installation for each cluster via `values.global.multiCluster.clusterName`. It should be noted that this is only used internally within Istio and is not an actual label on workload pods. If a pod contains this label, it will be overridden by Istio internally with the cluster ID specified during Istio installation. This label provides a way to select workloads by cluster when using DestinationRules. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently. |
+
+
+topology.istio.io/network
+
+
+ | Name |
topology.istio.io/network |
- Beta |
- [Namespace Pod Service] |
- A label used to identify the network for one or more pods. This is used
internally by Istio to group pods resident in the same L3 domain/network.
Istio assumes that pods in the same network are directly reachable from
one another. When pods are in different networks, an Istio Gateway
(e.g. east-west gateway) is typically used to establish connectivity
(with AUTO_PASSTHROUGH mode). This label can be applied to the following
resources to help automate Istio's multi-network configuration.
* Istio System Namespace: Applying this label to the system namespace
establishes a default network for pods managed by the control plane.
This is typically configured during control plane installation using an
admin-specified value.
* Pod: Applying this label to a pod allows overriding the default network
on a per-pod basis. This is typically applied to the pod via webhook
injection, but can also be manually specified on the pod by the service
owner. The Istio installation in each cluster configures webhook injection
using an admin-specified value.
* Gateway Service: Applying this label to the Service for an Istio Gateway,
indicates that Istio should use this service as the gateway for the
network, when configuring cross-network traffic. Istio will configure
pods residing outside of the network to access the Gateway service
via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case
of a NodePort service, the Node's address. The label is configured when
installing the gateway (e.g. east-west gateway) and should match either
the default network for the control plane (as specified by the Istio System
Namespace label) or the network of the targeted pods. |
- topology.istio.io/subzone |
+ Feature Status |
Beta |
- [Node] |
- User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones. |
-
+
+
+ | Resource Types |
+ [Namespace Pod Service] |
+
+
+ | Description |
+ A label used to identify the network for one or more pods. This is used
internally by Istio to group pods resident in the same L3 domain/network.
Istio assumes that pods in the same network are directly reachable from
one another. When pods are in different networks, an Istio Gateway
(e.g. east-west gateway) is typically used to establish connectivity
(with AUTO_PASSTHROUGH mode). This label can be applied to the following
resources to help automate Istio's multi-network configuration.
* Istio System Namespace: Applying this label to the system namespace
establishes a default network for pods managed by the control plane.
This is typically configured during control plane installation using an
admin-specified value.
* Pod: Applying this label to a pod allows overriding the default network
on a per-pod basis. This is typically applied to the pod via webhook
injection, but can also be manually specified on the pod by the service
owner. The Istio installation in each cluster configures webhook injection
using an admin-specified value.
* Gateway Service: Applying this label to the Service for an Istio Gateway,
indicates that Istio should use this service as the gateway for the
network, when configuring cross-network traffic. Istio will configure
pods residing outside of the network to access the Gateway service
via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case
of a NodePort service, the Node's address. The label is configured when
installing the gateway (e.g. east-west gateway) and should match either
the default network for the control plane (as specified by the Istio System
Namespace label) or the network of the targeted pods. |
+
+
+topology.istio.io/subzone
+
+
+
+ | Name |
+ topology.istio.io/subzone |
+
+
+ | Feature Status |
+ Beta |
+
+
+ | Resource Types |
+ [Node] |
+
+
+ | Description |
+ User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones. |
+
+
+
\ No newline at end of file