From eb912e6aeb2d568ab4527c4ed7c36681c8533c26 Mon Sep 17 00:00:00 2001 From: Istio Automation Date: Thu, 14 Mar 2024 07:35:25 -0700 Subject: [PATCH] Automator: update istio.io@ reference docs (#14739) --- .../reference/commands/install-cni/index.html | 46 +- .../reference/commands/istioctl/index.html | 8817 ++++++++++++++++- .../reference/commands/operator/index.html | 679 +- .../reference/commands/pilot-agent/index.html | 45 +- .../commands/pilot-discovery/index.html | 52 +- .../reference/config/annotations/index.html | 304 +- .../config/istio.mesh.v1alpha1/index.html | 308 +- .../docs/reference/config/labels/index.html | 53 +- .../networking/destination-rule/index.html | 257 +- .../config/networking/gateway/index.html | 228 +- .../networking/service-entry/index.html | 339 - .../config/networking/sidecar/index.html | 204 +- .../networking/virtual-service/index.html | 555 -- .../networking/workload-entry/index.html | 106 - .../networking/workload-group/index.html | 36 - .../security/authorization-policy/index.html | 175 - .../reference/config/security/jwt/index.html | 12 + .../security/peer_authentication/index.html | 16 +- .../request_authentication/index.html | 183 - .../config/type/workload-selector/index.html | 4 - .../reference/commands/install-cni/index.html | 46 +- .../reference/commands/istioctl/index.html | 8817 ++++++++++++++++- .../reference/commands/operator/index.html | 679 +- .../reference/commands/pilot-agent/index.html | 45 +- .../commands/pilot-discovery/index.html | 52 +- .../reference/config/annotations/index.html | 304 +- .../config/istio.mesh.v1alpha1/index.html | 308 +- .../docs/reference/config/labels/index.html | 53 +- .../networking/destination-rule/index.html | 257 +- .../config/networking/gateway/index.html | 228 +- .../networking/service-entry/index.html | 339 - .../config/networking/sidecar/index.html | 204 +- .../networking/virtual-service/index.html | 555 -- .../networking/workload-entry/index.html | 106 - .../networking/workload-group/index.html | 36 - .../security/authorization-policy/index.html | 175 - .../reference/config/security/jwt/index.html | 12 + .../security/peer_authentication/index.html | 16 +- .../request_authentication/index.html | 183 - .../config/type/workload-selector/index.html | 4 - data/features.yaml | 1 + 41 files changed, 20239 insertions(+), 4600 deletions(-) diff --git a/content/en/docs/reference/commands/install-cni/index.html b/content/en/docs/reference/commands/install-cni/index.html index 628f5c5c3d..98e0467274 100644 --- a/content/en/docs/reference/commands/install-cni/index.html +++ b/content/en/docs/reference/commands/install-cni/index.html @@ -696,7 +696,7 @@ These environment variables affect the behavior of the install-cni ENABLE_ENHANCED_RESOURCE_SCOPING Boolean -false +true If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution. @@ -778,6 +778,12 @@ These environment variables affect the behavior of the install-cni If enabled, the TLS configuration on Sidecar.ingress will take effect +ENABLE_VTPROTOBUF +Boolean +false +If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf. + + ENVOY_USER String istio-proxy @@ -834,7 +840,7 @@ These environment variables affect the behavior of the install-cni ISTIO_DELTA_XDS Boolean -false +true If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas. @@ -926,12 +932,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected If enabled, istiod will skip verifying the certificate of the JWKS server. -JWT_POLICY -String -third-party-jwt -The JWT validation policy. - - KUBECFG_FILE_NAME String ZZZ-istio-cni-kubeconfig @@ -1016,12 +1016,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely. -NATIVE_METADATA_EXCHANGE -Boolean -true -If set, uses a native implementation of the HTTP metadata exchange filter - - NODE_NAME String @@ -1172,12 +1166,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag. -PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS -Boolean -true -If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. - - PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES Boolean true @@ -1292,6 +1280,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway +PILOT_GATEWAY_API_CONTROLLER_NAME +String +istio.io/gateway-controller +Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name + + +PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME +String +istio +Name of the default GatewayClass + + PILOT_HTTP10 Boolean false @@ -1430,12 +1430,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected If true, Pilot will collect metrics for XDS cache efficiency. -PILOT_XDS_SEND_TIMEOUT -Time Duration -0s -The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push. - - POD_NAME String diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html index 4122c3314b..2ff0e0e644 100644 --- a/content/en/docs/reference/commands/istioctl/index.html +++ b/content/en/docs/reference/commands/istioctl/index.html @@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio title: istioctl description: Istio control interface. generator: pkg-collateral-docs -number_of_entries: 92 +number_of_entries: 93 max_toc_level: 2 remove_toc_prefix: 'istioctl ' --- @@ -21,11 +21,51 @@ debug and diagnose their Istio mesh. +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -36,11 +76,66 @@ debug and diagnose their Istio mesh. Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -64,11 +159,51 @@ debug and diagnose their Istio mesh. +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -79,16 +214,71 @@ debug and diagnose their Istio mesh. Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + --selector <string> -l label selector (default `app=istiod`) +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -116,6 +306,31 @@ debug and diagnose their Istio mesh. +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) @@ -126,6 +341,21 @@ debug and diagnose their Istio mesh. ControlZ port (default `9876`) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -138,7 +368,12 @@ debug and diagnose their Istio mesh. --level <string> -Comma-separated list of output logging level for scopes in format <scope>:<level>[,<scope>:<level>,...]Possible values for <level>: none, error, warn, info, debug (default ``) +Comma-separated list of output logging level for scopes in the format of <scope>:<level>[,<scope>:<level>,...]. Possible values for <level>: none, error, warn, info, debug (default ``) + + +--mode <string> + +The operating mode of the implementation. (default `default`) --namespace <string> @@ -146,11 +381,36 @@ debug and diagnose their Istio mesh. Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --output <string> -o Output format: one of json|yaml|short (default `short`) +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + --reset Reset levels to default value. (info) @@ -161,14 +421,39 @@ debug and diagnose their Istio mesh. Control plane revision (default ``) +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + --selector <string> -l label selector (default `app=istiod`) +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + --stack-trace-level <string> -Comma-separated list of stack trace level for scopes in format <scope>:<stack-trace-level>[,<scope>:<stack-trace-level>,...] Possible values for <stack-trace-level>: none, error, warn, info, debug (default ``) +Comma-separated list of stack trace level for scopes in the format of <scope>:<stack-trace-level>[,<scope>:<stack-trace-level>,...]. Possible values for <stack-trace-level>: none, error, warn, info, debug (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) --vklog <Level> @@ -208,26 +493,66 @@ debug and diagnose their Istio mesh. +--all-features + +Whether to enable all supported features for conformance tests + + --all-namespaces -A Analyze all namespaces +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + --color Default true. Disable with '=false' or set $TERM to dumb +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + --failure-threshold <Level> The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warning Error] (default `Error`) +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --ignore-unknown Don't complain about un-parseable input documents, for cases where analyze should run only on k8s compliant inputs. @@ -253,11 +578,31 @@ debug and diagnose their Istio mesh. Overrides the mesh config values to use for analysis. (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --output <string> -o Output format: one of [log json yaml] (default `log`) @@ -268,16 +613,41 @@ debug and diagnose their Istio mesh. The severity level of analysis at which to display messages. Valid values: [Info Warning Error] (default `Info`) +--project <string> + +Implementation's project to issue conformance to (default ``) + + --recursive -R Process directory arguments recursively. Useful when you want to analyze related manifests organized within the same directory. +--report-output <string> + +The file where to write the conformance report (default ``) + + --revision <string> analyze a specific revision deployed. (default `default`) +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + --suppress <stringArray> -S Suppress reporting a message code on a specific resource. Values are supplied in the form <code>=<resource> (e.g. '--suppress "IST0102=DestinationRule primary-dr.default"'). Can be repeated. You can include the wildcard character '*' to support a partial match (e.g. '--suppress "IST0102=DestinationRule *.default" ). (default `[]`) @@ -288,6 +658,11 @@ debug and diagnose their Istio mesh. The duration to wait before failing (default `30s`) +--url <string> + +Implementation's url to issue conformance to (default ``) + + --use-kube -k Use live Kubernetes cluster for analysis. Set --use-kube=false to analyze files only. @@ -298,6 +673,11 @@ debug and diagnose their Istio mesh. Enable verbose output +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -344,11 +724,51 @@ debug and diagnose their Istio mesh. +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -359,11 +779,66 @@ debug and diagnose their Istio mesh. Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -394,6 +869,31 @@ All names except label and annotation keys support '*' glob matching pat +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Name of the kubeconfig Context to use. (default ``) @@ -404,6 +904,11 @@ All names except label and annotation keys support '*' glob matching pat List of comma separated glob patterns to match against log error strings. If any pattern matches an error in the log, the logs is given the highest priority for archive inclusion. (default `[]`) +--debug + +Whether to print debug logs + + --dir <string> Set a specific directory for temporary artifact storage. (default ``) @@ -429,6 +934,11 @@ All names except label and annotation keys support '*' glob matching pat Spec for which pod's proxy logs to exclude from the archive, after the include spec is processed. See above for format and examples. (default `["kube-node-lease,kube-public,kube-system,local-path-storage"]`) +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + --filename <string> -f Path to a file containing configuration in YAML format. The file contents are applied over the default values and flag settings, with lists being replaced per JSON merge semantics. (default ``) @@ -439,6 +949,11 @@ All names except label and annotation keys support '*' glob matching pat If set, secret contents are included in output. +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --ignore-errs <stringSlice> List of comma separated glob patterns to match against log error strings. Any error matching these patterns is ignored when calculating the log importance heuristic. (default `[]`) @@ -464,31 +979,86 @@ All names except label and annotation keys support '*' glob matching pat Path to kube config. (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --output-dir <string> Set a specific directory for output archive file. (default ``) +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + --rq-concurrency <int> Set the concurrency limit of requests to the Kubernetes API server, defaults to 32. (default `0`) +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + --start-time <string> Start time for the range of log entries to include in the archive. Default is the infinite past. If set, --duration must be unset. (default ``) +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + --timeout <duration> Maximum amount of time to spend fetching logs. When timeout is reached only the logs captured so far are saved to the archive. (default `30m0s`) +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -509,6 +1079,31 @@ All names except label and annotation keys support '*' glob matching pat +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Name of the kubeconfig Context to use. (default ``) @@ -519,6 +1114,11 @@ All names except label and annotation keys support '*' glob matching pat List of comma separated glob patterns to match against log error strings. If any pattern matches an error in the log, the logs is given the highest priority for archive inclusion. (default `[]`) +--debug + +Whether to print debug logs + + --dir <string> Set a specific directory for temporary artifact storage. (default ``) @@ -544,6 +1144,11 @@ All names except label and annotation keys support '*' glob matching pat Spec for which pod's proxy logs to exclude from the archive, after the include spec is processed. See above for format and examples. (default `["kube-node-lease,kube-public,kube-system,local-path-storage"]`) +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + --filename <string> -f Path to a file containing configuration in YAML format. The file contents are applied over the default values and flag settings, with lists being replaced per JSON merge semantics. (default ``) @@ -554,6 +1159,11 @@ All names except label and annotation keys support '*' glob matching pat If set, secret contents are included in output. +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --ignore-errs <stringSlice> List of comma separated glob patterns to match against log error strings. Any error matching these patterns is ignored when calculating the log importance heuristic. (default `[]`) @@ -579,11 +1189,31 @@ All names except label and annotation keys support '*' glob matching pat Path to kube config. (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --output <string> -o One of 'yaml' or 'json'. (default ``) @@ -594,26 +1224,61 @@ All names except label and annotation keys support '*' glob matching pat Set a specific directory for output archive file. (default ``) +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + --rq-concurrency <int> Set the concurrency limit of requests to the Kubernetes API server, defaults to 32. (default `0`) +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + --short -s Use --short=false to generate full version information +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + --start-time <string> Start time for the range of log entries to include in the archive. Default is the infinite past. If set, --duration must be unset. (default ``) +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + --timeout <duration> Maximum amount of time to spend fetching logs. When timeout is reached only the logs captured so far are saved to the archive. (default `30m0s`) +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -634,11 +1299,51 @@ See each sub-command's help for details on how to use the generated script. +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -649,11 +1354,66 @@ See each sub-command's help for details on how to use the generated script. Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -685,11 +1445,51 @@ If it is not installed already, you can install it via your OS's package man +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -700,16 +1500,71 @@ If it is not installed already, you can install it via your OS's package man Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + --no-descriptions disable completion descriptions +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -736,11 +1591,51 @@ If it is not installed already, you can install it via your OS's package man +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -751,16 +1646,71 @@ If it is not installed already, you can install it via your OS's package man Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + --no-descriptions disable completion descriptions +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -786,11 +1736,51 @@ to your powershell profile. +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -801,16 +1791,71 @@ to your powershell profile. Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + --no-descriptions disable completion descriptions +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -843,11 +1888,51 @@ to enable it. You can execute the following once:

+--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -858,16 +1943,71 @@ to enable it. You can execute the following once:

Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + --no-descriptions disable completion descriptions +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -888,6 +2028,16 @@ to enable it. You can execute the following once:

+--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + --auth-plugin-config <stringToString> Authenticator plug-in configuration. --auth-type=plugin must be set with this option (default `[]`) @@ -903,6 +2053,21 @@ to enable it. You can execute the following once:

Type of authentication to use. supported values = [bearer-token plugin] (default `bearer-token`) +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) @@ -913,6 +2078,21 @@ to enable it. You can execute the following once:

If true, the service account needed for creating the remote secret will be created if it doesn't exist. +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -926,7 +2106,12 @@ to enable it. You can execute the following once:

--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.21.0/manifests). (default ``) +(e.g. ~/Downloads/istio-1.22.0/manifests). (default ``) + + +--mode <string> + +The operating mode of the implementation. (default `default`) --name <string> @@ -939,6 +2124,36 @@ to enable it. You can execute the following once:

Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + --secret-name <string> The name of the specific secret to use from the service-account. Needed when there are multiple secrets in the service account. (default ``) @@ -954,11 +2169,31 @@ to enable it. You can execute the following once:

Create a secret with this service account's credentials. Default value is "istio-reader-service-account" if --type is "remote", "istiod" if --type is "config". (default ``) +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + --type <SecretType> Type of the generated secret. supported values = [remote config] (default `remote`) +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -1001,16 +2236,56 @@ istioctl d [flags] Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`) +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + --browser When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -1021,16 +2296,71 @@ istioctl d [flags] Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --port <int> -p Local port to listen to (default `0`) +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -1056,11 +2386,36 @@ istioctl d [flags] Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`) +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + --browser When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) @@ -1071,6 +2426,21 @@ istioctl d [flags] ControlZ port (default `9876`) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -1081,21 +2451,76 @@ istioctl d [flags] Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --port <int> -p Local port to listen to (default `0`) +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + --selector <string> -l Label selector (default ``) +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -1138,16 +2563,56 @@ istioctl d [flags] Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`) +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + --browser When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -1158,26 +2623,81 @@ istioctl d [flags] Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --port <int> -p Local port to listen to (default `0`) +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + --selector <string> -l Label selector (default ``) +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + --ui-port <int> The component dashboard UI port. (default `15000`) +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -1215,16 +2735,56 @@ istioctl d [flags] Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`) +--all-features + +Whether to enable all supported features for conformance tests + + +--allow-crds-mismatch + +Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. + + --browser When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. +--cleanup-base-resources + +Whether to cleanup base test resources after the run + + +--conformance-profiles <string> + +Comma-separated list of the conformance profiles to run (default ``) + + +--contact <string> + +Comma-separated list of contact information for the maintainers (default ``) + + --context <string> Kubernetes configuration context (default ``) +--debug + +Whether to print debug logs + + +--exempt-features <string> + +Exempt Features excluded from conformance tests suites (default ``) + + +--gateway-class <string> + +Name of GatewayClass to use for tests (default `gateway-conformance`) + + --istioNamespace <string> -i Istio system namespace (default `istio-system`) @@ -1235,21 +2795,76 @@ istioctl d [flags] Kubernetes configuration file (default ``) +--mode <string> + +The operating mode of the implementation. (default `default`) + + --namespace <string> -n Kubernetes namespace (default ``) +--namespace-annotations <string> + +Comma-separated list of name=value annotations to add to test namespaces (default ``) + + +--namespace-labels <string> + +Comma-separated list of name=value labels to add to test namespaces (default ``) + + +--organization <string> + +Implementation's Organization to issue conformance to (default ``) + + --port <int> -p Local port to listen to (default `0`) +--project <string> + +Implementation's project to issue conformance to (default ``) + + +--report-output <string> + +The file where to write the conformance report (default ``) + + +--run-test <string> + +Name of a single test to run, instead of the whole suite (default ``) + + +--skip-tests <string> + +Comma-separated list of tests to skip (default ``) + + +--supported-features <string> + +Supported features included in conformance tests suites (default ``) + + --ui-port <int> The component dashboard UI port. (default `3000`) +--url <string> + +Implementation's url to issue conformance to (default ``) + + +--version <string> + +Implementation's version to issue conformance to (default ``) + + --vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`) @@ -1263,6 +2878,176 @@ istioctl d [flags] istioctl dash grafana istioctl d grafana +

istioctl dashboard istiod-debug

+

Open the debug web UI for a Istio control plane pod

+
istioctl dashboard istiod-debug [<type>/]<name>[.<namespace>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind. (default `localhost`)
--all-featuresWhether to enable all supported features for conformance tests
--allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels.
--browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard.
--cleanup-base-resourcesWhether to cleanup base test resources after the run
--conformance-profiles <string>Comma-separated list of the conformance profiles to run (default ``)
--contact <string>Comma-separated list of contact information for the maintainers (default ``)
--context <string>Kubernetes configuration context (default ``)
--debugWhether to print debug logs
--exempt-features <string>Exempt Features excluded from conformance tests suites (default ``)
--gateway-class <string>Name of GatewayClass to use for tests (default `gateway-conformance`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--mode <string>The operating mode of the implementation. (default `default`)
--namespace <string>-nKubernetes namespace (default ``)
--namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces (default ``)
--namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces (default ``)
--organization <string>Implementation's Organization to issue conformance to (default ``)
--port <int>-pLocal port to listen to (default `0`)
--project <string>Implementation's project to issue conformance to (default ``)
--report-output <string>The file where to write the conformance report (default ``)
--run-test <string>Name of a single test to run, instead of the whole suite (default ``)
--selector <string>-lLabel selector (default ``)
--skip-tests <string>Comma-separated list of tests to skip (default ``)
--supported-features <string>Supported features included in conformance tests suites (default ``)
--url <string>Implementation's url to issue conformance to (default ``)
--version <string>Implementation's version to issue conformance to (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
+

Examples

+
  # Open Istio debug web UI for the istiod-123-456.istio-system pod
+  istioctl dashboard istiod-debug istiod-123-456.istio-system
+
+  # Open Istio debug web UI for the istiod-56dd66799-jfdvs pod in a custom namespace
+  istioctl dashboard istiod-debug istiod-123-456 -n custom-ns
+
+  # Open Istio debug web UI for any Istiod pod
+  istioctl dashboard istiod-debug deployment/istiod.istio-system
+
+  # with short syntax
+  istioctl dash istiod-debug pilot-123-456.istio-system
+  istioctl d istiod-debug pilot-123-456.istio-system
+
+

istioctl dashboard jaeger

Open Istio's Jaeger dashboard

istioctl dashboard jaeger [flags]
@@ -1282,16 +3067,56 @@ istioctl d [flags]
 Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1302,21 +3127,76 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --ui-port <int>
 
 The component dashboard UI port.  (default `16686`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1349,16 +3229,56 @@ istioctl d [flags]
 Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1369,21 +3289,76 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --ui-port <int>
 
 The component dashboard UI port.  (default `20001`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1416,16 +3391,56 @@ istioctl d [flags]
 Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1436,21 +3451,76 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --ui-port <int>
 
 The component dashboard UI port.  (default `9090`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1483,16 +3553,56 @@ istioctl d [flags]
 Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1503,26 +3613,81 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --selector <string>
 -l
 Label selector  (default ``)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --ui-port <int>
 
 The component dashboard UI port.  (default `15000`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1566,16 +3731,56 @@ istioctl d [flags]
 Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1586,21 +3791,76 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --ui-port <int>
 
 The component dashboard UI port.  (default `8080`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1633,16 +3893,56 @@ istioctl d [flags]
 Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1653,21 +3953,76 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --ui-port <int>
 
 The component dashboard UI port.  (default `9411`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1693,11 +4048,51 @@ istioctl d [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1708,11 +4103,66 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1732,11 +4182,51 @@ istioctl d [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1747,11 +4237,66 @@ istioctl d [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1776,16 +4321,56 @@ from multiple sources (mesh-level, namespace-level and workload-level).

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 The json file with Envoy config dump to be checked  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1796,11 +4381,66 @@ from multiple sources (mesh-level, namespace-level and workload-level).

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1832,11 +4472,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1852,11 +4532,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 Check namespace and label pairs injection status, split multiple labels by commas  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1889,11 +4624,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1904,11 +4679,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1933,11 +4763,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1948,11 +4818,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -1976,11 +4901,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -1991,11 +4956,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2021,11 +5041,51 @@ the configuration objects that affect that pod.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --ignoreUnmeshed
 
 Suppress warnings for unmeshed pods 
@@ -2041,11 +5101,66 @@ the configuration objects that affect that pod.

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2074,11 +5189,51 @@ the configuration objects that affect that service.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --ignoreUnmeshed
 
 Suppress warnings for unmeshed pods 
@@ -2094,11 +5249,66 @@ the configuration objects that affect that service.

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2125,11 +5335,51 @@ the configuration objects that affect that service.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -2140,14 +5390,64 @@ the configuration objects that affect that service.

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
-Output format: one of json|yaml|prom|prom-merged  (default `short`)
+Output format: one of json|yaml|short|prom|prom-merged  (default `short`)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--proxy-admin-port <int>
+
+Envoy proxy admin port  (default `15000`)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
 
 
 --type <string>
@@ -2155,6 +5455,16 @@ the configuration objects that affect that service.

 Where to grab the stats: one of server|clusters  (default `server`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2168,6 +5478,9 @@ the configuration objects that affect that service.

   # Retrieve Envoy server metrics in prometheus format
   istioctl experimental envoy-stats <pod-name[.namespace]> --output prom
 
+  # Retrieve Envoy server metrics in prometheus format with custom proxy admin port
+  istioctl experimental envoy-stats <pod-name[.namespace]> --output prom --proxy-admin-port 15000
+
   # Retrieve Envoy server metrics in prometheus format with merged application metrics
   istioctl experimental envoy-stats <pod-name[.namespace]> --output prom-merged
 
@@ -2189,11 +5502,51 @@ the configuration objects that affect that service.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -2204,11 +5557,66 @@ the configuration objects that affect that service.

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2232,11 +5640,51 @@ the configuration objects that affect that service.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -2247,11 +5695,66 @@ the configuration objects that affect that service.

