istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update reference docs. (#4979)

This commit is contained in:
Martin Taillefer 2019-09-12 13:23:39 -07:00 committed by GitHub
parent 6870ba5d28
commit e4d9f90839
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 3167 additions and 362 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
content/en/boilerplates/notes/1.3.md
View File

@ -4,7 +4,7 @@
## Traffic management
- **Added** [automatic determination](/docs/ops/traffic-management/protocol-selection/) of HTTP or TCP for outbound traffic when ports are not named according to Istios [conventions](/docs/setup/additional-setup/requirements/).
- **Added** [automatic protocol determination](/docs/ops/traffic-management/protocol-selection/) of HTTP or TCP for outbound traffic when ports are not named according to Istios [conventions](/docs/setup/additional-setup/requirements/).
- **Added** a mode to the Gateway API for mutual TLS operation.
- **Fixed** issues present when a service communicates over the network first in permissive mutual TLS mode for protocols like MySQL and MongoDB.
- **Improved** Envoy proxy readiness checks. They now check Envoy's readiness status.

238
content/en/docs/reference/commands/galley/index.html
View File

@ -29,12 +29,12 @@ number_of_entries: 5
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -59,7 +59,7 @@ number_of_entries: 5
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -99,12 +99,12 @@ number_of_entries: 5
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -129,7 +129,7 @@ number_of_entries: 5
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -264,12 +264,12 @@ number_of_entries: 5
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -294,7 +294,7 @@ number_of_entries: 5
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -451,12 +451,12 @@ validation:
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -481,7 +481,7 @@ validation:
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -524,180 +524,6 @@ These environment variables affect the behavior of the <code>galley</code> comma
<td><code>1m0s</code></td>
<td></td>
</tr>
<tr>
<td><code>BYPASS_OOP_MTLS_SAN_VERIFICATION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Whether or not to validate SANs for out-of-process adapters auth.</td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
<td>Sets the maximum number of concurrent grpc streams.</td>
</tr>
<tr>
<td><code>ISTIO_LANG</code></td>
<td>String</td>
<td><code></code></td>
<td>Selects the attribute expression langauge runtime for Mixer.</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_AFTER</code></td>
<td>Time Duration</td>
<td><code>100ms</code></td>
<td>The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we&#39;ll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.</td>
</tr>
<tr>
<td><code>PILOT_DEBOUNCE_MAX</code></td>
<td>Time Duration</td>
<td><code>10s</code></td>
<td>The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we&#39;ll trigger a push.</td>
</tr>
<tr>
<td><code>PILOT_DEBUG_ADSZ_CONFIG</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_DISABLE_XDS_MARSHALING_TO_ANY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td></td>
</tr>
<tr>
<td><code>PILOT_ENABLE_EDS_DEBOUNCE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_FALLTHROUGH_ROUTE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. </td>
</tr>
<tr>
<td><code>PILOT_ENABLE_MYSQL_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_REDIS_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.</td>
</tr>
<tr>
<td><code>PILOT_HTTP10</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INITIAL_FETCH_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.</td>
</tr>
<tr>
<td><code>PILOT_PUSH_THROTTLE</code></td>
<td>Integer</td>
<td><code>100</code></td>
<td>Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes</td>
</tr>
<tr>
<td><code>PILOT_RESPECT_DNS_TTL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_GATEWAY_TO_NAMESPACE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.</td>
</tr>
<tr>
<td><code>PILOT_SCOPE_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.</td>
</tr>
<tr>
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy</td>
</tr>
<tr>
<td><code>PILOT_TRACE_SAMPLING</code></td>
<td>Floating-Point</td>
<td><code>100</code></td>
<td>Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.</td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
<td>The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.</td>
</tr>
<tr>
<td><code>USE_ISTIO_JWT_FILTER</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
@ -706,7 +532,6 @@ These environment variables affect the behavior of the <code>galley</code> comma
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>galley_runtime_processor_event_span_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration between each incoming event</td></tr>
<tr><td><code>galley_runtime_processor_events_processed_total</code></td><td><code>Count</code></td><td>The number of events that have been processed</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_events_total</code></td><td><code>Distribution</code></td><td>The number of events per snapshot</td></tr>
@ -738,44 +563,5 @@ These environment variables affect the behavior of the <code>galley</code> comma
<tr><td><code>istio_mcp_request_acks_total</code></td><td><code>Sum</code></td><td>The number of request acks received by the source.</td></tr>
<tr><td><code>istio_mcp_request_nacks_total</code></td><td><code>Sum</code></td><td>The number of request nacks received by the source.</td></tr>
<tr><td><code>istio_mcp_send_failures_total</code></td><td><code>Sum</code></td><td>The number of send failures in the source.</td></tr>
<tr><td><code>mixer_config_adapter_info_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the adapter info configuration.</td></tr>
<tr><td><code>mixer_config_adapter_info_configs_total</code></td><td><code>LastValue</code></td><td>The number of known adapters in the current config.</td></tr>
<tr><td><code>mixer_config_attributes_total</code></td><td><code>LastValue</code></td><td>The number of known attributes in the current config.</td></tr>
<tr><td><code>mixer_config_handler_configs_total</code></td><td><code>LastValue</code></td><td>The number of known handlers in the current config.</td></tr>
<tr><td><code>mixer_config_handler_validation_error_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered because handler validation returned error.</td></tr>
<tr><td><code>mixer_config_instance_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the instance configuration.</td></tr>
<tr><td><code>mixer_config_instance_configs_total</code></td><td><code>LastValue</code></td><td>The number of known instances in the current config.</td></tr>
<tr><td><code>mixer_config_rule_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the rule configuration.</td></tr>
<tr><td><code>mixer_config_rule_config_match_error_total</code></td><td><code>LastValue</code></td><td>The number of rule conditions that was not parseable.</td></tr>
<tr><td><code>mixer_config_rule_configs_total</code></td><td><code>LastValue</code></td><td>The number of known rules in the current config.</td></tr>
<tr><td><code>mixer_config_template_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the template configuration.</td></tr>
<tr><td><code>mixer_config_template_configs_total</code></td><td><code>LastValue</code></td><td>The number of known templates in the current config.</td></tr>
<tr><td><code>mixer_config_unsatisfied_action_handler_total</code></td><td><code>LastValue</code></td><td>The number of actions that failed due to handlers being unavailable.</td></tr>
<tr><td><code>mixer_dispatcher_destinations_per_request</code></td><td><code>Distribution</code></td><td>Number of handlers dispatched per request by Mixer</td></tr>
<tr><td><code>mixer_dispatcher_destinations_per_variety_total</code></td><td><code>LastValue</code></td><td>Number of Mixer adapter destinations by template variety type</td></tr>
<tr><td><code>mixer_dispatcher_instances_per_request</code></td><td><code>Distribution</code></td><td>Number of instances created per request by Mixer</td></tr>
<tr><td><code>mixer_handler_closed_handlers_total</code></td><td><code>LastValue</code></td><td>The number of handlers that were closed during config transition.</td></tr>
<tr><td><code>mixer_handler_daemons_total</code></td><td><code>LastValue</code></td><td>The current number of active daemon routines in a given adapter environment.</td></tr>
<tr><td><code>mixer_handler_handler_build_failures_total</code></td><td><code>LastValue</code></td><td>The number of handlers that failed creation during config transition.</td></tr>
<tr><td><code>mixer_handler_handler_close_failures_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered while closing handlers during config transition.</td></tr>
<tr><td><code>mixer_handler_new_handlers_total</code></td><td><code>LastValue</code></td><td>The number of handlers that were newly created during config transition.</td></tr>
<tr><td><code>mixer_handler_reused_handlers_total</code></td><td><code>LastValue</code></td><td>The number of handlers that were re-used during config transition.</td></tr>
<tr><td><code>mixer_handler_workers_total</code></td><td><code>LastValue</code></td><td>The current number of active worker routines in a given adapter environment.</td></tr>
<tr><td><code>mixer_runtime_dispatch_duration_seconds</code></td><td><code>Distribution</code></td><td>Duration in seconds for adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>mixer_runtime_dispatches_total</code></td><td><code>Count</code></td><td>Total number of adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
</tbody>
</table>

