diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index 76d9fb467f..2787c1573e 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -1653,116 +1653,6 @@ or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.10/i
 istioctl --kubeconfig=c0.yaml x create-remote-secret --name c0 --auth-type=plugin --auth-plugin-name=gcp \
 | kubectl --kubeconfig=c1.yaml apply -f - -
-Retrieves the debug information from Istiod or Pods in the mesh using the service account from the pod if --cert-dir is empty.
-By default it will use the default serviceAccount from (istio-system) namespace if the pod is not specified.
--THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
-istioctl experimental debug [<type>/]<name>[.<namespace>] [flags]
-
-Flags | -Shorthand | -Description | -
---|---|---|
--authority <string> |
-- | XDS Subject Alternative Name (for example istiod.istio-system.svc) (default ``) | -
--cert-dir <string> |
-- | XDS Endpoint certificate directory (default ``) | -
--context <string> |
-- | The name of the kubeconfig context to use (default ``) | -
--insecure |
-- | Skip server certificate and domain verification. (NOT SECURE!) | -
--istioNamespace <string> |
--i |
-Istio system namespace (default `istio-system`) | -
--kubeconfig <string> |
--c |
-Kubernetes configuration file (default ``) | -
--namespace <string> |
--n |
-Config namespace (default ``) | -
--plaintext |
-- | Use plain-text HTTP/2 when connecting to server (no TLS). | -
--revision <string> |
--r |
-Control plane revision (default ``) | -
--timeout <duration> |
-- | The duration to wait before failing (default `30s`) | -
--xds-address <string> |
-- | XDS Endpoint (default ``) | -
--xds-label <string> |
-- | Istiod pod label selector (default ``) | -
--xds-port <int> |
-- | Istiod pod port (default `15012`) | -
# Retrieve sync status for all Envoys in a mesh
- istioctl x debug syncz
-
- # Retrieve sync diff for a single Envoy and Istiod
- istioctl x debug syncz istio-egressgateway-59585c5b9c-ndc59.istio-system
-
- # SECURITY OPTIONS
-
- # Retrieve syncz debug information directly from the control plane, using token security
- # (This is the usual way to get the debug information with an out-of-cluster control plane.)
- istioctl x debug syncz --xds-address istio.cloudprovider.example.com:15012
-
- # Retrieve syncz debug information via Kubernetes config, using token security
- # (This is the usual way to get the debug information with an in-cluster control plane.)
- istioctl x debug syncz
-
- # Retrieve syncz debug information directly from the control plane, using RSA certificate security
- # (Certificates must be obtained before this step. The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
- istioctl x debug syncz --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
-
- # Retrieve syncz information via XDS from specific control plane in multi-control plane in-cluster configuration
- # (Select a specific control plane in an in-cluster canary Istio configuration.)
- istioctl x debug syncz --xds-label istio.io/rev=default
-
-
Describe resource and related Istio configuration
istioctl experimental describe [flags]
@@ -1969,6 +1859,116 @@ the configuration objects that affect that service.
Examples
istioctl experimental injector list
+
+istioctl experimental internal-debug
+
+Retrieves the debug information from Istiod or Pods in the mesh using the service account from the pod if --cert-dir is empty.
+By default it will use the default serviceAccount from (istio-system) namespace if the pod is not specified.
+
+THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
+istioctl experimental internal-debug [<type>/]<name>[.<namespace>] [flags]
+
+
+
+
+Flags
+Shorthand
+Description
+
+
+
+
+--authority <string>
+
+XDS Subject Alternative Name (for example istiod.istio-system.svc) (default ``)
+
+
+--cert-dir <string>
+
+XDS Endpoint certificate directory (default ``)
+
+
+--context <string>
+
+The name of the kubeconfig context to use (default ``)
+
+
+--insecure
+
+Skip server certificate and domain verification. (NOT SECURE!)
+
+
+--istioNamespace <string>
+-i
+Istio system namespace (default `istio-system`)
+
+
+--kubeconfig <string>
+-c
+Kubernetes configuration file (default ``)
+
+
+--namespace <string>
+-n
+Config namespace (default ``)
+
+
+--plaintext
+
+Use plain-text HTTP/2 when connecting to server (no TLS).