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2284,6 +5787,16 @@ THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

 Send the same request to all instances of Istiod. Only applicable for in-cluster deployment. 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)
@@ -2294,11 +5807,41 @@ THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

 XDS Endpoint certificate directory  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --insecure
 
 Skip server certificate and domain verification. (NOT SECURE!) 
@@ -2314,26 +5857,81 @@ THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --plaintext
 
 Use plain-text HTTP/2 when connecting to server (no TLS). 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2409,16 +6007,56 @@ calculated over a time interval of 1 minute.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --duration <duration>
 -d
 Duration of query metrics, default value is 1m.  (default `1m0s`)
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -2429,11 +6067,66 @@ calculated over a time interval of 1 minute.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2464,16 +6157,56 @@ calculated over a time interval of 1 minute.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --from-version <string>
 -f
 check changes since the provided version  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -2484,11 +6217,31 @@ calculated over a time interval of 1 minute.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of [log json yaml]  (default `log`)
@@ -2499,16 +6252,51 @@ calculated over a time interval of 1 minute.
 The severity level of precheck at which to display messages. Valid values: [Info Warning Error]  (default `Warning`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-controlplane
 
 skip checking the control plane 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2544,6 +6332,16 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)
@@ -2554,16 +6352,46 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 XDS Endpoint certificate directory  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --insecure
 
 Skip server certificate and domain verification. (NOT SECURE!) 
@@ -2579,26 +6407,81 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --plaintext
 
 Use plain-text HTTP/2 when connecting to server (no TLS). 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2632,28 +6515,31 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
Examples

 
  # Retrieve sync status for all Envoys in a mesh
-  istioctl x proxy-status
+  istioctl proxy-status
+
+  # Retrieve sync status for Envoys in a specific namespace
+  istioctl proxy-status --namespace foo
 
   # Retrieve sync diff for a single Envoy and Istiod
-  istioctl x proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
+  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
 
   # SECURITY OPTIONS
 
   # Retrieve proxy status information directly from the control plane, using token security
   # (This is the usual way to get the proxy-status with an out-of-cluster control plane.)
-  istioctl x ps --xds-address istio.cloudprovider.example.com:15012
+  istioctl ps --xds-address istio.cloudprovider.example.com:15012
 
   # Retrieve proxy status information via Kubernetes config, using token security
   # (This is the usual way to get the proxy-status with an in-cluster control plane.)
-  istioctl x proxy-status
+  istioctl proxy-status
 
   # Retrieve proxy status information directly from the control plane, using RSA certificate security
   # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
-  istioctl x ps --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+  istioctl ps --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
 
   # Retrieve proxy status information via XDS from specific control plane in multi-control plane in-cluster configuration
   # (Select a specific control plane in an in-cluster canary Istio configuration.)
-  istioctl x ps --xds-label istio.io/rev=default
+  istioctl ps --xds-label istio.io/rev=default
 
 

 
istioctl experimental version

@@ -2670,6 +6556,16 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)
@@ -2680,11 +6576,41 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 XDS Endpoint certificate directory  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --insecure
 
 Skip server certificate and domain verification. (NOT SECURE!) 
@@ -2700,11 +6626,31 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 One of 'yaml' or 'json'.  (default ``)
@@ -2715,26 +6661,61 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Use plain-text HTTP/2 when connecting to server (no TLS). 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --remote
 
 Use --remote=false to suppress control plane check 
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --short
 -s
 Use --short=false to generate full version information 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2788,16 +6769,56 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --for <string>
 
 Wait condition, must be 'distribution' or 'delete'  (default `distribution`)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --generation <string>
 
 Wait for a specific generation of config to become current, rather than using whatever is latest in Kubernetes  (default ``)
@@ -2813,16 +6834,66 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--proxy <string>
+
+Name of a specific proxy to wait for the condition to be satisfied  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --threshold <float32>
 
 The ratio of distribution required for success  (default `1`)
@@ -2833,6 +6904,16 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 The duration to wait before failing  (default `30s`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2843,6 +6924,9 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
  # Wait until the bookinfo virtual service has been distributed to all proxies in the mesh
   istioctl experimental wait --for=distribution virtualservice bookinfo.default
 
+  # Wait until the bookinfo virtual service has been distributed to a specific proxy
+  istioctl experimental wait --for=distribution virtualservice bookinfo.default --proxy workload-instance.namespace
+
   # Wait until 99% of the proxies receive the distribution, timing out after 5 minutes
   istioctl experimental wait --for=distribution --threshold=.99 --timeout=300s virtualservice bookinfo.default
 
@@ -2861,11 +6945,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -2876,16 +7000,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2919,11 +7098,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -2934,21 +7153,76 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 The revision to label the waypoint with  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -2986,11 +7260,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Delete all waypoints in the namespace 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3001,16 +7315,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3047,11 +7416,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3062,21 +7471,76 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 The revision to label the waypoint with  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3101,16 +7565,56 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
 --all-namespaces
 -A
 List all waypoints in all namespaces 
 
 
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3121,16 +7625,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3156,11 +7715,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3171,11 +7770,66 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3201,11 +7855,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3216,11 +7910,66 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3246,6 +7995,16 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --autoregister
 
 Creates a WorkloadEntry upon connection to istiod (if enabled in pilot). 
@@ -3256,16 +8015,41 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 Enables the capture of outgoing DNS packets on port 53, redirecting to istio-agent 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
 --clusterID <string>
 
 The ID used to identify the cluster  (default ``)
 
 
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --externalIP <string>
 
 External IP address of the workload  (default ``)
@@ -3276,6 +8060,11 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 filename of the WorkloadGroup artifact. Leave this field empty if using the API server  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --ingressIP <string>
 
 IP address of the ingress gateway  (default ``)
@@ -3301,6 +8090,11 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --name <string>
 
 The name of the workload group  (default ``)
@@ -3311,21 +8105,71 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 The namespace that the workload instances belong to  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output directory for generated files  (default ``)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --tokenDuration <int>
 
 The token duration in seconds (default: 1 hour)  (default `3600`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3351,11 +8195,51 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3366,11 +8250,66 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3395,16 +8334,56 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --annotations <stringSlice>
 -a
 The annotations to apply to the workload instances  (default `[]`)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3420,6 +8399,11 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 The labels to apply to the workload instances; e.g. -l env=prod,vers=2  (default `[]`)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --name <string>
 
 The name of the workload group  (default ``)
@@ -3430,16 +8414,66 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 The namespace that the workload instances will belong to  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --ports <stringSlice>
 -p
 The incoming ports exposed by the workload instance  (default `[]`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --serviceAccount <string>
 -s
 The service identity to associate with the workload instances  (default `default`)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3466,21 +8500,56 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -3492,6 +8561,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3505,30 +8579,65 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --readiness-timeout <duration>
 
 Maximum time to wait for Istio resources in each component to be ready.  (default `5m0s`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
 
 --skip-confirmation
@@ -3537,11 +8646,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verify
 
 Verify the Istio control plane after installation/in-place upgrade 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3583,6 +8712,16 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)
@@ -3593,16 +8732,46 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 XDS Endpoint certificate directory  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <string>
 -f
 Input Kubernetes resource filename  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --injectConfigFile <string>
 
 Injection configuration filename. Cannot be used with --injectConfigMapName  (default ``)
@@ -3633,16 +8802,36 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 ConfigMap name for Istio mesh configuration, key should be "mesh"  (default `istio`)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --operatorFileName <string>
 
 Path to file containing IstioOperator custom resources. If configs from files like meshConfigFile, valuesFile are provided, they will be overridden by iop config values.  (default ``)
 
 
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Modified output Kubernetes resource filename  (default ``)
@@ -3653,21 +8842,56 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 Use plain-text HTTP/2 when connecting to server (no TLS). 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --valuesFile <string>
 
 Injection values configuration filename.  (default ``)
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3728,16 +8952,56 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3748,11 +9012,66 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3776,11 +9095,41 @@ removed.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --directory
 -r
 Compare directory. 
@@ -3791,6 +9140,16 @@ removed.

 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --ignore <string>
 
 Ignore all listed items during comparison, using the same list format as selectResources.  (default ``)
@@ -3806,11 +9165,36 @@ removed.

 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --rename <string>
 
 Rename resources before comparison.
@@ -3818,6 +9202,16 @@ The format of each renaming pair is A->B, all renaming pairs are comma separa
 e.g. Service:*:istiod->Service:*:istio-control - rename istiod service into istio-control  (default ``)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --select <string>
 
 Constrain the list of resources to compare to only the ones in this list, ignoring all others.
@@ -3827,11 +9221,31 @@ e.g.
     Service:*:istiod - compare Services called "istiod" in all namespaces  (default `::`)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verbose
 -v
 Verbose output. 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -3852,11 +9266,26 @@ e.g.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
 --cluster-specific
 
 If enabled, the current cluster will be checked for cluster-specific setting detection. 
@@ -3867,16 +9296,36 @@ e.g.
 Specify which component to generate manifests for.  (default `[]`)
 
 
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -3888,6 +9337,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -3901,30 +9355,85 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Manifest output directory path.  (default ``)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
 
 
 --vklog <Level>
@@ -3964,21 +9473,56 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -3990,6 +9534,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4003,30 +9552,65 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --readiness-timeout <duration>
 
 Maximum time to wait for Istio resources in each component to be ready.  (default `5m0s`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
 
 --skip-confirmation
@@ -4035,11 +9619,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verify
 
 Verify the Istio control plane after installation/in-place upgrade 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4072,11 +9676,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4087,11 +9731,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4112,21 +9811,61 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --hub <string>
 
 The hub for the operator controller image.  (default `unknown`)
@@ -4151,35 +9890,90 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --operatorNamespace <string>
 
 The namespace the operator controller is installed into.  (default `istio-operator`)
 
 
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml  (default `yaml`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target revision for the operator.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --tag <string>
 
 The tag for the operator controller image.  (default `unknown`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4205,27 +9999,67 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <string>
 -f
 Path to file containing IstioOperator custom resource
 This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --hub <string>
 
 The hub for the operator controller image.  (default `unknown`)
@@ -4250,30 +10084,85 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --operatorNamespace <string>
 
 The namespace the operator controller is installed into.  (default `istio-operator`)
 
 
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target revision for the operator.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --tag <string>
 
 The tag for the operator controller image.  (default `unknown`)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4299,21 +10188,61 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --force
 
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4324,32 +10253,87 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --operatorNamespace <string>
 
 The namespace the operator controller is installed into.  (default `istio-operator`)
 
 
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --purge
 
 Remove all versions of Istio operator. 
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target revision for the operator.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4368,11 +10352,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4383,11 +10407,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4406,16 +10485,56 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4426,11 +10545,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4455,21 +10629,61 @@ istioctl install --set profile=demo  # Use a profile from the list
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4483,15 +10697,70 @@ istioctl install --set profile=demo  # Use a profile from the list
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4519,32 +10788,72 @@ istioctl install --set profile=demo  # Use a profile from the list
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
 --config-path <string>
 -p
 The path the root of the configuration subtree to dump e.g. components.pilot. By default, dump whole tree  (default ``)
 
 
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
 This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.  (default `[]`)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4558,20 +10867,75 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|flags  (default `yaml`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4592,21 +10956,61 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4620,15 +11024,70 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4647,11 +11106,51 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4662,21 +11161,76 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4709,16 +11263,51 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Filter listeners by address field  (default ``)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --direction <string>
 
 Filter clusters by Direction field  (default ``)
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump file  (default ``)
@@ -4729,6 +11318,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Filter clusters by substring of Service FQDN field  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4739,6 +11333,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --name <string>
 
 Filter listeners by route name field  (default ``)
@@ -4749,6 +11348,21 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
@@ -4759,26 +11373,61 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Filter clusters and listeners by Port field  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
 --subset <string>
 
 Filter clusters by substring of Subset field  (default ``)
 
 
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --type <string>
 
 Filter listeners by type field  (default ``)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verbose
 
 Output more information 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4817,16 +11466,56 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4837,21 +11526,76 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `json`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4888,16 +11632,51 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --direction <string>
 
 Filter clusters by Direction field  (default ``)
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
@@ -4908,6 +11687,11 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 Filter clusters by substring of Service FQDN field  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -4918,11 +11702,31 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
@@ -4933,16 +11737,51 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 Filter clusters by Port field  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
 --subset <string>
 
 Filter clusters by substring of Subset field  (default ``)
 
 
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -4981,16 +11820,56 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5001,21 +11880,76 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5054,21 +11988,61 @@ istioctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
 Filter endpoints by address field  (default ``)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
 --cluster <string>
 
 Filter endpoints by cluster name field  (default ``)
 
 
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5079,11 +12053,31 @@ istioctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
@@ -5094,16 +12088,51 @@ istioctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
 Filter endpoints by Port field  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
 --status <string>
 
 Filter endpoints by status field  (default ``)
 
 
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5153,16 +12182,56 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 Filter listeners by address field  (default ``)
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5173,11 +12242,31 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
@@ -5188,21 +12277,56 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 Filter listeners by Port field  (default `0`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
 --type <string>
 
 Filter listeners by type field  (default ``)
 
 
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verbose
 
 Output more information 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5241,11 +12365,51 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5261,31 +12425,86 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 Comma-separated minimum per-logger level of messages to output, in the form of [<logger>:]<level>,[<logger>:]<level>,... or <level> to change all active loggers, where logger components can be listed by running "istioctl proxy-config log <pod-name[.namespace]>"or referred from https://github.com/envoyproxy/envoy/blob/main/source/common/common/logger.h, and level can be one of [trace, debug, info, warning, error, critical, off]  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --reset
 -r
 Reset levels to default value (warning). 
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --selector <string>
 -l
 Label selector  (default ``)
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5324,11 +12543,51 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5339,21 +12598,76 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5382,16 +12696,56 @@ istioctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5402,6 +12756,11 @@ istioctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --name <string>
 
 Filter listeners by route name field  (default ``)
@@ -5412,21 +12771,71 @@ istioctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verbose
 
 Output more information 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5466,16 +12875,56 @@ istioctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5486,21 +12935,76 @@ istioctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5517,8 +13021,8 @@ istioctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
 

 
istioctl proxy-status

 

-Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh

-

+Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh
+

 
istioctl proxy-status [<type>/]<name>[.<namespace>] [flags]
 

 

@@ -5534,16 +13038,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--authority <string>
+
+XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)
+
+
+--cert-dir <string>
+
+XDS Endpoint certificate directory  (default ``)
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
+--insecure
+
+Skip server certificate and domain verification. (NOT SECURE!) 
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5554,36 +13113,129 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--plaintext
+
+Use plain-text HTTP/2 when connecting to server (no TLS). 
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--timeout <duration>
+
+The duration to wait before failing  (default `30s`)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
+
+--xds-address <string>
+
+XDS Endpoint  (default ``)
+
+
+--xds-label <string>
+
+Istiod pod label selector  (default ``)
+
+
+--xds-port <int>
+
+Istiod pod port  (default `15012`)
+
 
 
 
Examples

 
  # Retrieve sync status for all Envoys in a mesh
   istioctl proxy-status
 
+  # Retrieve sync status for Envoys in a specific namespace
+  istioctl proxy-status --namespace foo
+
   # Retrieve sync diff for a single Envoy and Istiod
   istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
 
-  # Retrieve sync diff between Istiod and one pod under a deployment
-  istioctl proxy-status deployment/productpage-v1
+  # SECURITY OPTIONS
 
-  # Write proxy config-dump to file, and compare to Istio control plane
-  kubectl port-forward -n istio-system istio-egressgateway-59585c5b9c-ndc59 15000 &
-  curl localhost:15000/config_dump > cd.json
-  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system --file cd.json
+  # Retrieve proxy status information directly from the control plane, using token security
+  # (This is the usual way to get the proxy-status with an out-of-cluster control plane.)
+  istioctl ps --xds-address istio.cloudprovider.example.com:15012
+
+  # Retrieve proxy status information via Kubernetes config, using token security
+  # (This is the usual way to get the proxy-status with an in-cluster control plane.)
+  istioctl proxy-status
+
+  # Retrieve proxy status information directly from the control plane, using RSA certificate security
+  # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
+  istioctl ps --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+
+  # Retrieve proxy status information via XDS from specific control plane in multi-control plane in-cluster configuration
+  # (Select a specific control plane in an in-cluster canary Istio configuration.)
+  istioctl ps --xds-label istio.io/rev=default
 
 

 
istioctl remote-clusters

@@ -5600,11 +13252,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5615,16 +13307,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5653,11 +13400,51 @@ without manual relabeling of the "istio.io/rev" tag.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5668,11 +13455,66 @@ without manual relabeling of the "istio.io/rev" tag.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5694,16 +13536,56 @@ injection labels.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --auto-inject-namespaces
 
 If set to true, the sidecars should be automatically injected into all namespaces by default 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5717,7 +13599,12 @@ injection labels.

 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).  (default ``)
+(e.g. ~/Downloads/istio-1.22.0/manifests).  (default ``)
+
+
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
 
 
 --namespace <string>
@@ -5725,23 +13612,73 @@ injection labels.

 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --overwrite
 
 If true, allow revision tags to be overwritten, otherwise reject revision tag updates that
 overwrite existing revision tags. 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision to reference from a given revision tag  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5784,11 +13721,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5799,16 +13776,71 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format for tag description (available formats: table,json)  (default `table`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5839,11 +13871,51 @@ revision tag before removing using the "istioctl tag list" command.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5854,17 +13926,72 @@ revision tag before removing using the "istioctl tag list" command.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5891,16 +14018,56 @@ injection labels.

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --auto-inject-namespaces
 
 If set to true, the sidecars should be automatically injected into all namespaces by default 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5914,7 +14081,12 @@ injection labels.

 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).  (default ``)
+(e.g. ~/Downloads/istio-1.22.0/manifests).  (default ``)
+
+
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
 
 
 --namespace <string>
@@ -5922,23 +14094,73 @@ injection labels.

 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --overwrite
 
 If true, allow revision tags to be overwritten, otherwise reject revision tag updates that
 overwrite existing revision tags. 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision to reference from a given revision tag  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5982,16 +14204,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <string>
 -f
 The filename of the IstioOperator CR.  (default ``)
@@ -6002,6 +14259,11 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6015,30 +14277,65 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --purge
 
 Delete all Istio related sources for all versions 
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
 
 --skip-confirmation
@@ -6047,11 +14344,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verbose
 -v
 Verbose output. 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6082,21 +14399,56 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -6108,6 +14460,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6121,30 +14478,65 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --readiness-timeout <duration>
 
 Maximum time to wait for Istio resources in each component to be ready.  (default `5m0s`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
 
 --skip-confirmation
@@ -6153,11 +14545,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verify
 
 Verify the Istio control plane after installation/in-place upgrade 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6181,16 +14593,56 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Inputs of files to validate  (default `[]`)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6201,11 +14653,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6255,16 +14762,56 @@ istioctl experimental precheck.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Istio YAML installation file.  (default `[]`)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6278,7 +14825,12 @@ istioctl experimental precheck.
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).  (default ``)
+(e.g. ~/Downloads/istio-1.22.0/manifests).  (default ``)
+
+
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
 
 
 --namespace <string>
@@ -6286,11 +14838,61 @@ istioctl experimental precheck.
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6324,11 +14926,51 @@ istioctl experimental precheck.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6339,31 +14981,86 @@ istioctl experimental precheck.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 One of 'yaml' or 'json'.  (default ``)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --remote
 
 Use --remote=false to suppress control plane check 
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --short
 -s
 Use --short=false to generate full version information 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6439,7 +15136,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -6527,6 +15224,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 EXTERNAL_ISTIOD
 Boolean
 false
@@ -6631,7 +15334,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -6735,12 +15438,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, istiod will skip verifying the certificate of the JWKS server.
 
 
-JWT_POLICY
-String
-third-party-jwt
-The JWT validation policy.
-
-
 K_REVISION
 String
 
@@ -6789,12 +15486,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING
 Boolean
 false
@@ -6939,12 +15630,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -7059,6 +15744,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -7197,12 +15894,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PLATFORM
 String
 
diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html
index 2a33f28df3..84ceee4837 100644
--- a/content/en/docs/reference/commands/operator/index.html
+++ b/content/en/docs/reference/commands/operator/index.html
@@ -18,10 +18,86 @@ remove_toc_prefix: 'operator '
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -40,10 +116,86 @@ See each sub-command's help for details on how to use the generated script.
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -73,14 +225,90 @@ If it is not installed already, you can install it via your OS's package man
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -105,14 +333,90 @@ If it is not installed already, you can install it via your OS's package man
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -136,14 +440,90 @@ to your powershell profile.
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -174,14 +554,90 @@ to enable it.  You can execute the following once:

 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -200,6 +656,26 @@ to enable it.  You can execute the following once:

 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --ctrlz_address <string>
 The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses.  (default `localhost`)
 
@@ -208,10 +684,22 @@ to enable it.  You can execute the following once:

 The IP port to use for the ControlZ introspection facility  (default `9876`)
 
 
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --force
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
@@ -221,11 +709,11 @@ to enable it.  You can execute the following once:

 
 
 --log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle]  (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle]  (default ``)
 
 
 --log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
 
 
 --log_rotate <string>
@@ -245,7 +733,7 @@ to enable it.  You can execute the following once:

 
 
 --log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
 
 
 --log_target <stringArray>
@@ -256,6 +744,10 @@ to enable it.  You can execute the following once:

 Defines the concurrency limit for operator to reconcile IstioOperatorSpec in parallel. Default value is 1.  (default `1`)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
 --monitoring-host <string>
 HTTP host to use for operator's self-monitoring information  (default `0.0.0.0`)
 
@@ -264,6 +756,46 @@ to enable it.  You can execute the following once:

 HTTP port to use for operator's self-monitoring information  (default `8383`)
 
 
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -283,21 +815,116 @@ to enable it.  You can execute the following once:

 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 One of 'yaml' or 'json'.  (default ``)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --short
 -s
 Use --short=false to generate full version information 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -373,7 +1000,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -461,6 +1088,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 EXTERNAL_ISTIOD
 Boolean
 false
@@ -511,7 +1144,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -615,12 +1248,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, istiod will skip verifying the certificate of the JWKS server.
 
 
-JWT_POLICY
-String
-third-party-jwt
-The JWT validation policy.
-
-
 K_REVISION
 String
 
@@ -669,12 +1296,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING
 Boolean
 false
@@ -819,12 +1440,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -939,6 +1554,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -1077,12 +1704,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PLATFORM
 String
 
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index fb83f69191..b23f1aec0d 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -543,11 +543,6 @@ to enable it.  You can execute the following once:

 Insert tracing logs for each iptables rules, using the LOG chain. 
 
 
---iptables-version <string>
-
-version of iptables command. If not set, this is automatically detected.  (default ``)
-
-
 --istio-exclude-interfaces <string>
 -c
 Comma separated list of NIC (optional). Neither inbound nor outbound traffic will be captured.  (default ``)
@@ -1136,7 +1131,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -1224,6 +1219,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 ENVOY_PROMETHEUS_PORT
 Integer
 15090
@@ -1376,7 +1377,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -1576,12 +1577,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 OUTPUT_CERTS
 String
 
@@ -1738,12 +1733,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -1858,6 +1847,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -1996,12 +1997,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PKCS8_KEY
 Boolean
 false
diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html
index e3485865b2..3ba1c0516d 100644
--- a/content/en/docs/reference/commands/pilot-discovery/index.html
+++ b/content/en/docs/reference/commands/pilot-discovery/index.html
@@ -269,12 +269,12 @@ to enable it.  You can execute the following once:

 
 --log_caller <string>
 
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle]  (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle]  (default ``)
 
 
 --log_output_level <string>
 
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
 
 
 --log_rotate <string>
@@ -299,7 +299,7 @@ to enable it.  You can execute the following once:

 
 --log_stacktrace_level <string>
 
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
 
 
 --log_target <stringArray>
@@ -535,7 +535,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -623,6 +623,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 EXTERNAL_CA
 String
 
@@ -709,7 +715,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -813,12 +819,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, istiod will skip verifying the certificate of the JWKS server.
 
 
-JWT_POLICY
-String
-third-party-jwt
-The JWT validation policy.
-
-
 JWT_RULE
 String
 
@@ -897,12 +897,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING
 Boolean
 false
@@ -1047,12 +1041,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -1167,6 +1155,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -1305,12 +1305,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PLATFORM
 String
 
diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html
index 4822b90cd3..253c204477 100644
--- a/content/en/docs/reference/config/annotations/index.html
+++ b/content/en/docs/reference/config/annotations/index.html
@@ -28,7 +28,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed.
+      
A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation ‘galley.istio.io/analyze-suppress=IST0108,IST0103’. If the value is ‘*’, then all configuration analysis messages are suppressed.

+
     
   
 
@@ -49,7 +50,8 @@ Istio supports to control its behavior.
     
     
       Description
-      The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information.
+      
The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information.

+
     
   
 
@@ -70,7 +72,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Represents the name of the chart used to create this resource.
+      
Represents the name of the chart used to create this resource.

+
     
   
 
@@ -91,7 +94,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Represents the generation to which the resource was last reconciled.
+      
Represents the generation to which the resource was last reconciled.

+
     
   
 
@@ -112,7 +116,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Represents the Istio version associated with the resource
+      
Represents the Istio version associated with the resource

+
     
   
 
@@ -133,7 +138,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information.
+      
Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information.

+
     
   
 
@@ -154,7 +160,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision.
+      
Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision.

+
     
   
 
@@ -175,7 +182,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Annotation on an Ingress resources denoting the class of controllers responsible for it.
+      
Annotation on an Ingress resources denoting the class of controllers responsible for it.

+
     
   
 
@@ -196,7 +204,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace.
+      
Specifies the namespaces to which this service should be exported to. A value of ‘*’ indicates it is reachable within the mesh ‘.’ indicates it is reachable within its namespace.

+
     
   
 
@@ -217,7 +226,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies if application Prometheus metric will be merged with Envoy metrics for this workload.
+      
Specifies if application Prometheus metric will be merged with Envoy metrics for this workload.

+
     
   
 
@@ -238,7 +248,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig.
+      
Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig.

+
     
   
 
@@ -259,7 +270,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic.
+      
Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic.

+
     
   
 
@@ -280,7 +292,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the failure threshold for the Envoy sidecar readiness probe.
+      
Specifies the failure threshold for the Envoy sidecar readiness probe.

+
     
   
 
@@ -301,7 +314,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe.
+      
Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe.

+
     
   
 
@@ -322,7 +336,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the period (in seconds) for the Envoy sidecar readiness probe.
+      
Specifies the period (in seconds) for the Envoy sidecar readiness probe.

+
     
   
 
@@ -343,7 +358,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the log output level for pilot-agent.
+      
Specifies the log output level for pilot-agent.

+
     
   
 
@@ -364,7 +380,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies an alternative Envoy bootstrap configuration file.
+      
Specifies an alternative Envoy bootstrap configuration file.

+
     
   
 
@@ -385,7 +402,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the component log level for Envoy.
+      
Specifies the component log level for Envoy.

