mirror of https://github.com/istio/istio.io.git
Automator: update istio.io@ reference docs (#14875)
parent d66c819ad5
commit de9a08f9cd
|
@ -1220,6 +1220,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
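Review bot: the new description cell for `PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS` does not name the taint that is removed or say what happens when ambient init containers are disabled and this variable stays at its default of `false`. The name is plural (`CONTROLLERS`) while the text describes a single controller, and "controller that untaints nodes with cni pods ready will run" is missing an article. Suggest wording such as "If enabled, the controller that removes the taint from nodes whose CNI pods are ready will run", followed by one sentence naming the taint and the effect of leaving the variable off.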
File diff suppressed because it is too large
|
@ -67,11 +67,11 @@ remove_toc_prefix: 'operator '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
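Review bot: in the `--organization` and `--project` rows the shortened descriptions are capitalized inconsistently ("Implementation's Organization" against "Implementation's project"), and with "to issue conformance to" dropped they no longer say what the value is used for. Suggest lower-casing "organization" and keeping a short statement of purpose in each cell, so a reader does not have to guess which implementation is meant or where the value ends up.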
@ -91,11 +91,11 @@ remove_toc_prefix: 'operator '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
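Review bot: the new `--url` description writes "url" in lower case; in prose the initialism should be "URL". The `--url` and `--version` cells also lose their only hint of purpose once "to issue conformance to" is removed. The same four strings recur in every later hunk that touches these flags, so the wording is best corrected once in the flag help text these generated pages are built from.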
@ -165,11 +165,11 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -189,11 +189,11 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -278,11 +278,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -302,11 +302,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -386,11 +386,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -410,11 +410,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -493,11 +493,11 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -517,11 +517,11 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -607,11 +607,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -631,11 +631,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -765,11 +765,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -789,11 +789,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -877,7 +877,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--output <string></code></td>
|
||||
|
@ -887,7 +887,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -917,12 +917,12 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -1506,6 +1506,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
|
@ -1769,6 +1769,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
|
@ -197,6 +197,11 @@ to enable it. You can execute the following once:</p>
|
|||
<td>Namespace for ConfigMap which stores clusters configs (default `istio-system`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--cniNamespace <string></code></td>
|
||||
<td></td>
|
||||
<td>Select a namespace where the istio-cni resides. If not set, uses ${POD_NAMESPACE} environment variable (default `istio-system`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--configDir <string></code></td>
|
||||
<td></td>
|
||||
<td>Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``)</td>
|
||||
|
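Review bot: the `--cniNamespace` description gives two different fallbacks, "If not set, uses ${POD_NAMESPACE} environment variable" and "(default `istio-system`)", without saying which one wins. State the precedence explicitly, for example that the flag falls back to `${POD_NAMESPACE}` and only then to `istio-system`, if that is the actual order. "where the istio-cni resides" also reads better as "where istio-cni is installed".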
@ -269,12 +274,12 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
@ -299,7 +304,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
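Review bot: the format string in the `--log_stacktrace_level` description is written `<scope>:<level>,<scope:level>,...`, where the second pair is missing the inner angle brackets; the `--log_output_level` row in the previous hunk has it as `<scope>:<level>,<scope>:<level>,...`. Since this line is being regenerated anyway to add the `untaint` scope, fix the second pair to `<scope>:<level>` so both flags document the same syntax.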
@ -1077,6 +1082,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
|
@ -380,6 +380,30 @@ instances in the same namespace. If the <code>EnvoyFilter</code> is present
|
|||
in the config root namespace, it will be applied to all applicable
|
||||
workloads in any namespace.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="EnvoyFilter-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
|
|
|
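Review bot: the new `EnvoyFilter-targetRefs` row documents an array field (`PolicyTargetReference[]`), but the prose still says "The targetRef specifies the gateway", singular and without code formatting, and nothing explains how several entries are combined. Suggest "The <code>targetRefs</code> field specifies the gateways the policy should be applied to" and one sentence on whether the policy applies to every listed target. It would also help to say whether setting both `selector` and `targetRefs` is rejected by validation or one of them is silently ignored, since the text only says "At most one of the selector and targetRefs can be set".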
@ -194,25 +194,31 @@ configuration will be applied to all workload instances in the same
|
|||
namespace. If the <code>WasmPlugin</code> is present in the config root
|
||||
namespace, it will be applied to all applicable workloads in any
|
||||
namespace.</p>
|
||||
<p>At most, only one of the selector or <code>targetRef</code> can be set for a given policy.</p>
|
||||
<p>At most, only one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="WasmPlugin-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="WasmPlugin-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The <code>targetRef</code> specifies the gateway the policy should be
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the WasmPlugin applies to. The targeted resource must be
|
||||
a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The gateway
|
||||
must be in the same namespace as the policy.</p>
|
||||
<p>If the <code>targetRef</code> is not set, the policy is applied as defined by the selector.
|
||||
At most, only one of the selector or <code>targetRef</code> can be set for a given policy.
|
||||
Waypoint proxies will not respect selectors even if they match.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|
|
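Review bot: the row id changes from `WasmPlugin-targetRef` to `WasmPlugin-targetRefs` and the `targetRef` row is no longer documented, so existing deep links to `#WasmPlugin-targetRef` stop resolving and readers cannot tell whether the singular field is still accepted. If `targetRef` remains in the API, keep a row for it marked as deprecated in favour of `targetRefs`; if it is gone, say so in the `targetRefs` description. The replacement paragraph also drops the `<code>` formatting and the plural in "The targetRef specifies the gateway".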
@ -218,29 +218,32 @@ spec:
|
|||
<p>Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
|
||||
in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
|
||||
will additionally match with workloads in all namespaces.</p>
|
||||
<p>If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
|
||||
and targetRef can be set.</p>
|
||||
<p>If the selector and the targetRef are not set, the selector will match all workloads.</p>
|
||||
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="AuthorizationPolicy-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="AuthorizationPolicy-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the authorization policy applies to. The targeted resource
|
||||
must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
|
||||
gateway must be in the same namespace as the authorization policy.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRef can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRef</code> field in a multi-revision environment with Istio versions prior to 1.20,
|
||||
it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
|
||||
This is to prevent proxies connected to older istiod control planes (that don’t know about the targetRef field)
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|
|
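Review bot: in the `selector` row the rewritten sentence still reads "If the selector and the targetRef are not set", singular, directly above the new line that uses `targetRefs`; the two should agree. In the `targetRefs` row the upgrade NOTE moves from "prior to 1.20" and "1.20+" to "prior to 1.22" and "1.22+" without saying how control planes at 1.20 or 1.21 treat a policy that sets only `targetRefs`. For an authorization policy the stated failure mode, being misread as namespace-wide, changes which workloads the rules cover, so the note should say plainly that revisions older than 1.22 must not be allowed to pick up such a policy rather than leaving it at "highly recommended".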
@ -222,26 +222,32 @@ spec:
|
|||
<p>Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
|
||||
in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
|
||||
the selector will additionally match with workloads in all namespaces.</p>
|
||||
<p>If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.</p>
|
||||
<p>If not set, the selector will match all workloads.</p>
|
||||
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="RequestAuthentication-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="RequestAuthentication-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the request authentication policy to. The targeted resource
|
||||
must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
|
||||
gateway must be in the same namespace as the request authentication
|
||||
policy.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRef can be set.
|
||||
Waypoint proxies will not respect selectors even if they match.</p>
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|
|
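Review bot: the final NOTE in the `RequestAuthentication-targetRefs` row, "Waypoint proxies are required to use this field for policies to apply", reads as a requirement on the proxy rather than on the policy author, and it sits under a list whose only supported attachment type is `kind: Gateway` with `group: gateway.networking.k8s.io`. The sentence it replaces, "Waypoint proxies will not respect selectors even if they match", was clearer. Suggest "Policies meant for a waypoint proxy must use <code>targetRefs</code>; a <code>selector</code> is ignored by waypoints even if it matches", and state which kind and group identify a waypoint.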
@ -209,28 +209,34 @@ spec:
|
|||
<td><code>selector</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The selector decides where to apply the Telemetry policy.
|
||||
If not set, the Telemetry policy will be applied to all workloads in the
|
||||
same namespace as the Telemetry policy.</p>
|
||||
<p>At most, only one of the selector or targetRef can be set for a given policy.</p>
|
||||
<p>Optional. The selector decides where to apply the policy.
|
||||
If not set, the policy will be applied to all workloads in the
|
||||
same namespace as the policy.</p>
|
||||
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="Telemetry-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="Telemetry-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The <code>targetRef</code> specifies the gateway the policy should be
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the telemetry policy applies to. The targeted resource
|
||||
must be a Kubernetes gateway. The resource must be in the same namespace as
|
||||
the Telemetry policy.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most, only one of the selector or <code>targetRef</code> can be set for a given policy.
|
||||
Waypoint proxies will not respect selectors even if they match.</p>
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|
|
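Review bot: the `selector` and `targetRefs` cells for Telemetry replace "the Telemetry policy" with the generic "the policy" and drop the `<code>` formatting in "The targetRef specifies the gateway", so the text is now identical to the other resources' rows and still singular for an array field. If the shared wording is intentional, at least use `<code>targetRefs</code>` and the plural consistently. The old cell's statement that the target "must be in the same namespace as the Telemetry policy" now survives only inside the list item, which is easy to miss; consider repeating it in the opening paragraph.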
@ -1220,6 +1220,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
File diff suppressed because it is too large
|
@ -67,11 +67,11 @@ remove_toc_prefix: 'operator '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -91,11 +91,11 @@ remove_toc_prefix: 'operator '
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
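Review bot: In the `--url` row, "url" is lowercase in running text and would read better as "URL". The same four descriptions are repeated in every sub-command table in this file, so the wording is best fixed once in the flag definition that generates them.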
@ -165,11 +165,11 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -189,11 +189,11 @@ See each sub-command's help for details on how to use the generated script.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -278,11 +278,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -302,11 +302,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -386,11 +386,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -410,11 +410,11 @@ If it is not installed already, you can install it via your OS's package man
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -493,11 +493,11 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -517,11 +517,11 @@ to your powershell profile.
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -607,11 +607,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -631,11 +631,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -765,11 +765,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -789,11 +789,11 @@ to enable it. You can execute the following once:</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -877,7 +877,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--organization <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's Organization to issue conformance to (default ``)</td>
|
||||
<td>Implementation's Organization (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--output <string></code></td>
|
||||
|
@ -887,7 +887,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--project <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's project to issue conformance to (default ``)</td>
|
||||
<td>Implementation's project (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--report-output <string></code></td>
|
||||
|
@ -917,12 +917,12 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--url <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's url to issue conformance to (default ``)</td>
|
||||
<td>Implementation's url (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--version <string></code></td>
|
||||
<td></td>
|
||||
<td>Implementation's version to issue conformance to (default ``)</td>
|
||||
<td>Implementation's version (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--vklog <Level></code></td>
|
||||
|
@ -1506,6 +1506,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
|
@ -1769,6 +1769,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
|
@ -197,6 +197,11 @@ to enable it. You can execute the following once:</p>
|
|||
<td>Namespace for ConfigMap which stores clusters configs (default `istio-system`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--cniNamespace <string></code></td>
|
||||
<td></td>
|
||||
<td>Select a namespace where the istio-cni resides. If not set, uses ${POD_NAMESPACE} environment variable (default `istio-system`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--configDir <string></code></td>
|
||||
<td></td>
|
||||
<td>Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. (default ``)</td>
|
||||
|
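Review bot: The `--cniNamespace` description names two fallbacks without saying which wins: "If not set, uses ${POD_NAMESPACE} environment variable" and "(default `istio-system`)". State the precedence explicitly, in particular whether `istio-system` applies only when `POD_NAMESPACE` is also unset. "Select a namespace where the istio-cni resides" would also be clearer as "Namespace where istio-cni is installed".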
@ -269,12 +274,12 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_caller <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] (default ``)</td>
|
||||
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_output_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_rotate <string></code></td>
|
||||
|
@ -299,7 +304,7 @@ to enable it. You can execute the following once:</p>
|
|||
<tr>
|
||||
<td><code>--log_stacktrace_level <string></code></td>
|
||||
<td></td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>--log_target <stringArray></code></td>
|
||||
|
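Review bot: The format string in the `--log_stacktrace_level` description reads `<scope>:<level>,<scope:level>,...`; the second element is missing its inner angle brackets and does not match `--log_output_level`, which has `<scope>:<level>,<scope>:<level>,...`. The line is being regenerated here to add `untaint`, so this is a good point to fix the flag's help text at the source.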
@ -1077,6 +1082,12 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
|
|||
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_NODE_UNTAINT_CONTROLLERS</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
<td>If enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><code>PILOT_ENABLE_PERSISTENT_SESSION_FILTER</code></td>
|
||||
<td>Boolean</td>
|
||||
<td><code>false</code></td>
|
||||
|
|
|
@ -380,6 +380,30 @@ instances in the same namespace. If the <code>EnvoyFilter</code> is present
|
|||
in the config root namespace, it will be applied to all applicable
|
||||
workloads in any namespace.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="EnvoyFilter-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
|
|
|
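Review bot: The new `EnvoyFilter` row documents `targetRefs` with type `PolicyTargetReference[]`, but the description still opens with "The targetRef specifies the gateway" in the singular and never says how more than one entry is treated. Please use the field's actual name in the prose and state whether multiple references are allowed and how they combine. The two NOTE paragraphs are the part operators most need, so consider moving the multi-revision warning ahead of the list of supported kinds.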
@ -194,25 +194,31 @@ configuration will be applied to all workload instances in the same
|
|||
namespace. If the <code>WasmPlugin</code> is present in the config root
|
||||
namespace, it will be applied to all applicable workloads in any
|
||||
namespace.</p>
|
||||
<p>At most, only one of the selector or <code>targetRef</code> can be set for a given policy.</p>
|
||||
<p>At most, only one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="WasmPlugin-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="WasmPlugin-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The <code>targetRef</code> specifies the gateway the policy should be
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the WasmPlugin applies to. The targeted resource must be
|
||||
a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The gateway
|
||||
must be in the same namespace as the policy.</p>
|
||||
<p>If the <code>targetRef</code> is not set, the policy is applied as defined by the selector.
|
||||
At most, only one of the selector or <code>targetRef</code> can be set for a given policy.
|
||||
Waypoint proxies will not respect selectors even if they match.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|
|
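Review bot: The row id changes from `WasmPlugin-targetRef` to `WasmPlugin-targetRefs`, so existing deep links to `#WasmPlugin-targetRef` will stop resolving, and the singular `targetRef` field no longer appears in the table at all. If the singular field is still accepted, keep a row for it marked as superseded by `targetRefs`; if it is gone, say so in the `targetRefs` description. The same rename appears in the `AuthorizationPolicy`, `RequestAuthentication` and `Telemetry` tables in this commit.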
@ -218,29 +218,32 @@ spec:
|
|||
<p>Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
|
||||
in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
|
||||
will additionally match with workloads in all namespaces.</p>
|
||||
<p>If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
|
||||
and targetRef can be set.</p>
|
||||
<p>If the selector and the targetRef are not set, the selector will match all workloads.</p>
|
||||
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="AuthorizationPolicy-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="AuthorizationPolicy-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the authorization policy applies to. The targeted resource
|
||||
must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
|
||||
gateway must be in the same namespace as the authorization policy.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRef can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRef</code> field in a multi-revision environment with Istio versions prior to 1.20,
|
||||
it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
|
||||
This is to prevent proxies connected to older istiod control planes (that don’t know about the targetRef field)
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|
|
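Review bot: The multi-revision note for `AuthorizationPolicy` moves from "`targetRef` ... prior to 1.20 ... pin ... to a revision running 1.20+" to "`targetRefs` ... prior to 1.22 ... 1.22+", and the earlier guidance for the singular field disappears. For an authorization policy, being read as namespace-wide changes which workloads the rules are enforced on, so the page should still tell operators with older revisions what applies to policies that use `targetRef`. The selector text also mixes names: "If the selector and the targetRef are not set" is followed directly by "At most one of `selector` or `targetRefs`".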
@ -222,26 +222,32 @@ spec:
|
|||
<p>Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
|
||||
in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
|
||||
the selector will additionally match with workloads in all namespaces.</p>
|
||||
<p>If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.</p>
|
||||
<p>If not set, the selector will match all workloads.</p>
|
||||
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="RequestAuthentication-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="RequestAuthentication-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the request authentication policy to. The targeted resource
|
||||
must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
|
||||
gateway must be in the same namespace as the request authentication
|
||||
policy.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most one of the selector and targetRef can be set.
|
||||
Waypoint proxies will not respect selectors even if they match.</p>
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|
|
@ -209,28 +209,34 @@ spec:
|
|||
<td><code>selector</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#WorkloadSelector">WorkloadSelector</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The selector decides where to apply the Telemetry policy.
|
||||
If not set, the Telemetry policy will be applied to all workloads in the
|
||||
same namespace as the Telemetry policy.</p>
|
||||
<p>At most, only one of the selector or targetRef can be set for a given policy.</p>
|
||||
<p>Optional. The selector decides where to apply the policy.
|
||||
If not set, the policy will be applied to all workloads in the
|
||||
same namespace as the policy.</p>
|
||||
<p>At most one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
No
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="Telemetry-targetRef">
|
||||
<td><code>targetRef</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
|
||||
<tr id="Telemetry-targetRefs">
|
||||
<td><code>targetRefs</code></td>
|
||||
<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
|
||||
<td>
|
||||
<p>Optional. The <code>targetRef</code> specifies the gateway the policy should be
|
||||
<p>Optional. The targetRef specifies the gateway the policy should be
|
||||
applied to. The targeted resource specified will determine which
|
||||
workloads the telemetry policy applies to. The targeted resource
|
||||
must be a Kubernetes gateway. The resource must be in the same namespace as
|
||||
the Telemetry policy.</p>
|
||||
workloads the policy applies to.</p>
|
||||
<p>Currently, the following resource attachment types are supported:</p>
|
||||
<ul>
|
||||
<li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
|
||||
</ul>
|
||||
<p>If not set, the policy is applied as defined by the selector.
|
||||
At most, only one of the selector or <code>targetRef</code> can be set for a given policy.
|
||||
Waypoint proxies will not respect selectors even if they match.</p>
|
||||
At most one of the selector and targetRefs can be set.</p>
|
||||
<p>NOTE: If you are using the <code>targetRefs</code> field in a multi-revision environment with Istio versions prior to 1.22,
|
||||
it is highly recommended that you pin the policy to a revision running 1.22+ via the <code>istio.io/rev</code> label.
|
||||
This is to prevent proxies connected to older control planes (that don’t know about the <code>targetRefs</code> field)
|
||||
from misinterpreting the policy as namespace-wide during the upgrade process.</p>
|
||||
<p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
|