17
content/en/docs/reference/commands/istio_ca/index.html
View File

@ -373,11 +373,18 @@ These environment variables affect the behavior of the <code>istio_ca</code> com
<tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><code>csr_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when creating the CSR.</td></tr>
<tr><td><code>csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>citadel_secret_controller_csr_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when creating the CSR.</td></tr>
<tr><td><code>citadel_secret_controller_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>citadel_secret_controller_secret_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates recreated due to secret deletion (service account still exists).</td></tr>
<tr><td><code>citadel_secret_controller_svc_acc_created_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates created due to service account creation.</td></tr>
<tr><td><code>citadel_secret_controller_svc_acc_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates deleted due to service account deletion.</td></tr>
<tr><td><code>citadel_server_authentication_failure_count</code></td><td><code>Sum</code></td><td>The number of authentication failures.</td></tr>
<tr><td><code>citadel_server_csr_count</code></td><td><code>Sum</code></td><td>The number of CSRs received by Citadel server.</td></tr>
<tr><td><code>citadel_server_csr_parsing_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when parsing the CSR.</td></tr>
<tr><td><code>citadel_server_csr_sign_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when signing the CSR.</td></tr>
<tr><td><code>citadel_server_id_extraction_err_count</code></td><td><code>Sum</code></td><td>The number of errors occurred when extracting the ID from CSR.</td></tr>
<tr><td><code>citadel_server_root_cert_expiry_timestamp</code></td><td><code>LastValue</code></td><td>The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.</td></tr>
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>secret_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates recreated due to secret deletion (service account still exists).</td></tr>
<tr><td><code>svc_acc_created_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates created due to service account creation.</td></tr>
<tr><td><code>svc_acc_deleted_cert_count</code></td><td><code>Sum</code></td><td>The number of certificates deleted due to service account deletion.</td></tr>
</tbody>
</table>