+
     
   
 
@@ -406,7 +424,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections.
+      
Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections.

+
     
   
 
@@ -427,7 +446,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the XDS discovery address to be used by the Envoy sidecar.
+      
Specifies the XDS discovery address to be used by the Envoy sidecar.

+
     
   
 
@@ -448,7 +468,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not an Envoy sidecar should enable core dump.
+      
Specifies whether or not an Envoy sidecar should enable core dump.

+
     
   
 
@@ -469,7 +490,8 @@ Istio supports to control its behavior.
     
     
       Description
-      An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.
+      
An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.

+
     
   
 
@@ -490,7 +512,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of `sidecar.istio.io/inject` label.
+      
Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of sidecar.istio.io/inject label.

+
     
   
 
@@ -511,7 +534,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).
+      
Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).

+
     
   
 
@@ -532,7 +556,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the log level for Envoy.
+      
Specifies the log level for Envoy.

+
     
   
 
@@ -553,7 +578,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the requested CPU setting for the Envoy sidecar.
+      
Specifies the requested CPU setting for the Envoy sidecar.

+
     
   
 
@@ -574,7 +600,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the CPU limit for the Envoy sidecar.
+      
Specifies the CPU limit for the Envoy sidecar.

+
     
   
 
@@ -595,7 +622,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the Docker image to be used by the Envoy sidecar.
+      
Specifies the Docker image to be used by the Envoy sidecar.

+
     
   
 
@@ -616,7 +644,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag.
+      
Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag.

+
     
   
 
@@ -637,7 +666,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the requested memory setting for the Envoy sidecar.
+      
Specifies the requested memory setting for the Envoy sidecar.

+
     
   
 
@@ -658,7 +688,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the memory limit for the Envoy sidecar.
+      
Specifies the memory limit for the Envoy sidecar.

+
     
   
 
@@ -679,7 +710,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar.
+      
Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar.

+
     
   
 
@@ -700,7 +732,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. `{"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}`. Default buckets are `[0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000]`.
+      
Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. {"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}. Default buckets are [0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000].

+
     
   
 
@@ -721,7 +754,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.
+      
Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.

+
     
   
 
@@ -742,7 +776,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.
+      
Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.

+
     
   
 
@@ -763,7 +798,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.
+      
Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.

+
     
   
 
@@ -784,7 +820,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources.
+      
Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources.

+
     
   
 
@@ -805,7 +842,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar.
+      
Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar.

+
     
   
 
@@ -826,7 +864,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar.
+      
Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar.

+
     
   
 
@@ -847,7 +886,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status.
+      
Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status.

+
     
   
 
@@ -868,7 +908,162 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters.
+      
A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters.

+
+    
+  
+
+
traffic.istio.io/excludeInboundPorts

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
Nametraffic.istio.io/excludeInboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description
A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.

+

+
traffic.istio.io/excludeInterfaces

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
Nametraffic.istio.io/excludeInterfaces
Feature StatusAlpha
Resource Types[Pod]
Description
A comma separated list of interfaces to be excluded from Istio traffic capture

+

+
traffic.istio.io/excludeOutboundIPRanges

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
Nametraffic.istio.io/excludeOutboundIPRanges
Feature StatusAlpha
Resource Types[Pod]
Description
A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.

+

+
traffic.istio.io/excludeOutboundPorts

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
Nametraffic.istio.io/excludeOutboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description
A comma separated list of outbound ports to be excluded from redirection to Envoy.

+

+
traffic.istio.io/includeInboundPorts

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
Nametraffic.istio.io/includeInboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description
A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.

+

+
traffic.istio.io/includeOutboundIPRanges

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
Nametraffic.istio.io/includeOutboundIPRanges
Feature StatusAlpha
Resource Types[Pod]
Description
A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.

+

+
traffic.istio.io/includeOutboundPorts

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
Nametraffic.istio.io/includeOutboundPorts
Feature StatusAlpha
Resource Types[Pod]
Description
A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.

+		
     

   
 

@@ -889,7 +1084,8 @@ Istio supports to control its behavior.
     
     
       Description
-      This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication.
+      
This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication.

+
     
   
 
@@ -910,7 +1106,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected.
+      
A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.

+
     
   
 
@@ -931,7 +1128,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of interfaces to be excluded from Istio traffic capture
+      
A comma separated list of interfaces to be excluded from Istio traffic capture

+
     
   
 
@@ -952,7 +1150,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected.
+      
A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.

+
     
   
 
@@ -973,7 +1172,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of outbound ports to be excluded from redirection to Envoy.
+      
A comma separated list of outbound ports to be excluded from redirection to Envoy.

+
     
   
 
@@ -994,7 +1194,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection.
+      
A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.

+
     
   
 
@@ -1015,7 +1216,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.
+      
A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.

+
     
   
 
@@ -1036,7 +1238,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.
+      
A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.

+
     
   
 
@@ -1057,7 +1260,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.
+      
A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.

+
     
   
 
\ No newline at end of file
diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
index 9b0624b2e5..5a0c277d4d 100644
--- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
@@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 weight: 20
-number_of_entries: 66
+number_of_entries: 73
 ---
 
Configuration affecting the service mesh as a whole.

 
@@ -243,6 +243,19 @@ monitored. Can be overridden at a Sidecar level by setting the
 API.
 Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

 
+
+
+No
+
+
+
+inboundTrafficPolicy
+InboundTrafficPolicy
+
+
Set the default behavior of the sidecar for handling inbound
+traffic to the application.  If your application listens on
+localhost, you will need to set this to LOCALHOST.

+
 
 
 No
@@ -725,6 +738,30 @@ No
 
 
 
+
MeshConfig.InboundTrafficPolicy

+

+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
FieldTypeDescriptionRequired
modeMode
+
+No
+

+

 
MeshConfig.CertificateData

 

 
@@ -1352,17 +1389,6 @@ No
 
Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
 The default status is “403” (HTTP Forbidden).

 
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

-No
-
includeHeadersInCheckstring[]
-
DEPRECATED. Use include_request_headers_in_check instead.

-
 		
 
 No
@@ -1482,6 +1508,17 @@ except the presence match):

 
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • 
 
 
+    		
+No
+
    includeHeadersInCheckstring[]
+
    DEPRECATED. Use include_request_headers_in_check instead.
    
+
     		
 
 No
@@ -2280,6 +2317,208 @@ No
 
    Optional. Controls the overall path length allowed in a reported span.
 NOTE: currently only controls max length of the path tag.
    
 
+    		
+No
+
    httpHttpService
+
    Optional. Specifies the configuration for exporting OTLP traces via HTTP.
+When empty, traces will be exported via gRPC.
    
+
    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:
    
+
      
+
    1. Add/change the OpenTelemetry extension provider in MeshConfig
      2. 
+
    
+
    - name: otel-tracing
+  opentelemetry:
+    port: 443
+    service: my.olly-backend.com
+    http:
+      path: "/api/otlp/traces"
+      timeout: 10s
+      headers:
+      - name: "my-custom-header"
+        value: "some value"
+
    
+
      
+
    1. Deploy a ServiceEntry for the observability back-end
      2. 
+
    
+
    apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: my-olly-backend
+spec:
+  hosts:
+  - my.olly-backend.com
+  ports:
+  - number: 443
+    name: https-port
+    protocol: HTTPS
+  resolution: DNS
+  location: MESH_EXTERNAL
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: my-olly-backend
+spec:
+  host: my.olly-backend.com
+  trafficPolicy:
+    portLevelSettings:
+    - port:
+        number: 443
+      tls:
+        mode: SIMPLE
+
    
+
+    		
+No
+
    resourceDetectorsResourceDetectors
+
    Optional. Specifies Resource Detectors
+to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
+according to the OpenTelemetry Resource specification.
    
+
    The following example shows how to configure the Environment Resource Detector, that will
+read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:
    
+
    - name: otel-tracing
+  opentelemetry:
+    port: 443
+    service: my.olly-backend.com
+    resource_detectors:
+      environment: {}
+
    
+
+    		
+No
+
    
+
    
+
    MeshConfig.ExtensionProvider.HttpService
    
+
    
+
    Defines configuration for an HTTP service that can be used by an Extension Provider.
+that does communication via HTTP.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FieldTypeDescriptionRequired
    pathstring
+
    REQUIRED. Specifies the path on the service.
    
+
+    		
+No
+
    timeoutDuration
+
    Optional. Specifies the timeout for the HTTP request.
+If not specified, the default is 3s.
    
+
+    		
+No
+
    headersHttpHeader[]
+
    Optional. Allows specifying custom HTTP headers that will be added
+to each HTTP request sent.
    
+
+    		
+No
+
    
+
    
+
    MeshConfig.ExtensionProvider.HttpHeader
    
+
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FieldTypeDescriptionRequired
    namestring
+
    REQUIRED. The HTTP header name.
    
+
+    		
+No
+
    valuestring
+
    REQUIRED. The HTTP header value.
    
+
+    		
+No
+
    
+
    
+
    MeshConfig.ExtensionProvider.ResourceDetectors
    
+
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FieldTypeDescriptionRequired
    environmentEnvironmentResourceDetector
+
+No
+
    dynatraceDynatraceResourceDetector
 
 
 No
@@ -2422,6 +2661,22 @@ No
 
    
     
 
    
+
    
+
    MeshConfig.ExtensionProvider.ResourceDetectors.EnvironmentResourceDetector
    
+
    
+
    OpenTelemetry Environment Resource Detector.
+The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES
+and adds them to the OpenTelemetry resource.
    
+
    See: Resource specification
    
+
+
    
+
    MeshConfig.ExtensionProvider.ResourceDetectors.DynatraceResourceDetector
    
+
    
+
    Dynatrace Resource Detector.
+The resource detector reads from the Dynatrace enrichment files
+and adds host/process related attributes to the OpenTelemetry resource.
    
+
    See: Enrich ingested data with Dynatrace-specific dimensions
    
+
 
    
 
    k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector
    
 
    
@@ -3958,6 +4213,35 @@ service registry as well as those defined through ServiceEntries
    
 
    outbound traffic to unknown destinations will be allowed, in case
 there are no services or ServiceEntries for the destination port
    
 
+
+
+
+
+
    
+
    MeshConfig.InboundTrafficPolicy.Mode
    
+
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/content/en/docs/reference/config/labels/index.html b/content/en/docs/reference/config/labels/index.html
index d492883f2b..23f1dd1d7e 100644
--- a/content/en/docs/reference/config/labels/index.html
+++ b/content/en/docs/reference/config/labels/index.html
@@ -28,7 +28,8 @@ Istio supports to control its behavior.
     
-      
+      
    NameDescription
    PASSTHROUGH
+
    inbound traffic will be passed through to the destination listening
+on Pod IP. This matches the behavior without Istio enabled at all
+allowing proxy to be transparent.
    
+
+
    LOCALHOST
+
    inbound traffic will be sent to the destinations listening on localhost.
    
+
     		
 
    
     
     
    
       DescriptionIstio control plane revision associated with the resource; e.g. `canary`
    Istio control plane revision associated with the resource; e.g. canary
    
+    		
     
    
       
 
    
@@ -49,7 +50,8 @@ Istio supports to control its behavior.
     
     
       Description
-      IstioGatewayPortLabel overrides the default 15443 value to use for a multi-network gateway's port
+      
    IstioGatewayPortLabel overrides the default 15443 value to use for a multi-network gateway’s port
    
+
     
   
 
@@ -70,7 +72,8 @@ Istio supports to control its behavior.
     
     
       Description
-      The name of the canonical service a workload belongs to
+      
    The name of the canonical service a workload belongs to
    
+
     
   
 
@@ -91,7 +94,8 @@ Istio supports to control its behavior.
     
     
       Description
-      The name of a revision within a canonical service that the workload belongs to
+      
    The name of a revision within a canonical service that the workload belongs to
    
+
     
   
 
@@ -112,7 +116,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not an Envoy sidecar should be automatically injected into the workload.
+      
    Specifies whether or not an Envoy sidecar should be automatically injected into the workload.
    
+
     
   
 
@@ -133,7 +138,8 @@ Istio supports to control its behavior.
     
     
       Description
-      This label is applied to a workload internally that identifies the Kubernetes cluster containing the workload. The cluster ID is specified during Istio installation for each cluster via `values.global.multiCluster.clusterName`. It should be noted that this is only used internally within Istio and is not an actual label on workload pods. If a pod contains this label, it will be overridden by Istio internally with the cluster ID specified during Istio installation. This label provides a way to select workloads by cluster when using DestinationRules. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently.
+      
    This label is applied to a workload internally that identifies the Kubernetes cluster containing the workload. The cluster ID is specified during Istio installation for each cluster via values.global.multiCluster.clusterName. It should be noted that this is only used internally within Istio and is not an actual label on workload pods. If a pod contains this label, it will be overridden by Istio internally with the cluster ID specified during Istio installation. This label provides a way to select workloads by cluster when using DestinationRules. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently.
    
+
     
   
 
@@ -154,7 +160,37 @@ Istio supports to control its behavior.
     
     
       Description
-      A label used to identify the network for one or more pods. This is used
    internally by Istio to group pods resident in the same L3 domain/network.
    Istio assumes that pods in the same network are directly reachable from
    one another. When pods are in different networks, an Istio Gateway
    (e.g. east-west gateway) is typically used to establish connectivity
    (with AUTO_PASSTHROUGH mode). This label can be applied to the following
    resources to help automate Istio's multi-network configuration.

    * Istio System Namespace: Applying this label to the system namespace
      establishes a default network for pods managed by the control plane.
      This is typically configured during control plane installation using an
      admin-specified value.

    * Pod: Applying this label to a pod allows overriding the default network
      on a per-pod basis. This is typically applied to the pod via webhook
      injection, but can also be manually specified on the pod by the service
      owner. The Istio installation in each cluster configures webhook injection
      using an admin-specified value.

    * Gateway Service: Applying this label to the Service for an Istio Gateway,
      indicates that Istio should use this service as the gateway for the
      network, when configuring cross-network traffic. Istio will configure
      pods residing outside of the network to access the Gateway service
      via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case
      of a NodePort service, the Node's address. The label is configured when
      installing the gateway (e.g. east-west gateway) and should match either
      the default network for the control plane (as specified by the Istio System
      Namespace label) or the network of the targeted pods.
+      
    A label used to identify the network for one or more pods. This is used
+internally by Istio to group pods resident in the same L3 domain/network.
+Istio assumes that pods in the same network are directly reachable from
+one another. When pods are in different networks, an Istio Gateway
+(e.g. east-west gateway) is typically used to establish connectivity
+(with AUTO_PASSTHROUGH mode). This label can be applied to the following
+resources to help automate Istio’s multi-network configuration.
    
+
+
      
+
    • Istio System Namespace: Applying this label to the system namespace
+establishes a default network for pods managed by the control plane.
+This is typically configured during control plane installation using an
+admin-specified value.
      • 
+
+
    • Pod: Applying this label to a pod allows overriding the default network
+on a per-pod basis. This is typically applied to the pod via webhook
+injection, but can also be manually specified on the pod by the service
+owner. The Istio installation in each cluster configures webhook injection
+using an admin-specified value.
      • 
+
+
    • Gateway Service: Applying this label to the Service for an Istio Gateway,
+indicates that Istio should use this service as the gateway for the
+network, when configuring cross-network traffic. Istio will configure
+pods residing outside of the network to access the Gateway service
+via spec.externalIPs, status.loadBalancer.ingress[].ip, or in the case
+of a NodePort service, the Node’s address. The label is configured when
+installing the gateway (e.g. east-west gateway) and should match either
+the default network for the control plane (as specified by the Istio System
+Namespace label) or the network of the targeted pods.
      • 
+
    
+
     
   
 
@@ -175,7 +211,8 @@ Istio supports to control its behavior.
     
     
       Description
-      User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones.
+      
    User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones.
    
+
     
   
 
\ No newline at end of file
diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html
index 6cf19e4e8c..b0118f9598 100644
--- a/content/en/docs/reference/config/networking/destination-rule/index.html
+++ b/content/en/docs/reference/config/networking/destination-rule/index.html
@@ -16,20 +16,6 @@ for load balancing, connection pool size from the sidecar, and outlier
 detection settings to detect and evict unhealthy hosts from the load
 balancing pool. For example, a simple load balancing policy for the
 ratings service would look as follows:
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_REQUEST
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -40,34 +26,11 @@ spec:
     loadBalancer:
       simple: LEAST_REQUEST
 
    
-
    {{}}
-{{}}
    
 
    Version specific policies can be specified by defining a named
 subset and overriding the settings specified at the service level. The
 following rule uses a round robin load balancing policy for all traffic
 going to a subset named testversion that is composed of endpoints (e.g.,
 pods) with labels (version:v3).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_REQUEST
-  subsets:
-  - name: testversion
-    labels:
-      version: v3
-    trafficPolicy:
-      loadBalancer:
-        simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -85,35 +48,12 @@ spec:
       loadBalancer:
         simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    Note: Policies specified for subsets will not take effect until
 a route rule explicitly sends traffic to this subset.
    
 
    Traffic policies can be customized to specific ports as well. The
 following rule uses the least connection load balancing policy for all
 traffic to port 80, while uses a round robin load balancing setting for
 traffic to the port 9080.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings-port
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy: # Apply to all ports
-    portLevelSettings:
-    - port:
-        number: 80
-      loadBalancer:
-        simple: LEAST_REQUEST
-    - port:
-        number: 9080
-      loadBalancer:
-        simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -131,34 +71,9 @@ spec:
       loadBalancer:
         simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    Destination Rules can be customized to specific workloads as well.
 The following example shows how a destination rule can be applied to a
 specific workload using the workloadSelector configuration.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: configure-client-mtls-dr-with-workloadselector
-spec:
-  host: example.com
-  workloadSelector:
-    matchLabels:
-      app: ratings
-  trafficPolicy:
-    loadBalancer:
-      simple: ROUND_ROBIN
-    portLevelSettings:
-    - port:
-        number: 31443
-      tls:
-        credentialName: client-credential
-        mode: MUTUAL
-
    
-
    {{}}
-{{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -178,8 +93,6 @@ spec:
         credentialName: client-credential
         mode: MUTUAL
 
    
-
    {{}}
-{{}}
    
 
 
    DestinationRule
    
 
    
@@ -398,27 +311,6 @@ service-level can be overridden at a subset-level. The following rule
 uses a round robin load balancing policy for all traffic going to a
 subset named testversion that is composed of endpoints (e.g., pods) with
 labels (version:v3).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_REQUEST
-  subsets:
-  - name: testversion
-    labels:
-      version: v3
-    trafficPolicy:
-      loadBalancer:
-        simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -436,8 +328,6 @@ spec:
       loadBalancer:
         simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    Note: Policies specified for subsets will not take effect until
 a route rule explicitly sends traffic to this subset.
    
 
    One or more labels are typically required to identify the subset destination,
@@ -505,20 +395,6 @@ load balancing
 for more details.
    
 
    For example, the following rule uses a round robin load balancing policy
 for all traffic going to the ratings service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -529,28 +405,9 @@ spec:
     loadBalancer:
       simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    The following example sets up sticky sessions for the ratings service
 hashing-based load balancer for the same ratings service using the
 the User cookie as the hash key.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      consistentHash:
-        httpCookie:
-          name: user
-          ttl: 0s
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -564,8 +421,6 @@ spec:
           name: user
           ttl: 0s
 
    
-
    {{}}
-{{}}
    
 
 
@@ -637,25 +492,6 @@ for more details. Connection pool settings can be applied at the TCP
 level as well as at HTTP level.
    For example, the following rule sets a limit of 100 connections to redis
 service called myredissrv with a connect timeout of 30ms
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-redis
-spec:
-  host: myredissrv.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-        connectTimeout: 30ms
-        tcpKeepalive:
-          time: 7200s
-          interval: 75s
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -671,8 +507,6 @@ spec:
           time: 7200s
           interval: 75s
 
    
-
    {{}}
-{{}}
    
 
 
 
 
 
    
@@ -725,28 +559,6 @@ with no more than 10 req/connection to the “reviews” service. In add
 it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
 hosts to be scanned every 5 mins so that any host that fails 7 consecutive
 times with a 502, 503, or 504 error code will be ejected for 15 minutes.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-cb-policy
-spec:
-  host: reviews.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-      http:
-        http2MaxRequests: 1000
-        maxRequestsPerConnection: 10
-    outlierDetection:
-      consecutive5xxErrors: 7
-      interval: 5m
-      baseEjectionTime: 15m
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -765,8 +577,6 @@ spec:
       interval: 5m
       baseEjectionTime: 15m
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -918,23 +728,6 @@ context
 for more details. These settings are common to both HTTP and TCP upstreams.
    For example, the following rule configures a client to use mutual TLS
 for connections to upstream database cluster.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: db-mtls
-spec:
-  host: mydbserver.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: MUTUAL
-      clientCertificate: /etc/certs/myclientcert.pem
-      privateKey: /etc/certs/client_private_key.pem
-      caCertificates: /etc/certs/rootcacerts.pem
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -948,24 +741,8 @@ spec:
       privateKey: /etc/certs/client_private_key.pem
       caCertificates: /etc/certs/rootcacerts.pem
 
    
-
    {{}}
-{{}}
    The following rule configures a client to use TLS when talking to a
 foreign service whose domain matches *.foo.com.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: tls-foo
-spec:
-  host: "*.foo.com"
-  trafficPolicy:
-    tls:
-      mode: SIMPLE
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -976,24 +753,8 @@ spec:
     tls:
       mode: SIMPLE
 
    
-
    {{}}
-{{}}
    The following rule configures a client to use Istio mutual TLS when talking
 to rating services.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: ratings-istio-mtls
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: ISTIO_MUTUAL
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1004,8 +765,6 @@ spec:
     tls:
       mode: ISTIO_MUTUAL
 
    
-
    {{}}
-{{}}
    
 
 
 
 
 
 
 
 
 
    
@@ -1145,6 +904,21 @@ SAN will be skipped.
    
 be true by default in a later version where, going forward, it will be
 enabled by default.
    
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2680,11 +6576,41 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2700,11 +6626,31 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2715,26 +6661,61 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2788,16 +6769,56 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2813,16 +6834,66 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2833,6 +6904,16 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
@@ -2843,6 +6924,9 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
      # Wait until the bookinfo virtual service has been distributed to all proxies in the mesh
   istioctl experimental wait --for=distribution virtualservice bookinfo.default
 
+  # Wait until the bookinfo virtual service has been distributed to a specific proxy
+  istioctl experimental wait --for=distribution virtualservice bookinfo.default --proxy workload-instance.namespace
+
   # Wait until 99% of the proxies receive the distribution, timing out after 5 minutes
   istioctl experimental wait --for=distribution --threshold=.99 --timeout=300s virtualservice bookinfo.default
 
@@ -2861,11 +6945,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2876,16 +7000,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2919,11 +7098,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2934,21 +7153,76 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2986,11 +7260,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3001,16 +7315,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3047,11 +7416,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3062,21 +7471,76 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3101,16 +7565,56 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3121,16 +7625,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3156,11 +7715,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3171,11 +7770,66 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3201,11 +7855,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3216,11 +7910,66 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3246,6 +7995,16 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
 
+
+
+
+
+
+
+
+
+
+
@@ -3256,16 +8015,41 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3276,6 +8060,11 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
+
+
+
+
+
@@ -3301,6 +8090,11 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
+
+
+
+
+
@@ -3311,21 +8105,71 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3351,11 +8195,51 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3366,11 +8250,66 @@ Configure requires either the WorkloadGroup artifact path or its location on the
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3395,16 +8334,56 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3420,6 +8399,11 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 
+
+
+
+
+
@@ -3430,16 +8414,66 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3466,21 +8500,56 @@ The default output is serialized YAML, which can be piped into 'kubectl appl
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3505,30 +8579,65 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
@@ -3537,11 +8646,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3583,6 +8712,16 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
 
+
+
+
+
+
+
+
+
+
+
@@ -3593,16 +8732,46 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3633,16 +8802,36 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3653,21 +8842,56 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3728,16 +8952,56 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3748,11 +9012,66 @@ doubt re-run istioctl kube-inject on deployments to get the most up-to-date chan
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3776,11 +9095,41 @@ removed.
    
 
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3791,6 +9140,16 @@ removed.
    
     
+
+
+
+
+
+
+
+
+
+
@@ -3806,11 +9165,36 @@ removed.
    