+
+
+--revision <string>
+-r
+Control plane revision (default ``)
+
+
+--timeout <duration>
+
+The duration to wait before failing (default `30s`)
+
+
+--xds-address <string>
+
+XDS Endpoint (default ``)
+
+
+--xds-label <string>
+
+Istiod pod label selector (default ``)
+
+
+--xds-port <int>
+
+Istiod pod port (default `15012`)
+
+
+
+Examples
+ # Retrieve sync status for all Envoys in a mesh
+ istioctl x internal-debug syncz
+
+ # Retrieve sync diff for a single Envoy and Istiod
+ istioctl x internal-debug syncz istio-egressgateway-59585c5b9c-ndc59.istio-system
+
+ # SECURITY OPTIONS
+
+ # Retrieve syncz debug information directly from the control plane, using token security
+ # (This is the usual way to get the debug information with an out-of-cluster control plane.)
+ istioctl x internal-debug syncz --xds-address istio.cloudprovider.example.com:15012
+
+ # Retrieve syncz debug information via Kubernetes config, using token security
+ # (This is the usual way to get the debug information with an in-cluster control plane.)
+ istioctl x internal-debug syncz
+
+ # Retrieve syncz debug information directly from the control plane, using RSA certificate security
+ # (Certificates must be obtained before this step. The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
+ istioctl x internal-debug syncz --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+
+ # Retrieve syncz information via XDS from specific control plane in multi-control plane in-cluster configuration
+ # (Select a specific control plane in an in-cluster canary Istio configuration.)
+ istioctl x internal-debug syncz --xds-label istio.io/rev=default
+
istioctl experimental kube-uninject
diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index fd112aef18..1aa2d465bc 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -701,13 +701,19 @@ No
Delegate
Delegate is used to specify the particular VirtualService which
-can be used to define delegate HTTPRoute.
-It can be set only when Route
and Redirect
are empty, and the route rules of the
-delegate VirtualService will be merged with that in the current one.
-NOTE:
- 1. Only one level delegation is supported.
- 2. The delegate’s HTTPMatchRequest must be a strict subset of the root’s,
- otherwise there is a conflict and the HTTPRoute will not take effect.
+can be used to define delegate HTTPRoute.
+
+It can be set only when Route
and Redirect
are empty, and the route
+rules of the delegate VirtualService will be merged with that in the
+current one.
+
+NOTE:
+
+
+- Only one level delegation is supported.
+- The delegate’s HTTPMatchRequest must be a strict subset of the root’s,
+otherwise there is a conflict and the HTTPRoute will not take effect.
+
@@ -1470,14 +1476,19 @@ No
Query parameters for matching.
-Ex:
-- For a query parameter like “?key=true”, the map key would be “key” and
- the string match could be defined as exact: "true"
.
-- For a query parameter like “?key”, the map key would be “key” and the
- string match could be defined as exact: ""
.
-- For a query parameter like “?key=123”, the map key would be “key” and the
- string match could be defined as regex: "\d+$"
. Note that this
- configuration will only match values like “123” but not “a123” or “123a”.
+Ex:
+
+
+For a query parameter like “?key=true”, the map key would be “key” and
+the string match could be defined as exact: "true"
.
+
+For a query parameter like “?key”, the map key would be “key” and the
+string match could be defined as exact: ""
.
+
+For a query parameter like “?key=123”, the map key would be “key” and the
+string match could be defined as regex: "\d+$"
. Note that this
+configuration will only match values like “123” but not “a123” or “123a”.
+
Note: prefix
matching is currently not supported.
diff --git a/content/en/docs/reference/config/security/peer_authentication/index.html b/content/en/docs/reference/config/security/peer_authentication/index.html
index c4368b92f7..bc294237e6 100644
--- a/content/en/docs/reference/config/security/peer_authentication/index.html
+++ b/content/en/docs/reference/config/security/peer_authentication/index.html
@@ -130,7 +130,8 @@ No
portLevelMtls
map<uint32, MutualTLS>
-Port specific mutual TLS settings.
+Port specific mutual TLS settings. These only apply when a workload selector
+is specified.