377
content/en/docs/reference/commands/istioctl/index.html
View File

@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
title: istioctl
description: Istio control interface.
generator: pkg-collateral-docs
number_of_entries: 59
number_of_entries: 62
---
<p>Istio configuration command line utility for service operators to
debug and diagnose their Istio mesh.
@ -36,7 +36,7 @@ debug and diagnose their Istio mesh.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -76,7 +76,7 @@ debug and diagnose their Istio mesh.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -117,7 +117,7 @@ A group of commands used to interact with Istio authentication policies.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -164,7 +164,7 @@ and check if TLS settings are compatible between them.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -219,7 +219,7 @@ istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -271,7 +271,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -316,7 +316,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -359,7 +359,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -402,7 +402,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -445,7 +445,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -488,7 +488,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -531,7 +531,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -574,7 +574,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -617,7 +617,7 @@ istioctl d [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -659,7 +659,7 @@ istioctl deregister my-svc 172.17.0.2
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -702,7 +702,7 @@ istioctl deregister my-svc 172.17.0.2
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -756,7 +756,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -820,7 +820,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--meshConfigFile &lt;string&gt;</code></td>
@ -846,6 +846,63 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
</table>
<h3 id="istioctl-experimental-add-to-mesh-service Examples">Examples</h3>
<pre class="language-bash"><code>istioctl experimental add-to-mesh service productpage
</code></pre>
<h2 id="istioctl-experimental-analyze">istioctl experimental analyze</h2>
<p>Analyze Istio configuration and print validation messages</p>
<pre class="language-bash"><code>istioctl experimental analyze &lt;file|globpattern&gt;... [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--use-kube</code></td>
<td><code>-k</code></td>
<td>Use live kubernetes cluster for analysis </td>
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-analyze Examples">Examples</h3>
<pre class="language-bash"><code>
# Analyze yaml files
istioctl experimental analyze a.yaml b.yaml
# Analyze the current live cluster
istioctl experimental analyze -k
# Analyze the current live cluster, simulating the effect of applying additional yaml files
istioctl experimental analyze -k a.yaml b.yaml
</code></pre>
<h2 id="istioctl-experimental-auth">istioctl experimental auth</h2>
<p>Commands to inspect and interact with the authentication (TLS, JWT) and authorization (RBAC) policies in the mesh
@ -879,7 +936,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -945,7 +1002,7 @@ the cluster results of the client pod and the listener results of the server pod
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1001,7 +1058,7 @@ the cluster results of the client pod and the listener results of the server pod
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1044,7 +1101,7 @@ the cluster results of the client pod and the listener results of the server pod
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1053,6 +1110,63 @@ the cluster results of the client pod and the listener results of the server pod
</tr>
</tbody>
</table>
<h2 id="istioctl-experimental-create-remote-secret">istioctl experimental create-remote-secret</h2>
<p>Create a secret with credentials to allow Istio to access remote Kubernetes apiservers</p>
<pre class="language-bash"><code>istioctl experimental create-remote-secret &lt;cluster-name&gt; [flags]
</code></pre>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--service-account &lt;string&gt;</code></td>
<td></td>
<td>create a secret with this service account&#39;s credentials. (default `istio-pilot-service-account`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-experimental-create-remote-secret Examples">Examples</h3>
<pre class="language-bash"><code>
# Create a secret to access cluster c0&#39;s apiserver and install it in cluster c1.
istioctl --kubeconfig=c0.yaml x create-remote-secret c0 \
| kubectl -n istio-system --kubeconfig=c1.yaml apply -f -
# Delete a secret that was previously installed in c1
istioctl --kubeconfig=c0.yaml x create-remote-secret c1 \
| kubectl -n istio-system --kubeconfig=c1.yaml delete -f -
</code></pre>
<h2 id="istioctl-experimental-dashboard">istioctl experimental dashboard</h2>
<p>(dashboard has graduated. Use `istioctl dashboard`)</p>
<pre class="language-bash"><code>istioctl experimental dashboard [flags]
@ -1084,7 +1198,7 @@ the cluster results of the client pod and the listener results of the server pod
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1127,7 +1241,7 @@ the cluster results of the client pod and the listener results of the server pod
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1175,7 +1289,7 @@ the configuration objects that affect that pod.</p>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1226,7 +1340,7 @@ also provides the inverse of &#34;istioctl kube-inject -f&#34;.</p>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1253,7 +1367,7 @@ kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kube
</code></pre>
<h2 id="istioctl-experimental-manifest">istioctl experimental manifest</h2>
<p>The manifest subcommand is used to generate, apply, diff or migrate Istio manifests.</p>
<p>The manifest subcommand generates, applies, diffs or migrates Istio manifests.</p>
<table class="command-flags">
<thead>
<tr>
@ -1286,7 +1400,7 @@ kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kube
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1306,7 +1420,7 @@ kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kube
</tbody>
</table>
<h2 id="istioctl-experimental-manifest-apply">istioctl experimental manifest apply</h2>
<p>The apply subcommand is used to generate an Istio install manifest and apply it to a cluster.</p>
<p>The apply subcommand generates an Istio install manifest and applies it to a cluster.</p>
<pre class="language-bash"><code>istioctl experimental manifest apply [flags]
</code></pre>
<table class="command-flags">
@ -1346,7 +1460,7 @@ kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kube
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1361,7 +1475,7 @@ kubectl get deployment -o yaml | istioctl experimental kube-uninject -f - | kube
<tr>
<td><code>--readiness-timeout &lt;duration&gt;</code></td>
<td></td>
<td>Maximum time to wait for all Istio resources to be ready.--wait must be set for this flag to apply. (default `5m0s`)</td>
<td>Maximum seconds to wait for all Istio resources to be ready. The --wait flag must be set for this flag to apply. (default `5m0s`)</td>
</tr>
<tr>
<td><code>--set &lt;stringSlice&gt;</code></td>
@ -1383,7 +1497,7 @@ customization file. (default `[]`)</td>
</tbody>
</table>
<h2 id="istioctl-experimental-manifest-diff">istioctl experimental manifest diff</h2>
<p>The diff-manifest subcommand is used to compare manifest from two files or directories.</p>
<p>The diff subcommand compares manifests from two files or directories.</p>
<pre class="language-bash"><code>istioctl experimental manifest diff [flags]
</code></pre>
<table class="command-flags">
@ -1428,7 +1542,7 @@ customization file. (default `[]`)</td>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1457,7 +1571,7 @@ e.g.
</tbody>
</table>
