istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update reference docs. (#4737)

This commit is contained in:
Martin Taillefer 2019-07-29 10:23:50 -07:00 committed by GitHub
parent 34f7e853ed
commit 9cd1368a65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 912 additions and 799 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
content/boilerplates/notes/1.2.md
View File

@ -27,7 +27,7 @@
## Telemetry
- **Added** Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of [annotations](/docs/reference/commands/pilot-agent/#annotations).
- **Added** Full support for control over Envoy stats generation, based on stats prefixes, suffixes, and regular expressions through the use of annotations.
- **Changed** Prometheus generated traffic is excluded from metrics.
- **Added** support for sending traces to Datadog.
- **Graduated** [distributed tracing](/docs/tasks/telemetry/distributed-tracing/) from Beta to Stable.

35
content/docs/reference/commands/galley/index.html
View File

@ -528,38 +528,6 @@ These environment variables affect the behavior of the <code>galley</code> comma
</tr>
</tbody>
</table>
<h2 id="annotations">Annotations</h2>
These resource annotations are used by the <code>galley</code> command.
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
<tr>
<td><code>policy.istio.io/lang</code></td>
<td>Select a language runtime</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
@ -623,8 +591,11 @@ These resource annotations are used by the <code>galley</code> command.
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
</tbody>
</table>

67
content/docs/reference/commands/istio_ca/index.html
View File

@ -87,11 +87,11 @@ number_of_entries: 4
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, monitor, rbac] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, monitor] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, monitor, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, monitor] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -111,7 +111,7 @@ number_of_entries: 4
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, monitor, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, monitor] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -150,6 +150,10 @@ number_of_entries: 4
<td>Path to the root certificate file. (default ``)</td>
</tr>
<tr>
<td><code>--sds-enabled</code></td>
<td>Whether SDS is enabled. </td>
</tr>
<tr>
<td><code>--self-signed-ca</code></td>
<td>Indicates whether to use auto-generated self-signed CA certificate. When set to true, the &#39;--signing-cert&#39; and &#39;--signing-key&#39; options are ignored. </td>
</tr>
@ -225,11 +229,11 @@ number_of_entries: 4
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, monitor, rbac] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, monitor] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, monitor, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, monitor] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -249,7 +253,7 @@ number_of_entries: 4
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, monitor, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, monitor] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -292,12 +296,12 @@ number_of_entries: 4
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, monitor, rbac] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, monitor] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, model, monitor, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, monitor] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -322,7 +326,7 @@ number_of_entries: 4
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, model, monitor, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, monitor] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -361,51 +365,16 @@ These environment variables affect the behavior of the <code>istio_ca</code> com
</tr>
</tbody>
</table>
<h2 id="annotations">Annotations</h2>
These resource annotations are used by the <code>istio_ca</code> command.
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
<tr><td><code>csr_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when creating the CSR.</td></tr>
<tr><td><code>csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>secret_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates recreated due to secret deletion (service account still exists).</td></tr>
<tr><td><code>svc_acc_created_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates created due to service account creation.</td></tr>
<tr><td><code>svc_acc_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates deleted due to service account deletion.</td></tr>
</tbody>
</table>

