diff --git a/content/en/docs/reference/commands/galley/index.html b/content/en/docs/reference/commands/galley/index.html
index 7404ff89ac..8a64dc8e3c 100644
--- a/content/en/docs/reference/commands/galley/index.html
+++ b/content/en/docs/reference/commands/galley/index.html
@@ -199,7 +199,7 @@ number_of_entries: 5
--disableResourceReadyCheck |
|
-Disable resource readiness checks. This allows Galley to start if not all resource types are supported |
+(DEPRECATED) Disable resource readiness checks. This allows Galley to start if not all resource types are supported |
--domain <string> |
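Review bot: The "(DEPRECATED)" prefix on --disableResourceReadyCheck gives the operator nothing to act on. The description should say what replaces the flag, or that the readiness check behaviour it controlled no longer needs a switch, and whether the flag is still honoured or now ignored when passed.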
@@ -222,6 +222,11 @@ number_of_entries: 5
Run galley validation mode |
+--enableAnalysis |
+ |
+Enable config analysis service |
+
+
--enableProfiling |
|
Enable profiling for Galley |
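Review bot: The description for the new --enableAnalysis flag, "Enable config analysis service", does not say what the service does or where its results are surfaced, so a reader cannot tell from this row whether to turn it on. One more sentence in the flag's help text covering what is analysed and where the output goes would close that gap.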
@@ -234,7 +239,7 @@ number_of_entries: 5
--excludedResourceKinds <stringSlice> |
|
-Comma-separated list of resource kinds that should not generate source events (default `[Endpoints,Namespace,Node,Pod,Service]`) |
+(DEPRECATED) Comma-separated list of resource kinds that should not generate source events (default `[Endpoints,Namespace,Node,Pod,Service]`) |
--insecure |
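Review bot: The --excludedResourceKinds row is now marked deprecated but still advertises the default list `[Endpoints,Namespace,Node,Pod,Service]`. State whether that default, and any value the operator passes, is still applied while the flag is deprecated, so nobody relies on an exclusion that has stopped taking effect.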
diff --git a/content/en/docs/reference/commands/istio_ca/index.html b/content/en/docs/reference/commands/istio_ca/index.html
index 481df75e20..d157b40d2e 100644
--- a/content/en/docs/reference/commands/istio_ca/index.html
+++ b/content/en/docs/reference/commands/istio_ca/index.html
@@ -83,11 +83,11 @@ number_of_entries: 4
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -107,7 +107,7 @@ number_of_entries: 4
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
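Review bot: The --log_stacktrace_level text on the added line still carries the malformed placeholder `<scope:level>` in "<scope>:<level>,<scope:level>,...", while the --log_output_level description uses `<scope>:<level>` for both entries. Since this line is being regenerated anyway, fix the help string at its source so the second placeholder reads `<scope>:<level>`. The same string recurs in the later log_stacktrace_level hunks of this file.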
@@ -135,7 +135,7 @@ number_of_entries: 4
--read-signing-cert-only |
-When set, Citadel only reads the self-signed signing key and cert from Kubernetes secret without generating one (if not exist). This flag avoids racing condition between multiple Citadels generating self-signed key and cert. Please make sure one and only one Citadel instance has this flag set to false. |
+When set, Citadel only reads the self-signed signing cert and key from Kubernetes secret without generating one (if not exist). This flag avoids racing condition between multiple Citadels generating self-signed key and cert. Please make sure one and only one Citadel instance has this flag set to false. |
--requested-ca-cert-ttl <duration> |
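Review bot: The --read-signing-cert-only description is now internally inconsistent: the first sentence was changed to "signing cert and key" but the second still says "self-signed key and cert". Pick one order for both, and while editing the string also fix "racing condition" (race condition) and "(if not exist)" (if it does not exist).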
@@ -154,10 +154,6 @@ number_of_entries: 4
Indicates whether to use auto-generated self-signed CA certificate. When set to true, the '--signing-cert' and '--signing-key' options are ignored. |
---self-signed-ca-cert-ttl <duration> |
-The TTL of self-signed CA root certificate. (default `87600h0m0s`) |
-
-
--server-only |
When set, Citadel only serves as a server without writing the Kubernetes secrets. |
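Review bot: The --self-signed-ca-cert-ttl row is deleted outright with no deprecation step, and the same setting only reappears later in this patch as the CITADEL_SELF_SIGNED_CA_CERT_TTL environment variable with the same 87600h0m0s default. The root CA lifetime is a setting operators set deliberately, so the change needs a release note, and the flags section would benefit from a pointer to the environment variable so someone searching for the old flag name finds where it went.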
@@ -186,10 +182,6 @@ number_of_entries: 4
The workload certificate rotation grace period, as a ratio of the workload certificate TTL. (default `0.5`) |
---workload-cert-min-grace-period <duration> |
-The minimum workload certificate rotation grace period. (default `10m0s`) |
-
-
--workload-cert-ttl <duration> |
The TTL of issued workload certificates. (default `2160h0m0s`) |
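Review bot: With --workload-cert-min-grace-period removed from this table, the remaining grace period row describes only a ratio of the workload certificate TTL (default `0.5`) and no longer tells the reader that a minimum applies. Add a cross-reference from that row to CITADEL_WORKLOAD_CERT_MIN_GRACE_PERIOD, which this patch adds to the environment variable table with the same 10m0s default.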
@@ -225,11 +217,11 @@ number_of_entries: 4
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -249,7 +241,7 @@ number_of_entries: 4
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -292,12 +284,12 @@ number_of_entries: 4
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -322,7 +314,7 @@ number_of_entries: 4
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, k8sController, monitor, pkiCaLog, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, caSecretController, configMapController, default, k8sController, monitor, pkiCaLog, rootCertRotator, serverCaLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -354,12 +346,42 @@ These environment variables affect the behavior of the istio_ca
com
+CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR |
+Boolean |
+true |
+If true, set up a jitter to start root cert rotator. Jitter selects a backoff time in seconds to start root cert rotator, and the back off time is below root cert check interval. |
+
+
CITADEL_ENABLE_NAMESPACES_BY_DEFAULT |
Boolean |
true |
Determines whether unlabeled namespaces should be targeted by this Citadel instance |
+CITADEL_SELF_SIGNED_CA_CERT_TTL |
+Time Duration |
+87600h0m0s |
+The TTL of self-signed CA root certificate. |
+
+
+CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL |
+Time Duration |
+1h0m0s |
+The interval that self-signed CA checks its root certificate expiration time and rotates root certificate. Setting this interval to zero or a negative value disables automated root cert check and rotation. This interval is suggested to be larger than 10 minutes. |
+
+
+CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILE |
+Integer |
+20 |
+Grace period percentile for self-signed root cert. |
+
+
+CITADEL_WORKLOAD_CERT_MIN_GRACE_PERIOD |
+Time Duration |
+10m0s |
+The minimum workload certificate rotation grace period. |
+
+
NAMESPACE |
String |
|
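Review bot: The description of CITADEL_SELF_SIGNED_ROOT_CERT_GRACE_PERIOD_PERCENTILE, "Grace period percentile for self-signed root cert.", only restates the variable name: it should say what the value 20 is a percentage of, the accepted range, and what happens once the certificate enters the grace period. In the same hunk, CITADEL_SELF_SIGNED_ROOT_CERT_CHECK_INTERVAL says the interval "is suggested to be larger than 10 minutes" without saying what goes wrong below that, and the jitter description mixes "backoff" and "back off"; both are worth tightening in the source strings.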
diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index 244d377814..c4836e3c99 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
title: istioctl
description: Istio control interface.
generator: pkg-collateral-docs
-number_of_entries: 62
+number_of_entries: 63
---
Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.
@@ -36,7 +36,7 @@ debug and diagnose their Istio mesh.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
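Review bot: The added --log_output_level line changes the documented default from `default:info` to `default:info,processing:error,source:error`, and that behaviour change is easy to miss because it sits at the end of a line that otherwise only extends the scope list (configMapController, conversions, kube). Messages below error level from the processing and source scopes are no longer shown by default, so this deserves its own mention in the change description or release notes. The same edit repeats in every subcommand hunk of this file.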
@@ -76,7 +76,7 @@ debug and diagnose their Istio mesh.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -117,7 +117,7 @@ A group of commands used to interact with Istio authentication policies.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -164,7 +164,7 @@ and check if TLS settings are compatible between them.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -219,7 +219,7 @@ istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -271,7 +271,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -316,7 +316,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -359,7 +359,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -402,7 +402,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -445,7 +445,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -488,7 +488,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -531,7 +531,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -574,7 +574,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -617,7 +617,7 @@ istioctl d [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -659,7 +659,7 @@ istioctl deregister my-svc 172.17.0.2
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -702,7 +702,7 @@ istioctl deregister my-svc 172.17.0.2
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -756,7 +756,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
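Review bot: the new default on the `+` line, `default:info,processing:error,source:error`, sets the `processing` and `source` scopes to error, so anything below error from those two scopes (warn included) is dropped unless the user overrides the flag. The description only shows the new value in parentheses. Please state the reason for the quieter default in the help text or release notes, and show how to restore the more verbose output, for example `--log_output_level processing:info,source:info`. The same default and the three added scopes (`configMapController`, `conversions`, `kube`) recur in the later `--log_output_level` hunks of this file, so this comment applies to each of them.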
@@ -820,7 +820,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--meshConfigFile <string> |
@@ -866,6 +866,11 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
The name of the kubeconfig context to use (default ``) |
+--discovery <string> |
+-d |
+'true' to enable service discovery, 'false' to disable it. Defaults to true if --use-kube is set, false otherwise. Analyzers requiring resources made available by enabling service discovery will be skipped. (default ``) |
+
+
--istioNamespace <string> |
-i |
Istio system namespace (default `istio-system`) |
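Review bot: the `--discovery` description documents a boolean ('true' or 'false'), but the flag is typed `<string>` with default ``, and the text does not say what any other value does (rejected with an error, or treated as unset). The last sentence, "Analyzers requiring resources made available by enabling service discovery will be skipped.", also reads as unconditional; presumably it applies only when discovery is disabled. Suggest wording such as "When service discovery is disabled, analyzers that require those resources are skipped." Consider also reporting which analyzers were skipped, so that a clean result is not mistaken for full coverage.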
@@ -878,7 +883,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -888,7 +893,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--use-kube |
-k |
-Use live kubernetes cluster for analysis |
+Use live Kubernetes cluster for analysis |
@@ -903,6 +908,12 @@ istioctl experimental analyze -k
# Analyze the current live cluster, simulating the effect of applying additional yaml files
istioctl experimental analyze -k a.yaml b.yaml
+# Analyze yaml files, overriding service discovery to enabled
+istioctl experimental analyze -d true a.yaml b.yaml services.yaml
+
+# Analyze the current live cluster, overriding service discovery to disabled
+istioctl experimental analyze -k -d false
+
istioctl experimental auth
Commands to inspect and interact with the authentication (TLS, JWT) and authorization (RBAC) policies in the mesh
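Review bot: the first added example passes `services.yaml` together with `-d true` but its comment does not say why the extra file is there. If the point is that file-based analysis with discovery enabled needs the service definitions supplied as input, say so in the comment; otherwise drop the file so the example matches the `a.yaml b.yaml` examples above it. For the second example, `-k -d false`, the comment should mention that analyzers depending on service discovery are skipped, as the flag description states, since a user copying this line gets a narrower analysis of the live cluster than `-k` alone.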
@@ -936,7 +947,7 @@ istioctl experimental analyze -k a.yaml b.yaml
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1002,7 +1013,7 @@ the cluster results of the client pod and the listener results of the server pod
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1058,7 +1069,7 @@ the cluster results of the client pod and the listener results of the server pod
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1101,7 +1112,7 @@ the cluster results of the client pod and the listener results of the server pod
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1141,7 +1152,7 @@ the cluster results of the client pod and the listener results of the server pod
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1198,7 +1209,7 @@ istioctl --kubeconfig=c0.yaml x create-remote-secret c1 \
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1241,7 +1252,7 @@ istioctl --kubeconfig=c0.yaml x create-remote-secret c1 \
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1289,7 +1300,7 @@ the configuration objects that affect that pod.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1340,7 +1351,7 @@ also provides the inverse of "istioctl kube-inject -f".
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1400,7 +1411,7 @@ kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kube
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1460,7 +1471,7 @@ kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kube
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1547,7 +1558,7 @@ customization file (default `[]`)
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1616,7 +1627,7 @@ e.g.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1683,7 +1694,7 @@ customization file (default `[]`)
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1738,7 +1749,7 @@ customization file (default `[]`)
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1807,7 +1818,7 @@ calculated over a time interval of 1 minute.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -1859,7 +1870,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1914,7 +1925,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -1984,7 +1995,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -2039,7 +2050,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--logtostderr |
@@ -2092,7 +2103,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2136,7 +2147,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2181,7 +2192,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2252,7 +2263,7 @@ kube-inject on deployments to get the most up-to-date changes.
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--meshConfigFile <string> |
@@ -2333,7 +2344,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2385,7 +2396,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2449,7 +2460,7 @@ istioctl proxy-config c <pod-name[.namespace]> [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2529,7 +2540,7 @@ istioctl proxy-config ep <pod-name[.namespace]> [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2609,7 +2620,7 @@ istioctl proxy-config l <pod-name[.namespace]> [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2643,6 +2654,75 @@ istioctl proxy-config l <pod-name[.namespace]> [flags]
# Retrieve full listener dump for HTTP listeners with a wildcard address (0.0.0.0).
istioctl proxy-config listeners <pod-name[.namespace]> --type HTTP --address 0.0.0.0 -o json
+
+istioctl proxy-config log
+(experimental) Retrieve information about logging levels of the Envoy instance in the specified pod, and update optionally
+istioctl proxy-config log <pod-name[.namespace]> [flags]
+
+
+
istioctl proxy-config o <pod-name[.namespace]> [flags]
+
+
+
+
+Flags |
+Shorthand |
+Description |
+
+
+
+
+--context <string> |
+ |
+The name of the kubeconfig context to use (default ``) |
+
+
+--istioNamespace <string> |
+-i |
+Istio system namespace (default `istio-system`) |
+
+
+--kubeconfig <string> |
+-c |
+Kubernetes configuration file (default ``) |
+
+
+--level <string> |
+ |
+Comma-separated minimum per-logger level of messages to output, in the form of <logger>:<level>,<logger>:<level>,... where logger can be one of admin, all, aws, assert, backtrace, client, config, connection, dubbo, file, filter, forward_proxy, grpc, hc, health_checker, http, http2, hystrix, init, io, jwt, kafka, lua, main, misc, mongo, quic, pool, rbac, redis, router, runtime, stats, secret, tap, testing, thrift, tracing, upstream, udp, wasm and level can be one of [trace, debug, info, warning, error, critical, off] (default ``) |
+
+
+--log_output_level <string> |
+ |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
+
+
+--namespace <string> |
+-n |
+Config namespace (default ``) |
+
+
+--output <string> |
+-o |
+Output format: one of json|short (default `short`) |
+
+
+--reset |
+-r |
+Specify if the reset log level to default value (warning). |
+
+
+
+Examples
+ # Retrieve information about logging levels for a given pod from Envoy.
+ istioctl proxy-config log <pod-name[.namespace]>
+
+ # Update levels of the specified loggers and retrieve all the information about logging levels.
+ istioctl proxy-config log <pod-name[.namespace]> --level all:warning,http:debug,redis:debug
+
+ # Reset levels of all the loggers to default value (warning) and retrieve all the information about logging levels.
+ istioctl proxy-config log <pod-name[.namespace]> -r
+
istioctl proxy-config route
Retrieve information about route configuration for the Envoy instance in the specified pod.
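Review bot: The `--reset` description, "Specify if the reset log level to default value (warning).", does not parse; something like "Reset all logger levels to the default value (warning)." would match the third example. In the `--level` row the logger names are listed without the brackets used for the level list in the same sentence and for the scope list in `--log_output_level`, which makes the sentence hard to scan. The summary's "and update optionally" also undersells that `--level` and `-r` change the logging levels of the Envoy instance in the target pod; for a command marked experimental, the description should say plainly that these two flags modify the proxy rather than only read from it.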
@@ -2679,7 +2759,7 @@ istioctl proxy-config r <pod-name[.namespace]> [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--name <string> |
@@ -2743,7 +2823,7 @@ istioctl proxy-config r <pod-name[.namespace]> [flags]
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2800,7 +2880,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2868,7 +2948,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2918,7 +2998,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -2992,7 +3072,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -3049,7 +3129,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, configMapController, conversions, default, googleCAClientLog, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,processing:error,source:error`) |
--namespace <string> |
@@ -3134,6 +3214,12 @@ These environment variables affect the behavior of the istioctl
com
namespace that nodeagent/citadel run in |
+PILOT_BLOCK_HTTP_ON_443 |
+Boolean |
+true |
+If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic |
+
+
PILOT_CERT_DIR |
String |
|
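Review bot: The `PILOT_BLOCK_HTTP_ON_443` description leaves the operator guessing in both directions: "blocked" is not defined for the enabled case (the default, `true`), and "could block all external traffic" in the disabled case does not say under what condition. Suggest stating what happens to an HTTP service declared on port 443 when the variable is enabled, and pointing to the `pilot_conflict_outbound_listener_http_over_https` metric added later in this file if that is how the condition is surfaced.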
@@ -3179,7 +3265,7 @@ These environment variables affect the behavior of the istioctl
com
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS |
Boolean |
true |
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
+If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_MYSQL_FILTER |
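Review bot: The removed and added description lines for `PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS` read identically, so this looks like a whitespace-only change. Confirm it is intended and not noise that should be dropped from the patch.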
@@ -3357,6 +3443,7 @@ These environment variables affect the behavior of the istioctl
com
outgoing_latency | Sum | The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
+pilot_conflict_outbound_listener_http_over_https | LastValue | Number of conflicting HTTP listeners with well known HTTPS ports |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
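Review bot: The new `pilot_conflict_outbound_listener_http_over_https` row says "well known HTTPS ports" (plural, unhyphenated, no trailing period), while `PILOT_BLOCK_HTTP_ON_443` in this same file names only port 443. Either list the ports the metric covers or say 443, write "well-known", and end the sentence with a period like the neighbouring rows.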
@@ -3371,8 +3458,8 @@ These environment variables affect the behavior of the istioctl
com
pilot_k8s_object_errors | LastValue | Errors converting k8s CRDs |
pilot_k8s_reg_events | Sum | Events from k8s registry. |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
-pilot_proxy_convergence_time | Distribution | Delay between config change and all proxies converging. |
-pilot_proxy_queue_time | Distribution | Time a proxy is in the push queue before being dequeued. |
+pilot_proxy_convergence_time | Distribution | Delay in seconds between config change and a proxy receiving all required configuration. |
+pilot_proxy_queue_time | Distribution | Time in seconds, a proxy is in the push queue before being dequeued. |
pilot_rds_expired_nonce | Sum | Total number of RDS messages with an expired nonce. |
pilot_services | LastValue | Total services known to pilot. |
pilot_total_rejected_configs | Sum | Total number of configs that Pilot had to reject or ignore. |
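Review bot: In the new `pilot_proxy_queue_time` text, "Time in seconds, a proxy is in the push queue" has a stray comma; "Time in seconds a proxy is in the push queue before being dequeued." reads correctly. The `pilot_proxy_convergence_time` rewording also shifts the stated meaning from "all proxies converging" to "a proxy receiving all required configuration", so the change description should say whether the measurement itself changed or only the wording, for anyone with dashboards or alerts built on the old definition.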
@@ -3386,7 +3473,7 @@ These environment variables affect the behavior of the istioctl
com
pilot_xds_eds_reject | LastValue | Pilot rejected EDS. |
pilot_xds_lds_reject | LastValue | Pilot rejected LDS. |
pilot_xds_push_context_errors | Sum | Number of errors (timeouts) initiating push context. |
-pilot_xds_push_time | Distribution | Total time in second Pilot takes to push lds, rds, cds and eds. |
+pilot_xds_push_time | Distribution | Total time in seconds Pilot takes to push lds, rds, cds and eds. |
pilot_xds_pushes | Sum | Pilot build and send errors for lds, rds, cds and eds. |
pilot_xds_rds_reject | LastValue | Pilot rejected RDS. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html
index 533fddfc58..ce4aa3533e 100644
--- a/content/en/docs/reference/commands/operator/index.html
+++ b/content/en/docs/reference/commands/operator/index.html
@@ -63,11 +63,11 @@ number_of_entries: 4
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [default, util] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [default, name, patch, tpath, translator, util, validation] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [default, util] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [default, name, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -87,7 +87,7 @@ number_of_entries: 4
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [default, util] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [default, name, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
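Review bot: The `--log_stacktrace_level` line carries over the malformed placeholder `<scope>:<level>,<scope:level>,...`; the second pair should read `<scope>:<level>`, as it does in `--log_output_level` in the hunk above. The same text recurs in the pilot-agent hunks of this diff, so it is worth correcting in the same change.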
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index dc9fc2b165..60830ca9ea 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -21,11 +21,11 @@ number_of_entries: 5
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, default, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
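Review bot: `authn` is dropped from the pilot-agent scope lists for `--log_caller` and `--log_output_level` here, while the istioctl scope list earlier in this diff still includes it. Confirm the removal is intentional and state in the change description what an existing `--log_output_level authn:debug` setting does after this change, since a deployment may already pass that scope to debug authentication.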
@@ -45,7 +45,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -159,11 +159,11 @@ number_of_entries: 5
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, default, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -183,7 +183,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -261,11 +261,11 @@ number_of_entries: 5
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, default, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -285,7 +285,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -314,12 +314,12 @@ number_of_entries: 5
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, default, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -344,7 +344,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -448,6 +448,12 @@ These environment variables affect the behavior of the pilot-agent
|
+PILOT_BLOCK_HTTP_ON_443 |
+Boolean |
+true |
+If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic |
+
+
PILOT_CERT_DIR |
String |
|
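Review bot: The `PILOT_BLOCK_HTTP_ON_443` description uses "block" in two different senses, which makes a security-relevant default hard to read: in the first sentence Pilot blocks the HTTP service, in the second the HTTP service blocks external traffic. Reword the second sentence to say concretely what breaks when the variable is set to false, and add the missing final period.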
@@ -493,7 +499,7 @@ These environment variables affect the behavior of the pilot-agent
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS |
Boolean |
true |
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
+If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_MYSQL_FILTER |
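Review bot: The removed and added `PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS` descriptions are textually identical as shown, so this hunk is a whitespace-only change. If it comes from regenerating the page, normalise the whitespace in the source string so the line does not churn in later diffs.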
@@ -633,6 +639,7 @@ These environment variables affect the behavior of the pilot-agent
istio_build | LastValue | Istio component build info |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
+pilot_conflict_outbound_listener_http_over_https | LastValue | Number of conflicting HTTP listeners with well known HTTPS ports |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
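Review bot: The new `pilot_conflict_outbound_listener_http_over_https` row says "well known HTTPS ports" (plural), but the only control this change documents, `PILOT_BLOCK_HTTP_ON_443`, names port 443 alone. State which ports the counter covers, and end the description with a period like the neighbouring rows.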
@@ -642,7 +649,6 @@ These environment variables affect the behavior of the pilot-agent
pilot_duplicate_envoy_clusters | LastValue | Duplicate envoy clusters caused by service entries with same hostname |
pilot_eds_no_instances | LastValue | Number of clusters without instances. |
pilot_endpoint_not_ready | LastValue | Endpoint found in unready state. |
-pilot_invalid_out_listeners | LastValue | Number of invalid outbound listeners. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
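Review bot: `pilot_invalid_out_listeners` is deleted from the metrics table and this hunk names no replacement. Dashboards and alerts that query it will return nothing after an upgrade, so the removal should be called out in the release notes together with the metric that supersedes it, if one does.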
diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html
index b6b1d06c76..f5970d21a2 100644
--- a/content/en/docs/reference/commands/pilot-discovery/index.html
+++ b/content/en/docs/reference/commands/pilot-discovery/index.html
@@ -41,11 +41,11 @@ number_of_entries: 5
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, default, mcp, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -65,7 +65,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -174,12 +174,12 @@ number_of_entries: 5
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, default, mcp, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -204,7 +204,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -316,11 +316,11 @@ number_of_entries: 5
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, default, mcp, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -340,7 +340,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -394,12 +394,12 @@ number_of_entries: 5
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, default, mcp, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -424,7 +424,7 @@ number_of_entries: 5
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, default, mcp, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, authn, caSecretController, configMapController, default, k8sController, mcp, model, pkiCaLog, rbac, rootCertRotator] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -468,6 +468,12 @@ These environment variables affect the behavior of the pilot-discovery
+PILOT_BLOCK_HTTP_ON_443 |
+Boolean |
+true |
+If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic |
+
+
PILOT_CERT_DIR |
String |
|
@@ -513,7 +519,7 @@ These environment variables affect the behavior of the pilot-discoveryPILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
Boolean |
true |
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
+If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_MYSQL_FILTER |
@@ -637,6 +643,11 @@ These environment variables affect the behavior of the pilot-discoveryMetric Name | Type | Description |
+citadel_secret_controller_csr_err_count | Sum | The number of errors occurred when creating the CSR. |
+citadel_secret_controller_csr_sign_err_count | Sum | The number of errors occurred when signing the CSR. |
+citadel_secret_controller_secret_deleted_cert_count | Sum | The number of certificates recreated due to secret deletion (service account still exists). |
+citadel_secret_controller_svc_acc_created_cert_count | Sum | The number of certificates created due to service account creation. |
+citadel_secret_controller_svc_acc_deleted_cert_count | Sum | The number of certificates deleted due to service account deletion. |
endpoint_no_pod | LastValue | Endpoints without an associated pod. |
istio_build | LastValue | Istio component build info |
istio_mcp_clients_total | LastValue | The number of streams currently connected. |
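Review bot: The five `citadel_secret_controller_*` rows are added to the pilot-discovery metrics table with no text explaining why a Citadel controller reports from this command, and the same diff adds the scopes `caSecretController`, `pkiCaLog` and `rootCertRotator` to its logging flags. Add a sentence to the page or the release notes saying whether pilot-discovery now emits these, so operators know where to point alerts on CSR creation and signing errors. Also, "errors occurred" should read "errors that occurred" in the two `csr` descriptions.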
@@ -648,6 +659,7 @@ These environment variables affect the behavior of the pilot-discoveryistio_mcp_send_failures_total | Sum | The number of send failures in the source. |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
+pilot_conflict_outbound_listener_http_over_https | LastValue | Number of conflicting HTTP listeners with well known HTTPS ports |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
@@ -665,8 +677,8 @@ These environment variables affect the behavior of the pilot-discoverypilot_k8s_object_errors | LastValue | Errors converting k8s CRDs |
pilot_k8s_reg_events | Sum | Events from k8s registry. |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
-pilot_proxy_convergence_time | Distribution | Delay between config change and all proxies converging. |
-pilot_proxy_queue_time | Distribution | Time a proxy is in the push queue before being dequeued. |
+pilot_proxy_convergence_time | Distribution | Delay in seconds between config change and a proxy receiving all required configuration. |
+pilot_proxy_queue_time | Distribution | Time in seconds, a proxy is in the push queue before being dequeued. |
pilot_rds_expired_nonce | Sum | Total number of RDS messages with an expired nonce. |
pilot_services | LastValue | Total services known to pilot. |
pilot_total_rejected_configs | Sum | Total number of configs that Pilot had to reject or ignore. |
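Review bot: The new `pilot_proxy_queue_time` text has a stray comma ("Time in seconds, a proxy is in the push queue"); "Time in seconds a proxy spends in the push queue before being dequeued" reads correctly. The `pilot_proxy_convergence_time` rewording also changes the stated meaning from all proxies converging to a single proxy receiving its configuration, so confirm that this matches what the distribution actually records.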
@@ -680,7 +692,7 @@ These environment variables affect the behavior of the pilot-discoverypilot_xds_eds_reject | LastValue | Pilot rejected EDS. |
pilot_xds_lds_reject | LastValue | Pilot rejected LDS. |
pilot_xds_push_context_errors | Sum | Number of errors (timeouts) initiating push context. |
-pilot_xds_push_time | Distribution | Total time in second Pilot takes to push lds, rds, cds and eds. |
+pilot_xds_push_time | Distribution | Total time in seconds Pilot takes to push lds, rds, cds and eds. |
pilot_xds_pushes | Sum | Pilot build and send errors for lds, rds, cds and eds. |
pilot_xds_rds_reject | LastValue | Pilot rejected RDS. |
pilot_xds_write_timeout | Sum | Pilot XDS response write timeouts. |
diff --git a/content/en/docs/reference/commands/sidecar-injector/index.html b/content/en/docs/reference/commands/sidecar-injector/index.html
index edc6e587ee..9eaa6c70f5 100644
--- a/content/en/docs/reference/commands/sidecar-injector/index.html
+++ b/content/en/docs/reference/commands/sidecar-injector/index.html
@@ -47,11 +47,11 @@ number_of_entries: 4
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, default, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -71,7 +71,7 @@ number_of_entries: 4
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -90,6 +90,10 @@ number_of_entries: 4
Webhook port (default `443`) |
+--reconcileWebhookConfig |
+Enable managing webhook configuration. |
+
+
--tlsCertFile <string> |
File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`) |
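Review bot: `--reconcileWebhookConfig` is documented only as "Enable managing webhook configuration.", which does not say which webhook configuration object the injector manages or what the default is, unlike the neighbouring flags that show `(default ...)`. Because enabling it means the injector manages webhook configuration itself, the description should name the object and the default so operators can scope the injector's permissions accordingly. The same wording is repeated in the two later hunks that add this flag.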
@@ -153,11 +157,11 @@ number_of_entries: 4
--log_caller <string> |
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, default, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> |
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -177,7 +181,7 @@ number_of_entries: 4
--log_stacktrace_level <string> |
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -200,6 +204,10 @@ number_of_entries: 4
Path of the file for checking the availability. (default ``) |
+--reconcileWebhookConfig |
+Enable managing webhook configuration. |
+
+
--tlsCertFile <string> |
File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`) |
@@ -268,12 +276,12 @@ number_of_entries: 4
--log_caller <string> |
|
-Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, default, model, rbac] (default ``) |
+Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac] (default ``) |
--log_output_level <string> |
|
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) |
--log_rotate <string> |
@@ -298,7 +306,7 @@ number_of_entries: 4
--log_stacktrace_level <string> |
|
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) |
--log_target <stringArray> |
@@ -326,6 +334,11 @@ number_of_entries: 4
Webhook port (default `443`) |
+--reconcileWebhookConfig |
+ |
+Enable managing webhook configuration. |
+
+
--short |
-s |
Use --short=false to generate full version information |
@@ -371,6 +384,12 @@ These environment variables affect the behavior of the sidecar-injectorSets the maximum number of concurrent grpc streams.
+PILOT_BLOCK_HTTP_ON_443 |
+Boolean |
+true |
+If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic |
+
+
PILOT_CERT_DIR |
String |
|
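Review bot: `PILOT_BLOCK_HTTP_ON_443` is listed here among the variables that affect the sidecar-injector, yet its description is about HTTP services being blocked on port 443, which reads as Pilot behaviour. If the injector does not act on it, the generated table should omit it; if it appears only because shared packages register it, say so at the top of the table.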
@@ -416,7 +435,7 @@ These environment variables affect the behavior of the sidecar-injectorPILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
Boolean |
true |
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
+If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. |
PILOT_ENABLE_MYSQL_FILTER |
@@ -532,13 +551,13 @@ These environment variables affect the behavior of the sidecar-injectoristio_build | LastValue | Istio component build info |
pilot_conflict_inbound_listener | LastValue | Number of conflicting inbound listeners. |
pilot_conflict_outbound_listener_http_over_current_tcp | LastValue | Number of conflicting wildcard http listeners with current wildcard tcp listener. |
+pilot_conflict_outbound_listener_http_over_https | LastValue | Number of conflicting HTTP listeners with well known HTTPS ports |
pilot_conflict_outbound_listener_tcp_over_current_http | LastValue | Number of conflicting wildcard tcp listeners with current wildcard http listener. |
pilot_conflict_outbound_listener_tcp_over_current_tcp | LastValue | Number of conflicting tcp listeners with current tcp listener. |
pilot_destrule_subsets | LastValue | Duplicate subsets across destination rules for same host |
pilot_duplicate_envoy_clusters | LastValue | Duplicate envoy clusters caused by service entries with same hostname |
pilot_eds_no_instances | LastValue | Number of clusters without instances. |
pilot_endpoint_not_ready | LastValue | Endpoint found in unready state. |
-pilot_invalid_out_listeners | LastValue | Number of invalid outbound listeners. |
pilot_jwks_resolver_network_fetch_fail_total | Sum | Total number of failed network fetch by pilot jwks resolver |
pilot_jwks_resolver_network_fetch_success_total | Sum | Total number of successfully network fetch by pilot jwks resolver |
pilot_no_ip | LastValue | Pods not found in the endpoint table, possibly invalid. |
diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html
index 32bb26a107..ac2e26bd9d 100644
--- a/content/en/docs/reference/config/annotations/index.html
+++ b/content/en/docs/reference/config/annotations/index.html
@@ -15,6 +15,7 @@ Istio supports to control its behavior.
Annotation Name |
+ Resource Types |
Description |
@@ -31,6 +32,7 @@ Istio supports to control its behavior.
kubernetes.io/ingress.class |
+ [Ingress] |
Annotation on an Ingress resources denoting the class of controllers responsible for it. |
@@ -46,6 +48,7 @@ Istio supports to control its behavior.
networking.istio.io/exportTo |
+ [Service] |
Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. |
@@ -55,6 +58,7 @@ Istio supports to control its behavior.
policy.istio.io/check |
+ [Pod] |
Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests. |
@@ -64,6 +68,7 @@ Istio supports to control its behavior.
policy.istio.io/checkBaseRetryWaitTime |
+ [Pod] |
Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms. |
@@ -73,6 +78,7 @@ Istio supports to control its behavior.
policy.istio.io/checkMaxRetryWaitTime |
+ [Pod] |
Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms. |
@@ -82,6 +88,7 @@ Istio supports to control its behavior.
policy.istio.io/checkRetries |
+ [Pod] |
The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries. |
@@ -91,7 +98,8 @@ Istio supports to control its behavior.
policy.istio.io/lang |
- Selects the attribute expression langauge runtime for Mixer.. |
+ [Pod] |
+ Selects the attribute expression language runtime for Mixer. |
@@ -100,7 +108,8 @@ Istio supports to control its behavior.
readiness.status.sidecar.istio.io/applicationPorts |
- Specifies the list of ports exposed by the application container. Used by the istio-proxy readiness probe to determine that Envoy is configured and ready to receive traffic. |
+ [Pod] |
+ Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic. |
@@ -109,7 +118,8 @@ Istio supports to control its behavior.
readiness.status.sidecar.istio.io/failureThreshold |
- Specifies the failure threshold for the istio-proxy readiness probe. |
+ [Pod] |
+ Specifies the failure threshold for the Envoy sidecar readiness probe. |
@@ -118,7 +128,8 @@ Istio supports to control its behavior.
readiness.status.sidecar.istio.io/initialDelaySeconds |
- Specifies the initial delay (in seconds) for the istio-proxy readiness probe. |
+ [Pod] |
+ Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe. |
@@ -127,7 +138,8 @@ Istio supports to control its behavior.
readiness.status.sidecar.istio.io/periodSeconds |
- Specifies the period (in seconds) for the istio-proxy readiness probe. |
+ [Pod] |
+ Specifies the period (in seconds) for the Envoy sidecar readiness probe. |
@@ -138,6 +150,7 @@ Istio supports to control its behavior.
sidecar.istio.io/bootstrapOverride |
+ [Pod] |
Specifies an alternative Envoy bootstrap configuration file. |
@@ -147,6 +160,7 @@ Istio supports to control its behavior.
sidecar.istio.io/componentLogLevel |
+ [Pod] |
Specifies the component log level for Envoy. |
@@ -156,7 +170,8 @@ Istio supports to control its behavior.
sidecar.istio.io/controlPlaneAuthPolicy |
- Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between istio-proxy sidecars will be wrapped into mutual TLS connections. |
+ [Pod] |
+ Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections. |
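Review bot: The rewritten `sidecar.istio.io/controlPlaneAuthPolicy` description lost the plural: "traffic between Envoy sidecar will be wrapped" should be "traffic between Envoy sidecars". While this line is being edited, it would also help to state which value applies when the annotation is absent, since `NONE` leaves the traffic unencrypted.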
@@ -165,7 +180,8 @@ Istio supports to control its behavior.
sidecar.istio.io/discoveryAddress |
- Specifies the XDS discovery address to be used by the istio-proxy sidecar. |
+ [Pod] |
+ Specifies the XDS discovery address to be used by the Envoy sidecar. |
@@ -174,7 +190,8 @@ Istio supports to control its behavior.
sidecar.istio.io/inject |
- Specifies whether or not an istio-proxy sidecar should be automatically injected into the workload. |
+ [Pod] |
+ Specifies whether or not an Envoy sidecar should be automatically injected into the workload. |
@@ -183,6 +200,7 @@ Istio supports to control its behavior.
sidecar.istio.io/interceptionMode |
+ [Pod] |
Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). |
@@ -192,6 +210,7 @@ Istio supports to control its behavior.
sidecar.istio.io/logLevel |
+ [Pod] |
Specifies the log level for Envoy. |
@@ -201,7 +220,8 @@ Istio supports to control its behavior.
sidecar.istio.io/proxyCPU |
- Specifies the requested CPU setting for the istio-proxy sidecar. |
+ [Pod] |
+ Specifies the requested CPU setting for the Envoy sidecar. |
@@ -210,7 +230,8 @@ Istio supports to control its behavior.
sidecar.istio.io/proxyImage |
- Specifies the Docker image to be used by the istio-proxy sidecar. |
+ [Pod] |
+ Specifies the Docker image to be used by the Envoy sidecar. |
@@ -219,7 +240,8 @@ Istio supports to control its behavior.
sidecar.istio.io/proxyMemory |
- Specifies the requested memory setting for the istio-proxy sidecar. |
+ [Pod] |
+ Specifies the requested memory setting for the Envoy sidecar. |
@@ -228,7 +250,8 @@ Istio supports to control its behavior.
sidecar.istio.io/rewriteAppHTTPProbers |
- Rewrite HTTP readiness and liveness probes to be redirected to istio-proxy sidecar. |
+ [Pod] |
+ Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar. |
@@ -237,6 +260,7 @@ Istio supports to control its behavior.
sidecar.istio.io/statsInclusionPrefixes |
+ [Pod] |
Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. |
@@ -246,6 +270,7 @@ Istio supports to control its behavior.
sidecar.istio.io/statsInclusionRegexps |
+ [Pod] |
Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. |
@@ -255,6 +280,7 @@ Istio supports to control its behavior.
sidecar.istio.io/statsInclusionSuffixes |
+ [Pod] |
Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. |
@@ -264,7 +290,8 @@ Istio supports to control its behavior.
sidecar.istio.io/status |
- Generated by istio-proxy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. |
+ [Pod] |
+ Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. |
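Review bot: In the sidecar.istio.io/status description, "Generated by Envoy sidecar injection that indicates the status of the operation" no longer parses after the istio-proxy to Envoy rename, and it reads as if Envoy itself writes the annotation. Suggest "Generated by sidecar injection; indicates the status of the operation." so the entry is clearly an output of injection, unlike the neighbouring "Specifies ..." annotations that a user sets.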
@@ -273,7 +300,8 @@ Istio supports to control its behavior.
sidecar.istio.io/userVolume |
- Specifies one or more user volumes (as a JSON array) to be added to the istio-proxy sidecar. |
+ [Pod] |
+ Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar. |
@@ -282,7 +310,8 @@ Istio supports to control its behavior.
sidecar.istio.io/userVolumeMount |
- Specifies one or more user volume mounts (as a JSON array) to be added to the istio-proxy sidecar. |
+ [Pod] |
+ Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar. |
@@ -291,7 +320,8 @@ Istio supports to control its behavior.
status.sidecar.istio.io/port |
- Specifies the HTTP status Port for the istio-proxy sidecar. If zero, the istio-proxy will not provide status. |
+ [Pod] |
+ Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status. |
@@ -300,6 +330,7 @@ Istio supports to control its behavior.
traffic.sidecar.istio.io/excludeInboundPorts |
+ [Pod] |
A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected. |
@@ -309,6 +340,7 @@ Istio supports to control its behavior.
traffic.sidecar.istio.io/excludeOutboundIPRanges |
+ [Pod] |
A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected. |
@@ -318,6 +350,7 @@ Istio supports to control its behavior.
traffic.sidecar.istio.io/excludeOutboundPorts |
+ [Pod] |
A comma separated list of outbound ports to be excluded from redirection to Envoy. |
@@ -327,6 +360,7 @@ Istio supports to control its behavior.
traffic.sidecar.istio.io/includeInboundPorts |
+ [Pod] |
A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection. |
@@ -336,7 +370,8 @@ Istio supports to control its behavior.
traffic.sidecar.istio.io/includeOutboundIPRanges |
- A comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
+ [Pod] |
+ A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
@@ -345,6 +380,7 @@ Istio supports to control its behavior.
traffic.sidecar.istio.io/kubevirtInterfaces |
+ [Pod] |
A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |
diff --git a/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html b/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html
index 6e919567f3..acf1899e59 100644
--- a/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.authentication.v1alpha1/index.html
@@ -14,9 +14,8 @@ number_of_entries: 11
Jwt
JSON Web Token (JWT) token format for authentication as defined by
-RFC 7519. See OAuth
-2.0 and OIDC
-1.0 for how this is used in the whole
+RFC 7519. See OAuth 2.0 and
+OIDC 1.0 for how this is used in the whole
authentication flow.
For example:
@@ -145,7 +144,7 @@ See https://auth0.com/docs/jwks.
header name.
For example, if header=x-goog-iap-jwt-assertion
, the header
-format will be x-goog-iap-jwt-assertion: <JWT>.
+format will be x-goog-iap-jwt-assertion: <JWT>
.
diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
index 9d0330e578..30085a4b9b 100644
--- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
@@ -6,7 +6,7 @@ description: Configuration affecting the service mesh as a whole.
location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
-number_of_entries: 25
+number_of_entries: 26
---
Configuration affecting the service mesh as a whole.
@@ -45,6 +45,54 @@ Mesh policy cannot be INHERIT.
Use the policy defined by the parent scope. Should not be used for mesh
policy.
+
+
+
+
+
+Certificate
+
+Certificate configures the provision of a certificate and its key.
+Example 1: key and cert stored in a secret
+{ secretName: galley-cert
+ secretNamespace: istio-system
+ dnsNames:
+ - galley.istio-system.svc
+ - galley.mydomain.com
+}
+Example 2: key and cert stored in a directory
+{ dnsNames:
+ - pilot.istio-system
+ - pilot.istio-system.svc
+ - pilot.mydomain.com
+}
+
+
+
+
+Field |
+Type |
+Description |
+
+
+
+
+secretName |
+string |
+
+ Name of the secret the certificate and its key will be stored into.
+If it is empty, it will not be stored into a secret.
+Instead, the certificate and its key will be stored into a hard-coded directory.
+
+ |
+
+
+dnsNames |
+string[] |
+
+ The DNS names for the certificate. A certificate may contain
+multiple DNS names.
+
|
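Review bot: Example 1 in the new Certificate section sets "secretNamespace: istio-system", but the field table below documents only secretName and dnsNames, so a reader cannot tell whether secretNamespace is a real field or what it defaults to. Either add a secretNamespace row or drop it from the example. The secretName description also says the key is written to "a hard-coded directory" without naming it; please state the path, since operators need it to check file permissions on the private key. Minor: both examples open with "{" but continue in YAML block style, which will not parse if copied as written.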
@@ -529,8 +577,23 @@ If service DestinationRule exists and has TLSSettings specified, that is always
string |
The trust domain corresponds to the trust root of a system.
-Refer to SPIFFE-ID
-Fallback to old identity format(without trust domain) if not set.
+Refer to SPIFFE-ID
+
+ |
+
+
+trustDomainAliases |
+string[] |
+
+ The trust domain aliases represent the aliases of trust_domain .
+For example, if we have
+
+trustDomain: td1
+trustDomainAliases: [“td2”, "td3"]
+
+
+Any service with the identity td1/ns/foo/sa/a-service-account , td2/ns/foo/sa/a-service-account ,
+or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.
|
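Review bot: The trustDomainAliases example mixes quote styles: in "trustDomainAliases: [“td2”, "td3"]" the first alias uses typographic quotes, which a YAML parser keeps as part of the value instead of treating as string delimiters. Use straight quotes for both entries. This hunk also deletes "Fallback to old identity format(without trust domain) if not set." from the trustDomain description, leaving the unset case undocumented; if the fallback still exists, keep the sentence. Since the new text says identities under td1, td2 and td3 "will be treated the same", it would help to say explicitly that every alias is trusted exactly as much as trustDomain itself.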
@@ -668,7 +731,7 @@ It can be enabled by destination using the destinationRule.trafficPolicy.connect
string |
Name to be used while emitting statistics for inbound clusters.
-By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>.
+By default, Istio emits statistics with the pattern inbound|||.
For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.
A Pattern can be composed of various pre-defined variables. The following variables are supported.
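Review bot: The default inbound pattern lost its placeholders: the new line reads "the pattern inbound|||." where the old one had "inbound|<port>|<port-name>|<service-FQDN>". The angle-bracket names appear to have been swallowed as markup. Escape them or wrap the pattern in a code span so the three fields are visible again; the following example line (inbound|7443|grpc-reviews|...) is not enough to tell a reader which position is which.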
@@ -688,7 +751,7 @@ For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can b
| string |
Name to be used while emitting statistics for outbound clusters.
-By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>.
+By default, Istio emits statistics with the pattern outbound|||.
For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.
A Pattern can be composed of various pre-defined variables. The following variables are supported.
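Review bot: The default outbound pattern now renders as "outbound|||." because the placeholders from "outbound|<port>|<subsetname>|<service-FQDN>" were dropped. Restore them with escaped angle brackets or a code span; without them the documented default is three empty fields.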
@@ -702,6 +765,14 @@ For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to
%SERVICEFQDN%%SERVICEPORT% will use reviews.prod.svc.cluster.local7443 as the stats name.
%SERVICE% will use reviews.prod as the stats name.
+ |
+
+
+certificates |
+Certificate[] |
+
+ Configure the provision of certificates.
+
|
diff --git a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
index f6c3d6e8e8..0d0182e865 100644
--- a/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
+++ b/content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html
@@ -1,12 +1,10 @@
---
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/operator' REPO
-source_repo: https://github.com/istio/operator
title: Operator Installation
description: Configuration for Istio control plane installation through the Operator.
location: https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb.html
layout: protoc-gen-docs
generator: protoc-gen-docs
-number_of_entries: 52
+number_of_entries: 55
---
IstioControlPlane is a schema for both defining and customizing Istio control plane installations.
Running the operator with an empty user defined InstallSpec results in an control plane with default values, using the
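Review bot: The front matter drops both "WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT" and "source_repo: https://github.com/istio/operator" while "generator: protoc-gen-docs" stays, so the page is still generated but no longer says so or where its source lives. If the source moved to another repository, update source_repo instead of deleting it; otherwise hand edits to this file will be silently overwritten on the next regeneration.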
@@ -19,8 +17,7 @@ Istio.
Deeper customization is possible at three levels:
-- New APIs defined in this file
-
+New APIs defined in this file
Feature API: this API groups an Istio install by features and allows enabling/disabling the features, selecting base
control plane profiles, as well as some additional high level settings that are feature specific. Each feature contains
@@ -28,131 +25,119 @@ one or more components, which correspond to Istio components (Pods) in the clust
k8s API: this API is a pass through to k8s resource settings for Istio k8s resources. It allows customizing Istio k8s
resources like Affinity, Resource requests/limits, PodDisruptionBudgetSpec, Selectors etc. in a more consistent and
-k8s specific way compared to values.yaml. See KubernetesResourcesSpec in this file for details.
+k8s specific way compared to values.yaml. See KubernetesResourcesSpec in this file for details.
-
-- values.yaml
-
+values.yaml
The entirety of values.yaml settings is accessible through InstallSpec (see CommonComponentSpec/Values).
This API will gradually be deprecated and values there will be moved either into CRDs that are used to directly
-configure components or, in the case of k8s settings, will be replaced by the new API above.
+configure components or, in the case of k8s settings, will be replaced by the new API above.
-
-- k8s resource overlays
-
+k8s resource overlays
Once a manifest is rendered from InstallSpec, a further customization can be applied by specifying k8s resource
overlays. The concept is similar to kustomize, where JSON patches are applied for object paths. This allows
-customization at the lowest level and eliminates the need to create ad-hoc template parameters, or edit templates.
+customization at the lowest level and eliminates the need to create ad-hoc template parameters, or edit templates.
+
-EXAMPLES
+Here are a few example uses:
-- Default Istio install
-
+Default Istio install
spec:
-
-- Default minimal profile install
-
-
-spec:
+Default minimal profile install
+yaml
+spec:
profile: minimal
-
+
+
-
-- Default install with telemetry disabled
-
+Default install with telemetry disabled
spec:
-telemetry:
-enabled: false
+ telemetry:
+ enabled: false
-
-- Default install with each feature installed to different namespace and security components in separate namespaces
-
-
-spec:
+Default install with each feature installed to different namespace and security components in separate namespaces
+yaml
+spec:
traffic_management:
components:
-namespace: istio-traffic-management
+ namespace: istio-traffic-management
policy:
components:
-namespace: istio-policy
+ namespace: istio-policy
telemetry:
components:
-namespace: istio-telemetry
+ namespace: istio-telemetry
config_management:
components:
-namespace: istio-config-management
+ namespace: istio-config-management
security:
components:
-citadel:
-namespace: istio-citadel
-cert_manager:
-namespace: istio-cert-manager
-node_agent:
-namespace: istio-node-agent
-
+ citadel:
+ namespace: istio-citadel
+ cert_manager:
+ namespace: istio-cert-manager
+ node_agent:
+ namespace: istio-node-agent
+
+
-
-- Default install with specialized k8s settings for pilot
-
+Default install with specialized k8s settings for pilot
spec:
+ traffic_management:
+ components:
+ pilot:
+ k8s:
+ resources:
+ limits:
+ cpu: 444m
+ memory: 333Mi
+ requests:
+ cpu: 222m
+ memory: 111Mi
+ readinessProbe:
+ failureThreshold: 44
+ initialDelaySeconds: 11
+ periodSeconds: 22
+ successThreshold: 33
+
+
+- Default install with values.yaml customizations for proxy
+
yaml
+spec:
traffic_management:
components:
-pilot:
-k8s:
-resources:
-limits:
-cpu: 444m
-memory: 333Mi
-requests:
-cpu: 222m
-memory: 111Mi
-readinessProbe:
-failureThreshold: 44
-initialDelaySeconds: 11
-periodSeconds: 22
-successThreshold: 33
-
+ proxy:
+ values:
+ - global.proxy.enableCoreDump: true
+ - global.proxy.dnsRefreshRate: 10s
+
+
-
-- Default install with values.yaml customizations for proxy
-
+Default install with modification to container flag in galley
spec:
-traffic_management:
-components:
-proxy:
-values:
-- global.proxy.enableCoreDump: true
-- global.proxy.dnsRefreshRate: 10s
-
-
-
-- Default install with modification to container flag in galley
+ configuration_management:
+ components:
+ galley:
+ k8s:
+ overlays:
+ - apiVersion: extensions/v1beta1
+ kind: Deployment
+ name: istio-galley
+ patches:
+ - path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval]
+ value: --livenessProbeInterval=123s
+
-spec:
-configuration_management:
-components:
-galley:
-k8s:
-overlays:
-- apiVersion: extensions/v1beta1
-kind: Deployment
-name: istio-galley
-patches:
-- path: spec.template.spec.containers.[name:galley].command.[--livenessProbeInterval]
-value: --livenessProbeInterval=123s
-
-
AutoInjectionFeatureSpec
Configuration options for auto injection feature.
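Review bot: Several examples in this hunk now carry a bare "yaml" line ahead of "spec:" (for instance "+yaml" before the minimal profile and the per-namespace examples), which looks like a code-fence language tag leaking into the rendered text; the fences need fixing in the source comment so the tag is consumed. The list markers were removed from every example title except "+- Default install with values.yaml customizations for proxy", so that one should be made consistent. While here: the per-namespace example uses the key "config_management" and the galley overlay example uses "configuration_management"; only one of these can match the schema, and a reader copying the wrong one gets a silently ignored block.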
@@ -211,6 +196,98 @@ value: --livenessProbeInterval=123s
+CNIComponentSpec
+
+Configuration options for cni component.
+
+
+
+CNIFeatureSpec
+
+Configuration options for cni feature.
+
+
+
+CNIFeatureSpec.Components
+
+
+
+
+Field |
+Type |
+Description |
+
+
+
+
+namespace |
+string |
+
+ Namespace that cni components are installed into.
+
+ |
+
+
+cni |
+CNIComponentSpec |
+
+ |
+
+
+
+
CertManagerComponentSpec
Configuration options for certificate manager component.
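Review bot: The new CNIComponentSpec and CNIFeatureSpec sections consist of a heading and one sentence each, with no field table, and the "cni" row under CNIFeatureSpec.Components has an empty description. Please add field comments in the proto so the generated page says what can be configured; as written the reader learns only that the types exist. "cni" in the descriptions should probably be capitalised as CNI to match the type names.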
@@ -423,7 +500,7 @@ value: --livenessProbeInterval=123s
GalleyComponentSpec
-Configuration options for node agent component.
+Configuration options for galley component.
@@ -841,6 +894,12 @@ Because the spec is a customization API, specifying an empty InstallSpec results
|
+
+cni |
+CNIFeatureSpec |
+
+ |
+
values |
TypeMapStringInterface |
diff --git a/content/en/docs/reference/config/networking/v1alpha3/service-entry/index.html b/content/en/docs/reference/config/networking/v1alpha3/service-entry/index.html
index 35db7ab773..888bad5074 100644
--- a/content/en/docs/reference/config/networking/v1alpha3/service-entry/index.html
+++ b/content/en/docs/reference/config/networking/v1alpha3/service-entry/index.html
@@ -389,7 +389,7 @@ or part of the mesh.
REQUIRED: Service discovery mode for the hosts. Care must be taken
when setting the resolution mode to NONE for a TCP port without
accompanying IP addresses. In such cases, traffic to any IP on
-said port will be allowed (i.e. 0.0.0.0:<port>).
+said port will be allowed (i.e. 0.0.0.0:).
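Review bot: The port placeholder was lost in the resolution-mode warning: "(i.e. 0.0.0.0:)" used to read "(i.e. 0.0.0.0:<port>)". This sentence is the caveat telling operators that resolution NONE on a TCP port without addresses allows traffic to any IP on that port, so it should stay precise. Escape the angle brackets or put the address in a code span so the placeholder renders.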
diff --git a/content/en/docs/reference/config/networking/v1alpha3/virtual-service/index.html b/content/en/docs/reference/config/networking/v1alpha3/virtual-service/index.html
index 45adee6f2b..079afe6d26 100644
--- a/content/en/docs/reference/config/networking/v1alpha3/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/v1alpha3/virtual-service/index.html
@@ -707,6 +707,17 @@ e.g. x-request-id.
only expose a single port or label ports with the protocols they support,
in these cases it is not required to explicitly select the port.
+
+
+
+sourceLabels |
+map<string, string> |
+
+ One or more labels that constrain the applicability of a rule to
+workloads with the given labels. If the VirtualService has a list of
+gateways specified at the top, it must include the reserved gateway
+mesh for this field to be applicable.
+
|
diff --git a/content/en/docs/reference/config/policy-and-telemetry/adapters/opa/index.html b/content/en/docs/reference/config/policy-and-telemetry/adapters/opa/index.html
index edb76b0c49..44281fd62c 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/adapters/opa/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/adapters/opa/index.html
@@ -71,7 +71,7 @@ failClose: true
string |
Query method to check.
-Format: data.<package name>.<method name>
+Format: data.<package name>.<method name>
|
diff --git a/content/en/docs/reference/config/policy-and-telemetry/adapters/redisquota/index.html b/content/en/docs/reference/config/policy-and-telemetry/adapters/redisquota/index.html
index 07b1191d99..9fc9ccad7a 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/adapters/redisquota/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/adapters/redisquota/index.html
@@ -62,7 +62,7 @@ quotas:
redisServerUrl |
string |
- Redis connection string <hostname>:<port number>
+ Redis connection string <hostname>:<port number>
ex) localhost:6379
|
diff --git a/content/en/docs/reference/config/policy-and-telemetry/adapters/signalfx/index.html b/content/en/docs/reference/config/policy-and-telemetry/adapters/signalfx/index.html
index 674b6aaa1d..c7ce9f297b 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/adapters/signalfx/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/adapters/signalfx/index.html
@@ -182,8 +182,8 @@ spans.
string |
Required. The name of the metric as it is sent to the adapter. In
-Kubernetes this is of the form “<name>.metric.<namespace>” where
-“<name>” is the name field of the metric resource, and “<namespace>”
+Kubernetes this is of the form <name>.metric.<namespace> where
+<name> is the name field of the metric resource, and <namespace>
is the namespace of the metric resource.
|
diff --git a/content/en/docs/reference/config/policy-and-telemetry/adapters/stackdriver/index.html b/content/en/docs/reference/config/policy-and-telemetry/adapters/stackdriver/index.html
index 7c49745ca8..bf58ab1e14 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/adapters/stackdriver/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/adapters/stackdriver/index.html
@@ -267,10 +267,12 @@ See https://godoc.org/cloud.google.com/go/logging#HTTPRequest
See https://godoc.org/cloud.google.com/go/logging/logadmin#Sink.
Ex: If you want to export it to a GCS bucket, id would be a unique idetifier you want for the sink,
destination would be the storage be name of GCS Storage bucket and filter would be user defined condition for
-filtering logs. See below for a sample config:
- id: ‘info-errors-to-gcs’
- destination: ‘storage.googleapis.com/<bucket_name>’
- filter: ‘severity >= Default’
+filtering logs. See below for a sample config:
+
+id: 'info-errors-to-gcs'
+destination: 'storage.googleapis.com/<bucket_name>'
+filter: 'severity >= Default'
+
diff --git a/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html b/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
index f53c310ed3..853657ec83 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
@@ -439,6 +439,17 @@ Report. This typically includes “destination.ip” and
Default attributes to forward to upstream. This typically
includes the “source.ip” and “source.uid” attributes.
+
+
+
+ignoreForwardedAttributes |
+bool |
+
+ Whether or not to use attributes forwarded in the request headers to
+create the attribute bag to send to mixer. For intra-mesh traffic,
+this should be set to “false”. For ingress/egress gateways, this
+should be set to “true”.
+
|
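Review bot: The ignoreForwardedAttributes description states the polarity backwards relative to the field name: "Whether or not to use attributes forwarded in the request headers" describes a "use" flag, while the field is "ignore" and the guidance (false for intra-mesh, true for gateways) only makes sense for "ignore". Suggest "Whether to ignore attributes forwarded in the request headers when creating the attribute bag sent to Mixer." The default value is also not stated; since the text says gateways should set it to true, readers need to know whether an unconfigured gateway honours forwarded attributes from outside the mesh.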
@@ -819,12 +830,15 @@ includes the “source.ip” and “source.uid” attributes.
In case of a per-route override, per-route attributes take precedence
over the attributes supplied in the client configuration.
-Forwarded attributes take precedence over the static Mixer attributes.
-The full order of application is as follows:
+
Forwarded attributes take precedence over the static Mixer attributes,
+except in cases where there is clear configuration to ignore forwarded
+attributes. Gateways, for instance, should never use forwarded attributes.
+
+The full order of application is as follows:
1. static Mixer attributes from the filter config;
2. static Mixer attributes from the route config;
-3. forwarded attributes from the source filter config (if any);
-4. forwarded attributes from the source route config (if any);
+3. forwarded attributes from the source filter config (if any and not ignored);
+4. forwarded attributes from the source route config (if any and not ignored);
5. derived attributes from the request metadata.
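Review bot: "except in cases where there is clear configuration to ignore forwarded attributes" should name the setting, ignoreForwardedAttributes, so the reader can find it; the same applies to "(if any and not ignored)" in steps 3 and 4. The added sentence "Gateways, for instance, should never use forwarded attributes" is stated as a rule but nothing here says it is enforced, so it is worth clarifying that it holds only when the flag is set on the gateway.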
diff --git a/content/en/docs/reference/config/security/v1beta1/authorization-policy/index.html b/content/en/docs/reference/config/security/v1beta1/authorization-policy/index.html
index 1dab747240..3062c37065 100644
--- a/content/en/docs/reference/config/security/v1beta1/authorization-policy/index.html
+++ b/content/en/docs/reference/config/security/v1beta1/authorization-policy/index.html
@@ -184,8 +184,7 @@ same namespace as the authorization policy.
string |
Required. The name of an Istio attribute.
-Note: Check https://istio.io/docs/reference/config/ for the list of supported
-attribute name.
+See the full list of supported attributes.
|
diff --git a/data/analysis.yaml b/data/analysis.yaml
index 0b9289b0a0..b3a18b6ff4 100644
--- a/data/analysis.yaml
+++ b/data/analysis.yaml
@@ -80,3 +80,14 @@ messages:
type: string
- name: port
type: int
+
+ - name: "IstioProxyVersionMismatch"
+ code: IST0105
+ level: Warning
+ description: "The version of the Istio proxy running on the pod does not match the version used by the istio injector."
+ template: "The version of the Istio proxy running on the pod does not match the version used by the istio injector (pod version: %s; injector version: %s). This often happens after upgrading the Istio control-plane and can be fixed by redeploying the pod."
+ args:
+ - name: proxyVersion
+ type: string
+ - name: injectionVersion
+ type: string
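Review bot: In the IST0105 entry the second argument is named "injectionVersion" while the template and description both say "injector version"; rename it to injectorVersion (or change the wording) so the generated message constructor matches the text. The template also repeats the description verbatim before adding the versions, and "istio injector" and "Istio control-plane" use inconsistent capitalisation within the same string.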