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3852,11 +9266,26 @@ e.g.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3867,16 +9296,36 @@ e.g.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3901,30 +9355,85 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3964,21 +9473,56 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4003,30 +9552,65 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
@@ -4035,11 +9619,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4072,11 +9676,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4087,11 +9731,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4112,21 +9811,61 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4151,35 +9890,90 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4205,27 +9999,67 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4250,30 +10084,85 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4299,21 +10188,61 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4324,32 +10253,87 @@ could be secret list separated by comma, eg. '--imagePullSecrets imagePullSe
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4368,11 +10352,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4383,11 +10407,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4406,16 +10485,56 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4426,11 +10545,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4455,21 +10629,61 @@ istioctl install --set profile=demo  # Use a profile from the list
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4483,15 +10697,70 @@ istioctl install --set profile=demo  # Use a profile from the list
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4519,32 +10788,72 @@ istioctl install --set profile=demo  # Use a profile from the list
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4558,20 +10867,75 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4592,21 +10956,61 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4620,15 +11024,70 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4647,11 +11106,51 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4662,21 +11161,76 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4709,16 +11263,51 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4729,6 +11318,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
@@ -4739,6 +11333,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
@@ -4749,6 +11348,21 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4759,26 +11373,61 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4817,16 +11466,56 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4837,21 +11526,76 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4888,16 +11632,51 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4908,6 +11687,11 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
@@ -4918,11 +11702,31 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4933,16 +11737,51 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -4981,16 +11820,56 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5001,21 +11880,76 @@ istioctl proxy-config c [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5054,21 +11988,61 @@ istioctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5079,11 +12053,31 @@ istioctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5094,16 +12088,51 @@ istioctl proxy-config ep [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5153,16 +12182,56 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5173,11 +12242,31 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5188,21 +12277,56 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5241,11 +12365,51 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5261,31 +12425,86 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5324,11 +12543,51 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5339,21 +12598,76 @@ istioctl proxy-config l [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5382,16 +12696,56 @@ istioctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5402,6 +12756,11 @@ istioctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
@@ -5412,21 +12771,71 @@ istioctl proxy-config r [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5466,16 +12875,56 @@ istioctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5486,21 +12935,76 @@ istioctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5517,8 +13021,8 @@ istioctl proxy-config s [<type>/]<name>[.<namespace>] [flags]
 
    istioctl proxy-status
    
-Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh
    
-
    
+Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in the mesh
+
    istioctl proxy-status [<type>/]<name>[.<namespace>] [flags]
 
    
@@ -5534,16 +13038,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -5554,36 +13113,129 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    
 
    
+No
+
    caCrlstring
+
    OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+to use in verifying a presented server certificate. CRL is a list of certificates
+that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+If omitted, the proxy will not verify the certificate against the crl.
    
+
     		
 
 No
@@ -1272,6 +1046,7 @@ The following labels which have special semantic meaning are also supported:
    
 
  • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
    • 
 
  • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
    • 
 
  • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
    • 
+
  • kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.
    • 
 
 
    The below topology config indicates the following priority levels:
    
 
    failoverPriority:
diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html
index 52847bc962..3b813daf31 100644
--- a/content/en/docs/reference/config/networking/gateway/index.html
+++ b/content/en/docs/reference/config/networking/gateway/index.html
@@ -20,61 +20,6 @@ as a load balancer exposing port 80 and 9080 (http), 443 (https),
 applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen
 on these ports, it is the responsibility of the user to ensure that
 external traffic to these ports are allowed into the mesh.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-gateway
-  namespace: some-config-namespace
-spec:
-  selector:
-    app: my-gateway-controller
-  servers:
-  - port:
-      number: 80
-      name: http
-      protocol: HTTP
-    hosts:
-    - uk.bookinfo.com
-    - eu.bookinfo.com
-    tls:
-      httpsRedirect: true # sends 301 redirect for http requests
-  - port:
-      number: 443
-      name: https-443
-      protocol: HTTPS
-    hosts:
-    - uk.bookinfo.com
-    - eu.bookinfo.com
-    tls:
-      mode: SIMPLE # enables HTTPS on this port
-      serverCertificate: /etc/certs/servercert.pem
-      privateKey: /etc/certs/privatekey.pem
-  - port:
-      number: 9443
-      name: https-9443
-      protocol: HTTPS
-    hosts:
-    - "bookinfo-namespace/*.bookinfo.com"
-    tls:
-      mode: SIMPLE # enables HTTPS on this port
-      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
-  - port:
-      number: 9080
-      name: http-wildcard
-      protocol: HTTP
-    hosts:
-    - "*"
-  - port:
-      number: 2379 # to expose internal service via external port 2379
-      name: mongo
-      protocol: MONGO
-    hosts:
-    - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -126,8 +71,6 @@ spec:
     hosts:
     - "*"
 
    
-
    {{}}
-{{}}
    
 
    The Gateway specification above describes the L4-L6 properties of a load
 balancer. A VirtualService can then be bound to a gateway to control
 the forwarding of traffic arriving at a particular host or gateway port.
    
@@ -141,46 +84,6 @@ in the qa version. The same rule is also applicable inside the mesh for
 requests to the “reviews.prod.svc.cluster.local” service. This rule is
 applicable across ports 443, 9080. Note that http://uk.bookinfo.com
 gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-rule
-  namespace: bookinfo-namespace
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  - uk.bookinfo.com
-  - eu.bookinfo.com
-  gateways:
-  - some-config-namespace/my-gateway
-  - mesh # applies to all the sidecars in the mesh
-  http:
-  - match:
-    - headers:
-        cookie:
-          exact: "user=dev-123"
-    route:
-    - destination:
-        port:
-          number: 7777
-        host: reviews.qa.svc.cluster.local
-  - match:
-    - uri:
-        prefix: /reviews/
-    route:
-    - destination:
-        port:
-          number: 9080 # can be omitted if it's the only port for reviews
-        host: reviews.prod.svc.cluster.local
-      weight: 80
-    - destination:
-        host: reviews.qa.svc.cluster.local
-      weight: 20
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -217,35 +120,10 @@ spec:
         host: reviews.qa.svc.cluster.local
       weight: 20
 
    
-
    {{}}
-{{}}
    
 
    The following VirtualService forwards traffic arriving at (external)
 port 27017 to internal Mongo server on port 5555. This rule is not
 applicable internally in the mesh as the gateway list omits the
 reserved name mesh.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-mongo
-  namespace: bookinfo-namespace
-spec:
-  hosts:
-  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
-  gateways:
-  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
-  tcp:
-  - match:
-    - port: 27017
-    route:
-    - destination:
-        host: mongo.prod.svc.cluster.local
-        port:
-          number: 5555
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -265,34 +143,11 @@ spec:
         port:
           number: 5555
 
    
-
    {{}}
-{{}}
    
 
    It is possible to restrict the set of virtual services that can bind to
 a gateway server using the namespace/hostname syntax in the hosts field.
 For example, the following Gateway allows any virtual service in the ns1
 namespace to bind to it, while restricting only the virtual service with
 foo.bar.com host in the ns2 namespace to bind to it.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-gateway
-  namespace: some-config-namespace
-spec:
-  selector:
-    app: my-gateway-controller
-  servers:
-  - port:
-      number: 80
-      name: http
-      protocol: HTTP
-    hosts:
-    - "ns1/*"
-    - "ns2/foo.bar.com"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -310,8 +165,6 @@ spec:
     - "ns1/*"
     - "ns2/foo.bar.com"
 
    
-
    {{}}
-{{}}
    
 
 
    Gateway
    
 
    
@@ -368,25 +221,6 @@ No
 
    
 
    Server describes the properties of the proxy on a given load balancer
 port. For example,
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-ingress
-spec:
-  selector:
-    app: my-ingressgateway
-  servers:
-  - port:
-      number: 80
-      name: http2
-      protocol: HTTP2
-    hosts:
-    - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -402,28 +236,7 @@ spec:
     hosts:
     - "*"
 
    
-
    {{}}
-{{}}
    
 
    Another example
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-tcp-ingress
-spec:
-  selector:
-    app: my-tcp-ingressgateway
-  servers:
-  - port:
-      number: 27018
-      name: mongo
-      protocol: MONGO
-    hosts:
-    - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -439,31 +252,7 @@ spec:
     hosts:
     - "*"
 
    
-
    {{}}
-{{}}
    
 
    The following is an example of TLS configuration for port 443
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-tls-ingress
-spec:
-  selector:
-    app: my-tls-ingressgateway
-  servers:
-  - port:
-      number: 443
-      name: https
-      protocol: HTTPS
-    hosts:
-    - "*"
-    tls:
-      mode: SIMPLE
-      credentialName: tls-cert
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -482,8 +271,6 @@ spec:
       mode: SIMPLE
       credentialName: tls-cert
 
    
-
    {{}}
-{{}}
    
 
 
@@ -712,6 +499,21 @@ No
 containing certificate authority certificates to use in verifying a presented
 client side certificate.
    
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1302,21 +3127,76 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1349,16 +3229,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1369,21 +3289,76 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1416,16 +3391,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1436,21 +3451,76 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1483,16 +3553,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1503,26 +3613,81 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1566,16 +3731,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1586,21 +3791,76 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1633,16 +3893,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1653,21 +3953,76 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1693,11 +4048,51 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1708,11 +4103,66 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1732,11 +4182,51 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1747,11 +4237,66 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1776,16 +4321,56 @@ from multiple sources (mesh-level, namespace-level and workload-level).
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1796,11 +4381,66 @@ from multiple sources (mesh-level, namespace-level and workload-level).
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1832,11 +4472,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1852,11 +4532,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1889,11 +4624,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1904,11 +4679,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1933,11 +4763,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1948,11 +4818,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1976,11 +4901,51 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1991,11 +4956,66 @@ Checks associated resources of the given resource, and running webhooks to exami
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2021,11 +5041,51 @@ the configuration objects that affect that pod.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2041,11 +5101,66 @@ the configuration objects that affect that pod.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2074,11 +5189,51 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2094,11 +5249,66 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2125,11 +5335,51 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2140,14 +5390,64 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2155,6 +5455,16 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
@@ -2168,6 +5478,9 @@ the configuration objects that affect that service.
    
   # Retrieve Envoy server metrics in prometheus format
   istioctl experimental envoy-stats <pod-name[.namespace]> --output prom
 
+  # Retrieve Envoy server metrics in prometheus format with custom proxy admin port
+  istioctl experimental envoy-stats <pod-name[.namespace]> --output prom --proxy-admin-port 15000
+
   # Retrieve Envoy server metrics in prometheus format with merged application metrics
   istioctl experimental envoy-stats <pod-name[.namespace]> --output prom-merged
 
@@ -2189,11 +5502,51 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2204,11 +5557,66 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2232,11 +5640,51 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2247,11 +5695,66 @@ the configuration objects that affect that service.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2284,6 +5787,16 @@ THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
    
+
+
+
+
+
+
+
+
+
+
@@ -2294,11 +5807,41 @@ THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2314,26 +5857,81 @@ THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2409,16 +6007,56 @@ calculated over a time interval of 1 minute.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2429,11 +6067,66 @@ calculated over a time interval of 1 minute.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2464,16 +6157,56 @@ calculated over a time interval of 1 minute.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2484,11 +6217,31 @@ calculated over a time interval of 1 minute.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2499,16 +6252,51 @@ calculated over a time interval of 1 minute.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2544,6 +6332,16 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
@@ -2554,16 +6352,46 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2579,26 +6407,81 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2632,28 +6515,31 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
    
 
    
+No
+
    caCrlstring
+
    OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+to use in verifying a presented client side certificate. CRL is a list of certificates
+that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+If omitted, the proxy will not verify the certificate against the crl.
    
+
     		
 
 No
diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html
index f8853aa09c..49005dcf1a 100644
--- a/content/en/docs/reference/config/networking/service-entry/index.html
+++ b/content/en/docs/reference/config/networking/service-entry/index.html
@@ -28,26 +28,6 @@ services.
    
 
    The following example declares a few external APIs accessed by internal
 applications over HTTPS. The sidecar inspects the SNI value in the
 ClientHello message to route to the appropriate external service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-https
-spec:
-  hosts:
-  - api.dropboxapi.com
-  - www.googleapis.com
-  - api.facebook.com
-  location: MESH_EXTERNAL
-  ports:
-  - number: 443
-    name: https
-    protocol: TLS
-  resolution: DNS
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -64,35 +44,10 @@ spec:
     protocol: TLS
   resolution: DNS
 
    
-
    {{}}
-{{}}
    
 
    The following configuration adds a set of MongoDB instances running on
 unmanaged VMs to Istio’s registry, so that these services can be treated
 as any other service in the mesh. The associated DestinationRule is used
 to initiate mTLS connections to the database instances.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-mongocluster
-spec:
-  hosts:
-  - mymongodb.somedomain # not used
-  addresses:
-  - 192.192.192.192/24 # VIPs
-  ports:
-  - number: 27018
-    name: mongodb
-    protocol: MONGO
-  location: MESH_INTERNAL
-  resolution: STATIC
-  endpoints:
-  - address: 2.2.2.2
-  - address: 3.3.3.3
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -112,26 +67,7 @@ spec:
   - address: 2.2.2.2
   - address: 3.3.3.3
 
    
-
    {{}}
-{{}}
    
 
    and the associated DestinationRule
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: mtls-mongocluster
-spec:
-  host: mymongodb.somedomain
-  trafficPolicy:
-    tls:
-      mode: MUTUAL
-      clientCertificate: /etc/certs/myclientcert.pem
-      privateKey: /etc/certs/client_private_key.pem
-      caCertificates: /etc/certs/rootcacerts.pem
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -145,30 +81,9 @@ spec:
       privateKey: /etc/certs/client_private_key.pem
       caCertificates: /etc/certs/rootcacerts.pem
 
    
-
    {{}}
-{{}}
    
 
    The following example uses a combination of service entry and TLS
 routing in a virtual service to steer traffic based on the SNI value to
 an internal egress firewall.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-redirect
-spec:
-  hosts:
-  - wikipedia.org
-  - "*.wikipedia.org"
-  location: MESH_EXTERNAL
-  ports:
-  - number: 443
-    name: https
-    protocol: TLS
-  resolution: NONE
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -184,30 +99,7 @@ spec:
     protocol: TLS
   resolution: NONE
 
    
-
    {{}}
-{{}}
    
 
    And the associated VirtualService to route based on the SNI value.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: tls-routing
-spec:
-  hosts:
-  - wikipedia.org
-  - "*.wikipedia.org"
-  tls:
-  - match:
-    - sniHosts:
-      - wikipedia.org
-      - "*.wikipedia.org"
-    route:
-    - destination:
-        host: internal-egress-firewall.ns1.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -225,8 +117,6 @@ spec:
     - destination:
         host: internal-egress-firewall.ns1.svc.cluster.local
 
    
-
    {{}}
-{{}}
    
 
    The virtual service with TLS match serves to override the default SNI
 match. In the absence of a virtual service, traffic will be forwarded to
 the wikipedia domains.
    
@@ -237,27 +127,6 @@ declaration to other namespaces in the mesh. By default, a service is exported
 to all namespaces. The following example restricts the visibility to the
 current namespace, represented by “.”, so that it cannot be used by other
 namespaces.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-httpbin
-  namespace : egress
-spec:
-  hosts:
-  - example.com
-  exportTo:
-  - "."
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: DNS
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -275,29 +144,7 @@ spec:
     protocol: HTTP
   resolution: DNS
 
    
-
    {{}}
-{{}}
    
 
    Define a gateway to handle all egress traffic.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: istio-egressgateway
- namespace: istio-system
-spec:
- selector:
-   istio: egressgateway
- servers:
- - port:
-     number: 80
-     name: http
-     protocol: HTTP
-   hosts:
-   - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -314,47 +161,12 @@ spec:
    hosts:
    - "*"
 
    
-
    {{}}
-{{}}
    
 
    And the associated VirtualService to route from the sidecar to the
 gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
 well as route from the gateway to the external service. Note that the
 virtual service is exported to all namespaces enabling them to route traffic
 through the gateway to the external service. Forcing traffic to go through
 a managed middle proxy like this is a common practice.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: gateway-routing
-  namespace: egress
-spec:
-  hosts:
-  - example.com
-  exportTo:
-  - "*"
-  gateways:
-  - mesh
-  - istio-egressgateway
-  http:
-  - match:
-    - port: 80
-      gateways:
-      - mesh
-    route:
-    - destination:
-        host: istio-egressgateway.istio-system.svc.cluster.local
-  - match:
-    - port: 80
-      gateways:
-      - istio-egressgateway
-    route:
-    - destination:
-        host: example.com
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -384,30 +196,10 @@ spec:
     - destination:
         host: example.com
 
    
-
    {{}}
-{{}}
    
 
    The following example demonstrates the use of wildcards in the hosts for
 external services. If the connection has to be routed to the IP address
 requested by the application (i.e. application resolves DNS and attempts
 to connect to a specific IP), the resolution mode must be set to NONE.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-wildcard-example
-spec:
-  hosts:
-  - "*.bar.com"
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: NONE
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -422,31 +214,9 @@ spec:
     protocol: HTTP
   resolution: NONE
 
    
-
    {{}}
-{{}}
    
 
    The following example demonstrates a service that is available via a
 Unix Domain Socket on the host of the client. The resolution must be
 set to STATIC to use Unix address endpoints.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: unix-domain-socket-example
-spec:
-  hosts:
-  - "example.unix.local"
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: STATIC
-  endpoints:
-  - address: unix:///var/run/example/socket
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -463,8 +233,6 @@ spec:
   endpoints:
   - address: unix:///var/run/example/socket
 
    
-
    {{}}
-{{}}
    
 
    For HTTP-based services, it is possible to create a VirtualService
 backed by multiple DNS addressable endpoints. In such a scenario, the
 application can use the HTTP_PROXY environment variable to transparently
@@ -472,34 +240,6 @@ reroute API calls for the VirtualService to a chosen backend. For
 example, the following configuration creates a non-existent external
 service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
 uk.foo.bar.com:9080, and in.foo.bar.com:7080
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-dns
-spec:
-  hosts:
-  - foo.bar.com
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: DNS
-  endpoints:
-  - address: us.foo.bar.com
-    ports:
-      http: 8080
-  - address: uk.foo.bar.com
-    ports:
-      http: 9080
-  - address: in.foo.bar.com
-    ports:
-      http: 7080
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -524,8 +264,6 @@ spec:
     ports:
       http: 7080
 
    
-
    {{}}
-{{}}
    
 
    With HTTP_PROXY=http://localhost/, calls from the application to
 http://foo.bar.com will be load balanced across the three domains
 specified above. In other words, a call to http://foo.bar.com/baz would
@@ -533,30 +271,6 @@ be translated to http://uk.foo.bar.com/baz.
    
 
    The following example illustrates the usage of a ServiceEntry
 containing a subject alternate name
 whose format conforms to the SPIFFE standard:
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: httpbin
-  namespace : httpbin-ns
-spec:
-  hosts:
-  - example.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: STATIC
-  endpoints:
-  - address: 2.2.2.2
-  - address: 3.3.3.3
-  subjectAltNames:
-  - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -577,8 +291,6 @@ spec:
   subjectAltNames:
   - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
 
    
-
    {{}}
-{{}}
    
 
    The following example demonstrates the use of ServiceEntry with a
 workloadSelector to handle the migration of a service
 details.bookinfo.com from VMs to Kubernetes. The service has two
@@ -586,32 +298,6 @@ VM-based instances with sidecars as well as a set of Kubernetes
 pods managed by a standard deployment object. Consumers of this
 service in the mesh will be automatically load balanced across the
 VMs and Kubernetes.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-vm-1
-spec:
-  serviceAccount: details
-  address: 2.2.2.2
-  labels:
-    app: details
-    instance-id: vm1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-vm-2
-spec:
-  serviceAccount: details
-  address: 3.3.3.3
-  labels:
-    app: details
-    instance-id: vm2
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -634,33 +320,10 @@ spec:
     app: details
     instance-id: vm2
 
    
-
    {{}}
-{{}}
    
 
    Assuming there is also a Kubernetes deployment with pod labels
 app: details using the same service account details, the
 following service entry declares a service spanning both VMs and
 Kubernetes:
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: details-svc
-spec:
-  hosts:
-  - details.bookinfo.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: STATIC
-  workloadSelector:
-    labels:
-      app: details
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -678,8 +341,6 @@ spec:
     labels:
       app: details
 
    
-
    {{}}
-{{}}
    
 
 
    ServiceEntry
    
 
    
diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html
index bb6d3c89c4..a45041238a 100644
--- a/content/en/docs/reference/config/networking/sidecar/index.html
+++ b/content/en/docs/reference/config/networking/sidecar/index.html
@@ -48,21 +48,6 @@ in the root namespace called istio-config, that configures
 sidecars in all namespaces to allow egress traffic only to other
 workloads in the same namespace as well as to services in the
 istio-system namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: default
-  namespace: istio-config
-spec:
-  egress:
-  - hosts:
-    - "./*"
-    - "istio-system/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -74,29 +59,11 @@ spec:
     - "./*"
     - "istio-system/*"
 
    
-
    {{}}
-{{}}
    
 
    The example below declares a Sidecar configuration in the
 prod-us1 namespace that overrides the global default defined
 above, and configures the sidecars in the namespace to allow egress
 traffic to public services in the prod-us1, prod-apis, and the
 istio-system namespaces.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: default
-  namespace: prod-us1
-spec:
-  egress:
-  - hosts:
-    - "prod-us1/*"
-    - "prod-apis/*"
-    - "istio-system/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -109,8 +76,6 @@ spec:
     - "prod-apis/*"
     - "istio-system/*"
 
    
-
    {{}}
-{{}}
    
 
    The following example declares a Sidecar configuration in the
 prod-us1 namespace for all pods with labels app: ratings
 belonging to the ratings.prod-us1 service.  The workload accepts
@@ -119,35 +84,6 @@ the attached workload instance listening on a Unix domain
 socket. In the egress direction, in addition to the istio-system
 namespace, the sidecar proxies only HTTP traffic bound for port
 9080 for services in the prod-us1 namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: ratings
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: ratings
-  ingress:
-  - port:
-      number: 9080
-      protocol: HTTP
-      name: somename
-    defaultEndpoint: unix:///var/run/someuds.sock
-  egress:
-  - port:
-      number: 9080
-      protocol: HTTP
-      name: egresshttp
-    hosts:
-    - "prod-us1/*"
-  - hosts:
-    - "istio-system/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -173,8 +109,6 @@ spec:
   - hosts:
     - "istio-system/*"
 
    
-
    {{}}
-{{}}
    
 
    If the workload is deployed without IPTables-based traffic capture,
 the Sidecar configuration is the only way to configure the ports
 on the proxy attached to the workload instance. The following
@@ -189,36 +123,6 @@ it to the application listening on 127.0.0.1:8080. It also allows
 the application to communicate with a backing MySQL database on
 127.0.0.1:3306, that then gets proxied to the externally hosted
 MySQL service at mysql.foo.com:3306.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: no-ip-tables
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: productpage
-  ingress:
-  - port:
-      number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
-      protocol: HTTP
-      name: somename
-    defaultEndpoint: 127.0.0.1:8080
-    captureMode: NONE # not needed if metadata is set for entire proxy
-  egress:
-  - port:
-      number: 3306
-      protocol: MYSQL
-      name: egressmysql
-    captureMode: NONE # not needed if metadata is set for entire proxy
-    bind: 127.0.0.1
-    hosts:
-    - "*/mysql.foo.com"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -245,28 +149,7 @@ spec:
     hosts:
     - "*/mysql.foo.com"
 
    
-
    {{}}
-{{}}
    
 
    And the associated service entry for routing to mysql.foo.com:3306
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-mysql
-  namespace: ns1
-spec:
-  hosts:
-  - mysql.foo.com
-  ports:
-  - number: 3306
-    name: mysql
-    protocol: MYSQL
-  location: MESH_EXTERNAL
-  resolution: DNS
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -282,8 +165,6 @@ spec:
   location: MESH_EXTERNAL
   resolution: DNS
 
    
-
    {{}}
-{{}}
    
 
    It is also possible to mix and match traffic capture modes in a single
 proxy. For example, consider a setup where internal services are on the
 192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
@@ -295,36 +176,6 @@ listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving
 
    NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the
 proxy in the VM should contain REDIRECT or TPROXY as its value,
 implying that IP tables based traffic capture is active.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: partial-ip-tables
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: productpage
-  ingress:
-  - bind: 172.16.1.32
-    port:
-      number: 80 # binds to 172.16.1.32:80
-      protocol: HTTP
-      name: somename
-    defaultEndpoint: 127.0.0.1:8080
-    captureMode: NONE
-  egress:
-    # use the system detected defaults
-    # sets up configuration to handle outbound traffic to services
-    # in 192.168.0.0/16 subnet, based on information provided by the
-    # service registry
-  - captureMode: IPTABLES
-    hosts:
-    - "*/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -351,8 +202,6 @@ spec:
     hosts:
     - "*/*"
 
    
-
    {{}}
-{{}}
    
 
    The following example declares a Sidecar configuration in the
 prod-us1 namespace for all pods with labels app: ratings
 belonging to the ratings.prod-us1 service.  The service accepts
@@ -365,9 +214,7 @@ in order to set mTLS mode to “DISABLE” on specific
 ports.
 In this example, the mTLS mode is disabled on PORT 80.
 This feature is currently experimental.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
+
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
   name: ratings
@@ -386,10 +233,8 @@ spec:
       mode: SIMPLE
       privateKey: "/etc/certs/privatekey.pem"
       serverCertificate: "/etc/certs/servercert.pem"
-
    
-
    {{}}
    
-
    {{}}
    
-
    apiVersion: v1
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: ratings
@@ -403,10 +248,8 @@ spec:
     targetPort: 80
   selector:
     app: ratings
-
    
-
    {{}}
    
-
    {{}}
    
-
    apiVersion: security.istio.io/v1beta1
+---
+apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
   name: ratings-peer-auth
@@ -421,8 +264,6 @@ spec:
     80:
       mode: DISABLE
 
    
-
    {{}}
-{{}}
    
 
    In addition to configuring traffic capture and how traffic is forwarded to the app,
 it’s possible to control inbound connection pool settings. By default, Istio pushes
 connection pool settings from DestinationRules to both clients (for outbound
@@ -430,39 +271,6 @@ connections to the service) as well as servers (for inbound connections to a ser
 instance). Using the InboundConnectionPool and per-port ConnectionPool settings
 in a Sidecar allow you to control those connection pools for the server separately
 from the settings pushed to all clients.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: connection-pool-settings
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: productpage
-  inboundConnectionPool:
-      http:
-        http1MaxPendingRequests: 1024
-        http2MaxRequests: 1024
-        maxRequestsPerConnection: 1024
-        maxRetries: 100
-  ingress:
-  - port:
-      number: 80
-      protocol: HTTP
-      name: somename
-    connectionPool:
-      http:
-        http1MaxPendingRequests: 1024
-        http2MaxRequests: 1024
-        maxRequestsPerConnection: 1024
-        maxRetries: 100
-      tcp:
-        maxConnections: 100
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -492,8 +300,6 @@ spec:
       tcp:
         maxConnections: 100
 
    
-
    {{}}
-{{}}
    
 
 
    Sidecar
    
 
    
diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index e62025e33c..62132d392c 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -43,36 +43,6 @@ to be customized for specific client contexts.
    
 pods of the reviews service with label “version: v1”. In addition,
 HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
 be rewritten to /newcatalog and sent to pods with label “version: v2”.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - name: "reviews-v2-routes"
-    match:
-    - uri:
-        prefix: "/wpcatalog"
-    - uri:
-        prefix: "/consumercatalog"
-    rewrite:
-      uri: "/newcatalog"
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v2
-  - name: "reviews-v1-route"
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -99,29 +69,9 @@ spec:
         host: reviews.prod.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
    A subset/version of a route destination is identified with a reference
 to a named service subset which must be declared in a corresponding
 DestinationRule.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-destination
-spec:
-  host: reviews.prod.svc.cluster.local
-  subsets:
-  - name: v1
-    labels:
-      version: v1
-  - name: v2
-    labels:
-      version: v2
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -136,8 +86,6 @@ spec:
     labels:
       version: v2
 
    
-
    {{}}
-{{}}
    
 
 
    VirtualService
    
 
    
@@ -301,35 +249,6 @@ domain names over short names.
    