285
content/docs/reference/commands/istioctl/index.html
View File

@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
title: istioctl
description: Istio control interface.
generator: pkg-collateral-docs
number_of_entries: 38
number_of_entries: 39
---
<p>Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.
@ -138,7 +138,7 @@ and check if TLS settings are compatible between them.
# Check settings for pod &#34;foo-656bd7df7c-5zp4s&#34; in namespace default:
istioctl authn tls-check foo-656bd7df7c-5zp4s.default
# Check settings for pod &#34;foo-656bd7df7c-5zp4s&#34; in namespace default, filtered on destintation
# Check settings for pod &#34;foo-656bd7df7c-5zp4s&#34; in namespace default, filtered on destination
service &#34;bar&#34; :
istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
@ -794,6 +794,71 @@ istioctl experimental d [flags]
</table>
<h3 id="istioctl-experimental-dashboard-zipkin Examples">Examples</h3>
<pre class="language-bash"><code>istioctl experimental dashboard zipkin
</code></pre>
<h2 id="istioctl-experimental-kube-uninject">istioctl experimental kube-uninject</h2>
<p></p>
<p>kube-uninject is used to prevent Istio from adding a sidecar and
also provides the inverse of &#34;istioctl kube-inject -f&#34;.</p>
<p></p>
<pre class="language-bash"><code>istioctl experimental kube-uninject [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--filename &lt;string&gt;</code></td>
<td><code>-f</code></td>
<td>Input Kubernetes resource filename (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--output &lt;string&gt;</code></td>
<td><code>-o</code></td>
<td>Modified output Kubernetes resource filename (default ``)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-kube-uninject Examples">Examples</h3>
<pre class="language-bash"><code>
# Update resources before applying.
kubectl apply -f &lt;(istioctl experimental kube-uninject -f &lt;resource.yaml&gt;)
# Create a persistent version of the deployment by removing Envoy sidecar.
istioctl experimental kube-uninject -f deployment.yaml -o deployment-uninjected.yaml
# Update an existing deployment.
kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kubectl apply -f -
</code></pre>
<h2 id="istioctl-experimental-metrics">istioctl experimental metrics</h2>
<p>
@ -1695,7 +1760,7 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>ISTIO_LANG</code></td>
@ -1719,13 +1784,13 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
<td></td>
<td>The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we&#39;ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_MAX</code></td>
<td>Time Duration</td>
<td><code>10s</code></td>
<td></td>
<td>The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we&#39;ll trigger a push.</td>
</tr>
<tr>
<td><code>PILOT_DEBUG_ADSZ_CONFIG</code></td>
@ -1734,27 +1799,9 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_EDS_ISOLATION</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_EMPTY_ROUTE_RESPONSE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>DisableEmptyRouteResponse provides an option to disable a partial route response. This will cause Pilot to ignore a route request if Pilot generates a nil route (due to an error). This may cause Envoy to wait forever for the route, blocking listeners from receiving traffic. The default behavior (without this flag set) is to explicitly send an empty route. This will break routing for that particular route, but allow others on the same listener to work.</td>
</tr>
<tr>
<td><code>PILOT_DISABLE_PARTIAL_ROUTE_RESPONSE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>DisablePartialRouteResponse provides an option to disable a partial route response. This will cause Pilot to send an error if any routes are invalid. The default behavior (without this flag) is to just skip the invalid route.</td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>String</td>
<td><code></code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
@ -1764,12 +1811,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LOCALITY_LOAD_BALANCING</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1782,16 +1823,10 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_WAIT_CACHE_SYNC</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INITIAL_FETCH_TIMEOUT</code></td>
@ -1800,16 +1835,16 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.</td>
</tr>
<tr>
<td><code>PILOT_PUSH_BURST</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_PUSH_THROTTLE</code></td>
<td>Integer</td>
<td><code>10</code></td>
<td></td>
<td><code>100</code></td>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
@ -1821,7 +1856,7 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td></td>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>POD_NAME</code></td>
@ -1830,16 +1865,16 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td></td>
</tr>
<tr>
<td><code>ProxyInboundListenPort</code></td>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>15006</code></td>
<td></td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
<td><code>USE_ISTIO_JWT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
@ -1849,142 +1884,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
</tr>
</tbody>
</table>
<h2 id="annotations">Annotations</h2>
These resource annotations are used by the <code>istioctl</code> command.
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
<tr>
<td><code>policy.istio.io/lang</code></td>
<td>Select a language runtime</td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/applicationPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/failureThreshold</code></td>
<td></td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/initialDelaySeconds</code></td>
<td></td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/periodSeconds</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/bootstrapOverride</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/controlPlaneAuthPolicy</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/discoveryAddress</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/inject</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/interceptionMode</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyCPU</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyImage</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyMemory</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/rewriteAppHTTPProbers</code></td>
<td>Rewrite HTTP readiness and liveness probes to be redirected to istio-proxy sidecar</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionPrefixes</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionRegexps</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionSuffixes</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/status</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/userVolume</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/userVolumeMount</code></td>
<td></td>
</tr>
<tr>
<td><code>status.sidecar.istio.io/port</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeInboundPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeOutboundIPRanges</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeOutboundPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/includeInboundPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/includeOutboundIPRanges</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/kubevirtInterfaces</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
@ -2027,11 +1926,14 @@ These resource annotations are used by the <code>istioctl</code> command.
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_inbound_updates</code></td><td><code>Sum</code></td><td>Total number of updates received by pilot.</td></tr>
<tr><td><code>pilot_invalid_out_listeners</code></td><td><code>LastValue</code></td><td>Number of invalid outbound listeners.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_k8s_cfg_events</code></td><td><code>Sum</code></td><td>Events from k8s config.</td></tr>
<tr><td><code>pilot_k8s_object_errors</code></td><td><code>LastValue</code></td><td>Errors converting k8s CRDs</td></tr>
<tr><td><code>pilot_k8s_reg_events</code></td><td><code>Sum</code></td><td>Events from k8s registry.</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_proxy_convergence_time</code></td><td><code>Distribution</code></td><td>Delay between config change and all proxies converging.</td></tr>
<tr><td><code>pilot_proxy_queue_time</code></td><td><code>Distribution</code></td><td>Time a proxy is in the push queue before being dequeued.</td></tr>
<tr><td><code>pilot_rds_expired_nonce</code></td><td><code>Sum</code></td><td>Total number of RDS messages with an expired nonce.</td></tr>
<tr><td><code>pilot_services</code></td><td><code>LastValue</code></td><td>Total services known to pilot.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
@ -2045,9 +1947,6 @@ These resource annotations are used by the <code>istioctl</code> command.
<tr><td><code>pilot_xds_eds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected EDS.</td></tr>
<tr><td><code>pilot_xds_lds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected LDS.</td></tr>
<tr><td><code>pilot_xds_push_context_errors</code></td><td><code>Sum</code></td><td>Number of errors (timeouts) initiating push context.</td></tr>
<tr><td><code>pilot_xds_push_errors</code></td><td><code>Sum</code></td><td>Number of errors (timeouts) pushing to sidecars.</td></tr>
<tr><td><code>pilot_xds_push_timeout</code></td><td><code>Sum</code></td><td>Pilot push timeout, will retry.</td></tr>
<tr><td><code>pilot_xds_push_timeout_failures</code></td><td><code>Sum</code></td><td>Pilot push timeout failures after repeated attempts.</td></tr>
<tr><td><code>pilot_xds_pushes</code></td><td><code>Sum</code></td><td>Pilot build and send errors for lds, rds, cds and eds.</td></tr>
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>

56
content/docs/reference/commands/mixs/index.html
View File

@ -30,11 +30,11 @@ nexus for policy evaluation and telemetry reporting.</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig, model, rbac] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -54,7 +54,7 @@ nexus for policy evaluation and telemetry reporting.</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -177,12 +177,12 @@ nexus for policy evaluation and telemetry reporting.</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig, model, rbac] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -207,7 +207,7 @@ nexus for policy evaluation and telemetry reporting.</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig, model, rbac] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [adapters, all, api, attributes, default, grpcAdapter, kube-converter, loadshedding, mcp, meshconfig] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -359,45 +359,12 @@ These environment variables affect the behavior of the <code>mixs</code> command
</tr>
</tbody>
</table>
<h2 id="annotations">Annotations</h2>
These resource annotations are used by the <code>mixs</code> command.
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
<tr>
<td><code>policy.istio.io/lang</code></td>
<td>Select a language runtime</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>mixer_config_adapter_info_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the adapter info configuration.</td></tr>
<tr><td><code>mixer_config_adapter_info_configs_total</code></td><td><code>LastValue</code></td><td>The number of known adapters in the current config.</td></tr>
<tr><td><code>mixer_config_attributes_total</code></td><td><code>LastValue</code></td><td>The number of known attributes in the current config.</td></tr>
@ -424,16 +391,5 @@ These resource annotations are used by the <code>mixs</code> command.
<tr><td><code>mixer_loadshedding_requests_throttled</code></td><td><code>Count</code></td><td>The number of requests that have been dropped by the loadshedder.</td></tr>
<tr><td><code>mixer_runtime_dispatch_duration_seconds</code></td><td><code>Distribution</code></td><td>Duration in seconds for adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>mixer_runtime_dispatches_total</code></td><td><code>Count</code></td><td>Total number of adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
</tbody>
</table>

6
content/docs/reference/commands/operator/index.html
View File

@ -63,11 +63,11 @@ number_of_entries: 4
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include called information, scopes can be any of [default] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [default, util] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>The minimum logging level of messages to output, can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [default, util] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -87,7 +87,7 @@ number_of_entries: 4
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>The minimum logging level at which stack traces are captured, can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [default, util] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>