<h2 id="istioctl-experimental-manifest-generate">istioctl experimental manifest generate</h2>
<p>The generate subcommand is used to generate an Istio install manifest.</p>
<p>The generate subcommand generates an Istio install manifest and outputs to the console by default.</p>
<pre class="language-bash"><code>istioctl experimental manifest generate [flags]
</code></pre>
<table class="command-flags">
@ -1497,7 +1611,7 @@ e.g.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1529,7 +1643,7 @@ customization file. (default `[]`)</td>
</tbody>
</table>
<h2 id="istioctl-experimental-manifest-migrate">istioctl experimental manifest migrate</h2>
<p>The migrate subcommand is used to migrate a configuration in Helm values format to IstioControlPlane format.</p>
<p>The migrate subcommand migrates a configuration from Helm values format to IstioControlPlane format.</p>
<pre class="language-bash"><code>istioctl experimental manifest migrate [flags]
</code></pre>
<table class="command-flags">
@ -1564,7 +1678,7 @@ customization file. (default `[]`)</td>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1619,7 +1733,7 @@ customization file. (default `[]`)</td>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1688,7 +1802,7 @@ calculated over a time interval of 1 minute.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -1707,7 +1821,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
</code></pre>
<h2 id="istioctl-experimental-profile">istioctl experimental profile</h2>
<p>The profile subcommand is list, dump or diff Istio configuration profiles.</p>
<p>The profile subcommand lists, dumps or diffs Istio configuration profiles.</p>
<table class="command-flags">
<thead>
<tr>
@ -1740,7 +1854,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1760,7 +1874,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
</tbody>
</table>
<h2 id="istioctl-experimental-profile-diff">istioctl experimental profile diff</h2>
<p>The diff subcommand is used to display the difference between two Istio configuration profiles.</p>
<p>The diff subcommand displays the differences between two Istio configuration profiles.</p>
<pre class="language-bash"><code>istioctl experimental profile diff [flags]
</code></pre>
<table class="command-flags">
@ -1795,7 +1909,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1815,7 +1929,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
</tbody>
</table>
<h2 id="istioctl-experimental-profile-dump">istioctl experimental profile dump</h2>
<p>The dump subcommand is used to dump the values in an Istio configuration profile.</p>
<p>The dump subcommand dumps the values in an Istio configuration profile.</p>
<pre class="language-bash"><code>istioctl experimental profile dump [flags]
</code></pre>
<table class="command-flags">
@ -1865,7 +1979,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1885,7 +1999,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
</tbody>
</table>
<h2 id="istioctl-experimental-profile-list">istioctl experimental profile list</h2>
<p>The list subcommand is used to list available Istio configuration profiles.</p>
<p>The list subcommand lists the available Istio configuration profiles.</p>
<pre class="language-bash"><code>istioctl experimental profile list [flags]
</code></pre>
<table class="command-flags">
@ -1920,7 +2034,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--logtostderr</code></td>
@ -1944,7 +2058,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
<pre class="language-bash"><code>istioctl experimental remove-from-mesh [flags]
</code></pre>
<div class="aliases">
<pre class="language-bash"><code>istioctl experimental remove [flags]
<pre class="language-bash"><code>istioctl experimental rm [flags]
</code></pre></div>
<table class="command-flags">
<thead>
@ -1973,7 +2087,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2017,7 +2131,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2062,7 +2176,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2133,7 +2247,7 @@ kube-inject on deployments to get the most up-to-date changes.
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--meshConfigFile &lt;string&gt;</code></td>
@ -2214,7 +2328,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2266,7 +2380,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2330,7 +2444,7 @@ istioctl proxy-config c &lt;pod-name[.namespace]&gt; [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2410,7 +2524,7 @@ istioctl proxy-config ep &lt;pod-name[.namespace]&gt; [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2490,7 +2604,7 @@ istioctl proxy-config l &lt;pod-name[.namespace]&gt; [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2560,7 +2674,7 @@ istioctl proxy-config r &lt;pod-name[.namespace]&gt; [flags]
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--name &lt;string&gt;</code></td>
@ -2589,6 +2703,61 @@ istioctl proxy-config r &lt;pod-name[.namespace]&gt; [flags]
# Retrieve full route dump for route 9080
istioctl proxy-config route &lt;pod-name[.namespace]&gt; --name 9080 -o json
</code></pre>
<h2 id="istioctl-proxy-config-secret">istioctl proxy-config secret</h2>
<p>(experimental) Retrieve information about secret configuration for the Envoy instance in the specified pod.</p>
<pre class="language-bash"><code>istioctl proxy-config secret &lt;pod-name[.namespace]&gt; [flags]
</code></pre>
<div class="aliases">
<pre class="language-bash"><code>istioctl proxy-config s &lt;pod-name[.namespace]&gt; [flags]
</code></pre></div>
<table class="command-flags">
<thead>
<tr>
<th>Flags</th>
<th>Shorthand</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--context &lt;string&gt;</code></td>
<td></td>
<td>The name of the kubeconfig context to use (default ``)</td>
</tr>
<tr>
<td><code>--istioNamespace &lt;string&gt;</code></td>
<td><code>-i</code></td>
<td>Istio system namespace (default `istio-system`)</td>
</tr>
<tr>
<td><code>--kubeconfig &lt;string&gt;</code></td>
<td><code>-c</code></td>
<td>Kubernetes configuration file (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--output &lt;string&gt;</code></td>
<td><code>-o</code></td>
<td>Output format: one of json|short (default `short`)</td>
</tr>
</tbody>
</table>
<h3 id="istioctl-proxy-config-secret Examples">Examples</h3>
<pre class="language-bash"><code> # Retrieve full secret configuration for a given pod from Envoy.
istioctl proxy-config secret &lt;pod-name[.namespace]&gt;
THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
</code></pre>
<h2 id="istioctl-proxy-status">istioctl proxy-status</h2>
<p>
@ -2626,13 +2795,23 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
<td><code>-n</code></td>
<td>Config namespace (default ``)</td>
</tr>
<tr>
<td><code>--sds</code></td>
<td><code>-s</code></td>
<td>(experimental) Retrieve synchronization between active secrets on Envoy instance with those on corresponding node agents </td>
</tr>
<tr>
<td><code>--sds-json</code></td>
<td></td>
<td>Determines whether SDS dump outputs JSON </td>
</tr>
</tbody>
</table>
<h3 id="istioctl-proxy-status Examples">Examples</h3>
@ -2684,7 +2863,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2734,7 +2913,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2808,7 +2987,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2865,7 +3044,7 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, attributes, authn, default, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, rbac, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, all, analysis, attributes, authn, cacheLog, citadelClientLog, default, googleCAClientLog, grpcAdapter, kube-converter, mcp, meshconfig, model, name, patch, processing, rbac, resource, runtime, sdsServiceLog, secretFetcherLog, source, stsClientLog, tpath, translator, util, validation, vaultClientLog] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--namespace &lt;string&gt;</code></td>
@ -2908,6 +3087,24 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td>Whether or not to validate SANs for out-of-process adapters auth.</td>