 
    The following Kubernetes example routes all traffic by default to pods
 of the reviews service with label “version: v1” (i.e., subset v1), and
 some to subset v2, in a Kubernetes environment.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-  namespace: foo
-spec:
-  hosts:
-  - reviews # interpreted as reviews.foo.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        prefix: "/wpcatalog"
-    - uri:
-        prefix: "/consumercatalog"
-    rewrite:
-      uri: "/newcatalog"
-    route:
-    - destination:
-        host: reviews # interpreted as reviews.foo.svc.cluster.local
-        subset: v2
-  - route:
-    - destination:
-        host: reviews # interpreted as reviews.foo.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -355,28 +274,7 @@ spec:
         host: reviews # interpreted as reviews.foo.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
    And the associated DestinationRule
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-destination
-  namespace: foo
-spec:
-  host: reviews # interpreted as reviews.foo.svc.cluster.local
-  subsets:
-  - name: v1
-    labels:
-      version: v1
-  - name: v2
-    labels:
-      version: v2
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -392,8 +290,6 @@ spec:
     labels:
       version: v2
 
    
-
    {{}}
-{{}}
    
 
    The following VirtualService sets a timeout of 5s for all calls to
 productpage.prod.svc.cluster.local service in Kubernetes. Notice that
 there are no subsets defined in this rule. Istio will fetch all
@@ -403,24 +299,6 @@ that this rule is set in the istio-system namespace but uses the fully
 qualified domain name of the productpage service,
 productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
 not have an impact in resolving the name of the productpage service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: my-productpage-rule
-  namespace: istio-system
-spec:
-  hosts:
-  - productpage.prod.svc.cluster.local # ignores rule namespace
-  http:
-  - timeout: 5s
-    route:
-    - destination:
-        host: productpage.prod.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -435,44 +313,11 @@ spec:
     - destination:
         host: productpage.prod.svc.cluster.local
 
    
-
    {{}}
-{{}}
    
 
    To control routing for traffic bound to services outside the mesh, external
 services must first be added to Istio’s internal service registry using the
 ServiceEntry resource. VirtualServices can then be defined to control traffic
 bound to these external services. For example, the following rules define a
 Service for wikipedia.org and set a timeout of 5s for HTTP requests.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-wikipedia
-spec:
-  hosts:
-  - wikipedia.org
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: example-http
-    protocol: HTTP
-  resolution: DNS
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: my-wiki-rule
-spec:
-  hosts:
-  - wikipedia.org
-  http:
-  - timeout: 5s
-    route:
-    - destination:
-        host: wikipedia.org
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -500,8 +345,6 @@ spec:
     - destination:
         host: wikipedia.org
 
    
-
    {{}}
-{{}}
    
 
 
@@ -892,36 +735,6 @@ The following VirtualService adds a test header with the value reviews service destination.
 It also removes the foo response header, but only from responses
 coming from the v1 subset (version) of the reviews service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - headers:
-      request:
-        set:
-          test: "true"
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v2
-      weight: 25
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-      headers:
-        response:
-          remove:
-          - foo
-      weight: 75
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -948,8 +761,6 @@ spec:
           - foo
       weight: 75
 
    
-
    {{}}
-{{}}
    
 
 
    
 
    
@@ -994,35 +805,6 @@ No
 traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
 traffic arriving at port 443 of gateway called “mygateway” to internal
 services in the mesh based on the SNI value.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-sni
-spec:
-  hosts:
-  - "*.bookinfo.com"
-  gateways:
-  - mygateway
-  tls:
-  - match:
-    - port: 443
-      sniHosts:
-      - login.bookinfo.com
-    route:
-    - destination:
-        host: login.prod.svc.cluster.local
-  - match:
-    - port: 443
-      sniHosts:
-      - reviews.bookinfo.com
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1048,8 +830,6 @@ spec:
     - destination:
         host: reviews.prod.svc.cluster.local
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -1094,26 +874,6 @@ No
 
    Describes match conditions and actions for routing TCP traffic. The
 following routing rule forwards traffic arriving at port 27017 for
 mongo.prod.svc.cluster.local to another Mongo server on port 5555.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-mongo
-spec:
-  hosts:
-  - mongo.prod.svc.cluster.local
-  tcp:
-  - match:
-    - port: 27017
-    route:
-    - destination:
-        host: mongo.backup.svc.cluster.local
-        port:
-          number: 5555
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1130,8 +890,6 @@ spec:
         port:
           number: 5555
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -1178,29 +936,6 @@ rule to be applied to the HTTP request. For example, the following
 restricts the rule to match only requests where the URL path
 starts with /ratings/v2/ and the request contains a custom end-user header
 with value jason.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - headers:
-        end-user:
-          exact: jason
-      uri:
-        prefix: "/ratings/v2/"
-      ignoreUriCase: true
-    route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1220,8 +955,6 @@ spec:
     - destination:
         host: ratings.prod.svc.cluster.local
 
    
-
    {{}}
-{{}}
    HTTPMatchRequest CANNOT be empty.
 Note:
      
@@ -1513,28 +1246,6 @@ determine the proportion of traffic it receives. For example, the
 following rule will route 25% of traffic for the “reviews” service to
 instances with the “v2” tag and the remaining traffic (i.e., 75%) to
 “v1”.
      
-
      {{}}
-{{}}
      
-
      apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v2
-      weight: 25
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-      weight: 75
-
      
-
      {{}}
      
-
      {{}}
      
 
      apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1553,27 +1264,7 @@ spec:
         subset: v1
       weight: 75
 
      
-
      {{}}
-{{}}
      
 
      And the associated DestinationRule
      
-
      {{}}
-{{}}
      
-
      apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-destination
-spec:
-  host: reviews.prod.svc.cluster.local
-  subsets:
-  - name: v1
-    labels:
-      version: v1
-  - name: v2
-    labels:
-      version: v2
-
      
-
      {{}}
      
-
      {{}}
      
 
      apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1588,31 +1279,9 @@ spec:
     labels:
       version: v2
 
      
-
      {{}}
-{{}}
      
 
      Traffic can also be split across two entirely different services without
 having to define new subsets. For example, the following rule forwards 25% of
 traffic to reviews.com to dev.reviews.com
      
-
      {{}}
-{{}}
      
-
      apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route-two-domains
-spec:
-  hosts:
-  - reviews.com
-  http:
-  - route:
-    - destination:
-        host: dev.reviews.com
-      weight: 25
-    - destination:
-        host: reviews.com
-      weight: 75
-
      
-
      {{}}
      
-
      {{}}
      
 
      apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1629,8 +1298,6 @@ spec:
         host: reviews.com
       weight: 75
 
      
-
      {{}}
-{{}}
      
 
 
    
 
 
 
 
    
@@ -1910,26 +1577,6 @@ where the Authority/Host and the URI in the response can be swapped with
 the specified values. For example, the following rule redirects
 requests for /v1/getProductRatings API on the ratings service to
 /v1/bookRatings provided by the bookratings service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    redirect:
-      uri: /v1/bookRatings
-      authority: newratings.default.svc.cluster.local
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1946,8 +1593,6 @@ spec:
       authority: newratings.default.svc.cluster.local
   ...
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2044,27 +1689,6 @@ No
 
    HTTPDirectResponse can be used to send a fixed response to clients.
 For example, the following rule returns a fixed 503 status with a body
 to requests for /v1/getProductRatings API.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    directResponse:
-      status: 503
-      body:
-        string: "unknown error"
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2082,31 +1706,8 @@ spec:
         string: "unknown error"
   ...
 
    
-
    {{}}
-{{}}
    It is also possible to specify a binary response body.
 This is mostly useful for non text-based protocols such as gRPC.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    directResponse:
-      status: 503
-      body:
-        bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2124,36 +1725,9 @@ spec:
         bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64
   ...
 
    
-
    {{}}
-{{}}
    It is good practice to add headers in the HTTPRoute
 as well as the direct_response, for example to specify
 the returned Content-Type.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    directResponse:
-      status: 503
-      body:
-        string: "{\"error\": \"unknown error\"}"
-    headers:
-      response:
-        set:
-          content-type: "application/json"
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2175,8 +1749,6 @@ spec:
           content-type: "text/plain"
   ...
 
    
-
    {{}}
-{{}}
    
 
 
 
 
 
 
 
 
    
@@ -2258,28 +1830,6 @@ before forwarding the request to the destination. Rewrite primitive can
 be used only with HTTPRouteDestination. The following example
 demonstrates how to rewrite the URL prefix for api call (/ratings) to
 ratings service before making the actual API call.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        prefix: /ratings
-    rewrite:
-      uri: /v1/bookRatings
-    route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2298,8 +1848,6 @@ spec:
         host: ratings.prod.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2452,27 +2000,6 @@ example, the following rule sets the maximum number of retries to 3 when
 calling ratings:v1 service, with a 2s timeout per retry attempt.
 A retry will be attempted if there is a connect-failure, refused_stream
 or when the upstream server responds with Service Unavailable(503).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    retries:
-      attempts: 3
-      perTryTimeout: 2s
-      retryOn: connect-failure,refused-stream,503
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2490,8 +2017,6 @@ spec:
       perTryTimeout: 2s
       retryOn: gateway-error,connect-failure,refused-stream
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2572,33 +2097,6 @@ the following rule restricts cross origin requests to those originating
 from example.com domain using HTTP POST/GET, and sets the
 Access-Control-Allow-Credentials header to false. In addition, it only
 exposes X-Foo-bar header and sets an expiry period of 1 day.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    corsPolicy:
-      allowOrigins:
-      - exact: https://example.com
-      allowMethods:
-      - POST
-      - GET
-      allowCredentials: false
-      allowHeaders:
-      - X-Foo-Bar
-      maxAge: "24h"
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2622,8 +2120,6 @@ spec:
       - X-Foo-Bar
       maxAge: "24h"
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2917,31 +2413,6 @@ No
 forwarding path. The following example will introduce a 5 second delay
 in 1 out of every 1000 requests to the “v1” version of the “reviews”
 service from all pods with label env: prod
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - match:
-    - sourceLabels:
-        env: prod
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-    fault:
-      delay:
-        percentage:
-          value: 0.1
-        fixedDelay: 5s
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2963,8 +2434,6 @@ spec:
           value: 0.1
         fixedDelay: 5s
 
    
-
    {{}}
-{{}}
    The fixedDelay field is used to indicate the amount of delay in seconds.
 The optional percentage field can be used to only delay a certain
 percentage of requests. If left unspecified, no request will be delayed.
    
@@ -3024,28 +2493,6 @@ No
 
    Abort specification is used to prematurely abort a request with a
 pre-specified error code. The following example will return an HTTP 400
 error code for 1 out of every 1000 requests to the “ratings” service “v1”.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    fault:
-      abort:
-        percentage:
-          value: 0.1
-        httpStatus: 400
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -3064,8 +2511,6 @@ spec:
           value: 0.1
         httpStatus: 400
 
    
-
    {{}}
-{{}}
    The httpStatus field is used to indicate the HTTP status code to
 return to the caller. The optional percentage field can be used to only
 abort a certain percentage of requests. If not specified, no request will be
diff --git a/content/en/docs/reference/config/networking/workload-entry/index.html b/content/en/docs/reference/config/networking/workload-entry/index.html
index c6f96ae5a1..9ded68bd6d 100644
--- a/content/en/docs/reference/config/networking/workload-entry/index.html
+++ b/content/en/docs/reference/config/networking/workload-entry/index.html
@@ -30,25 +30,6 @@ account. The service is exposed on port 80 to applications in the
 mesh. The HTTP traffic to this service is wrapped in Istio mutual
 TLS and sent to sidecars on VMs on target port 8080, that in turn
 forward it to the application on localhost on the same port.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-svc
-spec:
-  # use of the service account indicates that the workload has a
-  # sidecar proxy bootstrapped with this service account. Pods with
-  # sidecars will automatically communicate with the workload using
-  # istio mutual TLS.
-  serviceAccount: details-legacy
-  address: 2.2.2.2
-  labels:
-    app: details-legacy
-    instance-id: vm1
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -64,31 +45,7 @@ spec:
     app: details-legacy
     instance-id: vm1
 
    
-
    {{}}
-{{}}
    and the associated service entry
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: details-svc
-spec:
-  hosts:
-  - details.bookinfo.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-    targetPort: 8080
-  resolution: STATIC
-  workloadSelector:
-    labels:
-      app: details-legacy
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -107,32 +64,11 @@ spec:
     labels:
       app: details-legacy
 
    
-
    {{}}
-{{}}
    The following example declares the same VM workload using
 its fully qualified DNS name. The service entry’s resolution
 mode should be changed to DNS to indicate that the client-side
 sidecars should dynamically resolve the DNS name at runtime before
 forwarding the request.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-svc
-spec:
-  # use of the service account indicates that the workload has a
-  # sidecar proxy bootstrapped with this service account. Pods with
-  # sidecars will automatically communicate with the workload using
-  # istio mutual TLS.
-  serviceAccount: details-legacy
-  address: vm1.vpc01.corp.net
-  labels:
-    app: details-legacy
-    instance-id: vm1
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -148,31 +84,7 @@ spec:
     app: details-legacy
     instance-id: vm1
 
    
-
    {{}}
-{{}}
    and the associated service entry
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: details-svc
-spec:
-  hosts:
-  - details.bookinfo.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-    targetPort: 8080
-  resolution: DNS
-  workloadSelector:
-    labels:
-      app: details-legacy
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -191,28 +103,12 @@ spec:
     labels:
       app: details-legacy
 
    
-
    {{}}
-{{}}
    The following example declares a VM workload without an address.
 An alternative to having istiod read from remote API servers is
 to write a WorkloadEntry in the local cluster that represents
 the Workload(s) in the remote network with the given labels. A
 single WorkloadEntry with weights represent the aggregate of all
 the actual workloads in a given remote network.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: foo-workloads-cluster-2
-spec:
-  serviceAccount: foo
-  network: cluster-2-network
-  labels:
-    app: foo
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -223,8 +119,6 @@ spec:
   labels:
     app: foo
 
    
-
    {{}}
-{{}}
    WorkloadEntry
    
diff --git a/content/en/docs/reference/config/networking/workload-group/index.html b/content/en/docs/reference/config/networking/workload-group/index.html
index ef4b0d8970..68f0125a4a 100644
--- a/content/en/docs/reference/config/networking/workload-group/index.html
+++ b/content/en/docs/reference/config/networking/workload-group/index.html
@@ -22,40 +22,6 @@ of workloads that will be registered under reviews in namespace
 instance during the bootstrap process, and the ports 3550 and 8080
 will be associated with the workload group and use service account default.
 app.kubernetes.io/version is just an arbitrary example of a label.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadGroup
-metadata:
-  name: reviews
-  namespace: bookinfo
-spec:
-  metadata:
-    labels:
-      app.kubernetes.io/name: reviews
-      app.kubernetes.io/version: "1.3.4"
-  template:
-    ports:
-      grpc: 3550
-      http: 8080
-    serviceAccount: default
-  probe:
-    initialDelaySeconds: 5
-    timeoutSeconds: 3
-    periodSeconds: 4
-    successThreshold: 3
-    failureThreshold: 3
-    httpGet:
-     path: /foo/bar
-     host: 127.0.0.1
-     port: 3100
-     scheme: HTTPS
-     httpHeaders:
-     - name: Lit-Header
-       value: Im-The-Best
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadGroup
 metadata:
@@ -86,8 +52,6 @@ spec:
      - name: Lit-Header
        value: Im-The-Best
 
    
-
    {{}}
-{{}}
    
 
 
    WorkloadGroup
    
 
    
diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html
index 1f921a75d3..74927f28ec 100644
--- a/content/en/docs/reference/config/security/authorization-policy/index.html
+++ b/content/en/docs/reference/config/security/authorization-policy/index.html
@@ -44,34 +44,6 @@ but it is useful to be explicit in the policy.
    
 
 
    when the request has a valid JWT token issued by https://accounts.google.com.
    
 
    Any other requests will be denied.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  action: ALLOW
-  rules:
-  - from:
-    - source:
-        principals: ["cluster.local/ns/default/sa/sleep"]
-    - source:
-        namespaces: ["test"]
-    to:
-    - operation:
-        methods: ["GET"]
-        paths: ["/info*"]
-    - operation:
-        methods: ["POST"]
-        paths: ["/data"]
-    when:
-    - key: request.auth.claims[iss]
-      values: ["https://accounts.google.com"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -96,30 +68,9 @@ spec:
     - key: request.auth.claims[iss]
       values: ["https://accounts.google.com"]
 
    
-
    {{}}
-{{}}
    
 
    The following is another example that sets action to DENY to create a deny policy.
 It denies requests from the dev namespace to the POST method on all workloads
 in the foo namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  action: DENY
-  rules:
-  - from:
-    - source:
-        namespaces: ["dev"]
-    to:
-    - operation:
-        methods: ["POST"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -135,28 +86,9 @@ spec:
     - operation:
         methods: ["POST"]
 
    
-
    {{}}
-{{}}
    
 
    The following is another example that sets action to DENY to create a deny policy.
 It denies all the requests with POST method on port 8080 on all workloads
 in the foo namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  action: DENY
-  rules:
-  - to:
-    - operation:
-        methods: ["POST"]
-        ports: ["8080"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -170,34 +102,12 @@ spec:
         methods: ["POST"]
         ports: ["8080"]
 
    
-
    {{}}
-{{}}
    
 
    When this rule is applied to TCP traffic, the method field (as will all HTTP based attributes) cannot be processed.
 For a DENY rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
 If we were to remove the ports match, all TCP traffic would be denied. As a result, it is recommended to always scope DENY policies to a specific port,
 especially when using HTTP attributes Authorization Policy for TCP Ports.
    
 
    The following authorization policy sets the action to AUDIT. It will audit any GET requests to the path with the
 prefix /user/profile.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  namespace: ns1
-  name: anyname
-spec:
-  selector:
-    matchLabels:
-      app: myapi
-  action: AUDIT
-  rules:
-  - to:
-    - operation:
-        methods: ["GET"]
-        paths: ["/user/profile/*"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -214,8 +124,6 @@ spec:
         methods: ["GET"]
         paths: ["/user/profile/*"]
 
    
-
    {{}}
-{{}}
    
 
    Authorization Policy scope (target) is determined by “metadata/namespace” and
 an optional selector.
    
 
      
@@ -225,18 +133,6 @@ namespace, the policy applies to all namespaces in a mesh.
 
    
 
    For example, the following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
 all requests to workloads in namespace foo.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-nothing
- namespace: foo
-spec:
-  {}
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -245,22 +141,7 @@ metadata:
 spec:
   {}
 
    
-
    {{}}
-{{}}
    
 
    The following authorization policy allows all requests to workloads in namespace foo.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-all
- namespace: foo
-spec:
- rules:
- - {}
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -270,24 +151,8 @@ spec:
  rules:
  - {}
 
    
-
    {{}}
-{{}}
    
 
    The following authorization policy applies to workloads containing label app: httpbin in namespace bar. It allows
 nothing and effectively denies all requests to the selected workloads.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: allow-nothing
-  namespace: bar
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -298,24 +163,8 @@ spec:
     matchLabels:
       app: httpbin
 
    
-
    {{}}
-{{}}
    
 
    The following authorization policy applies to workloads containing label version: v1 in all namespaces in the mesh.
 (Assuming the root namespace is configured to istio-system).
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-nothing
- namespace: istio-system
-spec:
- selector:
-   matchLabels:
-     version: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -326,33 +175,11 @@ spec:
    matchLabels:
      version: v1
 
    
-
    {{}}
-{{}}
    
 
    The following example shows you how to set up an authorization policy using an experimental annotation
 istio.io/dry-run to dry-run the policy without actually enforcing it.
    
 
    The dry-run annotation allows you to better understand the effect of an authorization policy before applying it to the production traffic.
 This helps to reduce the risk of breaking the production traffic caused by an incorrect authorization policy.
 For more information, see dry-run tasks.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: dry-run-example
-  annotations:
-    "istio.io/dry-run": "true"
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  action: DENY
-  rules:
-  - to:
-    - operation:
-        paths: ["/headers"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -369,8 +196,6 @@ spec:
     - operation:
         paths: ["/headers"]
 
    
-
    {{}}
-{{}}
    
 
 
    AuthorizationPolicy
    
 
    
diff --git a/content/en/docs/reference/config/security/jwt/index.html b/content/en/docs/reference/config/security/jwt/index.html
index f627c52298..0b84aaf2f6 100644
--- a/content/en/docs/reference/config/security/jwt/index.html
+++ b/content/en/docs/reference/config/security/jwt/index.html
@@ -205,6 +205,18 @@ The header specified in each operation in the list must be unique. Nested claims
 
 
    [Experimental] This feature is a experimental feature.
    
 
+
+
    
+
+
+
+
+
diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html
index 16f79507d7..f387df1675 100644
--- a/content/en/docs/reference/config/security/request_authentication/index.html
+++ b/content/en/docs/reference/config/security/request_authentication/index.html
@@ -21,37 +21,6 @@ Examples:
      
 
    • Require JWT for all request for workloads that have label app:httpbin
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  jwtRules:
-  - issuer: "issuer-foo"
-    jwksUri: https://example.com/.well-known/jwks.json
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -79,38 +48,11 @@ spec:
     - source:
         requestPrincipals: ["*"]
 
    
-
    {{}}
-{{}}
      
 
    • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces
 in a mesh. The following policy makes all workloads only accept requests that contain a
 valid JWT token.
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: req-authn-for-all
-  namespace: istio-system
-spec:
-  jwtRules:
-  - issuer: "issuer-foo"
-    jwksUri: https://example.com/.well-known/jwks.json
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: require-jwt-for-all
-  namespace: istio-system
-spec:
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -132,53 +74,11 @@ spec:
     - source:
         requestPrincipals: ["*"]
 
    
-
    {{}}
-{{}}
      
 
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication
 declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly
 set from the OpenID Connect spec).
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  jwtRules:
-  - issuer: "issuer-foo"
-  - issuer: "issuer-bar"
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["issuer-foo/*"]
-    to:
-    - operation:
-        hosts: ["example.com"]
-  - from:
-    - source:
-        requestPrincipals: ["issuer-bar/*"]
-    to:
-    - operation:
-        hosts: ["another-host.com"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -215,34 +115,11 @@ spec:
     - operation:
         hosts: ["another-host.com"]
 
    
-
    {{}}
-{{}}
      
 
    • You can fine tune the authorization policy to set different requirement per path. For example,
 to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the
 authorization policy could be:
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-  - to:
-    - operation:
-        paths: ["/healthz"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -260,8 +137,6 @@ spec:
     - operation:
         paths: ["/healthz"]
 
    
-
    {{}}
-{{}}
    [Experimental] Routing based on derived metadata
 is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request.
 Currently this feature is only supported for the following metadata:
    
@@ -277,62 +152,6 @@ For more information, see }}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: jwt-on-ingress
-  namespace: istio-system
-spec:
-  selector:
-    matchLabels:
-      app: istio-ingressgateway
-  jwtRules:
-  - issuer: "example.com"
-    jwksUri: https://example.com/.well-known/jwks.json
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: require-jwt
-  namespace: istio-system
-spec:
-  selector:
-    matchLabels:
-      app: istio-ingressgateway
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: route-jwt
-spec:
-  hosts:
-  - foo.prod.svc.cluster.local
-  gateways:
-  - istio-ingressgateway
-  http:
-  - name: "v2"
-    match:
-    - headers:
-        "@request.auth.claims.sub":
-          exact: "dev"
-    route:
-    - destination:
-        host: foo.prod.svc.cluster.local
-        subset: v2
-  - name: "default"
-    route:
-    - destination:
-        host: foo.prod.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -385,8 +204,6 @@ spec:
         host: foo.prod.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
 
    
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
+No
+
    timeoutDuration
+
    The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
+will spend waiting for the JWKS to be fetched. Default is 5s.
    