133
content/docs/reference/commands/pilot-agent/index.html
View File

@ -397,7 +397,7 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>ISTIO_KUBE_APP_PROBERS</code></td>
@ -457,13 +457,13 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
<td></td>
<td>The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we&#39;ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_MAX</code></td>
<td>Time Duration</td>
<td><code>10s</code></td>
<td></td>
<td>The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we&#39;ll trigger a push.</td>
</tr>
<tr>
<td><code>PILOT_DEBUG_ADSZ_CONFIG</code></td>
@ -472,27 +472,9 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_EDS_ISOLATION</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_EMPTY_ROUTE_RESPONSE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>DisableEmptyRouteResponse provides an option to disable a partial route response. This will cause Pilot to ignore a route request if Pilot generates a nil route (due to an error). This may cause Envoy to wait forever for the route, blocking listeners from receiving traffic. The default behavior (without this flag set) is to explicitly send an empty route. This will break routing for that particular route, but allow others on the same listener to work.</td>
</tr>
<tr>
<td><code>PILOT_DISABLE_PARTIAL_ROUTE_RESPONSE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>DisablePartialRouteResponse provides an option to disable a partial route response. This will cause Pilot to send an error if any routes are invalid. The default behavior (without this flag) is to just skip the invalid route.</td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>String</td>
<td><code></code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
@ -502,12 +484,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LOCALITY_LOAD_BALANCING</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -520,16 +496,10 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_WAIT_CACHE_SYNC</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INITIAL_FETCH_TIMEOUT</code></td>
@ -538,16 +508,16 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.</td>
</tr>
<tr>
<td><code>PILOT_PUSH_BURST</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_PUSH_THROTTLE</code></td>
<td>Integer</td>
<td><code>10</code></td>
<td></td>
<td><code>100</code></td>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
@ -559,7 +529,7 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td></td>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>POD_NAME</code></td>
@ -574,12 +544,36 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>String</td>
<td><code></code></td>
<td><code>SDS_ENABLED</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>SDS_JWT_PATH</code></td>
<td>String</td>
<td><code>/var/run/secrets/tokens/istio-token</code></td>
<td>path of token which is used for request key/cert through SDS</td>
</tr>
<tr>
<td><code>SDS_UDS_PATH</code></td>
<td>String</td>
<td><code>/var/run/sds/uds_path</code></td>
<td>SDS unix domain socket path</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
<tr>
<td><code>USE_ISTIO_JWT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
@ -587,46 +581,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
</tr>
</tbody>
</table>
<h2 id="annotations">Annotations</h2>
These resource annotations are used by the <code>pilot-agent</code> command.
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionPrefixes</code></td>
<td>Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionRegexps</code></td>
<td>Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionSuffixes</code></td>
<td>Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
@ -645,8 +599,11 @@ These resource annotations are used by the <code>pilot-agent</code> command.
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
</tbody>
</table>

120
content/docs/reference/commands/pilot-discovery/index.html
View File

@ -471,7 +471,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>K8S_INGRESS_NS</code></td>
@ -489,13 +489,13 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
<td></td>
<td>The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we&#39;ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_MAX</code></td>
<td>Time Duration</td>
<td><code>10s</code></td>
<td></td>
<td>The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we&#39;ll trigger a push.</td>
</tr>
<tr>
<td><code>PILOT_DEBUG_ADSZ_CONFIG</code></td>
@ -504,27 +504,9 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_EDS_ISOLATION</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_EMPTY_ROUTE_RESPONSE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>DisableEmptyRouteResponse provides an option to disable a partial route response. This will cause Pilot to ignore a route request if Pilot generates a nil route (due to an error). This may cause Envoy to wait forever for the route, blocking listeners from receiving traffic. The default behavior (without this flag set) is to explicitly send an empty route. This will break routing for that particular route, but allow others on the same listener to work.</td>
</tr>
<tr>
<td><code>PILOT_DISABLE_PARTIAL_ROUTE_RESPONSE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>DisablePartialRouteResponse provides an option to disable a partial route response. This will cause Pilot to send an error if any routes are invalid. The default behavior (without this flag) is to just skip the invalid route.</td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>String</td>
<td><code></code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
@ -534,12 +516,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LOCALITY_LOAD_BALANCING</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -552,16 +528,10 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_WAIT_CACHE_SYNC</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INITIAL_FETCH_TIMEOUT</code></td>
@ -570,16 +540,16 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.</td>
</tr>
<tr>
<td><code>PILOT_PUSH_BURST</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_PUSH_THROTTLE</code></td>
<td>Integer</td>
<td><code>10</code></td>
<td></td>
<td><code>100</code></td>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
@ -591,7 +561,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td></td>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>POD_NAME</code></td>
@ -606,16 +576,16 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>ProxyInboundListenPort</code></td>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>15006</code></td>
<td></td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
<td><code>USE_ISTIO_JWT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
@ -625,46 +595,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
</tr>
</tbody>
</table>
<h2 id="annotations">Annotations</h2>
These resource annotations are used by the <code>pilot-discovery</code> command.
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionPrefixes</code></td>
<td>Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionRegexps</code></td>
<td>Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionSuffixes</code></td>
<td>Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
@ -685,11 +615,14 @@ These resource annotations are used by the <code>pilot-discovery</code> command.
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_inbound_updates</code></td><td><code>Sum</code></td><td>Total number of updates received by pilot.</td></tr>
<tr><td><code>pilot_invalid_out_listeners</code></td><td><code>LastValue</code></td><td>Number of invalid outbound listeners.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_k8s_cfg_events</code></td><td><code>Sum</code></td><td>Events from k8s config.</td></tr>
<tr><td><code>pilot_k8s_object_errors</code></td><td><code>LastValue</code></td><td>Errors converting k8s CRDs</td></tr>
<tr><td><code>pilot_k8s_reg_events</code></td><td><code>Sum</code></td><td>Events from k8s registry.</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_proxy_convergence_time</code></td><td><code>Distribution</code></td><td>Delay between config change and all proxies converging.</td></tr>
<tr><td><code>pilot_proxy_queue_time</code></td><td><code>Distribution</code></td><td>Time a proxy is in the push queue before being dequeued.</td></tr>
<tr><td><code>pilot_rds_expired_nonce</code></td><td><code>Sum</code></td><td>Total number of RDS messages with an expired nonce.</td></tr>
<tr><td><code>pilot_services</code></td><td><code>LastValue</code></td><td>Total services known to pilot.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
@ -703,9 +636,6 @@ These resource annotations are used by the <code>pilot-discovery</code> command.
<tr><td><code>pilot_xds_eds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected EDS.</td></tr>
<tr><td><code>pilot_xds_lds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected LDS.</td></tr>
<tr><td><code>pilot_xds_push_context_errors</code></td><td><code>Sum</code></td><td>Number of errors (timeouts) initiating push context.</td></tr>
<tr><td><code>pilot_xds_push_errors</code></td><td><code>Sum</code></td><td>Number of errors (timeouts) pushing to sidecars.</td></tr>
<tr><td><code>pilot_xds_push_timeout</code></td><td><code>Sum</code></td><td>Pilot push timeout, will retry.</td></tr>
<tr><td><code>pilot_xds_push_timeout_failures</code></td><td><code>Sum</code></td><td>Pilot push timeout failures after repeated attempts.</td></tr>
<tr><td><code>pilot_xds_pushes</code></td><td><code>Sum</code></td><td>Pilot build and send errors for lds, rds, cds and eds.</td></tr>
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>