</tr>
<tr>
<td><code>GKE_CLUSTER_URL</code></td>
<td>String</td>
<td><code></code></td>
<td>The url of GKE cluster</td>
</tr>
<tr>
<td><code>INGRESS_GATEWAY_FALLBACK_SECRET</code></td>
<td>String</td>
<td><code>gateway-fallback</code></td>
<td></td>
</tr>
<tr>
<td><code>INGRESS_GATEWAY_NAMESPACE</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
@ -2917,7 +3114,7 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td><code>ISTIO_LANG</code></td>
<td>String</td>
<td><code></code></td>
<td>Selects the attribute expression langauge runtime for Mixer.</td>
<td>Selects the attribute expression language runtime for Mixer.</td>
</tr>
<tr>
<td><code>K8S_INGRESS_NS</code></td>
@ -2926,6 +3123,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td></td>
</tr>
<tr>
<td><code>NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
<td>namespace that nodeagent/citadel run in</td>
</tr>
<tr>
<td><code>PILOT_CERT_DIR</code></td>
<td>String</td>
<td><code></code></td>
@ -2970,7 +3173,7 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. </td>
</tr>
<tr>
@ -3070,6 +3273,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td></td>
</tr>
<tr>
<td><code>SECRET_WATCHER_RESYNC_PERIOD</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>TERMINATION_DRAIN_DURATION_SECONDS</code></td>
<td>Integer</td>
<td><code>5</code></td>
@ -3081,12 +3290,6 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>
@ -3096,7 +3299,28 @@ These environment variables affect the behavior of the <code>istioctl</code> com
</thead>
<tbody>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>galley_runtime_processor_event_span_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration between each incoming event</td></tr>
<tr><td><code>galley_runtime_processor_events_processed_total</code></td><td><code>Count</code></td><td>The number of events that have been processed</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_events_total</code></td><td><code>Distribution</code></td><td>The number of events per snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshot_lifetime_duration_milliseconds</code></td><td><code>Distribution</code></td><td>The duration of each snapshot</td></tr>
<tr><td><code>galley_runtime_processor_snapshots_published_total</code></td><td><code>Count</code></td><td>The number of snapshots that have been published</td></tr>
<tr><td><code>galley_runtime_state_type_instances_total</code></td><td><code>LastValue</code></td><td>The number of type instances per type URL</td></tr>
<tr><td><code>galley_runtime_strategy_on_change_total</code></td><td><code>Count</code></td><td>The number of times the strategy's onChange has been called</td></tr>
<tr><td><code>galley_runtime_strategy_timer_max_time_reached_total</code></td><td><code>Count</code></td><td>The number of times the max time has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_quiesce_reached_total</code></td><td><code>Count</code></td><td>The number of times a quiesce has been reached</td></tr>
<tr><td><code>galley_runtime_strategy_timer_resets_total</code></td><td><code>Count</code></td><td>The number of times the timer has been reset</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_failure_total</code></td><td><code>Count</code></td><td>The number of times a dynamnic kubernetes source failed converting a resources</td></tr>
<tr><td><code>galley_source_kube_dynamic_converter_success_total</code></td><td><code>Count</code></td><td>The number of times a dynamic kubernetes source successfully converted a resource</td></tr>
<tr><td><code>galley_source_kube_event_error_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source encountered errored while handling an event</td></tr>
<tr><td><code>galley_source_kube_event_success_total</code></td><td><code>Count</code></td><td>The number of times a kubernetes source successfully handled an event</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>istio_mcp_clients_total</code></td><td><code>LastValue</code></td><td>The number of streams currently connected.</td></tr>
<tr><td><code>istio_mcp_message_sizes_bytes</code></td><td><code>Distribution</code></td><td>Size of messages received from clients.</td></tr>
<tr><td><code>istio_mcp_reconnections</code></td><td><code>Sum</code></td><td>The number of times the sink has reconnected.</td></tr>
<tr><td><code>istio_mcp_recv_failures_total</code></td><td><code>Sum</code></td><td>The number of recv failures in the source.</td></tr>
<tr><td><code>istio_mcp_request_acks_total</code></td><td><code>Sum</code></td><td>The number of request acks received by the source.</td></tr>
<tr><td><code>istio_mcp_request_nacks_total</code></td><td><code>Sum</code></td><td>The number of request nacks received by the source.</td></tr>
<tr><td><code>istio_mcp_send_failures_total</code></td><td><code>Sum</code></td><td>The number of send failures in the source.</td></tr>
<tr><td><code>mixer_config_adapter_info_config_errors_total</code></td><td><code>LastValue</code></td><td>The number of errors encountered during processing of the adapter info configuration.</td></tr>
<tr><td><code>mixer_config_adapter_info_configs_total</code></td><td><code>LastValue</code></td><td>The number of known adapters in the current config.</td></tr>
<tr><td><code>mixer_config_attributes_total</code></td><td><code>LastValue</code></td><td>The number of known attributes in the current config.</td></tr>
@ -3122,6 +3346,10 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<tr><td><code>mixer_handler_workers_total</code></td><td><code>LastValue</code></td><td>The current number of active worker routines in a given adapter environment.</td></tr>
<tr><td><code>mixer_runtime_dispatch_duration_seconds</code></td><td><code>Distribution</code></td><td>Duration in seconds for adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>mixer_runtime_dispatches_total</code></td><td><code>Count</code></td><td>Total number of adapter dispatches handled by Mixer.</td></tr>
<tr><td><code>num_failed_outgoing_requests</code></td><td><code>Sum</code></td><td>Number of failed outgoing requests (e.g. to a token exchange server, CA, etc.)</td></tr>
<tr><td><code>num_outgoing_requests</code></td><td><code>Sum</code></td><td>Number of total outgoing requests (e.g. to a token exchange server, CA, etc.)</td></tr>
<tr><td><code>num_outgoing_retries</code></td><td><code>Sum</code></td><td>Number of outgoing retry requests (e.g. to a token exchange server, CA, etc.)</td></tr>
<tr><td><code>outgoing_latency</code></td><td><code>Sum</code></td><td>The latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds.</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
@ -3160,5 +3388,10 @@ These environment variables affect the behavior of the <code>istioctl</code> com
<tr><td><code>sidecar_injection_requests_total</code></td><td><code>Sum</code></td><td>Total number of Side car injection requests.</td></tr>
<tr><td><code>sidecar_injection_skip_total</code></td><td><code>Sum</code></td><td>Total number of skipped injection requests.</td></tr>
<tr><td><code>sidecar_injection_success_total</code></td><td><code>Sum</code></td><td>Total number of successful Side car injection requests.</td></tr>
<tr><td><code>total_active_connections</code></td><td><code>Sum</code></td><td>The total number of active SDS connections.</td></tr>
<tr><td><code>total_push_errors</code></td><td><code>Sum</code></td><td>The total number of failed SDS pushes.</td></tr>
<tr><td><code>total_pushes</code></td><td><code>Sum</code></td><td>The total number of SDS pushes.</td></tr>
<tr><td><code>total_secret_update_failures</code></td><td><code>Sum</code></td><td>The total number of dynamic secret update failures reported by proxy.</td></tr>
<tr><td><code>total_stale_connections</code></td><td><code>Sum</code></td><td>The total number of stale SDS connections.</td></tr>
</tbody>
</table>