+
     		
 
 No
diff --git a/content/en/docs/reference/config/security/peer_authentication/index.html b/content/en/docs/reference/config/security/peer_authentication/index.html
index aa7fc472cb..a1f7cb3445 100644
--- a/content/en/docs/reference/config/security/peer_authentication/index.html
+++ b/content/en/docs/reference/config/security/peer_authentication/index.html
@@ -25,7 +25,7 @@ spec:
     mode: STRICT
 
 
    For mesh level, put the policy in root-namespace according to your Istio installation.
    
-
    Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but
+
    Policies to allow both mTLS and plaintext traffic for all workloads under namespace foo, but
 require mTLS for workload finance.
    
 
    apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
@@ -48,8 +48,9 @@ spec:
   mtls:
     mode: STRICT
 
    
-
    Policy to allow mTLS strict for all workloads, but leave port 8080 to
-plaintext:
    
+
    Policy that enables strict mTLS for all workloads, but leaves the port 8080 to
+plaintext. Note the port value in the portLevelMtls field refers to the port
+of the workload, not the port of the Kubernetes service.
    
 
    apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -65,8 +66,8 @@ spec:
     8080:
       mode: DISABLE
 
    
-
    Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
-settings for port 8080
    
+
    Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
+mTLS for workload port 8080.
    
 
    apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -123,7 +124,8 @@ No
 
    		map<uint32, MutualTLS>
 
 
    Port specific mutual TLS settings. These only apply when a workload selector
-is specified.
    
+is specified. The port refers to the port of the workload, not the port of the
+Kubernetes service.
    
 
     		
 
@@ -174,7 +176,7 @@ No
 
    
 UNSET
 
-
    Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
    
+
    Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
    
 
     		
 
    
 
 
 
 
 
 
 
 
 
    
diff --git a/content/en/docs/reference/config/type/workload-selector/index.html b/content/en/docs/reference/config/type/workload-selector/index.html
index 9aeb5f2c9f..8c206cebec 100644
--- a/content/en/docs/reference/config/type/workload-selector/index.html
+++ b/content/en/docs/reference/config/type/workload-selector/index.html
@@ -85,8 +85,6 @@ Telemetry, and WasmPlugin CRDs to target a Kubernetes Gateway.
    
 a PolicyTargetReference. The example sets action to DENY to create a deny policy.
 It denies all the requests with POST method on port 8080 directed through the
 waypoint Gateway in the foo namespace.
    
-
    {{}}
-{{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -104,8 +102,6 @@ spec:
         methods: ["POST"]
         ports: ["8080"]
 
    
-
    {{}}
-{{}}
    
 
 
    
 
    
diff --git a/content/zh/docs/reference/commands/install-cni/index.html b/content/zh/docs/reference/commands/install-cni/index.html
index 628f5c5c3d..98e0467274 100644
--- a/content/zh/docs/reference/commands/install-cni/index.html
+++ b/content/zh/docs/reference/commands/install-cni/index.html
@@ -696,7 +696,7 @@ These environment variables affect the behavior of the install-cni
 
-
+
@@ -778,6 +778,12 @@ These environment variables affect the behavior of the install-cni
 
+
+
+
+
+
+
@@ -834,7 +840,7 @@ These environment variables affect the behavior of the install-cni
 
-
+
@@ -926,12 +932,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 
-
-
-
-
-
-
@@ -1016,12 +1016,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 
-
-
-
-
-
-
@@ -1172,12 +1166,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 
-
-
-
-
-
-
@@ -1292,6 +1280,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1430,12 +1430,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 
-
-
-
-
-
-
diff --git a/content/zh/docs/reference/commands/istioctl/index.html b/content/zh/docs/reference/commands/istioctl/index.html
index 4122c3314b..2ff0e0e644 100644
--- a/content/zh/docs/reference/commands/istioctl/index.html
+++ b/content/zh/docs/reference/commands/istioctl/index.html
@@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
 title: istioctl
 description: Istio control interface.
 generator: pkg-collateral-docs
-number_of_entries: 92
+number_of_entries: 93
 max_toc_level: 2
 remove_toc_prefix: 'istioctl '
 ---
@@ -21,11 +21,51 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -36,11 +76,66 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -64,11 +159,51 @@ debug and diagnose their Istio mesh.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -79,16 +214,71 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -116,6 +306,31 @@ debug and diagnose their Istio mesh.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -126,6 +341,21 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -138,7 +368,12 @@ debug and diagnose their Istio mesh.
 
-
+
+
+
+
+
+
@@ -146,11 +381,36 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -161,14 +421,39 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -208,26 +493,66 @@ debug and diagnose their Istio mesh.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -253,11 +578,31 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -268,16 +613,41 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -288,6 +658,11 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
@@ -298,6 +673,11 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
@@ -344,11 +724,51 @@ debug and diagnose their Istio mesh.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -359,11 +779,66 @@ debug and diagnose their Istio mesh.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -394,6 +869,31 @@ All names except label and annotation keys support '*' glob matching pat
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -404,6 +904,11 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
@@ -429,6 +934,11 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
@@ -439,6 +949,11 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
@@ -464,31 +979,86 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -509,6 +1079,31 @@ All names except label and annotation keys support '*' glob matching pat
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -519,6 +1114,11 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
@@ -544,6 +1144,11 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
@@ -554,6 +1159,11 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
@@ -579,11 +1189,31 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -594,26 +1224,61 @@ All names except label and annotation keys support '*' glob matching pat
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -634,11 +1299,51 @@ See each sub-command's help for details on how to use the generated script.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -649,11 +1354,66 @@ See each sub-command's help for details on how to use the generated script.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -685,11 +1445,51 @@ If it is not installed already, you can install it via your OS's package man
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -700,16 +1500,71 @@ If it is not installed already, you can install it via your OS's package man
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -736,11 +1591,51 @@ If it is not installed already, you can install it via your OS's package man
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -751,16 +1646,71 @@ If it is not installed already, you can install it via your OS's package man
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -786,11 +1736,51 @@ to your powershell profile.
 
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -801,16 +1791,71 @@ to your powershell profile.
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -843,11 +1888,51 @@ to enable it.  You can execute the following once:
    
 
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -858,16 +1943,71 @@ to enable it.  You can execute the following once:
    
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -888,6 +2028,16 @@ to enable it.  You can execute the following once:
    
 
     
+
+
+
+
+
+
+
+
+
+
@@ -903,6 +2053,21 @@ to enable it.  You can execute the following once:
    
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -913,6 +2078,21 @@ to enable it.  You can execute the following once:
    
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -926,7 +2106,12 @@ to enable it.  You can execute the following once:
    
     
+(e.g. ~/Downloads/istio-1.22.0/manifests).  (default ``)
+
+
+
+
+
@@ -939,6 +2124,36 @@ to enable it.  You can execute the following once:
    
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -954,11 +2169,31 @@ to enable it.  You can execute the following once:
    
     
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1001,16 +2236,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1021,16 +2296,71 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1056,11 +2386,36 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1071,6 +2426,21 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1081,21 +2451,76 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1138,16 +2563,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1158,26 +2623,81 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1215,16 +2735,56 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1235,21 +2795,76 @@ istioctl d [flags]
 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1263,6 +2878,176 @@ istioctl d [flags]
   istioctl dash grafana
   istioctl d grafana
 
+
    istioctl dashboard istiod-debug
    
+
    Open the debug web UI for a Istio control plane pod
    
+
    istioctl dashboard istiod-debug [<type>/]<name>[.<namespace>] [flags]
+
    
+
    
 
    
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Booleanfalsetrue
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
    
 
    If enabled, the TLS configuration on Sidecar.ingress will take effect
 
    
 
    ENABLE_VTPROTOBUFBooleanfalseIf true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
    
 ENVOY_USER
 String
 istio-proxy
    
 ISTIO_DELTA_XDS
 Booleanfalsetrue
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
    
 
    If enabled, istiod will skip verifying the certificate of the JWKS server.
 
    
 
    JWT_POLICYStringthird-party-jwtThe JWT validation policy.
    
 KUBECFG_FILE_NAME
 String
 ZZZ-istio-cni-kubeconfigIf set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
    
 
    NATIVE_METADATA_EXCHANGEBooleantrueIf set, uses a native implementation of the HTTP metadata exchange filter
    
 NODE_NAME
 String
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
    
 
    PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
    
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 trueIf enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
    
 
    PILOT_GATEWAY_API_CONTROLLER_NAMEStringistio.io/gateway-controllerGateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
    PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAMEStringistioName of the default GatewayClass
    
 PILOT_HTTP10
 Boolean
 falseIf true, Pilot will collect metrics for XDS cache efficiency.
 
    
 
    PILOT_XDS_SEND_TIMEOUTTime Duration0sThe timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
    
 POD_NAME
 String
 
    
 
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --selector <string>
 -l
 label selector  (default `app=istiod`)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)ControlZ port  (default `9876`)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
    
 --level <string>
 Comma-separated list of output logging level for scopes in format <scope>:<level>[,<scope>:<level>,...]Possible values for <level>: none, error, warn, info, debug  (default ``)Comma-separated list of output logging level for scopes in the format of <scope>:<level>[,<scope>:<level>,...]. Possible values for <level>: none, error, warn, info, debug  (default ``)
    --mode <string>The operating mode of the implementation.  (default `default`)
 
    
 
    
 --namespace <string>Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --reset
 
 Reset levels to default value. (info) Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --selector <string>
 -l
 label selector  (default `app=istiod`)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    
 --stack-trace-level <string>
 Comma-separated list of stack trace level  for scopes in format <scope>:<stack-trace-level>[,<scope>:<stack-trace-level>,...] Possible values for <stack-trace-level>: none, error, warn, info, debug  (default ``)Comma-separated list of stack trace level for scopes in the format of <scope>:<stack-trace-level>[,<scope>:<stack-trace-level>,...]. Possible values for <stack-trace-level>: none, error, warn, info, debug  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
 
    
 
    
 --vklog <Level>
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    
 --all-namespaces
 -A
 Analyze all namespaces 
 
    
 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    
 --color
 
 Default true.  Disable with '=false' or set $TERM to dumb 
 
    
 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --failure-threshold <Level>
 
 The severity level of analysis at which to set a non-zero exit code. Valid values: [Info Warning Error]  (default `Error`)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --ignore-unknown
 
 Don't complain about un-parseable input documents, for cases where analyze should run only on k8s compliant inputs. Overrides the mesh config values to use for analysis.  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of [log json yaml]  (default `log`)The severity level of analysis at which to display messages. Valid values: [Info Warning Error]  (default `Info`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --recursive
 -R
 Process directory arguments recursively. Useful when you want to analyze related manifests organized within the same directory. 
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 
 analyze a specific revision deployed.  (default `default`)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --suppress <stringArray>
 -S
 Suppress reporting a message code on a specific resource. Values are supplied in the form <code>=<resource> (e.g. '--suppress "IST0102=DestinationRule primary-dr.default"'). Can be repeated. You can include the wildcard character '*' to support a partial match (e.g. '--suppress "IST0102=DestinationRule *.default" ).  (default `[]`)The duration to wait before failing  (default `30s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --use-kube
 -k
 Use live Kubernetes cluster for analysis. Set --use-kube=false to analyze files only. Enable verbose output 
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Name of the kubeconfig Context to use.  (default ``)List of comma separated glob patterns to match against log error strings. If any pattern matches an error in the log, the logs is given the highest priority for archive inclusion.  (default `[]`)
 
    
 
    --debugWhether to print debug logs 
    
 --dir <string>
 
 Set a specific directory for temporary artifact storage.  (default ``)Spec for which pod's proxy logs to exclude from the archive, after the include spec is processed. See above for format and examples.  (default `["kube-node-lease,kube-public,kube-system,local-path-storage"]`)
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <string>
 -f
 Path to a file containing configuration in YAML format. The file contents are applied over the default values and flag settings, with lists being replaced per JSON merge semantics.  (default ``)If set, secret contents are included in output. 
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --ignore-errs <stringSlice>
 
 List of comma separated glob patterns to match against log error strings. Any error matching these patterns is ignored when calculating the log importance heuristic.  (default `[]`)Path to kube config.  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output-dir <string>
 
 Set a specific directory for output archive file.  (default ``)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --rq-concurrency <int>
 
 Set the concurrency limit of requests to the Kubernetes API server, defaults to 32.  (default `0`)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    
 --start-time <string>
 
 Start time for the range of log entries to include in the archive. Default is the infinite past. If set, --duration must be unset.  (default ``)
 
    
 
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --timeout <duration>
 
 Maximum amount of time to spend fetching logs. When timeout is reached only the logs captured so far are saved to the archive.  (default `30m0s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Name of the kubeconfig Context to use.  (default ``)List of comma separated glob patterns to match against log error strings. If any pattern matches an error in the log, the logs is given the highest priority for archive inclusion.  (default `[]`)
 
    
 
    --debugWhether to print debug logs 
    
 --dir <string>
 
 Set a specific directory for temporary artifact storage.  (default ``)Spec for which pod's proxy logs to exclude from the archive, after the include spec is processed. See above for format and examples.  (default `["kube-node-lease,kube-public,kube-system,local-path-storage"]`)
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <string>
 -f
 Path to a file containing configuration in YAML format. The file contents are applied over the default values and flag settings, with lists being replaced per JSON merge semantics.  (default ``)If set, secret contents are included in output. 
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --ignore-errs <stringSlice>
 
 List of comma separated glob patterns to match against log error strings. Any error matching these patterns is ignored when calculating the log importance heuristic.  (default `[]`)Path to kube config.  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 One of 'yaml' or 'json'.  (default ``)Set a specific directory for output archive file.  (default ``)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --rq-concurrency <int>
 
 Set the concurrency limit of requests to the Kubernetes API server, defaults to 32.  (default `0`)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --short
 -s
 Use --short=false to generate full version information 
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    
 --start-time <string>
 
 Start time for the range of log entries to include in the archive. Default is the infinite past. If set, --duration must be unset.  (default ``)
 
    
 
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --timeout <duration>
 
 Maximum amount of time to spend fetching logs. When timeout is reached only the logs captured so far are saved to the archive.  (default `30m0s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --no-descriptions
 
 disable completion descriptions 
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --no-descriptions
 
 disable completion descriptions 
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --no-descriptions
 
 disable completion descriptions 
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --no-descriptions
 
 disable completion descriptions 
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --auth-plugin-config <stringToString>
 
 Authenticator plug-in configuration. --auth-type=plugin must be set with this option  (default `[]`)Type of authentication to use. supported values = [bearer-token plugin]  (default `bearer-token`)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)If true, the service account needed for creating the remote secret will be created if it doesn't exist. 
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).  (default ``)
    --mode <string>The operating mode of the implementation.  (default `default`)
 
    
 
    
 --name <string>Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --secret-name <string>
 
 The name of the specific secret to use from the service-account. Needed when there are multiple secrets in the service account.  (default ``)Create a secret with this service account's credentials. Default value is "istio-reader-service-account" if --type is "remote", "istiod" if --type is "config".  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --type <SecretType>
 
 Type of the generated secret. supported values = [remote config]  (default `remote`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)ControlZ port  (default `9876`)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --selector <string>
 -l
 Label selector  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --selector <string>
 -l
 Label selector  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `15000`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `3000`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FlagsShorthandDescription
    --address <string>Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --browserWhen --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    --context <string>Kubernetes configuration context  (default ``)
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    --istioNamespace <string>-iIstio system namespace  (default `istio-system`)
    --kubeconfig <string>-cKubernetes configuration file  (default ``)
    --mode <string>The operating mode of the implementation.  (default `default`)
    --namespace <string>-nKubernetes namespace  (default ``)
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --port <int>-pLocal port to listen to  (default `0`)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --selector <string>-lLabel selector  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    --vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
+
    Examples
    
+
      # Open Istio debug web UI for the istiod-123-456.istio-system pod
+  istioctl dashboard istiod-debug istiod-123-456.istio-system
+
+  # Open Istio debug web UI for the istiod-56dd66799-jfdvs pod in a custom namespace
+  istioctl dashboard istiod-debug istiod-123-456 -n custom-ns
+
+  # Open Istio debug web UI for any Istiod pod
+  istioctl dashboard istiod-debug deployment/istiod.istio-system
+
+  # with short syntax
+  istioctl dash istiod-debug pilot-123-456.istio-system
+  istioctl d istiod-debug pilot-123-456.istio-system
+
+
    
 
    istioctl dashboard jaeger
    
 
    Open Istio's Jaeger dashboard
    
 
    istioctl dashboard jaeger [flags]
@@ -1282,16 +3067,56 @@ istioctl d [flags]
 
    		Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `16686`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `20001`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `9090`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --selector <string>
 -l
 Label selector  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `15000`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `8080`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Address to listen on. Only accepts IP address or localhost as a value. When localhost is supplied, istioctl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these address are available to bind.  (default `localhost`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --browser
 
 When --browser is supplied as false, istioctl dashboard will not open the browser. Default is true which means istioctl dashboard will always open a browser to view the dashboard. 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --port <int>
 -p
 Local port to listen to  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --ui-port <int>
 
 The component dashboard UI port.  (default `9411`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 The json file with Envoy config dump to be checked  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
 Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Check namespace and label pairs injection status, split multiple labels by commas  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --ignoreUnmeshed
 
 Suppress warnings for unmeshed pods 
 Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --ignoreUnmeshed
 
 Suppress warnings for unmeshed pods 
 Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
 Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -oOutput format: one of json|yaml|prom|prom-merged  (default `short`)Output format: one of json|yaml|short|prom|prom-merged  (default `short`)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --proxy-admin-port <int>Envoy proxy admin port  (default `15000`)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
 
    
 
    
 --type <string>
 Where to grab the stats: one of server|clusters  (default `server`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
 Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
 Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 Send the same request to all instances of Istiod. Only applicable for in-cluster deployment. 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)
 XDS Endpoint certificate directory  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --insecure
 
 Skip server certificate and domain verification. (NOT SECURE!) 
 Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --plaintext
 
 Use plain-text HTTP/2 when connecting to server (no TLS). 
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --duration <duration>
 -d
 Duration of query metrics, default value is 1m.  (default `1m0s`)
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --from-version <string>
 -f
 check changes since the provided version  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of [log json yaml]  (default `log`)The severity level of precheck at which to display messages. Valid values: [Info Warning Error]  (default `Warning`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --skip-controlplane
 
 skip checking the control plane 
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)XDS Endpoint certificate directory  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --insecure
 
 Skip server certificate and domain verification. (NOT SECURE!) Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --plaintext
 
 Use plain-text HTTP/2 when connecting to server (no TLS). 
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    Examples
    
 
      # Retrieve sync status for all Envoys in a mesh
-  istioctl x proxy-status
+  istioctl proxy-status
+
+  # Retrieve sync status for Envoys in a specific namespace
+  istioctl proxy-status --namespace foo
 
   # Retrieve sync diff for a single Envoy and Istiod
-  istioctl x proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
+  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
 
   # SECURITY OPTIONS
 
   # Retrieve proxy status information directly from the control plane, using token security
   # (This is the usual way to get the proxy-status with an out-of-cluster control plane.)
-  istioctl x ps --xds-address istio.cloudprovider.example.com:15012
+  istioctl ps --xds-address istio.cloudprovider.example.com:15012
 
   # Retrieve proxy status information via Kubernetes config, using token security
   # (This is the usual way to get the proxy-status with an in-cluster control plane.)
-  istioctl x proxy-status
+  istioctl proxy-status
 
   # Retrieve proxy status information directly from the control plane, using RSA certificate security
   # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
-  istioctl x ps --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+  istioctl ps --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
 
   # Retrieve proxy status information via XDS from specific control plane in multi-control plane in-cluster configuration
   # (Select a specific control plane in an in-cluster canary Istio configuration.)
-  istioctl x ps --xds-label istio.io/rev=default
+  istioctl ps --xds-label istio.io/rev=default
 
 
    
 
    istioctl experimental version
    
@@ -2670,6 +6556,16 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
    
 
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)XDS Endpoint certificate directory  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --insecure
 
 Skip server certificate and domain verification. (NOT SECURE!) Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 One of 'yaml' or 'json'.  (default ``)Use plain-text HTTP/2 when connecting to server (no TLS). 
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --remote
 
 Use --remote=false to suppress control plane check 
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --short
 -s
 Use --short=false to generate full version information 
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --for <string>
 
 Wait condition, must be 'distribution' or 'delete'  (default `distribution`)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --generation <string>
 
 Wait for a specific generation of config to become current, rather than using whatever is latest in Kubernetes  (default ``)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --proxy <string>Name of a specific proxy to wait for the condition to be satisfied  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --threshold <float32>
 
 The ratio of distribution required for success  (default `1`)The duration to wait before failing  (default `30s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 The revision to label the waypoint with  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Delete all waypoints in the namespace 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 The revision to label the waypoint with  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    
 --all-namespaces
 -A
 List all waypoints in all namespaces 
 
    
 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --service-account <string>
 -s
 service account to create a waypoint for  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --autoregister
 
 Creates a WorkloadEntry upon connection to istiod (if enabled in pilot). Enables the capture of outgoing DNS packets on port 53, redirecting to istio-agent 
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    
 --clusterID <string>
 
 The ID used to identify the cluster  (default ``)
 
    
 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --externalIP <string>
 
 External IP address of the workload  (default ``)filename of the WorkloadGroup artifact. Leave this field empty if using the API server  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --ingressIP <string>
 
 IP address of the ingress gateway  (default ``)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --name <string>
 
 The name of the workload group  (default ``)The namespace that the workload instances belong to  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output directory for generated files  (default ``)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --tokenDuration <int>
 
 The token duration in seconds (default: 1 hour)  (default `3600`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --annotations <stringSlice>
 -a
 The annotations to apply to the workload instances  (default `[]`)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)The labels to apply to the workload instances; e.g. -l env=prod,vers=2  (default `[]`)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --name <string>
 
 The name of the workload group  (default ``)The namespace that the workload instances will belong to  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --ports <stringSlice>
 -p
 The incoming ports exposed by the workload instance  (default `[]`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --serviceAccount <string>
 -s
 The service identity to associate with the workload instances  (default `default`)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -3492,6 +8561,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --readiness-timeout <duration>
 
 Maximum time to wait for Istio resources in each component to be ready.  (default `5m0s`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
    
 
    
 --skip-confirmation
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --verify
 
 Verify the Istio control plane after installation/in-place upgrade 
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --authority <string>
 
 XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)XDS Endpoint certificate directory  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <string>
 -f
 Input Kubernetes resource filename  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --injectConfigFile <string>
 
 Injection configuration filename. Cannot be used with --injectConfigMapName  (default ``)ConfigMap name for Istio mesh configuration, key should be "mesh"  (default `istio`)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --operatorFileName <string>
 
 Path to file containing IstioOperator custom resources. If configs from files like meshConfigFile, valuesFile are provided, they will be overridden by iop config values.  (default ``)
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Modified output Kubernetes resource filename  (default ``)Use plain-text HTTP/2 when connecting to server (no TLS). 
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --timeout <duration>
 
 The duration to wait before failing  (default `30s`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --valuesFile <string>
 
 Injection values configuration filename.  (default ``)
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --directory
 -r
 Compare directory. Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --ignore <string>
 
 Ignore all listed items during comparison, using the same list format as selectResources.  (default ``)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --rename <string>
 
 Rename resources before comparison.
@@ -3818,6 +9202,16 @@ The format of each renaming pair is A->B, all renaming pairs are comma separa
 e.g. Service:*:istiod->Service:*:istio-control - rename istiod service into istio-control  (default ``)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --select <string>
 