135
content/docs/reference/commands/sidecar-injector/index.html
View File

@ -339,138 +339,6 @@ number_of_entries: 4
</tr>
</tbody>
</table>
<h2 id="annotations">Annotations</h2>
These resource annotations are used by the <code>sidecar-injector</code> command.
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/applicationPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/failureThreshold</code></td>
<td></td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/initialDelaySeconds</code></td>
<td></td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/periodSeconds</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/bootstrapOverride</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/controlPlaneAuthPolicy</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/discoveryAddress</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/inject</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/interceptionMode</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyCPU</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyImage</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyMemory</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/rewriteAppHTTPProbers</code></td>
<td>Rewrite HTTP readiness and liveness probes to be redirected to istio-proxy sidecar</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionPrefixes</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionRegexps</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionSuffixes</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/status</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/userVolume</code></td>
<td></td>
</tr>
<tr>
<td><code>sidecar.istio.io/userVolumeMount</code></td>
<td></td>
</tr>
<tr>
<td><code>status.sidecar.istio.io/port</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeInboundPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeOutboundIPRanges</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeOutboundPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/includeInboundPorts</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/includeOutboundIPRanges</code></td>
<td></td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/kubevirtInterfaces</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
@ -486,8 +354,11 @@ These resource annotations are used by the <code>sidecar-injector</code> command
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
</tbody>
</table>

342
content/docs/reference/config/annotations/index.html Normal file
View File

@ -0,0 +1,342 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE https://github.com/istio/api REPO
source_repo: https://github.com/istio/api
title: Resource Annotations
description: Resource annotations used by Istio.
location: https://istio.io/docs/reference/config/annotations.html
weight: 29
---
<p>
This page presents the various <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/">resource annotations</a> that
Istio supports to control its behavior.
</p>
<table class="annotations">
<thead>
<tr>
<th>Annotation Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>networking.istio.io/exportTo</code></td>
<td>Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace.</td>
</tr>
<tr>
<td><code>policy.istio.io/check</code></td>
<td>Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkBaseRetryWaitTime</code></td>
<td>Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkMaxRetryWaitTime</code></td>
<td>Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms.</td>
</tr>
<tr>
<td><code>policy.istio.io/checkRetries</code></td>
<td>The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries.</td>
</tr>
<tr>
<td><code>policy.istio.io/lang</code></td>
<td>Selects the attribute expression langauge runtime for Mixer..</td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/applicationPorts</code></td>
<td>Specifies the list of ports exposed by the application container. Used by the istio-proxy readiness probe to determine that Envoy is configured and ready to receive traffic.</td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/failureThreshold</code></td>
<td>Specifies the failure threshold for the istio-proxy readiness probe.</td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/initialDelaySeconds</code></td>
<td>Specifies the initial delay (in seconds) for the istio-proxy readiness probe.</td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/periodSeconds</code></td>
<td>Specifies the period (in seconds) for the istio-proxy readiness probe.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/bootstrapOverride</code></td>
<td>Specifies an alternative Envoy bootstrap configuration file.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/componentLogLevel</code></td>
<td>Specifies the component log level for Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/controlPlaneAuthPolicy</code></td>
<td>Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between istio-proxy sidecars will be wrapped into mutual TLS connections.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/discoveryAddress</code></td>
<td>Specifies the XDS discovery address to be used by the istio-proxy sidecar.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/inject</code></td>
<td>Specifies whether or not an istio-proxy sidecar should be automatically injected into the workload.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/interceptionMode</code></td>
<td>Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).</td>
</tr>
<tr>
<td><code>sidecar.istio.io/logLevel</code></td>
<td>Specifies the log level for Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyCPU</code></td>
<td>Specifies the requested CPU setting for the istio-proxy sidecar.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyImage</code></td>
<td>Specifies the Docker image to be used by the istio-proxy sidecar.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/proxyMemory</code></td>
<td>Specifies the requested memory setting for the istio-proxy sidecar.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/rewriteAppHTTPProbers</code></td>
<td>Rewrite HTTP readiness and liveness probes to be redirected to istio-proxy sidecar.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionPrefixes</code></td>
<td>Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionRegexps</code></td>
<td>Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/statsInclusionSuffixes</code></td>
<td>Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/status</code></td>
<td>Generated by istio-proxy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/userVolume</code></td>
<td>Specifies one or more user volumes (as a JSON array) to be added to the istio-proxy sidecar.</td>
</tr>
<tr>
<td><code>sidecar.istio.io/userVolumeMount</code></td>
<td>Specifies one or more user volume mounts (as a JSON array) to be added to the istio-proxy sidecar.</td>
</tr>
<tr>
<td><code>status.sidecar.istio.io/port</code></td>
<td>Specifies the HTTP status Port for the istio-proxy sidecar. If zero, the istio-proxy will not provide status.</td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeInboundPorts</code></td>
<td>A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected.</td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeOutboundIPRanges</code></td>
<td>A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected.</td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/excludeOutboundPorts</code></td>
<td>A comma separated list of outbound ports to be excluded from redirection to Envoy.</td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/includeInboundPorts</code></td>
<td>A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection.</td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/includeOutboundIPRanges</code></td>
<td>A comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.</td>
</tr>
<tr>
<td><code>traffic.sidecar.istio.io/kubevirtInterfaces</code></td>
<td>A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.</td>
</tr>
</tbody>
</table>