2
content/en/docs/reference/commands/mixs/index.html
View File

@ -343,7 +343,7 @@ These environment variables affect the behavior of the <code>mixs</code> command
<td><code>ISTIO_LANG</code></td>
<td>String</td>
<td><code></code></td>
<td>Selects the attribute expression langauge runtime for Mixer.</td>
<td>Selects the attribute expression language runtime for Mixer.</td>
</tr>
<tr>
<td><code>KUBECONFIG</code></td>

8
content/en/docs/reference/commands/pilot-agent/index.html
View File

@ -492,7 +492,7 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. </td>
</tr>
<tr>
@ -621,12 +621,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>

20
content/en/docs/reference/commands/pilot-discovery/index.html
View File

@ -456,18 +456,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
</thead>
<tbody>
<tr>
<td><code>ISTIO_BOOTSTRAP</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>ISTIO_BOOTSTRAP_OVERRIDE</code></td>
<td>String</td>
<td><code></code></td>
<td></td>
</tr>
<tr>
<td><code>ISTIO_GPRC_MAXSTREAMS</code></td>
<td>Integer</td>
<td><code>100000</code></td>
@ -524,7 +512,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. </td>
</tr>
<tr>
@ -641,12 +629,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>

8
content/en/docs/reference/commands/sidecar-injector/index.html
View File

@ -415,7 +415,7 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<tr>
<td><code>PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td><code>true</code></td>
<td>If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. </td>
</tr>
<tr>
@ -520,12 +520,6 @@ These environment variables affect the behavior of the <code>sidecar-injector</c
<td><code>false</code></td>
<td>Use the Istio JWT filter for JWT token verification.</td>
</tr>
<tr>
<td><code>V2_REFRESH</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td></td>
</tr>
</tbody>
</table>
<h2 id="metrics">Exported metrics</h2>

12
content/en/docs/reference/config/authorization/istio.rbac.v1alpha1/index.html
View File

@ -16,7 +16,7 @@ the following standard fields:</p>
<ul>
<li>services: a list of services.</li>
<li>methods: A list of HTTP methods. You can set the value to <code>*</code> to include all HTTP methods.
<li>methods: A list of HTTP methods. You can set the value to <code>\*</code> to include all HTTP methods.
This field should not be set for TCP services. The policy will be ignored.
For gRPC services, only <code>POST</code> is allowed; other methods will result in denying services.</li>
<li>paths: HTTP paths or gRPC methods. Note that gRPC methods should be
@ -97,9 +97,9 @@ spec:
<p>Required. A list of service names.
Exact match, prefix match, and suffix match are supported for service names.
For example, the service name &ldquo;bookstore.mtv.cluster.local&rdquo; matches
&ldquo;bookstore.mtv.cluster.local&rdquo; (exact match), or &ldquo;bookstore<em>&rdquo; (prefix match),
or &ldquo;</em>.mtv.cluster.local&rdquo; (suffix match).
If set to [&ldquo;*&rdquo;], it refers to all services in the namespace.</p>
&ldquo;bookstore.mtv.cluster.local&rdquo; (exact match), or &ldquo;bookstore*&rdquo; (prefix match),
or &ldquo;*.mtv.cluster.local&rdquo; (suffix match).
If set to [&rdquo;*&rdquo;], it refers to all services in the namespace.</p>
</td>
</tr>
@ -112,7 +112,7 @@ gRPC methods must be presented as fully-qualified name in the form of
&ldquo;/packageName.serviceName/methodName&rdquo; and are case sensitive.
Exact match, prefix match, and suffix match are supported. For example,
the path &ldquo;/books/review&rdquo; matches &ldquo;/books/review&rdquo; (exact match),
or &ldquo;/books/<em>&rdquo; (prefix match), or &ldquo;</em>/review&rdquo; (suffix match).
or &ldquo;/books/*&rdquo; (prefix match), or &ldquo;*/review&rdquo; (suffix match).
If not specified, it matches to any path.
This field should not be set for TCP services. The policy will be ignored.</p>
@ -168,7 +168,7 @@ For gRPC services, only <code>POST</code> is allowed; other methods will result
<p>List of valid values for the constraint.
Exact match, prefix match, and suffix match are supported.
For example, the value &ldquo;v1alpha2&rdquo; matches &ldquo;v1alpha2&rdquo; (exact match),
or &ldquo;v1<em>&rdquo; (prefix match), or &ldquo;</em>alpha2&rdquo; (suffix match).</p>
or &ldquo;v1*&rdquo; (prefix match), or &ldquo;*alpha2&rdquo; (suffix match).</p>
</td>
</tr>

61
content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
View File

@ -496,6 +496,24 @@ Use secret-mount files instead of SDS if set to empty.</p>
rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.</p>
</td>
</tr>
<tr id="MeshConfig-enable_auto_mtls">
<td><code>enableAutoMtls</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">google.protobuf.BoolValue</a></code></td>
<td>
<p>This flag is used to enable mutual TLS automatically for service to service communication
within the mesh, default false.
If set to true, and a given service does not have a corresponding DestinationRule configured,
or its DestinationRule does not have TLSSettings specified, Istio configures client side
TLS configuration appropriately. More specifically,
If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
for mutual TLS to connect to upstream.
If upstream service is in plain text mode, use plain text.
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
mutual TLS when server sides are capable of accepting mutual TLS traffic.
If service DestinationRule exists and has TLSSettings specified, that is always used instead.</p>
</td>
</tr>
<tr id="MeshConfig-trust_domain">
@ -503,7 +521,7 @@ can be configured for a single control plane.</p>
<td><code>string</code></td>
<td>
<p>The trust domain corresponds to the trust root of a system.
Refer to <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain">SPIFEE-ID</a>
Refer to <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain">SPIFFE-ID</a>
Fallback to old identity format(without trust domain) if not set.</p>
</td>
@ -635,6 +653,47 @@ if sidecar is installed on all pods in the mesh, then this should be set to UPGR
If one or more services or namespaces do not have sidecar(s), then this should be set to DO<em>NOT</em>UPGRADE.
It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.</p>
</td>
</tr>
<tr id="MeshConfig-inbound_cluster_stat_name">
<td><code>inboundClusterStatName</code></td>
<td><code>string</code></td>
<td>
<p>Name to be used while emitting statistics for inbound clusters.
By default, Istio emits statistics with the pattern inbound|&lt;port&gt;|&lt;port-name&gt;|&lt;service-FQDN&gt;.
For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.
%SERVICE% - Will be substituted with name of the service.
%SERVICE<em>FQDN% - Will be substituted with FQDN of the service.
%SERVICE</em>PORT% - Will be substituted with port of the service.
%SERVICE<em>PORT</em>NAME% - Will be substituted with port name of the service.</p>
<p>Following are some examples of supported patterns for reviews.
%SERVICE<em>FQDN%</em>%SERVICE<em>PORT% will use reviews.prod.svc.cluster.local</em>7443 as the stats name.
%SERVICE% will use reviews.prod as the stats name.</p>
</td>
</tr>
<tr id="MeshConfig-outbound_cluster_stat_name">
<td><code>outboundClusterStatName</code></td>
<td><code>string</code></td>
<td>
<p>Name to be used while emitting statistics for outbound clusters.
By default, Istio emits statistics with the pattern outbound|&lt;port&gt;|&lt;subsetname&gt;|&lt;service-FQDN&gt;.
For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.</p>
<p>A Pattern can be composed of various pre-defined variables. The following variables are supported.
%SERVICE% - Will be substituted with name of the service.
%SERVICE<em>FQDN% - Will be substituted with FQDN of the service.
%SERVICE</em>PORT% - Will be substituted with port of the service.
%SERVICE<em>PORT</em>NAME% - Will be substituted with port name of the service.
%SUBSET_NAME% - Will be substituted with subset.</p>
<p>Following are some examples of supported patterns for reviews.
%SERVICE<em>FQDN%</em>%SERVICE<em>PORT% will use reviews.prod.svc.cluster.local</em>7443 as the stats name.
%SERVICE% will use reviews.prod as the stats name.</p>
</td>
</tr>
</tbody>