 Constrain the list of resources to compare to only the ones in this list, ignoring all others.
@@ -3827,11 +9221,31 @@ e.g.
     Service:*:istiod - compare Services called "istiod" in all namespaces  (default `::`)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --verbose
 -v
 Verbose output. 
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    
 --cluster-specific
 
 If enabled, the current cluster will be checked for cluster-specific setting detection. Specify which component to generate manifests for.  (default `[]`)
 
    
 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -3888,6 +9337,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Manifest output directory path.  (default ``)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
 
    
 
    
 --vklog <Level>
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -3990,6 +9534,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --readiness-timeout <duration>
 
 Maximum time to wait for Istio resources in each component to be ready.  (default `5m0s`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
    
 
    
 --skip-confirmation
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --verify
 
 Verify the Istio control plane after installation/in-place upgrade 
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --hub <string>
 
 The hub for the operator controller image.  (default `unknown`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --operatorNamespace <string>
 
 The namespace the operator controller is installed into.  (default `istio-operator`)
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml  (default `yaml`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Target revision for the operator.  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --tag <string>
 
 The tag for the operator controller image.  (default `unknown`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <string>
 -f
 Path to file containing IstioOperator custom resource
 This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --hub <string>
 
 The hub for the operator controller image.  (default `unknown`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --operatorNamespace <string>
 
 The namespace the operator controller is installed into.  (default `istio-operator`)
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Target revision for the operator.  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --tag <string>
 
 The tag for the operator controller image.  (default `unknown`)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --force
 
 Proceed even with validation errors. 
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    
 --operatorNamespace <string>
 
 The namespace the operator controller is installed into.  (default `istio-operator`)
 
    
 
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --purge
 
 Remove all versions of Istio operator. 
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Target revision for the operator.  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    
 --config-path <string>
 -p
 The path the root of the configuration subtree to dump e.g. components.pilot. By default, dump whole tree  (default ``)
 
    
 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
 This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.  (default `[]`)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|flags  (default `yaml`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
    
 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --dry-run
 
 Console/log output only, make no changes. 
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)--manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Filter listeners by address field  (default ``)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --direction <string>
 
 Filter clusters by Direction field  (default ``)
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump file  (default ``)Filter clusters by substring of Service FQDN field  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --name <string>
 
 Filter listeners by route name field  (default ``)Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)Filter clusters and listeners by Port field  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    
 --subset <string>
 
 Filter clusters by substring of Subset field  (default ``)
 
    
 
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --type <string>
 
 Filter listeners by type field  (default ``)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --verbose
 
 Output more information 
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `json`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    
 --direction <string>
 
 Filter clusters by Direction field  (default ``)
 
    
 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)Filter clusters by substring of Service FQDN field  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)Filter clusters by Port field  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    
 --subset <string>
 
 Filter clusters by substring of Subset field  (default ``)
 
    
 
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Filter endpoints by address field  (default ``)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    
 --cluster <string>
 
 Filter endpoints by cluster name field  (default ``)
 
    
 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)Filter endpoints by Port field  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    
 --status <string>
 
 Filter endpoints by status field  (default ``)
 
    
 
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)Filter listeners by address field  (default ``)
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)Filter listeners by Port field  (default `0`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    
 --type <string>
 
 Filter listeners by type field  (default ``)
 
    
 
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --verbose
 
 Output more information 
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Comma-separated minimum per-logger level of messages to output, in the form of [<logger>:]<level>,[<logger>:]<level>,... or <level> to change all active loggers, where logger components can be listed by running "istioctl proxy-config log <pod-name[.namespace]>"or referred from https://github.com/envoyproxy/envoy/blob/main/source/common/common/logger.h, and level can be one of [trace, debug, info, warning, error, critical, off]  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --reset
 -r
 Reset levels to default value (warning). 
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    
 --selector <string>
 -l
 Label selector  (default ``)
 
    
 
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --name <string>
 
 Filter listeners by route name field  (default ``)Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    
 --verbose
 
 Output more information 
 
    
 
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    
 --output <string>
 -o
 Output format: one of json|yaml|short  (default `short`)
 
    
 
    --project <string>Implementation's project to issue conformance to  (default ``)
    
 --proxy-admin-port <int>
 
 Envoy proxy admin port  (default `15000`)
 
    
 
    --report-output <string>The file where to write the conformance report  (default ``)
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
 
 
 
    
 
    --all-featuresWhether to enable all supported features for conformance tests 
    --allow-crds-mismatchFlag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
    --authority <string>XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)
    --cert-dir <string>XDS Endpoint certificate directory  (default ``)
    --cleanup-base-resourcesWhether to cleanup base test resources after the run 
    --conformance-profiles <string>Comma-separated list of the conformance profiles to run  (default ``)
    --contact <string>Comma-separated list of contact information for the maintainers  (default ``)
    
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
    
 
    --debugWhether to print debug logs 
    --exempt-features <string>Exempt Features excluded from conformance tests suites  (default ``)
    
 --file <string>
 -f
 Envoy config dump JSON file  (default ``)
 
    
 
    --gateway-class <string>Name of GatewayClass to use for tests  (default `gateway-conformance`)
    --insecureSkip server certificate and domain verification. (NOT SECURE!) 
    
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)Kubernetes configuration file  (default ``)
 
    
 
    --mode <string>The operating mode of the implementation.  (default `default`)
    
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
    
 
    --namespace-annotations <string>Comma-separated list of name=value annotations to add to test namespaces  (default ``)
    --namespace-labels <string>Comma-separated list of name=value labels to add to test namespaces  (default ``)
    --organization <string>Implementation's Organization to issue conformance to  (default ``)
    --plaintextUse plain-text HTTP/2 when connecting to server (no TLS). 
    --project <string>Implementation's project to issue conformance to  (default ``)
    --report-output <string>The file where to write the conformance report  (default ``)
    
 --revision <string>
 -r
 Control plane revision  (default ``)
 
    
 
    --run-test <string>Name of a single test to run, instead of the whole suite  (default ``)
    --skip-tests <string>Comma-separated list of tests to skip  (default ``)
    --supported-features <string>Supported features included in conformance tests suites  (default ``)
    --timeout <duration>The duration to wait before failing  (default `30s`)
    --url <string>Implementation's url to issue conformance to  (default ``)
    --version <string>Implementation's version to issue conformance to  (default ``)
    
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
    --xds-address <string>XDS Endpoint  (default ``)
    --xds-label <string>Istiod pod label selector  (default ``)
    --xds-port <int>Istiod pod port  (default `15012`)
    
     
 
    
 
    Examples
    
 
      # Retrieve sync status for all Envoys in a mesh
   istioctl proxy-status
 
+  # Retrieve sync status for Envoys in a specific namespace
+  istioctl proxy-status --namespace foo
+
   # Retrieve sync diff for a single Envoy and Istiod
   istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system
 
-  # Retrieve sync diff between Istiod and one pod under a deployment
-  istioctl proxy-status deployment/productpage-v1
+  # SECURITY OPTIONS
 
-  # Write proxy config-dump to file, and compare to Istio control plane
-  kubectl port-forward -n istio-system istio-egressgateway-59585c5b9c-ndc59 15000 &
-  curl localhost:15000/config_dump > cd.json
-  istioctl proxy-status istio-egressgateway-59585c5b9c-ndc59.istio-system --file cd.json
+  # Retrieve proxy status information directly from the control plane, using token security
+  # (This is the usual way to get the proxy-status with an out-of-cluster control plane.)
+  istioctl ps --xds-address istio.cloudprovider.example.com:15012
+
+  # Retrieve proxy status information via Kubernetes config, using token security
+  # (This is the usual way to get the proxy-status with an in-cluster control plane.)
+  istioctl proxy-status
+
+  # Retrieve proxy status information directly from the control plane, using RSA certificate security
+  # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
+  istioctl ps --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+
+  # Retrieve proxy status information via XDS from specific control plane in multi-control plane in-cluster configuration
+  # (Select a specific control plane in an in-cluster canary Istio configuration.)
+  istioctl ps --xds-label istio.io/rev=default
 
 
    
 
    istioctl remote-clusters
    
@@ -5600,11 +13252,51 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5615,16 +13307,71 @@ Retrieves last sent and last acknowledged xDS sync from Istiod to each Envoy in
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5653,11 +13400,51 @@ without manual relabeling of the "istio.io/rev" tag.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5668,11 +13455,66 @@ without manual relabeling of the "istio.io/rev" tag.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5694,16 +13536,56 @@ injection labels.
    
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --auto-inject-namespaces
 
 If set to true, the sidecars should be automatically injected into all namespaces by default 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5717,7 +13599,12 @@ injection labels.
    
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).  (default ``)
+(e.g. ~/Downloads/istio-1.22.0/manifests).  (default ``)
+
+
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
 
 
 --namespace <string>
@@ -5725,23 +13612,73 @@ injection labels.
    
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --overwrite
 
 If true, allow revision tags to be overwritten, otherwise reject revision tag updates that
 overwrite existing revision tags. 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision to reference from a given revision tag  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5784,11 +13721,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5799,16 +13776,71 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 Output format for tag description (available formats: table,json)  (default `table`)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5839,11 +13871,51 @@ revision tag before removing using the "istioctl tag list" command.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5854,17 +13926,72 @@ revision tag before removing using the "istioctl tag list" command.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5891,16 +14018,56 @@ injection labels.
    
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --auto-inject-namespaces
 
 If set to true, the sidecars should be automatically injected into all namespaces by default 
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -5914,7 +14081,12 @@ injection labels.
    
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).  (default ``)
+(e.g. ~/Downloads/istio-1.22.0/manifests).  (default ``)
+
+
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
 
 
 --namespace <string>
@@ -5922,23 +14094,73 @@ injection labels.
    
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --overwrite
 
 If true, allow revision tags to be overwritten, otherwise reject revision tag updates that
 overwrite existing revision tags. 
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision to reference from a given revision tag  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --skip-confirmation
 -y
 The skipConfirmation determines whether the user is prompted for confirmation.
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -5982,16 +14204,51 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <string>
 -f
 The filename of the IstioOperator CR.  (default ``)
@@ -6002,6 +14259,11 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6015,30 +14277,65 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --purge
 
 Delete all Istio related sources for all versions 
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
 
 --skip-confirmation
@@ -6047,11 +14344,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verbose
 -v
 Verbose output. 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6082,21 +14399,56 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
 --charts <string>
 
 Deprecated, use --manifests instead.  (default ``)
 
 
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
 --dry-run
 
 Console/log output only, make no changes. 
 
 
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Path to file containing IstioOperator custom resource
@@ -6108,6 +14460,11 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6121,30 +14478,65 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).
+(e.g. ~/Downloads/istio-1.22.0/manifests).
   (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --readiness-timeout <duration>
 
 Maximum time to wait for Istio resources in each component to be ready.  (default `5m0s`)
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Target control plane revision for the command.  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --set <stringArray>
 -s
 Override an IstioOperator value, e.g. to choose a profile
 (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio
-settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.21/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.22/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec  (default `[]`)
 
 
 --skip-confirmation
@@ -6153,11 +14545,31 @@ settings (--set meshConfig.enableTracing=true). See documentation for more info:
 If set to true, the user is not prompted and a Yes response is assumed in all cases. 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
 --verify
 
 Verify the Istio control plane after installation/in-place upgrade 
 
 
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6181,16 +14593,56 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Inputs of files to validate  (default `[]`)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6201,11 +14653,66 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6255,16 +14762,56 @@ istioctl experimental precheck.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --filename <stringSlice>
 -f
 Istio YAML installation file.  (default `[]`)
 
 
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6278,7 +14825,12 @@ istioctl experimental precheck.
 --manifests <string>
 -d
 Specify a path to a directory of charts and profiles
-(e.g. ~/Downloads/istio-1.21.0/manifests).  (default ``)
+(e.g. ~/Downloads/istio-1.22.0/manifests).  (default ``)
+
+
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
 
 
 --namespace <string>
@@ -6286,11 +14838,61 @@ istioctl experimental precheck.
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6324,11 +14926,51 @@ istioctl experimental precheck.
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --context <string>
 
 Kubernetes configuration context  (default ``)
 
 
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --istioNamespace <string>
 -i
 Istio system namespace  (default `istio-system`)
@@ -6339,31 +14981,86 @@ istioctl experimental precheck.
 Kubernetes configuration file  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
 --namespace <string>
 -n
 Kubernetes namespace  (default ``)
 
 
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 One of 'yaml' or 'json'.  (default ``)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
 --remote
 
 Use --remote=false to suppress control plane check 
 
 
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
 --revision <string>
 -r
 Control plane revision  (default ``)
 
 
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --short
 -s
 Use --short=false to generate full version information 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -6439,7 +15136,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -6527,6 +15224,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 EXTERNAL_ISTIOD
 Boolean
 false
@@ -6631,7 +15334,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -6735,12 +15438,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, istiod will skip verifying the certificate of the JWKS server.
 
 
-JWT_POLICY
-String
-third-party-jwt
-The JWT validation policy.
-
-
 K_REVISION
 String
 
@@ -6789,12 +15486,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING
 Boolean
 false
@@ -6939,12 +15630,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -7059,6 +15744,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -7197,12 +15894,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PLATFORM
 String
 
diff --git a/content/zh/docs/reference/commands/operator/index.html b/content/zh/docs/reference/commands/operator/index.html
index 2a33f28df3..84ceee4837 100644
--- a/content/zh/docs/reference/commands/operator/index.html
+++ b/content/zh/docs/reference/commands/operator/index.html
@@ -18,10 +18,86 @@ remove_toc_prefix: 'operator '
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -40,10 +116,86 @@ See each sub-command's help for details on how to use the generated script.
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -73,14 +225,90 @@ If it is not installed already, you can install it via your OS's package man
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -105,14 +333,90 @@ If it is not installed already, you can install it via your OS's package man
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -136,14 +440,90 @@ to your powershell profile.
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -174,14 +554,90 @@ to enable it.  You can execute the following once:
    
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
 --no-descriptions
 disable completion descriptions 
 
 
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -200,6 +656,26 @@ to enable it.  You can execute the following once:
    
 
 
 
+--all-features
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
 --ctrlz_address <string>
 The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses.  (default `localhost`)
 
@@ -208,10 +684,22 @@ to enable it.  You can execute the following once:
    
 The IP port to use for the ControlZ introspection facility  (default `9876`)
 
 
+--debug
+Whether to print debug logs 
+
+
+--exempt-features <string>
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
 --force
 Proceed even with validation errors. 
 
 
+--gateway-class <string>
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
@@ -221,11 +709,11 @@ to enable it.  You can execute the following once:
    
 
 
 --log_caller <string>
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle]  (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle]  (default ``)
 
 
 --log_output_level <string>
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
 
 
 --log_rotate <string>
@@ -245,7 +733,7 @@ to enable it.  You can execute the following once:
    
 
 
 --log_stacktrace_level <string>
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, ca, controllers, controlleruntime, default, delta, file, gateway, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
 
 
 --log_target <stringArray>
@@ -256,6 +744,10 @@ to enable it.  You can execute the following once:
    
 Defines the concurrency limit for operator to reconcile IstioOperatorSpec in parallel. Default value is 1.  (default `1`)
 
 
+--mode <string>
+The operating mode of the implementation.  (default `default`)
+
+
 --monitoring-host <string>
 HTTP host to use for operator's self-monitoring information  (default `0.0.0.0`)
 
@@ -264,6 +756,46 @@ to enable it.  You can execute the following once:
    
 HTTP port to use for operator's self-monitoring information  (default `8383`)
 
 
+--namespace-annotations <string>
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+Implementation's Organization to issue conformance to  (default ``)
+
+
+--project <string>
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
+--skip-tests <string>
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
 
@@ -283,21 +815,116 @@ to enable it.  You can execute the following once:
    
 
 
 
+--all-features
+
+Whether to enable all supported features for conformance tests 
+
+
+--allow-crds-mismatch
+
+Flag to allow the suite not to fail in case there is a mismatch between CRDs versions and channels. 
+
+
+--cleanup-base-resources
+
+Whether to cleanup base test resources after the run 
+
+
+--conformance-profiles <string>
+
+Comma-separated list of the conformance profiles to run  (default ``)
+
+
+--contact <string>
+
+Comma-separated list of contact information for the maintainers  (default ``)
+
+
+--debug
+
+Whether to print debug logs 
+
+
+--exempt-features <string>
+
+Exempt Features excluded from conformance tests suites  (default ``)
+
+
+--gateway-class <string>
+
+Name of GatewayClass to use for tests  (default `gateway-conformance`)
+
+
 --kubeconfig <string>
 
 Paths to a kubeconfig. Only required if out-of-cluster.  (default ``)
 
 
+--mode <string>
+
+The operating mode of the implementation.  (default `default`)
+
+
+--namespace-annotations <string>
+
+Comma-separated list of name=value annotations to add to test namespaces  (default ``)
+
+
+--namespace-labels <string>
+
+Comma-separated list of name=value labels to add to test namespaces  (default ``)
+
+
+--organization <string>
+
+Implementation's Organization to issue conformance to  (default ``)
+
+
 --output <string>
 -o
 One of 'yaml' or 'json'.  (default ``)
 
 
+--project <string>
+
+Implementation's project to issue conformance to  (default ``)
+
+
+--report-output <string>
+
+The file where to write the conformance report  (default ``)
+
+
+--run-test <string>
+
+Name of a single test to run, instead of the whole suite  (default ``)
+
+
 --short
 -s
 Use --short=false to generate full version information 
 
 
+--skip-tests <string>
+
+Comma-separated list of tests to skip  (default ``)
+
+
+--supported-features <string>
+
+Supported features included in conformance tests suites  (default ``)
+
+
+--url <string>
+
+Implementation's url to issue conformance to  (default ``)
+
+
+--version <string>
+
+Implementation's version to issue conformance to  (default ``)
+
+
 --vklog <Level>
 
 number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)
@@ -373,7 +1000,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -461,6 +1088,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 EXTERNAL_ISTIOD
 Boolean
 false
@@ -511,7 +1144,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -615,12 +1248,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, istiod will skip verifying the certificate of the JWKS server.
 
 
-JWT_POLICY
-String
-third-party-jwt
-The JWT validation policy.
-
-
 K_REVISION
 String
 
@@ -669,12 +1296,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING
 Boolean
 false
@@ -819,12 +1440,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -939,6 +1554,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -1077,12 +1704,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PLATFORM
 String
 
diff --git a/content/zh/docs/reference/commands/pilot-agent/index.html b/content/zh/docs/reference/commands/pilot-agent/index.html
index fb83f69191..b23f1aec0d 100644
--- a/content/zh/docs/reference/commands/pilot-agent/index.html
+++ b/content/zh/docs/reference/commands/pilot-agent/index.html
@@ -543,11 +543,6 @@ to enable it.  You can execute the following once:
    
 Insert tracing logs for each iptables rules, using the LOG chain. 
 
 
---iptables-version <string>
-
-version of iptables command. If not set, this is automatically detected.  (default ``)
-
-
 --istio-exclude-interfaces <string>
 -c
 Comma separated list of NIC (optional). Neither inbound nor outbound traffic will be captured.  (default ``)
@@ -1136,7 +1131,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -1224,6 +1219,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 ENVOY_PROMETHEUS_PORT
 Integer
 15090
@@ -1376,7 +1377,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -1576,12 +1577,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 OUTPUT_CERTS
 String
 
@@ -1738,12 +1733,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -1858,6 +1847,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -1996,12 +1997,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PKCS8_KEY
 Boolean
 false
diff --git a/content/zh/docs/reference/commands/pilot-discovery/index.html b/content/zh/docs/reference/commands/pilot-discovery/index.html
index e3485865b2..3ba1c0516d 100644
--- a/content/zh/docs/reference/commands/pilot-discovery/index.html
+++ b/content/zh/docs/reference/commands/pilot-discovery/index.html
@@ -269,12 +269,12 @@ to enable it.  You can execute the following once:
    
 
 --log_caller <string>
 
-Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle]  (default ``)
+Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle]  (default ``)
 
 
 --log_output_level <string>
 
-Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
+Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)
 
 
 --log_rotate <string>
@@ -299,7 +299,7 @@ to enable it.  You can execute the following once:
    
 
 --log_stacktrace_level <string>
 
-Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
+Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpcgen, ingress status, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)
 
 
 --log_target <stringArray>
@@ -535,7 +535,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ENABLE_ENHANCED_RESOURCE_SCOPING
 Boolean
-false
+true
 If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
 
 
@@ -623,6 +623,12 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 If enabled, the TLS configuration on Sidecar.ingress will take effect
 
 
+ENABLE_VTPROTOBUF
+Boolean
+false
+If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
+
+
 EXTERNAL_CA
 String
 
@@ -709,7 +715,7 @@ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fip
 
 ISTIO_DELTA_XDS
 Boolean
-false
+true
 If enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
 
 
@@ -813,12 +819,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, istiod will skip verifying the certificate of the JWKS server.
 
 
-JWT_POLICY
-String
-third-party-jwt
-The JWT validation policy.
-
-
 JWT_RULE
 String
 
@@ -897,12 +897,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
 
 
-NATIVE_METADATA_EXCHANGE
-Boolean
-true
-If set, uses a native implementation of the HTTP metadata exchange filter
-
-
 PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING
 Boolean
 false
@@ -1047,12 +1041,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, HBONE support can be configured for proxies. Note: proxies must opt in on a per-proxy basis with ENABLE_HBONE to actually get HBONE config, in addition to this flag.
 
 
-PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
-Boolean
-true
-If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
-
-
 PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES
 Boolean
 true
@@ -1167,6 +1155,18 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
 
 
+PILOT_GATEWAY_API_CONTROLLER_NAME
+String
+istio.io/gateway-controller
+Gateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
+
+
+PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME
+String
+istio
+Name of the default GatewayClass
+
+
 PILOT_HTTP10
 Boolean
 false
@@ -1305,12 +1305,6 @@ Only applies when traffic from all groups (i.e. "*") is being redirected
 If true, Pilot will collect metrics for XDS cache efficiency.
 
 
-PILOT_XDS_SEND_TIMEOUT
-Time Duration
-0s
-The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.
-
-
 PLATFORM
 String
 
diff --git a/content/zh/docs/reference/config/annotations/index.html b/content/zh/docs/reference/config/annotations/index.html
index 4822b90cd3..bf65058a5b 100644
--- a/content/zh/docs/reference/config/annotations/index.html
+++ b/content/zh/docs/reference/config/annotations/index.html
@@ -28,7 +28,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation 'galley.istio.io/analyze-suppress=IST0108,IST0103'. If the value is '*', then all configuration analysis messages are suppressed.
+      
    A comma separated list of configuration analysis message codes to suppress when Istio analyzers are run. For example, to suppress reporting of IST0103 (PodMissingProxy) and IST0108 (UnknownAnnotation) on a resource, apply the annotation ‘galley.istio.io/analyze-suppress=IST0108,IST0103’. If the value is ‘*’, then all configuration analysis messages are suppressed.
    
+
     
   
 
@@ -49,7 +50,8 @@ Istio supports to control its behavior.
     
     
       Description
-      The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information.
+      
    The name of the inject template(s) to use, as a comma separate list. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental for more information.
    
+
     
   
 
@@ -70,7 +72,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Represents the name of the chart used to create this resource.
+      
    Represents the name of the chart used to create this resource.
    
+
     
   
 
@@ -91,7 +94,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Represents the generation to which the resource was last reconciled.
+      
    Represents the generation to which the resource was last reconciled.
    
+
     
   
 
@@ -112,7 +116,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Represents the Istio version associated with the resource
+      
    Represents the Istio version associated with the resource
    
+
     
   
 
@@ -133,7 +138,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information.
+      
    Specifies whether or not the given resource is in dry-run mode. See https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/ for more information.
    
+
     
   
 
@@ -154,7 +160,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision.
+      
    Specifies a control plane revision to which a given proxy is connected. This annotation is added automatically, not set by a user. In contrary to the label istio.io/rev, it represents the actual revision, not the requested revision.
    
+
     
   
 
@@ -175,7 +182,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Annotation on an Ingress resources denoting the class of controllers responsible for it.
+      
    Annotation on an Ingress resources denoting the class of controllers responsible for it.
    
+
     
   
 
@@ -196,7 +204,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace.
+      
    Specifies the namespaces to which this service should be exported to. A value of ‘*’ indicates it is reachable within the mesh ‘.’ indicates it is reachable within its namespace.
    
+
     
   
 
@@ -217,7 +226,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies if application Prometheus metric will be merged with Envoy metrics for this workload.
+      
    Specifies if application Prometheus metric will be merged with Envoy metrics for this workload.
    
+
     
   
 
@@ -238,7 +248,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig.
+      
    Overrides for the proxy configuration for this specific proxy. Available options can be found at https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig.
    
+
     
   
 
@@ -259,7 +270,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic.
+      
    Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic.
    
+
     
   
 
@@ -280,7 +292,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the failure threshold for the Envoy sidecar readiness probe.
+      
    Specifies the failure threshold for the Envoy sidecar readiness probe.
    
+
     
   
 
@@ -301,7 +314,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe.
+      
    Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe.
    
+
     
   
 
@@ -322,7 +336,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the period (in seconds) for the Envoy sidecar readiness probe.
+      
    Specifies the period (in seconds) for the Envoy sidecar readiness probe.
    