66
content/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html
View File

@ -6,7 +6,7 @@ description: Configuration for Role Based Access Control.
location: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 8
number_of_entries: 9
---
<p>Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding
objects.</p>
@ -170,6 +170,64 @@ Exact match, prefix match, and suffix match are supported.
For example, the value &ldquo;v1alpha2&rdquo; matches &ldquo;v1alpha2&rdquo; (exact match),
or &ldquo;v1<em>&rdquo; (prefix match), or &ldquo;</em>alpha2&rdquo; (suffix match).</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RbacConfig">RbacConfig</h2>
<section>
<p>RbacConfig implements the ClusterRbaConfig Custom Resource Definition for controlling Istio RBAC behavior.
The ClusterRbaConfig Custom Resource is a singleton where only one ClusterRbaConfig should be created
globally in the mesh and the namespace should be the same to other Istio components, which usually is <code>istio-system</code>.</p>
<p>Below is an example of an <code>ClusterRbacConfig</code> resource called <code>istio-rbac-config</code> which enables Istio RBAC for all
services in the default namespace.</p>
<pre><code class="language-yaml">apiVersion: &quot;rbac.istio.io/v1alpha1&quot;
kind: ClusterRbacConfig
metadata:
name: default
namespace: istio-system
spec:
mode: ON_WITH_INCLUSION
inclusion:
namespaces: [ &quot;default&quot; ]
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="RbacConfig-mode">
<td><code>mode</code></td>
<td><code><a href="#RbacConfig-Mode">RbacConfig.Mode</a></code></td>
<td>
<p>Istio RBAC mode.</p>
</td>
</tr>
<tr id="RbacConfig-inclusion">
<td><code>inclusion</code></td>
<td><code><a href="#RbacConfig-Target">RbacConfig.Target</a></code></td>
<td>
<p>A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have
effect only when mode is ON<em>WITH</em>INCLUSION and will be ignored for any other modes.</p>
</td>
</tr>
<tr id="RbacConfig-exclusion">
<td><code>exclusion</code></td>
<td><code><a href="#RbacConfig-Target">RbacConfig.Target</a></code></td>
<td>
<p>A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have
effect only when mode is ON<em>WITH</em>EXCLUSION and will be ignored for any other modes.</p>
</td>
</tr>
</tbody>
@ -188,15 +246,15 @@ or &ldquo;v1<em>&rdquo; (prefix match), or &ldquo;</em>alpha2&rdquo; (suffix mat
<tr id="RbacConfig-Mode-OFF">
<td><code>OFF</code></td>
<td>
<p>Disable Istio RBAC completely, any other config in RbacConfig will be ignored and Istio RBAC policies
will not be enforced.</p>
<p>Disable Istio RBAC completely, Istio RBAC policies will not be enforced.</p>
</td>
</tr>
<tr id="RbacConfig-Mode-ON">
<td><code>ON</code></td>
<td>
<p>Enable Istio RBAC for all services and namespaces.</p>
<p>Enable Istio RBAC for all services and namespaces. Note Istio RBAC is deny-by-default
which means all requests will be denied if it&rsquo;s not allowed by RBAC rules.</p>
</td>
</tr>

1
content/docs/reference/config/istio.authentication.v1alpha1/index.html
View File

@ -6,6 +6,7 @@ description: Authentication policy for Istio services.
location: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 29
number_of_entries: 11
---
<p>This package defines user-facing authentication policy.</p>

27
content/docs/reference/config/istio.mesh.v1alpha1/index.html
View File

@ -6,7 +6,7 @@ description: Configuration affecting the service mesh as a whole.
location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 22
number_of_entries: 23
---
<p>Configuration affecting the service mesh as a whole.</p>
@ -1269,6 +1269,14 @@ For pilot/mixer, it&rsquo;s passed as arguments to istio-proxy container in pilo
<td>
<p>Use a Datadog tracer.</p>
</td>
</tr>
<tr id="Tracing-stackdriver" class="oneof">
<td><code>stackdriver</code></td>
<td><code><a href="#Tracing-Stackdriver">Tracing.Stackdriver (oneof)</a></code></td>
<td>
<p>Use a Stackdriver tracer.</p>
</td>
</tr>
</tbody>
@ -1346,6 +1354,23 @@ For pilot/mixer, it&rsquo;s passed as arguments to istio-proxy container in pilo
</tbody>
</table>
</section>
<h2 id="Tracing-Stackdriver">Tracing.Stackdriver</h2>
<section>
<p>Stackdriver defines configuration for a Stackdriver tracer.
See <a href="https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto">Opencensus trace config</a> for details.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
</tbody>
</table>
</section>
<h2 id="Tracing-Zipkin">Tracing.Zipkin</h2>
<section>
<p>Zipkin defines configuration for a Zipkin tracer.</p>

11
content/docs/reference/config/networking/v1alpha3/destination-rule/index.html
View File

@ -712,7 +712,9 @@ service that can be ejected. Defaults to 10%.</p>
pool has at least min<em>health</em>percent hosts in healthy mode. When the
percentage of healthy hosts in the load balancing pool drops below this
threshold, outlier detection will be disabled and the proxy will load balance
across all hosts in the pool (healthy and unhealthy). The default is 50%.</p>
across all hosts in the pool (healthy and unhealthy). The threshold can be
disabled by setting it to 0%. The default is 0% as it&rsquo;s not typically
applicable in k8s environments with few pods per service.</p>
</td>
</tr>
@ -1047,14 +1049,9 @@ to fields omitted in port-level traffic policies.</p>
<td><code>port</code></td>
<td><code><a href="/docs/reference/config/networking/v1alpha3/virtual-service.html#PortSelector">PortSelector</a></code></td>
<td>
<p>Specifies the port name or number of a port on the destination service
<p>Specifies the number of a port on the destination service
on which this policy is being applied.</p>
<p>Names must comply with DNS label syntax (rfc1035) and therefore cannot
collide with numbers. If there are multiple ports on a service with
the same protocol the names should be of the form &lt;protocol-name&gt;-&lt;DNS
label&gt;.</p>
</td>
</tr>
<tr id="TrafficPolicy-PortTrafficPolicy-load_balancer">

159
content/docs/reference/config/networking/v1alpha3/envoy-filter/index.html
View File