2298
content/en/docs/reference/config/istio.operator.v1alpha12.pb/index.html Normal file
View File

File diff suppressed because it is too large Load Diff

2
content/en/docs/reference/config/networking/v1alpha3/service-entry/index.html
View File

@ -285,7 +285,7 @@ be translated to <code>http://uk.foo.bar.com/baz</code>.</p>
<p>The following example illustrates the usage of a <code>ServiceEntry</code>
containing a subject alternate name
whose format conforms to the <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md">SPIFEE standard</a>:</p>
whose format conforms to the <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md">SPIFFE standard</a>:</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry

4
content/en/docs/reference/config/networking/v1alpha3/sidecar/index.html
View File

@ -97,14 +97,14 @@ spec:
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- hosts:
- &quot;istio-system/*&quot;
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- &quot;prod-us1/*&quot;
- hosts:
- &quot;istio-system/*&quot;
</code></pre>
<p>If the workload is deployed without IPTables based traffic capture, the

452
content/en/docs/reference/config/security/v1beta1/authorization-policy/index.html Normal file
View File

@ -0,0 +1,452 @@
---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: Authorization Policy
description: Configuration for access control on workloads.
location: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 8
---
<p>Istio Authorization Policy enables access control on workloads in the mesh.</p>
<p>For example, the following authorization policy applies to workloads matched with
label selector &ldquo;app: httpbin, version: v1&rdquo;.</p>
<p>It allows requests from:
- service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or
- namespace &ldquo;test&rdquo;
to access the workload with:
- &ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,
- &ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.
when the request has a valid JWT token issued by &ldquo;https://accounts.google.com&rdquo;.</p>
<p>Any other requests will be rejected.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- from:
- source:
principals: [&quot;cluster.local/ns/default/sa/sleep&quot;]
- source:
namespaces: [&quot;test&quot;]
to:
- operation:
methods: [&quot;GET&quot;]
paths: [&quot;/info*&quot;]
- operation:
methods: [&quot;POST&quot;]
paths: [&quot;/data&quot;]
when:
- key: request.auth.claims[iss]
values: [&quot;https://accounts.google.com&quot;]
</code></pre>
<p>Access control is enabled on a workload if there is any authorization policies selecting
the workload. When access control is enabled, the default behavior is deny (deny-by-default)
which means requests to the workload will be rejected if the request is not allowed by any of
the authorization policies selecting the workload.</p>
<p>Currently AuthorizationPolicy only supports &ldquo;ALLOW&rdquo; action. This means that
if multiple authorization policies apply to the same workload, the effect is additive.</p>
<p>Authorization Policy scope (target) is determined by &ldquo;metadata/namespace&rdquo; and
an optional &ldquo;selector&rdquo;.
- &ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.
- workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</p>
<p>For example,</p>
<p>The following authorization policy applies to workloads containing label
&ldquo;app: httpbin&rdquo; in namespace bar.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: bar
spec:
selector:
matchLabels:
app: httpbin
</code></pre>
<p>The following authorization policy applies to all workloads in namespace foo.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: foo
spec:
</code></pre>
<p>The following authorization policy applies to workloads containing label
&ldquo;version: v1&rdquo; in all namespaces in the mesh. (Assuming the root namespace is
configured to &ldquo;istio-config&rdquo;).</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: policy
namespace: istio-config
spec:
selector:
matchLabels:
version: v1
</code></pre>
<h2 id="AuthorizationPolicy">AuthorizationPolicy</h2>
<section>
<p>AuthorizationPolicy enables access control on workloads.</p>
<p>For example, the following authorization policy denies all requests to workloads
in namespace foo.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: foo
spec:
</code></pre>
<p>The following authorization policy allows all requests to workloads in namespace
foo.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-all
namespace: foo
spec:
rules:
- &lbrace;}
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="AuthorizationPolicy-selector">
<td><code>selector</code></td>
<td><code><a href="/docs/reference/config/type/v1beta1/workload-selector.html#WorkloadSelector">istio.type.v1beta1.WorkloadSelector</a></code></td>
<td>
<p>Optional. Workload selector decides where to apply the authorization policy.
If not set, the authorization policy will be applied to all workloads in the
same namespace as the authorization policy.</p>
</td>
</tr>
<tr id="AuthorizationPolicy-rules">
<td><code>rules</code></td>
<td><code><a href="#Rule">Rule[]</a></code></td>
<td>
<p>Optional. A list of rules to specify the allowed access to the workload.</p>
<p>If not set, access is denied unless explicitly allowed by other authorization policy.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Condition">Condition</h2>
<section>
<p>Condition specifies additional required attributes.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Condition-key">
<td><code>key</code></td>
<td><code>string</code></td>
<td>
<p>Required. The name of an Istio attribute.
Note: Check https://istio.io/docs/reference/config/ for the list of supported
attribute name.</p>
</td>
</tr>
<tr id="Condition-values">
<td><code>values</code></td>
<td><code>string[]</code></td>
<td>
<p>Required. The allowed values for the attribute.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Operation">Operation</h2>
<section>
<p>Operation specifies the operations of a request.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Operation-hosts">
<td><code>hosts</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of hosts, which matches to the &ldquo;request.host&rdquo; attribute.</p>
<p>If not set, any host is allowed. Must be used only with HTTP.</p>
</td>
</tr>
<tr id="Operation-ports">
<td><code>ports</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of ports, which matches to the &ldquo;destination.port&rdquo; attribute.</p>
<p>If not set, any port is allowed.</p>
</td>
</tr>
<tr id="Operation-methods">
<td><code>methods</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of methods, which matches to the &ldquo;request.method&rdquo; attribute.
For gRPC service, this should be the fully-qualified name in the form of
&ldquo;/package.service/method&rdquo;</p>
<p>If not set, any method is allowed. Must be used only with HTTP or gRPC.</p>
</td>
</tr>
<tr id="Operation-paths">
<td><code>paths</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of paths, which matches to the &ldquo;request.url_path&rdquo; attribute.</p>
<p>If not set, any path is allowed. Must be used only with HTTP.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>Rule allows access from a list of sources to perform a list of operations when
the condition is matched.</p>
<p>Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.
- Prefix match: &ldquo;abc<em>&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.
- Suffix match: &ldquo;</em>abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.
- Presence match: &ldquo;*&rdquo; will match when value is not empty.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-from">
<td><code>from</code></td>
<td><code><a href="#Rule-From">Rule.From[]</a></code></td>
<td>
<p>Optional. from specifies the source of a request.</p>
<p>If not set, any source is allowed.</p>
</td>
</tr>
<tr id="Rule-to">
<td><code>to</code></td>
<td><code><a href="#Rule-To">Rule.To[]</a></code></td>
<td>
<p>Optional. to specifies the operation of a request.</p>
<p>If not set, any operation is allowed.</p>
</td>
</tr>
<tr id="Rule-when">
<td><code>when</code></td>
<td><code><a href="#Condition">Condition[]</a></code></td>
<td>
<p>Optional. when specifies a list of additional conditions of a request.</p>
<p>If not set, any condition is allowed.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-From">Rule.From</h2>
<section>
<p>From includes a list or sources.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-From-source">
<td><code>source</code></td>
<td><code><a href="#Source">Source</a></code></td>
<td>
<p>Source specifies the source of a request.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-To">Rule.To</h2>
<section>
<p>To includes a list or operations.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-To-operation">
<td><code>operation</code></td>
<td><code><a href="#Operation">Operation</a></code></td>
<td>
<p>Operation specifies the operation of a request.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Source">Source</h2>
<section>
<p>Source specifies the source identities of a request.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Source-principals">
<td><code>principals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of source peer identities (i.e. service account), which
matches to the &ldquo;source.principal&rdquo; attribute.</p>
<p>If not set, any principal is allowed.</p>
</td>
</tr>
<tr id="Source-request_principals">
<td><code>requestPrincipals</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of request identities (i.e. &ldquo;iss/sub&rdquo; claims), which
matches to the &ldquo;request.auth.principal&rdquo; attribute.</p>
<p>If not set, any request principal is allowed.</p>
</td>
</tr>
<tr id="Source-namespaces">
<td><code>namespaces</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of namespaces, which matches to the &ldquo;source.namespace&rdquo;
attribute.</p>
<p>If not set, any namespace is allowed.</p>
</td>
</tr>
<tr id="Source-ip_blocks">
<td><code>ipBlocks</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional. A list of IP blocks, which matches to the &ldquo;source.ip&rdquo; attribute.
Single IP (e.g. &ldquo;1.2.3.4&rdquo;) and CIDR (e.g. &ldquo;1.2.3.0/24&rdquo;) are supported.</p>
<p>If not set, any IP is allowed.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="istio-type-v1beta1-WorkloadSelector">istio.type.v1beta1.WorkloadSelector</h2>
<section>
<p>WorkloadSelector specifies the criteria used to determine if a policy can be applied
to a proxy. The matching criteria includes the metadata associated with a proxy,
workload instance info such as labels attached to the pod/VM, or any other info
that the proxy provides to Istio during the initial handshake. If multiple conditions are
specified, all conditions need to match in order for the workload instance to be
selected. Currently, only label based selection mechanism is supported.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="istio-type-v1beta1-WorkloadSelector-match_labels">
<td><code>matchLabels</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>REQUIRED: One or more labels that indicate a specific set of pods/VMs
on which a policy should be applied. The scope of label search is restricted to
the configuration namespace in which the resource is present.</p>
</td>
</tr>
</tbody>
</table>
</section>

