Manual ref doc update from release 1.6 with galley removed. (#7171)

* Run SOURCE_BRANCH_NAME=release-1.6 make update_ref_docs

* Fix galley reference doc being removed.
Eric Van Norman 2020-04-28 11:20:17 -05:00 committed by GitHub
parent 5f7bacdd7c
commit dab6c9adb9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 3040 additions and 2005 deletions

@ -117,7 +117,6 @@ of Istio itself (as distinct from that of the services within the mesh).
For more information on which metrics are maintained, please refer to the reference documentation for each of the components:
- [Pilot](/docs/reference/commands/pilot-discovery/#metrics)
- [Galley](/docs/reference/commands/galley/#metrics)
- [Mixer](/docs/reference/commands/mixs/#metrics)
## Distributed traces
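Review bot: removing the Galley bullet from the per-component metrics list matches the deletion of the galley reference page elsewhere in this commit, but the link target /docs/reference/commands/galley/#metrics should be grepped for across the rest of the site, since any remaining reference would now point at a deleted page.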

@ -1,609 +0,0 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
source_repo: https://github.com/istio/istio
title: galley
description: Galley provides configuration management services for Istio.
generator: pkg-collateral-docs
number_of_entries: 5
max_toc_level: 2
remove_toc_prefix: 'galley '
---
<p>Galley provides configuration management services for Istio.</p>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--config &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Config file containing args (default ``)</td>
</tr>
<tr>
<td><code>--log_as_json</code></td>
<td></td>
<td>Whether to format output as JSON or in plain console-friendly format </td>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
</tbody>
</table>
<h2 id="galley-probe">galley probe</h2>
<p>Check the liveness or readiness of a locally-running server</p>
<pre class="language-bash"><code>galley probe [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--config &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Config file containing args (default ``)</td>
</tr>
<tr>
<td><code>--interval &lt;duration&gt;</code></td>
<td></td>
<td>Duration used for checking the target file&#39;s last modified time. (default `0s`)</td>
</tr>
<tr>
<td><code>--log_as_json</code></td>
<td></td>
<td>Whether to format output as JSON or in plain console-friendly format </td>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--probe-path &lt;string&gt;</code></td>
<td></td>
<td>Path of the file for checking the availability. (default ``)</td>
</tr>
</tbody>
</table>
<h2 id="galley-server">galley server</h2>
<p>Starts Galley as a server</p>
<pre class="language-bash"><code>galley server [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--accessListFile &lt;string&gt;</code></td>
<td></td>
<td>The access list yaml file that contains the allowed mTLS peer ids. (default `/etc/config/accesslist.yaml`)</td>
</tr>
<tr>
<td><code>--caCertFile &lt;string&gt;</code></td>
<td></td>
<td>File containing the caBundle that signed the cert/key specified by --tlsCertFile and --tlsKeyFile. (default `/etc/certs/root-cert.pem`)</td>
</tr>
<tr>
<td><code>--config &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Config file containing args (default ``)</td>
</tr>
<tr>
<td><code>--configPath &lt;string&gt;</code></td>
<td></td>
<td>Istio config file path (default ``)</td>
</tr>
<tr>
<td><code>--ctrlz_address &lt;string&gt;</code></td>
<td></td>
<td>The IP Address to listen on for the ControlZ introspection facility. Use &#39;*&#39; to indicate all addresses. (default `localhost`)</td>
</tr>
<tr>
<td><code>--ctrlz_port &lt;uint16&gt;</code></td>
<td></td>
<td>The IP port to use for the ControlZ introspection facility (default `9876`)</td>
</tr>
<tr>
<td><code>--deployment-name &lt;string&gt;</code></td>
<td></td>
<td>Name of the deployment for the validation pod (default `istio-galley`)</td>
</tr>
<tr>
<td><code>--deployment-namespace &lt;string&gt;</code></td>
<td></td>
<td>Namespace of the deployment for the validation pod (default `istio-system`)</td>
</tr>
<tr>
<td><code>--disableResourceReadyCheck</code></td>
<td></td>
<td>Disable resource readiness checks. This allows Galley to start if not all resource types are supported </td>
</tr>
<tr>
<td><code>--domain &lt;string&gt;</code></td>
<td></td>
<td>DNS domain suffix (default `cluster.local`)</td>
</tr>
<tr>
<td><code>--enable-reconcileWebhookConfiguration</code></td>
<td></td>
<td>Enable reconciliation for webhook configuration. </td>
</tr>
<tr>
<td><code>--enable-server</code></td>
<td></td>
<td>Run galley server mode </td>
</tr>
<tr>
<td><code>--enable-validation</code></td>
<td></td>
<td>Run galley validation mode </td>
</tr>
<tr>
<td><code>--enableAnalysis</code></td>
<td></td>
<td>Enable config analysis service </td>
</tr>
<tr>
<td><code>--enableProfiling</code></td>
<td></td>
<td>Enable profiling for Galley </td>
</tr>
<tr>
<td><code>--enableServiceDiscovery</code></td>
<td></td>
<td>Enable service discovery processing in Galley </td>
</tr>
<tr>
<td><code>--excludedResourceKinds &lt;stringSlice&gt;</code></td>
<td></td>
<td>Comma-separated list of resource kinds that should not generate source events (default `[Endpoints,Namespace,Node,Pod,Service]`)</td>
</tr>
<tr>
<td><code>--insecure</code></td>
<td></td>
<td>Use insecure gRPC communication </td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td></td>
<td>Use a Kubernetes configuration file instead of in-cluster configuration (default ``)</td>
</tr>
<tr>
<td><code>--livenessProbeInterval &lt;duration&gt;</code></td>
<td></td>
<td>Interval of updating file for the Galley liveness probe. (default `2s`)</td>
</tr>
<tr>
<td><code>--livenessProbePath &lt;string&gt;</code></td>
<td></td>
<td>Path to the file for the Galley liveness probe. (default `/healthLiveness`)</td>
</tr>
<tr>
<td><code>--log_as_json</code></td>
<td></td>
<td>Whether to format output as JSON or in plain console-friendly format </td>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--meshConfigFile &lt;string&gt;</code></td>
<td></td>
<td>Path to the mesh config file (default `/etc/mesh-config/mesh`)</td>
</tr>
<tr>
<td><code>--monitoringPort &lt;uint&gt;</code></td>
<td></td>
<td>Port to use for exposing self-monitoring information (default `15014`)</td>
</tr>
<tr>
<td><code>--pprofPort &lt;uint&gt;</code></td>
<td></td>
<td>Port to use for exposing profiling (default `9094`)</td>
</tr>
<tr>
<td><code>--readinessProbeInterval &lt;duration&gt;</code></td>
<td></td>
<td>Interval of updating file for the Galley readiness probe. (default `2s`)</td>
</tr>
<tr>
<td><code>--readinessProbePath &lt;string&gt;</code></td>
<td></td>
<td>Path to the file for the Galley readiness probe. (default `/healthReadiness`)</td>
</tr>
<tr>
<td><code>--resyncPeriod &lt;duration&gt;</code></td>
<td></td>
<td>Resync period for rescanning Kubernetes resources (default `0s`)</td>
</tr>
<tr>
<td><code>--server-address &lt;string&gt;</code></td>
<td></td>
<td>Address to use for Galley&#39;s gRPC API, e.g. tcp://localhost:9092 or unix:///path/to/file (default `tcp://0.0.0.0:9901`)</td>
</tr>
<tr>
<td><code>--server-maxConcurrentStreams &lt;uint&gt;</code></td>
<td></td>
<td>Maximum number of outstanding RPCs per connection (default `1024`)</td>
</tr>
<tr>
<td><code>--server-maxReceivedMessageSize &lt;uint&gt;</code></td>
<td></td>
<td>Maximum size of individual gRPC messages (default `1048576`)</td>
</tr>
<tr>
<td><code>--service-name &lt;string&gt;</code></td>
<td></td>
<td>Name of the validation service running in the same namespace as the deployment (default `istio-galley`)</td>
</tr>
<tr>
<td><code>--sinkAddress &lt;string&gt;</code></td>
<td></td>
<td>Address of MCP Resource Sink server for Galley to connect to. Ex: &#39;foo.com:1234&#39; (default ``)</td>
</tr>
<tr>
<td><code>--sinkAuthMode &lt;string&gt;</code></td>
<td></td>
<td>Name of authentication plugin to use for connection to sink server. (default ``)</td>
</tr>
<tr>
<td><code>--sinkMeta &lt;stringSlice&gt;</code></td>
<td></td>
<td>Comma-separated list of key=values to attach as metadata to outgoing sink connections. Ex: &#39;key=value,key2=value2&#39; (default `[]`)</td>
</tr>
<tr>
<td><code>--tlsCertFile &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 Certificate for HTTPS. (default `/etc/certs/cert-chain.pem`)</td>
</tr>
<tr>
<td><code>--tlsKeyFile &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 private key matching --tlsCertFile. (default `/etc/certs/key.pem`)</td>
</tr>
<tr>
<td><code>--validation-port &lt;uint&gt;</code></td>
<td></td>
<td>HTTPS port of the validation service. (default `9443`)</td>
</tr>
<tr>
<td><code>--validation.tls.caCertificates &lt;string&gt;</code></td>
<td></td>
<td>File containing the caBundle that signed the cert/key specified by --validation.tls.clientCertificate and --validation.tls.privateKey. (default `/etc/certs/root-cert.pem`)</td>
</tr>
<tr>
<td><code>--validation.tls.clientCertificate &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 Certificate for HTTPS validation. (default `/etc/certs/cert-chain.pem`)</td>
</tr>
<tr>
<td><code>--validation.tls.privateKey &lt;string&gt;</code></td>
<td></td>
<td>File containing the x509 private key matching --validation.tls.clientCertificate. (default `/etc/certs/key.pem`)</td>
</tr>
<tr>
<td><code>--watchConfigFiles</code></td>
<td></td>
<td>Enable the Fsnotify for watching config source files on the disk and implicit signaling on a config change. Explicit signaling will still be enabled </td>
</tr>
<tr>
<td><code>--webhook-name &lt;string&gt;</code></td>
<td></td>
<td>Name of the k8s validatingwebhookconfiguration (default `istio-galley`)</td>
</tr>
</tbody>
</table>
<p/>Accepts deep config files, like:
<pre class="language-yaml"><code>general:
introspection:
address: --ctrlz_address
port: --ctrlz_port
kubeconfig: --kubeconfig
processing:
domainsuffix: --domain
server:
address: --server-address
auth:
insecure: --insecure
enable: --enable-server
validation:
deploymentname: --deployment-name
deploymentnamespace: --deployment-namespace
enable: --enable-validation
servicename: --service-name
tls:
caCertificates: --validation.tls.caCertificates
clientCertificate: --validation.tls.clientCertificate
privateKey: --validation.tls.privateKey
webhookconfigfile: --validation-webhook-config-file
webhookname: --webhook-name
webhookport: --validation-port
</code></pre>
<h2 id="galley-version">galley version</h2>
<p>Prints out build version information</p>
<pre class="language-bash"><code>galley version [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--config &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Config file containing args (default ``)</td>
</tr>
<tr>
<td><code>--log_as_json</code></td>
<td></td>
<td>Whether to format output as JSON or in plain console-friendly format </td>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
<td></td>
<td>The path for the optional rotating log file (default ``)</td>
</tr>
<tr>
<td><code>--log_rotate_max_age &lt;int&gt;</code></td>
<td></td>
<td>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_backups &lt;int&gt;</code></td>
<td></td>
<td>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)</td>
</tr>
<tr>
<td><code>--log_rotate_max_size &lt;int&gt;</code></td>
<td></td>
<td>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)</td>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--output &lt;string&gt;</code></td>
<td><code>-o</code></td>
<td>One of &#39;yaml&#39; or &#39;json&#39;. (default ``)</td>
</tr>
<tr>
<td><code>--short</code></td>
<td><code>-s</code></td>
<td>Use --short=false to generate full version information </td>
</tr>
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>galley</code> command.
<table class="envvars">
<thead>
<tr>
<th>Variable Name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>AUTHZ_FAILURE_LOG_BURST_SIZE</code></td>
<td>Integer</td>
<td><code>1</code></td>
<td></td>
</tr>
<tr>
<td><code>AUTHZ_FAILURE_LOG_FREQ</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>MCP_SOURCE_REQ_BURST_SIZE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td></td>
</tr>
<tr>
<td><code>MCP_SOURCE_REQ_FREQ</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td></td>
</tr>
<tr>
<td><code>SOURCE_SERVER_STREAM_BURST_SIZE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td></td>
</tr>
<tr>
<td><code>SOURCE_SERVER_STREAM_FREQ</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>galley_runtime_processor_event_span_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration between each incoming event</td></tr>
<tr><td><code>galley_runtime_processor_events_processed_total</code></td><td><code>Count</code></td><td>The number of events that have been processed</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_events_total</code></td><td><code>Distribution</code></td><td>The number of events per snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_lifetime_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration of each snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshots_published_total</code></td><td><code>Count</code></td><td>The number of snapshots that have been published</td></tr>
<tr><td><code>galley_runtime_state_type_instances_total</code></td><td><code>LastValue</code></td><td>The number of type instances per type URL</td></tr>
<tr><td><code>galley_runtime_strategy_on_change_total</code></td><td><code>Count</code></td><td>The number of times the strategy's onChange has been called</td></tr>
<tr><td><code>galley_runtime_strategy_timer_max_time_reached_total</code></td><td><code>Count</code></td><td>The number of times the max time has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_quiesce_reached_total</code></td><td><code>Count</code></td><td>The number of times a quiesce has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_resets_total</code></td><td><code>Count</code></td><td>The number of times the timer has been reset</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_failure_total</code></td><td><code>Count</code></td><td>The number of times a dynamnic kubernetes source failed converting a resources</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_success_total</code></td><td><code>Count</code></td><td>The number of times a dynamic kubernetes source successfully converted a resource</td></tr>
<tr><td><code>galley_source_kube_event_error_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source encountered errored while handling an event</td></tr>
<tr><td><code>galley_source_kube_event_success_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source successfully handled an event</td></tr>
<tr><td><code>galley_validation_cert_key_update_errors</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates errors</td></tr>
<tr><td><code>galley_validation_cert_key_updates</code></td><td><code>Count</code></td><td>Galley validation webhook certificate updates</td></tr>
<tr><td><code>galley_validation_config_delete_error</code></td><td><code>Count</code></td><td>k8s webhook configuration delete error</td></tr>
<tr><td><code>galley_validation_config_load</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)loads</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Count</code></td><td>k8s webhook configuration update error</td></tr>
<tr><td><code>galley_validation_config_updates</code></td><td><code>Count</code></td><td>k8s webhook configuration updates</td></tr>
<tr><td><code>galley_validation_failed</code></td><td><code>Count</code></td><td>Resource validation failed</td></tr>
<tr><td><code>galley_validation_http_error</code></td><td><code>Count</code></td><td>Resource validation http serve errors</td></tr>
<tr><td><code>galley_validation_passed</code></td><td><code>Count</code></td><td>Resource is valid</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>istio_mcp_clients_total</code></td><td><code>LastValue</code></td><td>The number of streams currently connected.</td></tr>
<tr><td><code>istio_mcp_message_sizes_bytes</code></td><td><code>Distribution</code></td><td>Size of messages received from clients.</td></tr>
<tr><td><code>istio_mcp_reconnections</code></td><td><code>Sum</code></td><td>The number of times the sink has reconnected.</td></tr>
<tr><td><code>istio_mcp_recv_failures_total</code></td><td><code>Sum</code></td><td>The number of recv failures in the source.</td></tr>
<tr><td><code>istio_mcp_request_acks_total</code></td><td><code>Sum</code></td><td>The number of request acks received by the source.</td></tr>
<tr><td><code>istio_mcp_request_nacks_total</code></td><td><code>Sum</code></td><td>The number of request nacks received by the source.</td></tr>
<tr><td><code>istio_mcp_send_failures_total</code></td><td><code>Sum</code></td><td>The number of send failures in the source.</td></tr>
</tbody>
</table>
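Review bot: this hunk (@ -1,609 +0,0) deletes the whole galley reference page, and with it the documentation of the component's security-relevant settings: `--insecure` (plaintext gRPC), `--accessListFile` (the allowed mTLS peer ids), the `--tlsCertFile`/`--tlsKeyFile`/`--caCertFile` and `--validation.tls.*` paths, and the exported `galley_validation_*` metrics. Since the page is auto-generated from istio/istio, confirm the deletion reflects the component being dropped from the 1.6 collateral rather than a generator omission, and consider a pointer for readers of older install guides that still mention these flags.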

@ -1132,7 +1132,6 @@ istioctl analyze -L
<h2 id="istioctl-experimental-authz">istioctl experimental authz</h2>
<p>Commands to inspect and interact with the authorization policies
check - check Envoy config dump for authorization configuration
convert - convert v1alpha1 RBAC policies to v1beta1 authorization policies
</p>
<table class="command-flags">
<thead>
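Review bot: dropping the `convert - convert v1alpha1 RBAC policies to v1beta1 authorization policies` line from the istioctl experimental authz description is consistent with the removal of the convert subcommand section further down in this commit, leaving `check` as the only subcommand listed under "Commands to inspect and interact with the authorization policies".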
@ -1169,12 +1168,6 @@ istioctl analyze -L
<pre class="language-bash"><code> # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
istioctl x authz check httpbin-88ddbcfdd-nt5jb
# Convert the v1alpha1 RBAC policies in the current cluster:
istioctl x authz convert &gt; authorization-policies.yaml
# Convert the v1alpha1 RBAC policies in the file with the given services and root namespace:
istioctl x authz convert -f rbac-policies.yaml -s my-service.yaml -r istio-system &gt; authorization-policies.yaml
</code></pre>
<h2 id="istioctl-experimental-authz-check">istioctl experimental authz check</h2>
<p>Check reads the Envoy config dump and checks the filter configuration
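Review bot: after the three convert examples are removed, the Examples block keeps the leading space before `# Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:` on its first line while the `istioctl x authz check httpbin-88ddbcfdd-nt5jb` line that follows has none, so the rendered pre block shows an indented comment above an unindented command; that should be fixed in the generator input upstream.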
@ -1234,82 +1227,6 @@ with authorization and the rules used in the authorization.</p>
# Check Envoy authorization configuration from a config dump file:
istioctl x authz check -f httpbin_config_dump.json
</code></pre>
<h2 id="istioctl-experimental-authz-convert">istioctl experimental authz convert</h2>
<p>Convert Istio v1alpha1 RBAC policy to v1beta1 authorization policy. By default,
The command talks to Istio Pilot and Kubernetes API server to get all the information
needed for the conversion, including the v1alpha1 RBAC policies in the current cluster,
the value of the root namespace and the Kubernetes services that provide the mapping from the
service name to workload selector.</p>
<p>The tool can also be used in an offline mode when specified with flag -f. In this mode,
the tool doesn&#39;t access the network and all needed information is provided
through the command line.</p>
<p>Note: The converter tool makes a best effort attempt to keep the syntax unchanged during
the conversion. However, in some cases, strict mapping with equivalent syntax is not
possible (e.g., constraints no longer supported in the new workload oriented model).</p>
<p>PLEASE ALWAYS REVIEW THE CONVERTED POLICIES BEFORE APPLYING.
</p>
<pre class="language-bash"><code>istioctl experimental authz convert [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--allowNoClusterRbacConfig</code></td>
<td></td>
<td>Continue the conversion even if there is no ClusterRbacConfig in the cluster </td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--file &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>The yaml file with v1alpha1 RBAC policies to be converted (default `[]`)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--rootNamespace &lt;string&gt;</code></td>
<td><code>-r</code></td>
<td>Override the root namespace used in the conversion (default `istio-system`)</td>
</tr>
<tr>
<td><code>--service &lt;stringSlice&gt;</code></td>
<td><code>-s</code></td>
<td>The yaml file with Kubernetes services for the mapping from the service name to workload selector, used with -f (default `[]`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-authz-convert Examples">Examples</h3>
<pre class="language-bash"><code> # Convert the v1alpha1 RBAC policy in the current cluster:
istioctl x authz convert &gt; authorization-policies.yaml
# Convert the v1alpha1 RBAC policy in the given file:
istioctl x authz convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
-s my-services.yaml -r my-root-namespace &gt; authorization-policies.yaml
</code></pre>
<h2 id="istioctl-experimental-convert-ingress">istioctl experimental convert-ingress</h2>
<p>(convert-ingress has graduated. Use `istioctl convert-ingress`)</p>
<pre class="language-bash"><code>istioctl experimental convert-ingress [flags]
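Review bot: removing the whole istioctl experimental authz convert section also removes the page's instruction to always review converted policies before applying them; if the 1.6 istioctl no longer ships the converter, the 1.6 upgrade notes should tell users who still hold v1alpha1 RBAC policies to run the conversion with an older istioctl and review the output, otherwise this change silently drops that guidance.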
@ -2165,6 +2082,70 @@ istioctl experimental post-install webhook status --validation --validation-conf
istioctl experimental post-install webhook status --validation --validation-config istio-galley
--injection --injection-config istio-sidecar-injector
</code></pre>
<h2 id="istioctl-experimental-precheck">istioctl experimental precheck</h2>
<p>
precheck inspects a Kubernetes cluster for Istio install requirements.
</p>
<pre class="language-bash"><code>istioctl experimental precheck [-f &lt;deployment or istio operator file&gt;] [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--filename &lt;stringSlice&gt;</code></td>
<td><code>-f</code></td>
<td>Istio YAML installation file. (default `[]`)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--recursive</code></td>
<td><code>-R</code></td>
<td>Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. </td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-precheck Examples">Examples</h3>
<pre class="language-bash"><code>
# Verify that Istio can be installed
istioctl experimental precheck
# Verify the deployment matches a custom Istio deployment configuration
istioctl x precheck --set profile=demo
# Verify the deployment matches the Istio Operator deployment definition
istioctl x precheck -f iop.yaml
</code></pre>
<h2 id="istioctl-experimental-remove-from-mesh">istioctl experimental remove-from-mesh</h2>
<p>Remove workloads from Istio service mesh</p>
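Review bot: the precheck example `istioctl x precheck --set profile=demo` in this hunk uses a `--set` flag that the precheck flags table directly above it does not list (only --context, --filename, --istioNamespace, --kubeconfig, --namespace, --recursive and --revision appear), so either the table is missing a flag or the example is stale; since the file is generated, the fix belongs in the istioctl source the generator reads. The heading id `istioctl-experimental-precheck Examples` also contains a space, which is not a valid id value and will break anchor links to that section.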
@ -2370,11 +2351,6 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -2453,6 +2429,11 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>wait for a specific version of config to become current, rather than using whatever is latest in kubernetes (default ``)</td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
<tr>
<td><code>--threshold &lt;float32&gt;</code></td>
<td></td>
<td>the ratio of distribution required for success (default `1`)</td>
@ -2487,6 +2468,14 @@ istioctl experimental wait --for=distribution --threshold=.99 --timeout=300 virt
</thead>
<tbody>
<tr>
<td><code>--charts &lt;string&gt;</code></td>
<td><code>-d</code></td>
<td>Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz).
(default ``)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
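Review bot: the --charts description added in this hunk still illustrates the flag with 1.5.x paths (`~/Downloads/istio-1.5.0/install/kubernetes/operator` and `.../download/1.5.1/istio-1.5.1-linux.tar.gz`) although this is the release-1.6 reference, and because the flag accepts a release tar URL fetched over the network, the description should state whether the downloaded archive is integrity-checked (checksum or signature) or whether the operator is expected to verify it before pointing the flag at it. The identical text is repeated in the other --charts hunks of this file, so one upstream fix covers all of them.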
@ -2518,11 +2507,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -2715,11 +2699,6 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -2745,6 +2724,14 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
</thead>
<tbody>
<tr>
<td><code>--charts &lt;string&gt;</code></td>
<td><code>-d</code></td>
<td>Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz).
(default ``)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -2776,11 +2763,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -2874,11 +2856,6 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -2920,6 +2897,14 @@ e.g.
</thead>
<tbody>
<tr>
<td><code>--charts &lt;string&gt;</code></td>
<td><code>-d</code></td>
<td>Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz).
(default ``)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -2951,11 +2936,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3033,11 +3013,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3083,11 +3058,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3151,6 +3121,14 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
</thead>
<tbody>
<tr>
<td><code>--charts &lt;string&gt;</code></td>
<td><code>-d</code></td>
<td>Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz).
(default ``)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -3176,11 +3154,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3216,6 +3189,14 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
</thead>
<tbody>
<tr>
<td><code>--charts &lt;string&gt;</code></td>
<td><code>-d</code></td>
<td>Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz).
(default ``)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -3246,11 +3227,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3296,6 +3272,14 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
</thead>
<tbody>
<tr>
<td><code>--charts &lt;string&gt;</code></td>
<td><code>-d</code></td>
<td>Specify a path to a directory of charts and profiles
(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator)
or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz).
(default ``)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
@ -3331,11 +3315,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3432,11 +3411,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3486,11 +3460,6 @@ istioctl manifest apply --set profile=demo # Use a profile from the list
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3518,7 +3487,7 @@ istioctl manifest apply --set profile=demo # Use a profile from the list
<tr>
<td><code>--config-path &lt;string&gt;</code></td>
<td><code>-p</code></td>
<td>The path the root of the configuration subtree to dump e.g. trafficManagement.components.pilot. By default, dump whole tree (default ``)</td>
<td>The path the root of the configuration subtree to dump e.g. components.pilot. By default, dump whole tree (default ``)</td>
</tr>
<tr>
<td><code>--context &lt;string&gt;</code></td>
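Review bot: both the old and the new --config-path description read "The path the root of the configuration subtree", dropping the word "to" ("The path to the root ..."); worth correcting at the source while the example path is being changed from `trafficManagement.components.pilot` to `components.pilot`.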
@ -3547,11 +3516,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -3602,11 +3566,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -4203,6 +4162,11 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
<tr>
<td><code>--sds</code></td>
<td><code>-s</code></td>
<td>(experimental) Retrieve synchronization between active secrets on Envoy instance with those on corresponding node agents </td>
@ -4316,11 +4280,6 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
<td></td>
<td>Send logs to stderr. </td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
@ -4424,7 +4383,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<p> If you do not specify installation file it will perform pre-check for your cluster
and report whether the cluster is ready for Istio installation.
</p>
<pre class="language-bash"><code>istioctl verify-install [flags]
<pre class="language-bash"><code>istioctl verify-install [-f &lt;deployment or istio operator file&gt;] [--revision &lt;revision&gt;] [flags]
</code></pre>
<table class="command-flags">
<thead>
@ -4470,16 +4429,24 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td><code>-R</code></td>
<td>Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. </td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-verify-install Examples">Examples</h3>
<pre class="language-bash"><code>
# Verify that Istio can be freshly installed
istioctl verify-install
# Verify the deployment matches a custom Istio deployment configuration
istioctl verify-install -f $HOME/istio.yaml
# Verify the deployment matches the Istio Operator deployment definition
istioctl verify-install --revision &lt;canary&gt;
</code></pre>
<h2 id="istioctl-version">istioctl version</h2>
<p>Prints out build version information</p>
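Review bot: in the verify-install examples added here, the comment "# Verify the deployment matches the Istio Operator deployment definition" sits above `istioctl verify-install --revision <canary>`, but that command checks a named control plane revision, not an operator definition; the `-f <deployment or istio operator file>` form from the new usage line is what the comment describes. Suggest adding an `-f iop.yaml` example under that comment and giving the --revision example its own comment such as "# Verify the install of a specific control plane revision".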
@ -4525,6 +4492,11 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl
<td>Use --remote=false to suppress control plane check </td>
</tr>
<tr>
<td><code>--revision &lt;string&gt;</code></td>
<td></td>
<td>control plane revision (default ``)</td>
</tr>
<tr>
<td><code>--short</code></td>
<td><code>-s</code></td>
<td>Use --short=false to generate full version information </td>
@ -4550,6 +4522,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>Whether or not to validate SANs for out-of-process adapters auth.</td>
</tr>
<tr>
<td><code>CENTRAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, one Istiod will control remote clusters including CA.</td>
</tr>
<tr>
<td><code>CLUSTER_ID</code></td>
<td>String</td>
<td><code>Kubernetes</code></td>
@ -4604,6 +4582,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>Selects the attribute expression language runtime for Mixer.</td>
</tr>
<tr>
<td><code>ISTIO_PROMETHEUS_ANNOTATIONS</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
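Review bot: the new ISTIO_PROMETHEUS_ANNOTATIONS row has an empty description cell and an empty default, while every other variable in this table explains what it controls; add a one-line description upstream where the variable is registered so the generated table is not blank.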
@ -4622,12 +4606,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>namespace that nodeagent/citadel run in</td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
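Review bot: this hunk drops PILOT_BLOCK_HTTP_ON_443 from the istioctl environment-variable table, and the later metrics hunk drops the matching `pilot_conflict_outbound_listener_http_over_https` counter. The removed description said that with the block disabled "any HTTP service on port 443 could block all external traffic", so taking the switch away is a behaviour change for anyone who set it; please confirm the 1.6 release notes state what now happens to an HTTP service declared on port 443, since this generated page offers no replacement setting.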
@ -4706,6 +4684,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_INCREMENTAL_MCP</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
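Review bot: the PILOT_ENABLE_INCREMENTAL_MCP description added here is a run-on ("... to true, and then galley may push data incrementally, it depends on whether the resource supports incremental") and leaves unclear which side decides. Suggest at the source: "If enabled, Pilot sets the incremental flag on the MCP controller options so that the MCP source may push data incrementally, for resource types that support it. Default false."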
@ -4730,6 +4714,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -4742,6 +4732,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -4790,6 +4786,18 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy</td>
</tr>
<tr>
<td><code>PILOT_STATUS_BURST</code></td>
<td>Integer</td>
<td><code>500</code></td>
<td>If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst</td>
</tr>
<tr>
<td><code>PILOT_STATUS_QPS</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS</td>
</tr>
<tr>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
@ -4887,7 +4895,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<tr><td><code>outgoing_latency</code></td><td><code>Sum</code></td><td>The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_https</code></td><td><code>LastValue</code></td><td>Number of conflicting HTTP listeners with well known HTTPS ports</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>

View File

@ -347,23 +347,275 @@ These environment variables affect the behavior of the <code>mixs</code> command
<td>Whether or not to validate SANs for out-of-process adapters auth.</td>
</tr>
<tr>
<td><code>CENTRAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, one Istiod will control remote clusters including CA.</td>
</tr>
<tr>
<td><code>CLUSTER_ID</code></td>
<td>String</td>
<td><code>Kubernetes</code></td>
<td>Defines the cluster and service registry that this Istiod instance is belongs to</td>
</tr>
<tr>
<td><code>ISTIOD_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
<td>Sets the max receive buffer size of gRPC stream in bytes.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>ISTIO_LANG</code></td>
<td>String</td>
<td><code></code></td>
<td>Selects the attribute expression language runtime for Mixer.</td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>KUBECONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>Path for a kubeconfig file.</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_CERT_PROVIDER</code></td>
<td>String</td>
<td><code>istiod</code></td>
<td>the provider of Pilot DNS certificate.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
<td>The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we&#39;ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_MAX</code></td>
<td>Time Duration</td>
<td><code>10s</code></td>
<td>The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we&#39;ll trigger a push.</td>
</tr>
<tr>
<td><code>PILOT_DEBUG_ADSZ_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISTRIBUTION_HISTORY_RETENTION</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td>If enabled, Pilot will keep track of old versions of distributed config for this duration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLED_SERVICE_APIS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ANALYSIS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CRD_VALIDATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_DEBOUNCE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_INCREMENTAL_MCP</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_REDIS_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_THRIFT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INITIAL_FETCH_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.</td>
</tr>
<tr>
<td><code>PILOT_PUSH_THROTTLE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_GATEWAY_TO_NAMESPACE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy</td>
</tr>
<tr>
<td><code>PILOT_STATUS_BURST</code></td>
<td>Integer</td>
<td><code>500</code></td>
<td>If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst</td>
</tr>
<tr>
<td><code>PILOT_STATUS_QPS</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS</td>
</tr>
<tr>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>PILOT_USE_ENDPOINT_SLICE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used</td>
</tr>
<tr>
<td><code>POD_NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
<td>Namespace for the Mixer pod (Downward API).</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
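Review bot: this hunk appends Istiod/Pilot configuration variables (CENTRAL_ISTIOD, PILOT_DEBOUNCE_*, PILOT_ENABLE_*, PILOT_STATUS_*, and TERMINATION_DRAIN_DURATION_SECONDS, whose own text describes pilot-agent shutdown) to the `mixs` environment-variable table, which tells a Mixer operator that these settings affect `mixs` when their descriptions say they act on Pilot. The generator appears to be collecting every variable registered in packages `mixs` links against rather than the ones it reads; worth confirming upstream before publishing, since the same table is appended to the operator page later in this diff. Separately, typos to fix at the source: "is belongs to" (CLUSTER_ID), "this internal" for "this interval" (PILOT_DEBOUNCE_AFTER), the missing space in "kubernetes cache.Use" (PILOT_ENABLE_CRD_VALIDATION), and "mutual exclusive" (PILOT_USE_ENDPOINT_SLICE).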

View File

@ -40,10 +40,6 @@ remove_toc_prefix: 'operator '
</thead>
<tbody>
<tr>
<td><code>--base-chart-path &lt;string&gt;</code></td>
<td>The absolute path to a directory containing nested charts, e.g. /etc/istio-operator/helm. This will be used as the base path for any IstioOperator instances specifying a relative ChartPath. (default ``)</td>
</tr>
<tr>
<td><code>--ctrlz_address &lt;string&gt;</code></td>
<td>The IP Address to listen on for the ControlZ introspection facility. Use &#39;*&#39; to indicate all addresses. (default `localhost`)</td>
</tr>
@ -52,10 +48,6 @@ remove_toc_prefix: 'operator '
<td>The IP port to use for the ControlZ introspection facility (default `9876`)</td>
</tr>
<tr>
<td><code>--default-chart-path &lt;string&gt;</code></td>
<td>A path relative to base-chart-path containing charts to be used when no ChartPath is specified by an IstioOperator resource, e.g. 1.1.0/istio (default ``)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)</td>
</tr>
@ -65,11 +57,11 @@ remove_toc_prefix: 'operator '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, installer, patch, tpath, translator, util, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, default, installer, model, patch, tpath, translator, util, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, default, installer, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authorization, default, installer, model, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
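Review bot: `authorization` and `model` are added to the scope lists of `--log_caller` and `--log_output_level` for the operator command, and the same two scopes appear in the pilot-agent lists later in this diff; worth confirming that the operator process actually logs through them rather than the scopes being registered by a transitively imported package, otherwise the generated help text advertises scopes that never emit anything. Either way this is an artifact of the 1.6 source and cannot be hand-edited in this file.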
@ -89,7 +81,7 @@ remove_toc_prefix: 'operator '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, default, installer, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authorization, default, installer, model, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
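Review bot: the form string in the `--log_stacktrace_level` description reads `<scope>:<level>,<scope:level>,...`; the second element puts the angle brackets around the whole pair instead of around `scope` and `level` separately (compare `--log_output_level` above, which has it right). The same text repeats in every `--log_stacktrace_level` row of the pilot-agent file below, so it should be fixed once in the shared log option help text in the istio source.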
@ -136,12 +128,293 @@ remove_toc_prefix: 'operator '
</tr>
</tbody>
</table>
<h2 id="envvars">Environment variables</h2>
These environment variables affect the behavior of the <code>operator</code> command.
<table class="envvars">
<thead>
<tr>
<th>Variable Name</th>
<th>Type</th>
<th>Default Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>CENTRAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, one Istiod will control remote clusters including CA.</td>
</tr>
<tr>
<td><code>CLUSTER_ID</code></td>
<td>String</td>
<td><code>Kubernetes</code></td>
<td>Defines the cluster and service registry that this Istiod instance is belongs to</td>
</tr>
<tr>
<td><code>ISTIOD_ADDR</code></td>
<td>String</td>
<td><code></code></td>
<td>Service name of istiod. If empty the istiod listener, certs will be disabled.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXRECVMSGSIZE</code></td>
<td>Integer</td>
<td><code>4194304</code></td>
<td>Sets the max receive buffer size of gRPC stream in bytes.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_CERT_PROVIDER</code></td>
<td>String</td>
<td><code>istiod</code></td>
<td>the provider of Pilot DNS certificate.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
<td>The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we&#39;ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_MAX</code></td>
<td>Time Duration</td>
<td><code>10s</code></td>
<td>The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we&#39;ll trigger a push.</td>
</tr>
<tr>
<td><code>PILOT_DEBUG_ADSZ_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISTRIBUTION_HISTORY_RETENTION</code></td>
<td>Time Duration</td>
<td><code>1m0s</code></td>
<td>If enabled, Pilot will keep track of old versions of distributed config for this duration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLED_SERVICE_APIS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ANALYSIS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_CRD_VALIDATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_DEBOUNCE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_INCREMENTAL_MCP</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_REDIS_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_THRIFT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INITIAL_FETCH_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.</td>
</tr>
<tr>
<td><code>PILOT_PUSH_THROTTLE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_GATEWAY_TO_NAMESPACE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy</td>
</tr>
<tr>
<td><code>PILOT_STATUS_BURST</code></td>
<td>Integer</td>
<td><code>500</code></td>
<td>If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst</td>
</tr>
<tr>
<td><code>PILOT_STATUS_QPS</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS</td>
</tr>
<tr>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>PILOT_USE_ENDPOINT_SLICE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
<table class="metrics">
<thead>
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
</tbody>
</table>
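Review bot: the Environment variables and Exported metrics sections added in this hunk are almost entirely Pilot/istiod settings and `pilot_*` metrics rather than operator ones (for example `PILOT_DEBOUNCE_AFTER`, `PILOT_PUSH_THROTTLE`, and `TERMINATION_DRAIN_DURATION_SECONDS`, whose description talks about pilot-agent shutdown), which suggests the generator picked them up from packages the operator binary links in; consider filtering them or stating on the page that they only take effect in istiod. Within the text itself: `PILOT_ENABLE_CRD_VALIDATION` still recommends itself for "deployments that do not have galley installed" although this commit removes galley; `PILOT_CERT_DIR`, `PILOT_DEBUG_ADSZ_CONFIG` and `PILOT_FILTER_GATEWAY_CLUSTER_CONFIG` have empty description cells; and "is belongs to" (`CLUSTER_ID`), "this internal" for "this interval" (`PILOT_DEBOUNCE_AFTER`), "mutual exclusive" (`PILOT_USE_ENDPOINT_SLICE`) and "successfully network fetch" (`pilot_jwks_resolver_network_fetch_success_total`) need fixing in the istio/istio env and metric registrations, since this file is generated.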

View File

@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
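Review bot: the `authn` scope is removed from the `--log_caller` and `--log_output_level` lists here, and the same removal repeats in every pilot-agent subcommand below, so any deployment that still sets `authn:<level>` in these flags now names a scope the command no longer lists; a line in the 1.6 upgrade notes would save users a surprise at startup.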
@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -81,12 +81,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -111,7 +111,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -206,12 +206,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -236,7 +236,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -313,11 +313,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -337,7 +337,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -345,7 +345,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--meshConfig &lt;string&gt;</code></td>
<td>File name for Istio mesh configuration. If not specified, a default mesh will be used. MESH_CONFIG environment variable takes precedence. (default `/etc/istio/config/mesh`)</td>
<td>File name for Istio mesh configuration. If not specified, a default mesh will be used. This may be overridden by PROXY_CONFIG environment variable or istio.io/proxyConfig annotation. (default `./etc/istio/config/mesh`)</td>
</tr>
<tr>
<td><code>--mixerIdentity &lt;string&gt;</code></td>
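Review bot: the new default for `--meshConfig`, `./etc/istio/config/mesh`, is a relative path (the old default was the absolute `/etc/istio/config/mesh`), so where the agent looks for mesh configuration now depends on its working directory; check whether the leading `./` is intended in the 1.6 source or a stray character. The description also replaces "MESH_CONFIG environment variable takes precedence" with PROXY_CONFIG and the `istio.io/proxyConfig` annotation, so make sure the `MESH_CONFIG` row in the environment table further down in this file goes with it rather than documenting an override that no longer applies.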
@ -411,11 +411,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -435,7 +435,7 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -464,12 +464,12 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -494,7 +494,7 @@ remove_toc_prefix: 'pilot-agent '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -538,12 +538,42 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>CENTRAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, one Istiod will control remote clusters including CA.</td>
</tr>
<tr>
<td><code>CLUSTER_ID</code></td>
<td>String</td>
<td><code>Kubernetes</code></td>
<td>Defines the cluster and service registry that this Istiod instance is belongs to</td>
</tr>
<tr>
<td><code>DNS_ADDR</code></td>
<td>String</td>
<td><code>:15053</code></td>
<td>DNS listen address</td>
</tr>
<tr>
<td><code>DNS_AGENT</code></td>
<td>String</td>
<td><code></code></td>
<td>DNS-over-TLS upstream server</td>
</tr>
<tr>
<td><code>DNS_CAPTURE</code></td>
<td>String</td>
<td><code></code></td>
<td>If set, enable the capture of outgoing DNS packets on port 53, redirecting to :15013</td>
</tr>
<tr>
<td><code>DNS_SERVER</code></td>
<td>String</td>
<td><code></code></td>
<td>Protocol and DNS server to use. Currently only tcp-tls: is supported.</td>
</tr>
<tr>
<td><code>ENABLE_INGRESS_GATEWAY_SDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
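Review bot: the `DNS_CAPTURE` description says captured port 53 traffic is redirected to `:15013`, while `DNS_ADDR` a few rows up defaults the DNS listener to `:15053`; one of the two ports looks wrong and should be checked against the source before this ships. The `DNS_AGENT` and `DNS_SERVER` rows also do not say what value format is expected (the `DNS_SERVER` text mentions a `tcp-tls:` prefix but gives no example), and the `CLUSTER_ID` text reads "this Istiod instance is belongs to", which should be "belongs to". All of these are source-side fixes in the env var descriptions in istio/istio.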
@ -640,18 +670,18 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td></td>
</tr>
<tr>
<td><code>ISTIO_PROMETHEUS_ANNOTATIONS</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
<td>The JWT validation policy.</td>
</tr>
<tr>
<td><code>MESH_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>The mesh configuration</td>
</tr>
<tr>
<td><code>NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
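Review bot: `ISTIO_PROMETHEUS_ANNOTATIONS` lands with an empty description in this hunk (and again in the pilot-discovery table further down), so readers get a variable name with no meaning; it needs a one-line description at the source. The `JWT_POLICY` row says only "The JWT validation policy." and names the default `third-party-jwt` without listing the other accepted value or what the choice changes about how the proxy authenticates to the control plane, which is the detail an operator hardening the mesh would need.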
@ -664,12 +694,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>The output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates.</td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
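Review bot: `PILOT_BLOCK_HTTP_ON_443` is removed here, and its own description shows it was a protective default (block HTTP services on the HTTPS port; disabling it "could block all external traffic"), but the hunk gives no hint whether that protection is now unconditional or gone entirely. The upgrade notes should state which it is, and that an explicit `PILOT_BLOCK_HTTP_ON_443=false` set by an operator is now ignored; the companion metric `pilot_conflict_outbound_listener_http_over_https` disappears in the metrics hunk below in this same file, which points the same way.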
@ -748,6 +772,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_INCREMENTAL_MCP</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
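Review bot: the `PILOT_ENABLE_INCREMENTAL_MCP` description is a run-on that is hard to parse ("...and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false."). Suggested source-side wording: "If enabled, Pilot sets the incremental flag in the MCP controller options, so Galley may push data incrementally for resource types that support it." The trailing "By default, this is false." duplicates the default column and can go.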
@ -772,6 +802,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -784,6 +820,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
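Review bot: the `PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE` description is ambiguous about what "will be ignored" applies to: the whole VirtualService that contains a delegate, or only the delegate reference within it. That distinction matters for anyone relying on the routing rules in such a resource, so the source text should say which, and "virtualService" should be written "VirtualService" to match the resource name used elsewhere in these docs.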
@ -832,6 +874,18 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy</td>
</tr>
<tr>
<td><code>PILOT_STATUS_BURST</code></td>
<td>Integer</td>
<td><code>500</code></td>
<td>If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst</td>
</tr>
<tr>
<td><code>PILOT_STATUS_QPS</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS</td>
</tr>
<tr>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
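Review bot: the `PILOT_STATUS_BURST` and `PILOT_STATUS_QPS` descriptions say "If status is enabled" without naming the switch; they should reference `PILOT_ENABLE_STATUS`, which is added in the hunk above and is what turns on the CRD status writes these limits govern. A reviewer question for the source change rather than this page: writing the Status field of every Istio resource requires istiod's role to allow updates on those resources' status, so the documented ClusterRole should be checked to match before this feature is enabled by anyone.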
@ -874,6 +928,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>Set to a directory containing provisioned certs, for VMs</td>
</tr>
<tr>
<td><code>PROXY_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>The proxy configuration. This will be set by the injection - gateways will use file mounts.</td>
</tr>
<tr>
<td><code>SECRET_GRACE_PERIOD_RATIO</code></td>
<td>Floating-Point</td>
<td><code>0.5</code></td>
@ -931,7 +991,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tr><td><code>outgoing_latency</code></td><td><code>Sum</code></td><td>The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_https</code></td><td><code>LastValue</code></td><td>Number of conflicting HTTP listeners with well known HTTPS ports</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
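Review bot: removing the `pilot_conflict_outbound_listener_http_over_https` metric will silently empty any dashboard panel or alert rule keyed on it; since it goes together with the `PILOT_BLOCK_HTTP_ON_443` removal above, one release-note entry should cover both so operators know to drop the rule rather than investigate a flat line.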
@ -944,6 +1003,10 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
<tr><td><code>sidecar_injection_failure_total</code></td><td><code>Sum</code></td><td>Total number of failed Side car injection requests.</td></tr>
<tr><td><code>sidecar_injection_requests_total</code></td><td><code>Sum</code></td><td>Total number of Side car injection requests.</td></tr>
<tr><td><code>sidecar_injection_skip_total</code></td><td><code>Sum</code></td><td>Total number of skipped injection requests.</td></tr>
<tr><td><code>sidecar_injection_success_total</code></td><td><code>Sum</code></td><td>Total number of successful Side car injection requests.</td></tr>
<tr><td><code>total_active_connections</code></td><td><code>Sum</code></td><td>The total number of active SDS connections.</td></tr>
<tr><td><code>total_push_errors</code></td><td><code>Sum</code></td><td>The total number of failed SDS pushes.</td></tr>
<tr><td><code>total_pushes</code></td><td><code>Sum</code></td><td>The total number of SDS pushes.</td></tr>
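Review bot: the three new `sidecar_injection_*` descriptions spell "Side car" as two words while the metric names use "sidecar"; the source descriptions should use "sidecar" consistently. Worth saying somewhere near these metrics: `sidecar_injection_failure_total` and `sidecar_injection_skip_total` are the counters to alert on, since a pod whose injection failed or was skipped is running without the proxy that the mesh's policies are applied through.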
@ -43,11 +43,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -67,7 +67,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -94,6 +94,11 @@ remove_toc_prefix: 'pilot-discovery '
<td>Restrict the applications namespace the controller manages; if not set, controller watches all namespaces (default ``)</td>
</tr>
<tr>
<td><code>--clusterID &lt;string&gt;</code></td>
<td></td>
<td>The ID of the cluster that this Istiod instance resides (default `Kubernetes`)</td>
</tr>
<tr>
<td><code>--clusterRegistriesNamespace &lt;string&gt;</code></td>
<td></td>
<td>Namespace for ConfigMap which stores clusters configs (default `istio-system`)</td>
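Review bot: the new `--clusterID` flag text reads "The ID of the cluster that this Istiod instance resides" and should end "resides in". It also overlaps with the `CLUSTER_ID` environment variable added in the pilot-agent table above, which carries the same default `Kubernetes`; the description should say which wins when both are set, or that the flag simply sets the variable.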
@ -166,12 +171,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -196,7 +201,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -303,11 +308,11 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -327,7 +332,7 @@ remove_toc_prefix: 'pilot-discovery '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -381,12 +386,12 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -411,7 +416,7 @@ remove_toc_prefix: 'pilot-discovery '
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -467,6 +472,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Whether or not to validate SANs for out-of-process adapters auth.</td>
</tr>
<tr>
<td><code>CENTRAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, one Istiod will control remote clusters including CA.</td>
</tr>
<tr>
<td><code>CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR</code></td>
<td>Boolean</td>
<td><code>true</code></td>
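Review bot: the `CENTRAL_ISTIOD` description ("one Istiod will control remote clusters including CA") is too vague for a setting that moves a trust boundary. "Including CA" should spell out whether the central istiod issues workload certificates for the remote clusters, which would mean those clusters must trust its signing root and route their CSRs to it; that is the detail someone evaluating a multi-cluster rollout needs from this row. The same text appears in the pilot-agent table above and should be fixed in one place at the source.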
@ -503,6 +514,30 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>The default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR.</td>
</tr>
<tr>
<td><code>DNS_ADDR</code></td>
<td>String</td>
<td><code>:15053</code></td>
<td>DNS listen address</td>
</tr>
<tr>
<td><code>DNS_AGENT</code></td>
<td>String</td>
<td><code></code></td>
<td>DNS-over-TLS upstream server</td>
</tr>
<tr>
<td><code>DNS_SERVER</code></td>
<td>String</td>
<td><code></code></td>
<td>Protocol and DNS server to use. Currently only tcp-tls: is supported.</td>
</tr>
<tr>
<td><code>ENABLE_INCREMENTAL_MCP</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>INJECTION_WEBHOOK_CONFIG_NAME</code></td>
<td>String</td>
<td><code>istio-sidecar-injector</code></td>
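Review bot: `ENABLE_INCREMENTAL_MCP` is added here with an empty description, and `PILOT_ENABLE_INCREMENTAL_MCP`, with a description, is added later in this same table. If the two are distinct settings the difference should be documented; if one is a leftover of a rename it should be dropped at the source so readers do not try to set both.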
@ -539,6 +574,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Selects the attribute expression language runtime for Mixer.</td>
</tr>
<tr>
<td><code>ISTIO_PROMETHEUS_ANNOTATIONS</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>JWT_POLICY</code></td>
<td>String</td>
<td><code>third-party-jwt</code></td>
@ -557,12 +598,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Kuberenetes service host, set automatically when running in-cluster</td>
</tr>
<tr>
<td><code>MASTER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable master election</td>
</tr>
<tr>
<td><code>MAX_WORKLOAD_CERT_TTL</code></td>
<td>Time Duration</td>
<td><code>2160h0m0s</code></td>
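Review bot: `MASTER_ELECTION` is removed with no replacement visible in the diff, so anyone running multiple istiod replicas cannot tell from this page whether leader election is now always on or has been dropped; an upgrade-note line stating which, and that an explicit `MASTER_ELECTION=false` is now ignored, would avoid surprises in HA deployments.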
@ -581,12 +616,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>PILOT_BLOCK_HTTP_ON_443</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
@ -665,6 +694,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_INCREMENTAL_MCP</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -689,6 +724,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_STATUS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_TCP_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -701,6 +742,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored</td>
</tr>
<tr>
<td><code>PILOT_FILTER_GATEWAY_CLUSTER_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -749,6 +796,18 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy</td>
</tr>
<tr>
<td><code>PILOT_STATUS_BURST</code></td>
<td>Integer</td>
<td><code>500</code></td>
<td>If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst</td>
</tr>
<tr>
<td><code>PILOT_STATUS_QPS</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS</td>
</tr>
<tr>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
@ -895,7 +954,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>mixer_runtime_dispatches_total</code></td><td><code>Count</code></td><td>Total number of adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_https</code></td><td><code>LastValue</code></td><td>Number of conflicting HTTP listeners with well known HTTPS ports</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
@ -139,6 +139,16 @@ Istio supports to control its behavior.
<tr>
<td><code>prometheus.istio.io/merge-metrics</code></td>
<td>[Pod]</td>
<td>Specifies if application Prometheus metric will be merged with Envoy metrics for this workload.</td>
</tr>
<tr>
<td><code>readiness.status.sidecar.istio.io/applicationPorts</code></td>
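Review bot: the `prometheus.istio.io/merge-metrics` description says "application Prometheus metric will be merged" (should be "metrics") and, unlike the other annotation rows on this page, does not state the accepted values or the default, so a reader cannot tell whether merging is on unless opted out or off unless opted in. Since this table is generated, the values and default should be added to the annotation definition in istio/istio.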
@ -0,0 +1,281 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
source_repo: https://github.com/istio/proxy
title: AttributeGen Config
description: Configuration for Attribute Generation plugin.
location: https://istio.io/docs/reference/config/attributegen.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.attributegen
weight: 20
number_of_entries: 3
---
<p>AttributeGen plugin uses <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter#condition">builtin attributes</a>
as inputs and produces new attributes that can be used by downstream plugins.</p>
<p>The following is an example of a configuration that produces one attribute
named <code>istio.operationId</code> using <code>request.url_path</code> and <code>request.method</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">{
&quot;attributes&quot;: [
{
&quot;output_attribute&quot;: &quot;istio.operationId&quot;,
&quot;match&quot;: [
{
&quot;value&quot;: &quot;ListBooks&quot;,
&quot;condition&quot;: &quot;request.url_path == '/books' &amp;&amp; request.method ==
'GET'&quot;
},
{
&quot;value&quot;: &quot;GetBook&quot;,
&quot;condition&quot;:
&quot;request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
&amp;&amp; request.method == 'GET'&quot;
},
{
&quot;value&quot;: &quot;CreateBook&quot;,
&quot;condition&quot;: &quot;request.url_path == '/books/' &amp;&amp; request.method ==
'POST'&quot;
}
]
}
]
}
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>If the Stats plugin runs after AttributeGen, it can use <code>istio.operationId</code>
to populate a dimension on a metric.</p>
<p>The following is an example of response codes being mapped into a smaller
number of response classes as the <code>istio.responseClass</code> attribute. For
example, all response codes in 200s are mapped to <code>2xx</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">{
&quot;attributes&quot;: [
{
&quot;output_attribute&quot;: &quot;istio.responseClass&quot;,
&quot;match&quot;: [
{
&quot;value&quot;: &quot;2xx&quot;,
&quot;condition&quot;: &quot;response.code &gt;= 200 &amp;&amp; response.code &lt;= 299&quot;
},
{
&quot;value&quot;: &quot;3xx&quot;,
&quot;condition&quot;: &quot;response.code &gt;= 300 &amp;&amp; response.code &lt;= 399&quot;
},
{
&quot;value&quot;: &quot;404&quot;,
&quot;condition&quot;: &quot;response.code == 404&quot;
},
{
&quot;value&quot;: &quot;429&quot;,
&quot;condition&quot;: &quot;response.code == 429&quot;
},
{
&quot;value&quot;: &quot;503&quot;,
&quot;condition&quot;: &quot;response.code == 503&quot;
},
{
&quot;value&quot;: &quot;5xx&quot;,
&quot;condition&quot;: &quot;response.code &gt;= 500 &amp;&amp; response.code &lt;= 599&quot;
},
{
&quot;value&quot;: &quot;4xx&quot;,
&quot;condition&quot;: &quot;response.code &gt;= 400 &amp;&amp; response.code &lt;= 499&quot;
}
]
}
]
}
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>If multiple AttributeGene configurations produce the same attribute, the
result of the last configuration will be visible to downstream filters.</p>
<h2 id="PluginConfig">PluginConfig</h2>
<section>
<p>Top level configuration to generate new attributes based on attributes of the
proxied traffic.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PluginConfig-debug">
<td><code>debug</code></td>
<td><code>bool</code></td>
<td>
<p>The following settings should be rarely used.
Enable debug for this filter.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-attributes">
<td><code>attributes</code></td>
<td><code><a href="#AttributeGeneration">AttributeGeneration[]</a></code></td>
<td>
<p>Multiple independent attribute generation configurations.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AttributeGeneration">AttributeGeneration</h2>
<section>
<p>AttributeGeneration define generation of one attribute.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AttributeGeneration-output_attribute">
<td><code>outputAttribute</code></td>
<td><code>string</code></td>
<td>
<p>The name of the attribute that is populated on a successful match.</p>
<p>Example: <code>istio.operationId</code></p>
<p><code>istio.</code> attribute namespace is reserved by Istio.</p>
<p>AttributeGeneration may fail to evaluate when an attribute is not
available. For example, <code>response.code</code> may not be available when a request
ends abruptly. When attribute generation fails, it will not populate the
attribute.</p>
<p>If the generated attribute is used by an authz plugin, it should account
for the possibility that the attribute may be missing. Use
<code>has(attribute_name)</code> function to check for presence of an attribute before
using its value, and provide appropriate defaults. For example the
following is a safe use of <code>response.code</code></p>
<p><code>has(response.code)?response.code:200</code></p>
</td>
<td>
No
</td>
</tr>
<tr id="AttributeGeneration-match">
<td><code>match</code></td>
<td><code><a href="#Match">Match[]</a></code></td>
<td>
<p>Matches are evaluated in order until the first successful match.
The value specified by the successful match is assgined to the
output_attribute.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Match">Match</h2>
<section>
<p>If the condition evaluates to true then the Match returns the specified
value.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Match-condition">
<td><code>condition</code></td>
<td><code>string</code></td>
<td>
<p>The condition is a <a href="https://github.com/google/cel-spec/blob/master/doc/langdef.md">CEL
expression</a>
that may use <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter#condition">builtin attributes</a>.</p>
<p>Example:</p>
<p>{{<tabset category-name="example">}}
{{<tab name="attribute-match" >}}</p>
<pre><code class="language-yaml"> {
&quot;value&quot;: &quot;GetBook&quot;,
&quot;condition&quot;:
&quot;request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
&amp;&amp; request.method == 'GET'&quot;
},
</code></pre>
<p>Note: CEL uses <a href="https://github.com/google/re2/wiki/Syntax">re2</a> regex
library. Use anchors <code>{^, $}</code> to ensure that the regex evaluates
efficiently.</p>
<p>Note: <code>request.url_path</code> is normalized and stripped of query params.</p>
<p>a Read only operation on books</p>
<pre><code class="language-yaml">{ &quot;value&quot;: &quot;ReadOnlyBooks&quot;,
&quot;condition&quot;: &quot;request.url_path.startsWith('/books/') &amp;&amp;
in(request.method, ['GET', 'HEAD'])&quot;}
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>An empty condition evaluates to <code>true</code> and should be used to provide a
default value.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Match-value">
<td><code>value</code></td>
<td><code>string</code></td>
<td>
<p>If condition evaluates to true, return the <code>value</code>.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
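Review bot: the default in `has(response.code)?response.code:200` (in the `outputAttribute` description) treats a missing response code as a 200, and the surrounding sentence presents it as "a safe use" for an authz plugin; whether a success default is safe depends entirely on the policy consuming the attribute, so the doc should say that defaults for authz inputs should be chosen to fail closed, or drop the word "safe". Several typos in this generated text also need fixing in the upstream proto comments: "AttributeGene configurations" (AttributeGen), "AttributeGeneration define generation" (defines), "assgined", and the dangling fragment "a Read only operation on books" before the second `Match` example; the fenced examples are tagged `language-yaml` but are JSON.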


@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
number_of_entries: 24
number_of_entries: 25
---
<p>Configuration affecting the service mesh as a whole.</p>
@ -64,6 +64,19 @@ No
<td>
<p>Use a Stackdriver tracer.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Tracing-tls_settings">
<td><code>tlsSettings</code></td>
<td><code><a href="/docs/reference/config/networking/destination-rule.html#ClientTLSSettings">ClientTLSSettings</a></code></td>
<td>
<p>Use the tls_settings to specify the tls mode to use. If the remote tracing service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p>
</td>
<td>
No
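Review bot: the `tlsSettings` description covers only the `ISTIO_MUTUAL` case and does not say what happens when the field is omitted; state the default mode so operators know whether trace export to a remote collector is encrypted out of the box. Wording: "the tls_settings" and "the tls mode" should read `tlsSettings` (the name shown in the Field column) and "TLS mode".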
@ -359,6 +372,20 @@ No
<td>
<p>Port on which the agent should listen for administrative commands such as readiness probe.</p>
</td>
<td>
No
</td>
</tr>
<tr id="ProxyConfig-extra_stat_tags">
<td><code>extraStatTags</code></td>
<td><code>string[]</code></td>
<td>
<p>An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
added by configuring the telemetry extension. Each additional tag needs to be present in this list.
Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
and exposed as Prometheus metrics.</p>
</td>
<td>
No
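Review bot: the `extraStatTags` description states the same requirement three times ("These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here ..."); collapse it to one sentence. Since every tag listed here is exposed as a Prometheus label, it is also worth a sentence noting that tags with many distinct values raise metric cardinality on the scraper.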
@ -490,28 +517,6 @@ No
<td>
<p>The Lightstep access token.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Tracing-Lightstep-secure">
<td><code>secure</code></td>
<td><code>bool</code></td>
<td>
<p>True if a secure connection should be used when communicating with the pool.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Tracing-Lightstep-cacert_path">
<td><code>cacertPath</code></td>
<td><code>string</code></td>
<td>
<p>Path to the trusted cacert used to authenticate the pool.</p>
</td>
<td>
No
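Review bot: this hunk removes the Lightstep `secure` and `cacertPath` fields without pointing at their replacement; because the same change adds `Tracing.tlsSettings` earlier in this file, the reference should say that TLS to the Lightstep collector is now configured there, otherwise an operator reading this page after an upgrade cannot tell how to keep that connection encrypted. The removal should also appear in the release notes as a removed-field change.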
@ -1165,6 +1170,25 @@ No
<td>
<p>Set configuration for Thrift protocol</p>
</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-enable_prometheus_merge">
<td><code>enablePrometheusMerge</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
<td>
<p>If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
and Istio agent. The sidecar injection will replace <code>prometheus.io</code> annotations present on the pod
and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
This relies on the annotations <code>prometheus.io/scrape</code>, <code>prometheus.io/port</code>, and
<code>prometheus.io/path</code> annotations.
If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
In this case, it is recommended to disable aggregation on that deployment with the
<code>prometheus.istio.io/merge-metrics: &quot;false&quot;</code> annotation.
If not specified, this will be enabled by default.</p>
</td>
<td>
No
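Review bot: `enablePrometheusMerge` is on by default ("If not specified, this will be enabled by default") and causes injection to rewrite the pod's `prometheus.io` annotations, so existing scrape setups change behaviour on upgrade with no change to the user's manifests; the description should lead with that, and the release notes should carry it. Wording: "merge metrics of from the application" has a stray "of", and "This relies on the annotations ... annotations" repeats the noun.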
@ -1339,6 +1363,52 @@ No
<td>
<p>Specify thrift rate limit service timeout, in milliseconds. Default is 50ms</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="MeshConfig-ServiceSettings-Settings">MeshConfig.ServiceSettings.Settings</h2>
<section>
<p>Settings for the selected services.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ServiceSettings-Settings-cluster_local">
<td><code>clusterLocal</code></td>
<td><code>bool</code></td>
<td>
<p>If true, specifies that the client and service endpoints must reside in the same cluster.
By default, in multi-cluster deployments, the Istio control plane assumes all service
endpoints to be reachable from any client in any of the clusters which are part of the
mesh. This configuration option limits the set of service endpoints visible to a client
to be cluster scoped.</p>
<p>There are some common scenarios when this can be useful:</p>
<ul>
<li>A service (or group of services) is inherently local to the cluster and has local storage
for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).</li>
<li>A mesh administrator wants to slowly migrate services to Istio. They might start by first
having services cluster-local and then slowly transition them to mesh-wide. They could do
this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
(e.g. *.myns.svc.cluster.local).</li>
</ul>
<p>By default, Istio will consider all services in the kube-system namespace to be cluster-local,
unless explicitly overridden here.</p>
</td>
<td>
No
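Review bot: the `clusterLocal` description says the option "limits the set of service endpoints visible to a client", which can be read as an access control; clarify that it scopes endpoint discovery (which endpoints the control plane programs into the client's proxy) and is not request authorization, so readers do not treat it as a substitute for an `AuthorizationPolicy`. The kube-system example would also benefit from a sentence on what happens to traffic for a cluster-local service when no local endpoint exists.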


@ -2715,7 +2715,7 @@ No
</tr>
<tr id="IstioOperatorSpec-mesh_config">
<td><code>meshConfig</code></td>
<td><code><a href="/docs/reference/config/istio.mesh.v1alpha1.html#MeshConfig">MeshConfig</a></code></td>
<td><code><a href="#TypeMapStringInterface2">TypeMapStringInterface2</a></code></td>
<td>
<p>Config used by control plane components internally.</p>
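Review bot: changing the `meshConfig` type from a link to `MeshConfig` to `TypeMapStringInterface2` removes the only navigable pointer from the operator reference to the MeshConfig field documentation; keep a sentence in the description such as "See [MeshConfig](/docs/reference/config/istio.mesh.v1alpha1.html#MeshConfig) for the accepted keys" so operators can still find the schema for this free-form map.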


@ -121,7 +121,7 @@ spec:
value: # lua filter specification
name: envoy.lua
typed_config:
&quot;@type&quot;: &quot;type.googleapis.com/envoy.config.filter.http.lua.v2.Lua&quot;
&quot;@type&quot;: &quot;type.googleapis.com/envoy.config.filter.http.lua.v2.Lua&quot;
inlineCode: |
function envoy_on_request(request_handle)
-- Make an HTTP call to an upstream host with the following headers, body, and timeout.


@ -656,7 +656,7 @@ Yes
</td>
<td>
No
Yes
</td>
</tr>
</tbody>
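Review bot: flipping a field's Required column from No to Yes is a breaking change for any existing configuration that omits the field, but the hunk context shows only the table cell, not the field name; the commit message should name the field and say whether this is a documentation correction or a real validation change.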


@ -564,13 +564,13 @@ spec:
endpoints:
- address: us.foo.bar.com
ports:
https: 8080
http: 8080
- address: uk.foo.bar.com
ports:
https: 9080
http: 9080
- address: in.foo.bar.com
ports:
https: 7080
http: 7080
</code></pre>
<p>{{</tab>}}</p>
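Review bot: the endpoint port keys are renamed from `https` to `http` here, and an endpoint port name must match one declared in the ServiceEntry's top-level `ports` list, which lies outside this hunk, so the diff alone does not show that the two now agree; a short YAML comment in the example ("port names must match spec.ports") would make the example self-explaining and prevent the same drift recurring.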


@ -24,7 +24,6 @@ path.</p>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
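Review bot: this file drops the Required column from every message-fields table while the other reference pages touched in this commit (for example the MeshConfig tables above) keep it; if the generator no longer emits the column for this proto, the commit message should say why, since that column is how readers tell mandatory settings from optional ones.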
@ -36,9 +35,6 @@ path.</p>
metric. Conflicts are resolved by the tag name by overriding previously
supplied values.</p>
</td>
<td>
No
</td>
</tr>
<tr id="MetricConfig-name">
@ -48,9 +44,6 @@ No
<p>(Optional) Metric name to restrict the override to a metric. If not
specified, applies to all.</p>
</td>
<td>
No
</td>
</tr>
<tr id="MetricConfig-tags_to_remove">
@ -59,9 +52,6 @@ No
<td>
<p>(Optional) A list of tags to remove.</p>
</td>
<td>
No
</td>
</tr>
<tr id="MetricConfig-match">
@ -70,9 +60,6 @@ No
<td>
<p>NOT IMPLEMENTED. (Optional) Conditional enabling the override.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -86,7 +73,6 @@ No
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
@ -96,9 +82,6 @@ No
<td>
<p>Metric name.</p>
</td>
<td>
No
</td>
</tr>
<tr id="MetricDefinition-value">
@ -107,9 +90,6 @@ No
<td>
<p>Metric value expression.</p>
</td>
<td>
No
</td>
</tr>
<tr id="MetricDefinition-type">
@ -118,9 +98,6 @@ No
<td>
<p>NOT IMPLEMENTED (Optional) Metric type.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
@ -162,7 +139,6 @@ No
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
@ -174,9 +150,6 @@ No
The following settings should be rarely used.
Enable debug for this filter.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-max_peer_cache_size">
@ -187,9 +160,6 @@ No
A long lived proxy that connects with many transient peers can build up a
large cache. To turn off the cache, set this field to a negative value.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-stat_prefix">
@ -198,9 +168,6 @@ No
<td>
<p>prefix to add to stats emitted by the plugin.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-field_separator">
@ -209,12 +176,9 @@ No
<td>
<p>Stats api squashes dimensions in a single string.
The squashed string is parsed at prometheus scrape time to recover
dimensions. The following 2 fields set the field and value separators {key:
value} &ndash;&gt; key{value<em>separator}value{field</em>separator}</p>
dimensions. The following 2 fields set the field and value separators &lbrace;key:
value} &ndash;&gt; key&lbrace;value<em>separator}value&lbrace;field</em>separator}</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-value_separator">
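Review bot: the `&lbrace;` escape fixes the braces in `{key: value} --> key{value_separator}value{field_separator}`, but the underscores in `value_separator` and `field_separator` are still being parsed as Markdown emphasis (`value<em>separator}value&lbrace;field</em>separator`), so the rendered text shows italics instead of the field names; wrap the expression in backticks in the proto comment so that neither braces nor underscores are interpreted.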
@ -223,9 +187,6 @@ No
<td>
<p>default: &ldquo;==&rdquo;</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-disable_host_header_fallback">
@ -236,21 +197,15 @@ No
not available from the controlplane. Disable the fallback if the host
header originates outsides the mesh, like at ingress.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-tcp_reporting_duration">
<td><code>tcpReportingDuration</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">google.protobuf.Duration</a></code></td>
<td>
<p>Optional. Allows configuration of the time between calls out to for TCP
metrics reporting. The default duration is <code>15s</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-metrics">
@ -259,9 +214,6 @@ No
<td>
<p>Metric overrides.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PluginConfig-definitions">
@ -270,9 +222,6 @@ No
<td>
<p>Metric definitions.</p>
</td>
<td>
No
</td>
</tr>
</tbody>


@ -54,68 +54,68 @@ spec:
<ul>
<li>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
declares it can accpet JWTs issuer by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
set from the OpenID Connect spec).
&ldquo;`yaml
apiVersion: security.istio.io/v1beta1
set from the OpenID Connect spec).</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: httpbin
namespace: foo
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:
selector:
matchLabels:
app: httpbin
jwtRules:
- issuer: &quot;issuer-foo&quot;
- issuer: &quot;issuer-bar&quot;
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;issuer-foo/*&quot;]
to:
hosts: [&quot;example.com&quot;]
- from:
- source:
requestPrincipals: [&quot;issuer-bar/*&quot;]
to:
hosts: [&quot;another-host.com&quot;]
</code></pre>
<ul>
<li>issuer: &ldquo;issuer-foo&rdquo;</li>
<li>issuer: &ldquo;issuer-bar&rdquo;
&mdash;
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:</li>
<li>from:</li>
<li>source:
requestPrincipals: [&ldquo;issuer-foo/*&rdquo;]
to:
hosts: [&ldquo;example.com&rdquo;]</li>
<li>from:</li>
<li>source:
requestPrincipals: [&ldquo;issuer-bar/<em>&rdquo;]
to:
hosts: [&ldquo;another-host.com&rdquo;]
<code>
- You can fine tune the authorization policy to set different requirement per path. For example,
to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
authorization policy could be:
</code>yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&rdquo;</em>&rdquo;]
- to:
- operation:
paths: [&ldquo;/healthz]
&ldquo;`</li>
</ul></li>
<li>You can fine tune the authorization policy to set different requirement per path. For example,
to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
authorization policy could be:</li>
</ul>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
requestPrincipals: [&quot;*&quot;]
- to:
- operation:
paths: [&quot;/healthz]
</code></pre>
<table class="message-fields">
<thead>
<tr>
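Review bot: the new rendering repairs the broken list and code-block structure, but the final example still contains `paths: ["/healthz]` with no closing quote, which is invalid YAML, so the snippet meant to show how to exempt `/healthz` from the JWT requirement cannot be applied as written. The sentence introducing the first example also keeps the typos "accpet" and "JWTs issuer by" (issued by).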


@ -76,6 +76,6 @@ Refer to the [installation option change page](/news/releases/1.2.x/announcing-1
- **Added** a new experimental ['a-la-carte' Istio installer](https://github.com/istio/installer/wiki) to enable users to install and upgrade Istio with desired isolation and security.
- **Added** [environment variable and configuration file support](https://docs.google.com/document/d/1M-qqBMNbhbAxl3S_8qQfaeOLAiRqSBpSgfWebFBRuu8/edit) for configuring Galley, in addition to command-line flags.
- **Added** [ControlZ](/docs/ops/diagnostic-tools/controlz/) support to visualize the state of the MCP Server in Galley.
- **Added** the [`enableServiceDiscovery` command-line flag](/docs/reference/commands/galley/#galley-server) to control the service discovery module in Galley.
- **Added** the [`enableServiceDiscovery` command-line flag](https://archive.istio.io/v1.2/docs/reference/commands/galley/#galley-server) to control the service discovery module in Galley.
- **Added** `InitialWindowSize` and `InitialConnWindowSize` parameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.
- **Graduated** configuration processing with Galley from Alpha to Beta.


@ -255,3 +255,38 @@ messages:
type: string
- name: problem
type: string
- name: "NamespaceMultipleInjectionLabels"
code: IST0123
level: Warning
description: "A namespace has both new and legacy injection labels"
template: "The namespace has both new and legacy injection labels. Run 'kubectl label namespace %s istio.io/rev-' or 'kubectl label namespace %s istio-injection-'"
args:
- name: namespace
type: string
- name: namespace2
type: string
- name: "NamespaceInvalidInjectorRevision"
code: IST0124
level: Warning
description: "A namespace is labeled to inject from unknown control plane."
template: "The namespace is labeled to inject from %q but that namespace doesn't exist. Run 'kubectl label namespace %s istio.io/rev=<revision>' where <revision> is one of %s"
args:
- name: unknownrevision
type: string
- name: namespace
type: string
- name: revisions
type: string
- name: "InvalidAnnotation"
code: IST0125
level: Warning
description: "An Istio annotation that is not valid"
template: "Invalid annotation %s: %s"
args:
- name: annotation
type: string
- name: problem
type: string
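Review bot: IST0124's template says "that namespace doesn't exist" while its description is "labeled to inject from unknown control plane" and the `%q` argument is `unknownrevision`, so the message should say the revision does not exist, not the namespace. IST0123 declares two arguments (`namespace` and `namespace2`) that, from the template text, appear to be the same namespace repeated to fill two `%s` placeholders; either document why two are needed or use one argument twice.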