@ -6,7 +6,7 @@ description: Customizing Envoy configuration generated by Istio.
location: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 20
number_of_entries: 18
---
<p><code>EnvoyFilter</code> provides a mechanism to customize the Envoy
configuration generated by Istio Pilot. Use EnvoyFilter to modify
@ -236,6 +236,13 @@ namespace.</p>
<td>
<p>Applies the patch to the listener.</p>
</td>
</tr>
<tr id="EnvoyFilter-ApplyTo-FILTER_CHAIN">
<td><code>FILTER_CHAIN</code></td>
<td>
<p>Applies the patch to the filter chain.</p>
</td>
</tr>
<tr id="EnvoyFilter-ApplyTo-NETWORK_FILTER">
@ -253,6 +260,21 @@ existing filter or add a new filter.</p>
connection manager, to modify an existing filter or add a new
filter.</p>
</td>
</tr>
<tr id="EnvoyFilter-ApplyTo-ROUTE_CONFIGURATION">
<td><code>ROUTE_CONFIGURATION</code></td>
<td>
<p>Applies the patch to the Route configuration (rds output) inside a HTTP
connection manager. This does not apply to the virtual host.</p>
</td>
</tr>
<tr id="EnvoyFilter-ApplyTo-VIRTUAL_HOST">
<td><code>VIRTUAL_HOST</code></td>
<td>
<p>Applies the patch to a virtual host inside a route configuration.</p>
</td>
</tr>
<tr id="EnvoyFilter-ApplyTo-CLUSTER">
@ -408,6 +430,12 @@ name.</p>
</tr>
</thead>
<tbody>
<tr id="EnvoyFilter-EnvoyConfigObjectMatch-context">
<td><code>context</code></td>
<td><code><a href="#EnvoyFilter-PatchContext">EnvoyFilter.PatchContext</a></code></td>
<td>
</td>
</tr>
<tr id="EnvoyFilter-EnvoyConfigObjectMatch-listener" class="oneof oneof-start">
<td><code>listener</code></td>
<td><code><a href="#EnvoyFilter-ListenerMatch">EnvoyFilter.ListenerMatch (oneof)</a></code></td>
@ -453,7 +481,8 @@ HTTP<em>FILTER is expected to have a match condition on the
listeners, with a network filter selection on
envoy.http</em>connection_manager and a sub filter selection on the
HTTP filter relative to which the insertion should be
performed.</p>
performed. Similarly, an applyTo on CLUSTER should have a match
(if provided) on the cluster and not on a listener.</p>
</td>
</tr>
@ -471,34 +500,6 @@ performed.</p>
<td>
<p>The patch to apply along with the operation.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="EnvoyFilter-EnvoyFilterMatchCondition">EnvoyFilter.EnvoyFilterMatchCondition</h2>
<section>
<p>Match conditions for selecting an object to patch.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="EnvoyFilter-EnvoyFilterMatchCondition-context">
<td><code>context</code></td>
<td><code><a href="#EnvoyFilter-PatchContext">EnvoyFilter.PatchContext</a></code></td>
<td>
</td>
</tr>
<tr id="EnvoyFilter-EnvoyFilterMatchCondition-match">
<td><code>match</code></td>
<td><code><a href="#EnvoyFilter-EnvoyConfigObjectMatch">EnvoyFilter.EnvoyConfigObjectMatch</a></code></td>
<td>
</td>
</tr>
</tbody>
@ -725,8 +726,7 @@ patch to the HTTP connection manager.</p>
<td>
<p>The next level filter within this filter to match
upon. Typically used for HTTP Connection Manager filters and
Thrift filters. This field is REQUIRED when the apply to is
HTTP_FILTER.</p>
Thrift filters.</p>
</td>
</tr>
@ -762,8 +762,7 @@ could also be applicable for thrift filters.</p>
</section>
<h2 id="EnvoyFilter-Patch">EnvoyFilter.Patch</h2>
<section>
<p>Patch specifies the JSON path in the generated proto and the
content to merge/remove on the specific path.</p>
<p>Patch specifies how the selected object should be modified.</p>
<table class="message-fields">
<thead>
@ -784,9 +783,9 @@ content to merge/remove on the specific path.</p>
</tr>
<tr id="EnvoyFilter-Patch-value">
<td><code>value</code></td>
<td><code><a href="#google-protobuf-Value">google.protobuf.Value</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">google.protobuf.Struct</a></code></td>
<td>
<p>The proto equivalent of JSON Value. This will be merged using
<p>The JSON config of the object being patched. This will be merged using
json merge semantics with the existing proto in the path.</p>
</td>
@ -815,26 +814,29 @@ configuration.</p>
<tr id="EnvoyFilter-Patch-Operation-MERGE">
<td><code>MERGE</code></td>
<td>
<p>Overlay the value onto the element selected by the path using
json merge semantics. For primitive fields this is equivalent
to ADD.</p>
<p>Merge the provided config with the generated config using
json merge semantics.</p>
</td>
</tr>
<tr id="EnvoyFilter-Patch-Operation-ADD">
<td><code>ADD</code></td>
<td>
<p>For maps this will either add to the map or replace the value
for the key. For fields this will replace the value.</p>
<p>Add the provided config to an existing list (of listeners,
clusters, virtual hosts, network filters, or http
filters). This operation will be ignored when applyTo is set
to ROUTE_CONFIGURATION.</p>
</td>
</tr>
<tr id="EnvoyFilter-Patch-Operation-REMOVE">
<td><code>REMOVE</code></td>
<td>
<p>Remove the selected elements from their parent. Does not
require a value to be specified. When removing fields their
values are reset to their intrinsic default.</p>
<p>Remove the selected object from the list (of listeners,
clusters, virtual hosts, network filters, or http
filters). Does not require a value to be specified. This
operation will be ignored when applyTo is set to
ROUTE_CONFIGURATION.</p>
</td>
</tr>
@ -1007,72 +1009,3 @@ registry.</p>
</tbody>
</table>
</section>
<h2 id="google-protobuf-Value">google.protobuf.Value</h2>
<section>
<p><code>Value</code> represents a dynamically typed value which can be either
null, a number, a string, a boolean, a recursive struct value, or a
list of values. A producer of value is expected to set one of that
variants, absence of any variant indicates an error.</p>
<p>The JSON representation for <code>Value</code> is JSON value.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="google-protobuf-Value-null_value" class="oneof oneof-start">
<td><code>nullValue</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#nullvalue">google.protobuf.NullValue (oneof)</a></code></td>
<td>
<p>Represents a null value.</p>
</td>
</tr>
<tr id="google-protobuf-Value-number_value" class="oneof">
<td><code>numberValue</code></td>
<td><code>double (oneof)</code></td>
<td>
<p>Represents a double value.</p>
</td>
</tr>
<tr id="google-protobuf-Value-string_value" class="oneof">
<td><code>stringValue</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Represents a string value.</p>
</td>
</tr>
<tr id="google-protobuf-Value-bool_value" class="oneof">
<td><code>boolValue</code></td>
<td><code>bool (oneof)</code></td>
<td>
<p>Represents a boolean value.</p>
</td>
</tr>
<tr id="google-protobuf-Value-struct_value" class="oneof">
<td><code>structValue</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">google.protobuf.Struct (oneof)</a></code></td>
<td>
<p>Represents a structured value.</p>
</td>
</tr>
<tr id="google-protobuf-Value-list_value" class="oneof">
<td><code>listValue</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#listvalue">google.protobuf.ListValue (oneof)</a></code></td>
<td>
<p>Represents a repeated <code>Value</code>.</p>
</td>
</tr>
</tbody>
</table>
</section>

41
content/docs/reference/config/networking/v1alpha3/gateway/index.html
View File

@ -473,6 +473,31 @@ enable the dynamic credential fetching feature.</p>
<p>A list of alternate names to verify the subject identity in the
certificate presented by the client.</p>
</td>
</tr>
<tr id="Server-TLSOptions-verify_certificate_spki">
<td><code>verifyCertificateSpki</code></td>
<td><code>string[]</code></td>
<td>
<p>An optional list of base64-encoded SHA-256 hashes of the SKPIs of
authorized client certificates.
Note: When both verify<em>certificate</em>hash and verify<em>certificate</em>spki
are specified, a hash matching either value will result in the
certificate being accepted.</p>
</td>
</tr>
<tr id="Server-TLSOptions-verify_certificate_hash">
<td><code>verifyCertificateHash</code></td>
<td><code>string[]</code></td>
<td>
<p>An optional list of hex-encoded SHA-256 hashes of the
authorized client certificates. Both simple and colon separated
formats are acceptable.
Note: When both verify<em>certificate</em>hash and verify<em>certificate</em>spki
are specified, a hash matching either value will result in the
certificate being accepted.</p>
</td>
</tr>
<tr id="Server-TLSOptions-min_protocol_version">
@ -584,8 +609,8 @@ destination service from the service registry.</p>
<tr id="Server-TLSOptions-TLSmode-MUTUAL">
<td><code>MUTUAL</code></td>
<td>
<p>Secure connections to the upstream using mutual TLS by presenting
client certificates for authentication.</p>
<p>Secure connections to the downstream using mutual TLS by presenting
server certificates for authentication.</p>
</td>
</tr>
@ -603,6 +628,18 @@ networks that otherwise do not have direct connectivity between
their respective endpoints. Use of this mode assumes that both the
source and the destination are using Istio mTLS to secure traffic.</p>
</td>
</tr>
<tr id="Server-TLSOptions-TLSmode-ISTIO_MUTUAL">
<td><code>ISTIO_MUTUAL</code></td>
<td>
<p>Secure connections from the downstream using mutual TLS by presenting
server certificates for authentication.
Compared to Mutual mode, this mode uses certificates, representing
gateway workload identity, generated automatically by Istio for
mTLS authentication. When this mode is used, all other fields in
<code>TLSOptions</code> should be empty.</p>
</td>
</tr>
</tbody>