2
data/args.yml
View File

@ -25,7 +25,7 @@ archive_date: YYYY-MM-DD
archive_search_refinement: "V1.1"
# GitHub branch names used when the docs have links to GitHub
source_branch_name: release-1.3
source_branch_name: master
doc_branch_name: master
# The list of supported versions described by the docs

24
scripts/grab_reference_docs.sh
View File

@ -25,9 +25,9 @@
# The repos to mine for docs, just add new entries here to pull in more repos.
REPOS=(
https://github.com/istio/istio.git@release-1.3
https://github.com/istio/api.git@release-1.3
https://github.com/istio/operator.git@release-1.3
https://github.com/istio/istio.git@master
https://github.com/istio/api.git@master
https://github.com/istio/operator.git@master
https://github.com/apigee/istio-mixer-adapter.git@master
https://github.com/osswangxining/alicloud-istio-grpcadapter.git@master
https://github.com/vmware/wavefront-adapter-for-istio.git@master
@ -37,15 +37,15 @@ REPOS=(
# The components to build and extract usage docs from.
COMPONENTS=(
https://github.com/istio/istio.git@release-1.3@mixer/cmd/mixs@mixs
https://github.com/istio/istio.git@release-1.3@istioctl/cmd/istioctl@istioctl
https://github.com/istio/istio.git@release-1.3@pilot/cmd/pilot-agent@pilot-agent
https://github.com/istio/istio.git@release-1.3@pilot/cmd/pilot-discovery@pilot-discovery
https://github.com/istio/istio.git@release-1.3@pilot/cmd/sidecar-injector@sidecar-injector
https://github.com/istio/istio.git@release-1.3@security/cmd/istio_ca@istio_ca
https://github.com/istio/istio.git@release-1.3@security/cmd/node_agent@node_agent
https://github.com/istio/istio.git@release-1.3@galley/cmd/galley@galley
https://github.com/istio/operator.git@release-1.3@cmd/manager@operator
https://github.com/istio/istio.git@master@mixer/cmd/mixs@mixs
https://github.com/istio/istio.git@master@istioctl/cmd/istioctl@istioctl
https://github.com/istio/istio.git@master@pilot/cmd/pilot-agent@pilot-agent
https://github.com/istio/istio.git@master@pilot/cmd/pilot-discovery@pilot-discovery
https://github.com/istio/istio.git@master@sidecar-injector/cmd/sidecar-injector@sidecar-injector
https://github.com/istio/istio.git@master@security/cmd/istio_ca@istio_ca
https://github.com/istio/istio.git@master@security/cmd/node_agent@node_agent
https://github.com/istio/istio.git@master@galley/cmd/galley@galley
https://github.com/istio/operator.git@master@cmd/manager@operator
)
SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

2
scripts/tablegen.py
View File

@ -41,7 +41,7 @@ ISTIO_CONFIG_DIR = "install/kubernetes/helm/istio"
YAML_CONFIG_DIR = ISTIO_CONFIG_DIR + "/charts"
VALUES_YAML = "values.yaml"
CONFIG_INDEX_DIR = "content/en/docs/reference/config/installation-options/index.md"
ISTIO_REPO = "https://github.com/istio/istio.git@release-1.3"
ISTIO_REPO = "https://github.com/istio/istio.git@master"
ISTIO_LOCAL_REPO = "istio-repo"