88
content/docs/reference/config/networking/v1alpha3/sidecar/index.html
View File

@ -6,7 +6,7 @@ description: Configuration affecting network reachability of a sidecar.
location: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 5
number_of_entries: 7
---
<p><code>Sidecar</code> describes the configuration of the sidecar proxy that mediates
inbound and outbound communication to the workload instance it is attached to. By
@ -25,7 +25,7 @@ resource in a namespace will apply to one or more workload instances in the same
namespace, selected using the workloadSelector. In the absence of a
workloadSelector, it will apply to all workload instances in the same
namespace. When determining the Sidecar resource to be applied to a
workload instsance, preference will be given to the resource with a
workload instance, preference will be given to the resource with a
workloadSelector that selects this workload instance, over a Sidecar resource
without any workloadSelector.</p>
@ -314,8 +314,8 @@ associated <code>DestinationRule</code> in the same namespace will also be used.
<p>The <code>dnsName</code> should be specified using FQDN format, optionally including
a wildcard character in the left-most component (e.g., <code>prod/*.example.com</code>).
Set the <code>dnsName</code> to <code>*</code> to select all services from the specified namespace
(e.g.,<code>prod/*</code>). The <code>namespace</code> can also be set to <code>*</code> to select a particular
service from any available namespace (e.g., &ldquo;*/foo.example.com&rdquo;).</p>
(e.g., <code>prod/*</code>). The <code>namespace</code> can also be set to <code>*</code> to select a particular
service from any available namespace (e.g., <code>*/foo.example.com</code>).</p>
<p>NOTE: Only services and configuration artifacts exported to the sidecar&rsquo;s
namespace (e.g., <code>exportTo</code> value of <code>*</code>) can be referenced.
@ -323,6 +323,15 @@ Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
not be available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
<code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>
<p><strong>WARNING:</strong> The list of egress hosts in a <code>Sidecar</code> must also include
the Mixer control plane services if they are enabled. Envoy will not
be able to reach them otherwise. For example, add host
<code>istio-system/istio-telemetry.istio-system.svc.cluster.local</code> if telemetry
is enabled, <code>istio-system/istio-policy.istio-system.svc.cluster.local</code> if
policy is enabled, or add <code>istio-system/*</code> to allow all services in the
<code>istio-system</code> namespace. This requirement is temporary and will be removed
in a future Istio release.</p>
</td>
</tr>
</tbody>
@ -384,6 +393,65 @@ redirect traffic arriving at the bind point on the sidecar to a port
or Unix domain socket where the application workload instance is listening for
connections. Format should be 127.0.0.1:PORT or <code>unix:///path/to/socket</code></p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="OutboundTrafficPolicy">OutboundTrafficPolicy</h2>
<section>
<p>OutboundTrafficPolicy sets the default behavior of the sidecar for
handling outbound traffic from the application.
If your application uses one or more external
services that are not known apriori, setting the policy to ALLOW<em>ANY
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use ServiceEntries to explicitly declare any external
dependencies, instead of using allow</em>any, so that traffic to these
services can be monitored.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="OutboundTrafficPolicy-mode">
<td><code>mode</code></td>
<td><code><a href="#OutboundTrafficPolicy-Mode">OutboundTrafficPolicy.Mode</a></code></td>
<td>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="OutboundTrafficPolicy-Mode">OutboundTrafficPolicy.Mode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
<td><code>REGISTRY_ONLY</code></td>
<td>
<p>outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries</p>
</td>
</tr>
<tr id="OutboundTrafficPolicy-Mode-ALLOW_ANY">
<td><code>ALLOW_ANY</code></td>
<td>
<p>outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port</p>
</td>
</tr>
</tbody>
@ -432,6 +500,18 @@ outbound traffic from the attached workload instance to other services in the
mesh. If omitted, Istio will automatically configure the sidecar to be able to
reach every service in the mesh that is visible to this namespace.</p>
</td>
</tr>
<tr id="Sidecar-outbound_traffic_policy">
<td><code>outboundTrafficPolicy</code></td>
<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>This allows to configure the outbound traffic policy.
If your application uses one or more external
services that are not known apriori, setting the policy to ALLOW_ANY
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination.</p>
</td>
</tr>
</tbody>

44
content/docs/reference/config/networking/v1alpha3/virtual-service/index.html
View File

@ -802,6 +802,15 @@ request URI being matched as an exact path or prefix.</p>
<p>On a redirect, overwrite the Authority/Host portion of the URL with
this value.</p>
</td>
</tr>
<tr id="HTTPRedirect-redirect_code">
<td><code>redirectCode</code></td>
<td><code>uint32</code></td>
<td>
<p>On a redirect, Specifies the HTTP status code to use in the redirect
response. The default response code is MOVED_PERMANENTLY (301).</p>
</td>
</tr>
</tbody>
@ -1234,7 +1243,40 @@ field instead.</p>
</section>
<h2 id="Headers">Headers</h2>
<section>
<p>Header manipulation rules</p>
<p>Message headers can be manipulated when Envoy forwards requests to,
or responses from, a destination service. Header manipulation rules can
be specified for a specific route destination or for all destinations.
The following VirtualService adds a <code>test</code> header with the value <code>true</code>
to requests that are routed to any <code>reviews</code> service destination.
It also romoves the <code>foo</code> response header, but only from responses
coming from the <code>v1</code> subset (version) of the <code>reviews</code> service.</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: reviews-route
spec:
hosts:
- reviews.prod.svc.cluster.local
http:
- headers:
request:
set:
test: true
route:
- destination:
host: reviews.prod.svc.cluster.local
subset: v2
weight: 25
- destination:
host: reviews.prod.svc.cluster.local
subset: v1
headers:
response:
remove:
- foo
weight: 75
</code></pre>
<table class="message-fields">
<thead>

40
content/docs/reference/config/policy-and-telemetry/adapters/redisquota/index.html
View File

@ -26,19 +26,19 @@ rolling window algorithm. And it is using Redis as a shared data storage.</p>
<pre><code class="language-yaml">redisServerUrl: localhost:6379
connectionPoolSize: 10
quotas:
- name: requestcount.quota.istio-system
maxAmount: 50
validDuration: 60s
bucketDuration: 1s
rateLimitAlgorithm: ROLLING_WINDOW
overrides:
- dimensions:
destination: ratings
source: reviews
maxAmount: 12
- dimensions:
destination: reviews
maxAmount: 5
- name: requestcount.quota.istio-system
maxAmount: 50
validDuration: 60s
bucketDuration: 1s
rateLimitAlgorithm: ROLLING_WINDOW
overrides:
- dimensions:
destination: ratings
source: reviews
maxAmount: 12
- dimensions:
destination: reviews
maxAmount: 5
</code></pre>
<table class="message-fields">
@ -96,7 +96,7 @@ Default is 10 connections per every CPU as reported by runtime.NumCPU.</p>
<td>
<p>The specific dimensions for which this override applies.
String representation of instance dimensions is used to check against configured dimensions.
dimensions should not be empty</p>
<code>dimensions</code> should not be empty</p>
</td>
</tr>
@ -145,7 +145,7 @@ This value should be bigger than 0</p>
<td>
<p>The amount of time allocated quota remains valid before it is
automatically released. This is only meaningful for rate limit quotas.
value should be 0 &lt; valid_duration</p>
value should be <code>0 &lt; validDuration</code></p>
</td>
</tr>
@ -153,8 +153,8 @@ value should be 0 &lt; valid_duration</p>
<td><code>bucketDuration</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">google.protobuf.Duration</a></code></td>
<td>
<p>bucket<em>duration will be ignored if rate</em>limit<em>algorithm is FIXED</em>WINDOW
value should be 0 &lt; bucket<em>duration &lt; valid</em>duration</p>
<p>The <code>bucketDuration</code> will be ignored if <code>rateLimitAlgorithm</code> is <code>FIXED_WINDOW</code>
value should be <code>0 &lt; bucketDuration &lt; validDuration</code></p>
</td>
</tr>
@ -162,7 +162,7 @@ value should be 0 &lt; bucket<em>duration &lt; valid</em>duration</p>
<td><code>rateLimitAlgorithm</code></td>
<td><code><a href="#Params-QuotaAlgorithm">Params.QuotaAlgorithm</a></code></td>
<td>
<p>Quota management algorithm. The default value is FIXED_WINDOW</p>
<p>Quota management algorithm. The default value is <code>FIXED_WINDOW</code></p>
</td>
</tr>
@ -193,14 +193,14 @@ The first matching override is applied.</p>
<tr id="Params-QuotaAlgorithm-FIXED_WINDOW">
<td><code>FIXED_WINDOW</code></td>
<td>
<p>FIXED_WINDOW The fixed window approach can allow 2x peak specified rate, whereas the rolling-window doesn&rsquo;t.</p>
<p><code>FIXED_WINDOW</code> The fixed window approach can allow 2x peak specified rate, whereas the rolling-window doesn&rsquo;t.</p>
</td>
</tr>
<tr id="Params-QuotaAlgorithm-ROLLING_WINDOW">
<td><code>ROLLING_WINDOW</code></td>
<td>
<p>ROLLING_WINDOW The rolling window algorithm&rsquo;s additional precision comes at the cost of increased redis resource usage.</p>
<p><code>ROLLING_WINDOW</code> The rolling window algorithm&rsquo;s additional precision comes at the cost of increased redis resource usage.</p>
</td>
</tr>

38
content/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/index.html
View File

@ -6,7 +6,7 @@ description: Describes the rules used to configure Mixer's policy and telemetry
location: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 25
number_of_entries: 26
---
<p>Describes the rules used to configure Mixer&rsquo;s policy and telemetry features.</p>
@ -1237,6 +1237,34 @@ adapter to optionally modify the headers.</p>
<td>
<p>Append values to the existing header values.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="StringMap">StringMap</h2>
<section>
<p>An instance field of type StringMap denotes that the expression for the field must evaluate to
<a href="#ValueType-STRING_MAP">ValueType.STRING_MAP</a></p>
<p>Objects of type StringMap are also passed to the adapters during request-time for the instance fields of
type StringMap</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="StringMap-value">
<td><code>value</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>StringMap encoded as a map of strings</p>
</td>
</tr>
</tbody>
@ -1498,6 +1526,14 @@ the equivalent oneof field in <code>Value</code> is populated by Mixer and passe
<td>
<p>Used for values of type Uri</p>
</td>
</tr>
<tr id="Value-string_map_value" class="oneof">
<td><code>stringMapValue</code></td>
<td><code><a href="#StringMap">StringMap (oneof)</a></code></td>
<td>
<p>Used for values of type STRING_MAP</p>
</td>
</tr>
</tbody>

15
scripts/grab_reference_docs.sh
View File

@ -17,6 +17,9 @@ REPOS=(
https://github.com/osswangxining/alicloud-istio-grpcadapter.git@master
https://github.com/vmware/wavefront-adapter-for-istio.git@master
https://github.com/apache/skywalking-data-collect-protocol.git@master
# This is disabled since it causes a linting error at the moment
# https://github.com/ibm-cloud-security/app-identity-and-access-adapter.git@master
)
# The components to build and extract usage docs from.
@ -96,7 +99,7 @@ handle_doc_scraping() {
echo " INPUT REPO: ${REPO_URL}@${REPO_BRANCH}"
git clone -q -b ${REPO_BRANCH} ${REPO_URL} ${DEST_DIR}
git clone --depth=1 -q -b ${REPO_BRANCH} ${REPO_URL} ${DEST_DIR}
# delete the vendor directory so we don't get .pb.html out of there
rm -fr ${DEST_DIR}/vendor
@ -121,12 +124,18 @@ handle_components() {
echo " COMPONENT: ${COMP_NAME} from ${REPO_URL}@${REPO_BRANCH}"
git clone -q -b ${REPO_BRANCH} ${REPO_URL}
git clone --depth=1 -q -b ${REPO_BRANCH} ${REPO_URL}
pushd ${REPO_NAME}
pushd ${COMP_PATH}
# until we're on the go module plan in istio/istio and istio/operator
# until we're on the go module plan in istio/istio
GO111MODULE=off
if [[ "${COMP_NAME}" == "operator" ]]
then
GO111MODULE=on
fi
go build -o ${COMP_NAME}
mkdir -p ${COMP_OUTPUT_DIR}/${COMP_NAME}
./${COMP_NAME} collateral -o ${COMP_OUTPUT_DIR}/${COMP_NAME} --html_fragment_with_front_matter > /dev/null