+
     
   
 
@@ -343,7 +358,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the log output level for pilot-agent.
+      
    Specifies the log output level for pilot-agent.
    
+
     
   
 
@@ -364,7 +380,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies an alternative Envoy bootstrap configuration file.
+      
    Specifies an alternative Envoy bootstrap configuration file.
    
+
     
   
 
@@ -385,7 +402,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the component log level for Envoy.
+      
    Specifies the component log level for Envoy.
    
+
     
   
 
@@ -406,7 +424,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections.
+      
    Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections.
    
+
     
   
 
@@ -427,7 +446,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the XDS discovery address to be used by the Envoy sidecar.
+      
    Specifies the XDS discovery address to be used by the Envoy sidecar.
    
+
     
   
 
@@ -448,7 +468,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not an Envoy sidecar should enable core dump.
+      
    Specifies whether or not an Envoy sidecar should enable core dump.
    
+
     
   
 
@@ -469,7 +490,8 @@ Istio supports to control its behavior.
     
     
       Description
-      An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.
+      
    An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.
    
+
     
   
 
@@ -490,7 +512,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of `sidecar.istio.io/inject` label.
+      
    Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of sidecar.istio.io/inject label.
    
+
     
   
 
@@ -511,7 +534,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).
+      
    Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY).
    
+
     
   
 
@@ -532,7 +556,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the log level for Envoy.
+      
    Specifies the log level for Envoy.
    
+
     
   
 
@@ -553,7 +578,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the requested CPU setting for the Envoy sidecar.
+      
    Specifies the requested CPU setting for the Envoy sidecar.
    
+
     
   
 
@@ -574,7 +600,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the CPU limit for the Envoy sidecar.
+      
    Specifies the CPU limit for the Envoy sidecar.
    
+
     
   
 
@@ -595,7 +622,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the Docker image to be used by the Envoy sidecar.
+      
    Specifies the Docker image to be used by the Envoy sidecar.
    
+
     
   
 
@@ -616,7 +644,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag.
+      
    Specifies the Docker image type to be used by the Envoy sidecar. Istio publishes debug and distroless image types for every release tag.
    
+
     
   
 
@@ -637,7 +666,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the requested memory setting for the Envoy sidecar.
+      
    Specifies the requested memory setting for the Envoy sidecar.
    
+
     
   
 
@@ -658,7 +688,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the memory limit for the Envoy sidecar.
+      
    Specifies the memory limit for the Envoy sidecar.
    
+
     
   
 
@@ -679,7 +710,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar.
+      
    Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar.
    
+
     
   
 
@@ -700,7 +732,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. `{"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}`. Default buckets are `[0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000]`.
+      
    Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. {"istiocustom":[1,5,10,50,100,500,1000,5000,10000],"cluster.xds-grpc":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}. Default buckets are [0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000].
    
+
     
   
 
@@ -721,7 +754,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.
+      
    Specifies the comma separated list of prefixes of the stats to be emitted by Envoy.
    
+
     
   
 
@@ -742,7 +776,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.
+      
    Specifies the comma separated list of regexes the stats should match to be emitted by Envoy.
    
+
     
   
 
@@ -763,7 +798,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.
+      
    Specifies the comma separated list of suffixes of the stats to be emitted by Envoy.
    
+
     
   
 
@@ -784,7 +820,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources.
+      
    Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources.
    
+
     
   
 
@@ -805,7 +842,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar.
+      
    Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar.
    
+
     
   
 
@@ -826,7 +864,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar.
+      
    Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar.
    
+
     
   
 
@@ -847,7 +886,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status.
+      
    Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status.
    
+
     
   
 
@@ -868,7 +908,162 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters.
+      
    A comma-separated list of clusters (or * for any) running istiod that should attempt leader election for a remote cluster thats system namespace includes this annotation. Istiod will not attempt to lead unannotated remote clusters.
    
+
+    
+  
+
+
    traffic.istio.io/excludeInboundPorts
    
+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
    Nametraffic.istio.io/excludeInboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description
    A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.
    
+
    
+
    traffic.istio.io/excludeInterfaces
    
+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
    Nametraffic.istio.io/excludeInterfaces
    Feature StatusAlpha
    Resource Types[Pod]
    Description
    A comma separated list of interfaces to be excluded from Istio traffic capture
    
+
    
+
    traffic.istio.io/excludeOutboundIPRanges
    
+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
    Nametraffic.istio.io/excludeOutboundIPRanges
    Feature StatusAlpha
    Resource Types[Pod]
    Description
    A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.
    
+
    
+
    traffic.istio.io/excludeOutboundPorts
    
+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
    Nametraffic.istio.io/excludeOutboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description
    A comma separated list of outbound ports to be excluded from redirection to Envoy.
    
+
    
+
    traffic.istio.io/includeInboundPorts
    
+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
    Nametraffic.istio.io/includeInboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description
    A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.
    
+
    
+
    traffic.istio.io/includeOutboundIPRanges
    
+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
    Nametraffic.istio.io/includeOutboundIPRanges
    Feature StatusAlpha
    Resource Types[Pod]
    Description
    A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.
    
+
    
+
    traffic.istio.io/includeOutboundPorts
    
+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
    Nametraffic.istio.io/includeOutboundPorts
    Feature StatusAlpha
    Resource Types[Pod]
    Description
    A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.
    
+    		
     
    
       
 
    
@@ -889,7 +1084,8 @@ Istio supports to control its behavior.
     
     
       Description
-      This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication.
+      
    This annotation is a set of node-labels (key1=value,key2=value). If the annotated Service is of type NodePort and is a multi-network gateway (see topology.istio.io/network), the addresses for selected nodes will be used for cross-network communication.
    
+
     
   
 
@@ -910,7 +1106,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected.
+      
    A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. ‘*’) is being redirected.
    
+
     
   
 
@@ -931,7 +1128,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of interfaces to be excluded from Istio traffic capture
+      
    A comma separated list of interfaces to be excluded from Istio traffic capture
    
+
     
   
 
@@ -952,7 +1150,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected.
+      
    A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. ‘*’) is being redirected.
    
+
     
   
 
@@ -973,7 +1172,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of outbound ports to be excluded from redirection to Envoy.
+      
    A comma separated list of outbound ports to be excluded from redirection to Envoy.
    
+
     
   
 
@@ -994,7 +1194,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection.
+      
    A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character ‘*’ can be used to configure redirection for all ports. An empty list will disable all inbound redirection.
    
+
     
   
 
@@ -1015,7 +1216,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.
+      
    A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character ‘*’ can be used to redirect all outbound traffic. An empty list will disable all outbound redirection.
    
+
     
   
 
@@ -1036,7 +1238,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.
+      
    A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP.
    
+
     
   
 
@@ -1057,7 +1260,8 @@ Istio supports to control its behavior.
     
     
       Description
-      A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.
+      
    A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.
    
+
     
   
 
\ No newline at end of file
diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html
index 7974ac8579..6f0a4130e1 100644
--- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html
+++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html
@@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 weight: 20
-number_of_entries: 66
+number_of_entries: 73
 ---
 
    Configuration affecting the service mesh as a whole.
    
 
@@ -243,6 +243,19 @@ monitored. Can be overridden at a Sidecar level by setting the
 API.
 Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.
    
 
+
+
+No
+
+
+
+inboundTrafficPolicy
+InboundTrafficPolicy
+
+
    Set the default behavior of the sidecar for handling inbound
+traffic to the application.  If your application listens on
+localhost, you will need to set this to LOCALHOST.
    
+
 
 
 No
@@ -725,6 +738,30 @@ No
 
 
 
    
+
    MeshConfig.InboundTrafficPolicy
    
+
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FieldTypeDescriptionRequired
    modeMode
+
+No
+
    
+
    
 
    MeshConfig.CertificateData
    
 
    
 
@@ -1352,17 +1389,6 @@ No
 
    Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
 The default status is “403” (HTTP Forbidden).
    
 
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    
-No
-
    includeHeadersInCheckstring[]
-
    DEPRECATED. Use include_request_headers_in_check instead.
    
-
     		
 
 No
@@ -1482,6 +1508,17 @@ except the presence match):
    
 
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • 
 
 
+    		
+No
+
    includeHeadersInCheckstring[]
+
    DEPRECATED. Use include_request_headers_in_check instead.
    
+
     		
 
 No
@@ -2280,6 +2317,208 @@ No
 
    Optional. Controls the overall path length allowed in a reported span.
 NOTE: currently only controls max length of the path tag.
    
 
+    		
+No
+
    httpHttpService
+
    Optional. Specifies the configuration for exporting OTLP traces via HTTP.
+When empty, traces will be exported via gRPC.
    
+
    The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:
    
+
      
+
    1. Add/change the OpenTelemetry extension provider in MeshConfig
      2. 
+
    
+
    - name: otel-tracing
+  opentelemetry:
+    port: 443
+    service: my.olly-backend.com
+    http:
+      path: "/api/otlp/traces"
+      timeout: 10s
+      headers:
+      - name: "my-custom-header"
+        value: "some value"
+
    
+
      
+
    1. Deploy a ServiceEntry for the observability back-end
      2. 
+
    
+
    apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: my-olly-backend
+spec:
+  hosts:
+  - my.olly-backend.com
+  ports:
+  - number: 443
+    name: https-port
+    protocol: HTTPS
+  resolution: DNS
+  location: MESH_EXTERNAL
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: my-olly-backend
+spec:
+  host: my.olly-backend.com
+  trafficPolicy:
+    portLevelSettings:
+    - port:
+        number: 443
+      tls:
+        mode: SIMPLE
+
    
+
+    		
+No
+
    resourceDetectorsResourceDetectors
+
    Optional. Specifies Resource Detectors
+to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
+according to the OpenTelemetry Resource specification.
    
+
    The following example shows how to configure the Environment Resource Detector, that will
+read the attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES:
    
+
    - name: otel-tracing
+  opentelemetry:
+    port: 443
+    service: my.olly-backend.com
+    resource_detectors:
+      environment: {}
+
    
+
+    		
+No
+
    
+
    
+
    MeshConfig.ExtensionProvider.HttpService
    
+
    
+
    Defines configuration for an HTTP service that can be used by an Extension Provider.
+that does communication via HTTP.
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FieldTypeDescriptionRequired
    pathstring
+
    REQUIRED. Specifies the path on the service.
    
+
+    		
+No
+
    timeoutDuration
+
    Optional. Specifies the timeout for the HTTP request.
+If not specified, the default is 3s.
    
+
+    		
+No
+
    headersHttpHeader[]
+
    Optional. Allows specifying custom HTTP headers that will be added
+to each HTTP request sent.
    
+
+    		
+No
+
    
+
    
+
    MeshConfig.ExtensionProvider.HttpHeader
    
+
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FieldTypeDescriptionRequired
    namestring
+
    REQUIRED. The HTTP header name.
    
+
+    		
+No
+
    valuestring
+
    REQUIRED. The HTTP header value.
    
+
+    		
+No
+
    
+
    
+
    MeshConfig.ExtensionProvider.ResourceDetectors
    
+
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    FieldTypeDescriptionRequired
    environmentEnvironmentResourceDetector
+
+No
+
    dynatraceDynatraceResourceDetector
 
 
 No
@@ -2422,6 +2661,22 @@ No
 
    
     
 
    
+
    
+
    MeshConfig.ExtensionProvider.ResourceDetectors.EnvironmentResourceDetector
    
+
    
+
    OpenTelemetry Environment Resource Detector.
+The resource detector reads attributes from the environment variable OTEL_RESOURCE_ATTRIBUTES
+and adds them to the OpenTelemetry resource.
    
+
    See: Resource specification
    
+
+
    
+
    MeshConfig.ExtensionProvider.ResourceDetectors.DynatraceResourceDetector
    
+
    
+
    Dynatrace Resource Detector.
+The resource detector reads from the Dynatrace enrichment files
+and adds host/process related attributes to the OpenTelemetry resource.
    
+
    See: Enrich ingested data with Dynatrace-specific dimensions
    
+
 
    
 
    k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector
    
 
    
@@ -3958,6 +4213,35 @@ service registry as well as those defined through ServiceEntries
    
 
    outbound traffic to unknown destinations will be allowed, in case
 there are no services or ServiceEntries for the destination port
    
 
+
+
+
+
+
    
+
    MeshConfig.InboundTrafficPolicy.Mode
    
+
    
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/content/zh/docs/reference/config/labels/index.html b/content/zh/docs/reference/config/labels/index.html
index d492883f2b..23f1dd1d7e 100644
--- a/content/zh/docs/reference/config/labels/index.html
+++ b/content/zh/docs/reference/config/labels/index.html
@@ -28,7 +28,8 @@ Istio supports to control its behavior.
     
-      
+      
    NameDescription
    PASSTHROUGH
+
    inbound traffic will be passed through to the destination listening
+on Pod IP. This matches the behavior without Istio enabled at all
+allowing proxy to be transparent.
    
+
+
    LOCALHOST
+
    inbound traffic will be sent to the destinations listening on localhost.
    
+
     		
 
    
     
     
    
       DescriptionIstio control plane revision associated with the resource; e.g. `canary`
    Istio control plane revision associated with the resource; e.g. canary
    
+    		
     
    
       
 
    
@@ -49,7 +50,8 @@ Istio supports to control its behavior.
     
     
       Description
-      IstioGatewayPortLabel overrides the default 15443 value to use for a multi-network gateway's port
+      
    IstioGatewayPortLabel overrides the default 15443 value to use for a multi-network gateway’s port
    
+
     
   
 
@@ -70,7 +72,8 @@ Istio supports to control its behavior.
     
     
       Description
-      The name of the canonical service a workload belongs to
+      
    The name of the canonical service a workload belongs to
    
+
     
   
 
@@ -91,7 +94,8 @@ Istio supports to control its behavior.
     
     
       Description
-      The name of a revision within a canonical service that the workload belongs to
+      
    The name of a revision within a canonical service that the workload belongs to
    
+
     
   
 
@@ -112,7 +116,8 @@ Istio supports to control its behavior.
     
     
       Description
-      Specifies whether or not an Envoy sidecar should be automatically injected into the workload.
+      
    Specifies whether or not an Envoy sidecar should be automatically injected into the workload.
    
+
     
   
 
@@ -133,7 +138,8 @@ Istio supports to control its behavior.
     
     
       Description
-      This label is applied to a workload internally that identifies the Kubernetes cluster containing the workload. The cluster ID is specified during Istio installation for each cluster via `values.global.multiCluster.clusterName`. It should be noted that this is only used internally within Istio and is not an actual label on workload pods. If a pod contains this label, it will be overridden by Istio internally with the cluster ID specified during Istio installation. This label provides a way to select workloads by cluster when using DestinationRules. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently.
+      
    This label is applied to a workload internally that identifies the Kubernetes cluster containing the workload. The cluster ID is specified during Istio installation for each cluster via values.global.multiCluster.clusterName. It should be noted that this is only used internally within Istio and is not an actual label on workload pods. If a pod contains this label, it will be overridden by Istio internally with the cluster ID specified during Istio installation. This label provides a way to select workloads by cluster when using DestinationRules. For example, a service owner could create a DestinationRule containing a subset per cluster and then use these subsets to control traffic flow to each cluster independently.
    
+
     
   
 
@@ -154,7 +160,37 @@ Istio supports to control its behavior.
     
     
       Description
-      A label used to identify the network for one or more pods. This is used
    internally by Istio to group pods resident in the same L3 domain/network.
    Istio assumes that pods in the same network are directly reachable from
    one another. When pods are in different networks, an Istio Gateway
    (e.g. east-west gateway) is typically used to establish connectivity
    (with AUTO_PASSTHROUGH mode). This label can be applied to the following
    resources to help automate Istio's multi-network configuration.

    * Istio System Namespace: Applying this label to the system namespace
      establishes a default network for pods managed by the control plane.
      This is typically configured during control plane installation using an
      admin-specified value.

    * Pod: Applying this label to a pod allows overriding the default network
      on a per-pod basis. This is typically applied to the pod via webhook
      injection, but can also be manually specified on the pod by the service
      owner. The Istio installation in each cluster configures webhook injection
      using an admin-specified value.

    * Gateway Service: Applying this label to the Service for an Istio Gateway,
      indicates that Istio should use this service as the gateway for the
      network, when configuring cross-network traffic. Istio will configure
      pods residing outside of the network to access the Gateway service
      via `spec.externalIPs`, `status.loadBalancer.ingress[].ip`, or in the case
      of a NodePort service, the Node's address. The label is configured when
      installing the gateway (e.g. east-west gateway) and should match either
      the default network for the control plane (as specified by the Istio System
      Namespace label) or the network of the targeted pods.
+      
    A label used to identify the network for one or more pods. This is used
+internally by Istio to group pods resident in the same L3 domain/network.
+Istio assumes that pods in the same network are directly reachable from
+one another. When pods are in different networks, an Istio Gateway
+(e.g. east-west gateway) is typically used to establish connectivity
+(with AUTO_PASSTHROUGH mode). This label can be applied to the following
+resources to help automate Istio’s multi-network configuration.
    
+
+
      
+
    • Istio System Namespace: Applying this label to the system namespace
+establishes a default network for pods managed by the control plane.
+This is typically configured during control plane installation using an
+admin-specified value.
      • 
+
+
    • Pod: Applying this label to a pod allows overriding the default network
+on a per-pod basis. This is typically applied to the pod via webhook
+injection, but can also be manually specified on the pod by the service
+owner. The Istio installation in each cluster configures webhook injection
+using an admin-specified value.
      • 
+
+
    • Gateway Service: Applying this label to the Service for an Istio Gateway,
+indicates that Istio should use this service as the gateway for the
+network, when configuring cross-network traffic. Istio will configure
+pods residing outside of the network to access the Gateway service
+via spec.externalIPs, status.loadBalancer.ingress[].ip, or in the case
+of a NodePort service, the Node’s address. The label is configured when
+installing the gateway (e.g. east-west gateway) and should match either
+the default network for the control plane (as specified by the Istio System
+Namespace label) or the network of the targeted pods.
      • 
+
    
+
     
   
 
@@ -175,7 +211,8 @@ Istio supports to control its behavior.
     
     
       Description
-      User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones.
+      
    User-provided node label for identifying the locality subzone of a workload. This allows admins to specify a more granular level of locality than what is offered by default with Kubernetes regions and zones.
    
+
     
   
 
\ No newline at end of file
diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html
index f1d9368024..c9dd4d0799 100644
--- a/content/zh/docs/reference/config/networking/destination-rule/index.html
+++ b/content/zh/docs/reference/config/networking/destination-rule/index.html
@@ -16,20 +16,6 @@ for load balancing, connection pool size from the sidecar, and outlier
 detection settings to detect and evict unhealthy hosts from the load
 balancing pool. For example, a simple load balancing policy for the
 ratings service would look as follows:
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_REQUEST
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -40,34 +26,11 @@ spec:
     loadBalancer:
       simple: LEAST_REQUEST
 
    
-
    {{}}
-{{}}
    
 
    Version specific policies can be specified by defining a named
 subset and overriding the settings specified at the service level. The
 following rule uses a round robin load balancing policy for all traffic
 going to a subset named testversion that is composed of endpoints (e.g.,
 pods) with labels (version:v3).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_REQUEST
-  subsets:
-  - name: testversion
-    labels:
-      version: v3
-    trafficPolicy:
-      loadBalancer:
-        simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -85,35 +48,12 @@ spec:
       loadBalancer:
         simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    Note: Policies specified for subsets will not take effect until
 a route rule explicitly sends traffic to this subset.
    
 
    Traffic policies can be customized to specific ports as well. The
 following rule uses the least connection load balancing policy for all
 traffic to port 80, while uses a round robin load balancing setting for
 traffic to the port 9080.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings-port
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy: # Apply to all ports
-    portLevelSettings:
-    - port:
-        number: 80
-      loadBalancer:
-        simple: LEAST_REQUEST
-    - port:
-        number: 9080
-      loadBalancer:
-        simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -131,34 +71,9 @@ spec:
       loadBalancer:
         simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    Destination Rules can be customized to specific workloads as well.
 The following example shows how a destination rule can be applied to a
 specific workload using the workloadSelector configuration.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: configure-client-mtls-dr-with-workloadselector
-spec:
-  host: example.com
-  workloadSelector:
-    matchLabels:
-      app: ratings
-  trafficPolicy:
-    loadBalancer:
-      simple: ROUND_ROBIN
-    portLevelSettings:
-    - port:
-        number: 31443
-      tls:
-        credentialName: client-credential
-        mode: MUTUAL
-
    
-
    {{}}
-{{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -178,8 +93,6 @@ spec:
         credentialName: client-credential
         mode: MUTUAL
 
    
-
    {{}}
-{{}}
    
 
 
    DestinationRule
    
 
    
@@ -398,27 +311,6 @@ service-level can be overridden at a subset-level. The following rule
 uses a round robin load balancing policy for all traffic going to a
 subset named testversion that is composed of endpoints (e.g., pods) with
 labels (version:v3).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: LEAST_REQUEST
-  subsets:
-  - name: testversion
-    labels:
-      version: v3
-    trafficPolicy:
-      loadBalancer:
-        simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -436,8 +328,6 @@ spec:
       loadBalancer:
         simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    Note: Policies specified for subsets will not take effect until
 a route rule explicitly sends traffic to this subset.
    
 
    One or more labels are typically required to identify the subset destination,
@@ -505,20 +395,6 @@ load balancing
 for more details.
    
 
    For example, the following rule uses a round robin load balancing policy
 for all traffic going to the ratings service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      simple: ROUND_ROBIN
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -529,28 +405,9 @@ spec:
     loadBalancer:
       simple: ROUND_ROBIN
 
    
-
    {{}}
-{{}}
    
 
    The following example sets up sticky sessions for the ratings service
 hashing-based load balancer for the same ratings service using the
 the User cookie as the hash key.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-ratings
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    loadBalancer:
-      consistentHash:
-        httpCookie:
-          name: user
-          ttl: 0s
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -564,8 +421,6 @@ spec:
           name: user
           ttl: 0s
 
    
-
    {{}}
-{{}}
    
 
 
@@ -637,25 +492,6 @@ for more details. Connection pool settings can be applied at the TCP
 level as well as at HTTP level.
    For example, the following rule sets a limit of 100 connections to redis
 service called myredissrv with a connect timeout of 30ms
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: bookinfo-redis
-spec:
-  host: myredissrv.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-        connectTimeout: 30ms
-        tcpKeepalive:
-          time: 7200s
-          interval: 75s
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -671,8 +507,6 @@ spec:
           time: 7200s
           interval: 75s
 
    
-
    {{}}
-{{}}
    
 
 
 
 
 
    
@@ -725,28 +559,6 @@ with no more than 10 req/connection to the “reviews” service. In add
 it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
 hosts to be scanned every 5 mins so that any host that fails 7 consecutive
 times with a 502, 503, or 504 error code will be ejected for 15 minutes.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-cb-policy
-spec:
-  host: reviews.prod.svc.cluster.local
-  trafficPolicy:
-    connectionPool:
-      tcp:
-        maxConnections: 100
-      http:
-        http2MaxRequests: 1000
-        maxRequestsPerConnection: 10
-    outlierDetection:
-      consecutive5xxErrors: 7
-      interval: 5m
-      baseEjectionTime: 15m
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -765,8 +577,6 @@ spec:
       interval: 5m
       baseEjectionTime: 15m
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -918,23 +728,6 @@ context
 for more details. These settings are common to both HTTP and TCP upstreams.
    For example, the following rule configures a client to use mutual TLS
 for connections to upstream database cluster.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: db-mtls
-spec:
-  host: mydbserver.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: MUTUAL
-      clientCertificate: /etc/certs/myclientcert.pem
-      privateKey: /etc/certs/client_private_key.pem
-      caCertificates: /etc/certs/rootcacerts.pem
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -948,24 +741,8 @@ spec:
       privateKey: /etc/certs/client_private_key.pem
       caCertificates: /etc/certs/rootcacerts.pem
 
    
-
    {{}}
-{{}}
    The following rule configures a client to use TLS when talking to a
 foreign service whose domain matches *.foo.com.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: tls-foo
-spec:
-  host: "*.foo.com"
-  trafficPolicy:
-    tls:
-      mode: SIMPLE
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -976,24 +753,8 @@ spec:
     tls:
       mode: SIMPLE
 
    
-
    {{}}
-{{}}
    The following rule configures a client to use Istio mutual TLS when talking
 to rating services.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: ratings-istio-mtls
-spec:
-  host: ratings.prod.svc.cluster.local
-  trafficPolicy:
-    tls:
-      mode: ISTIO_MUTUAL
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1004,8 +765,6 @@ spec:
     tls:
       mode: ISTIO_MUTUAL
 
    
-
    {{}}
-{{}}
    
 
 
 
 
 
 
 
 
 
    
@@ -1145,6 +904,21 @@ SAN will be skipped.
    
 be true by default in a later version where, going forward, it will be
 enabled by default.
    
 
+
+
+
+
+
+
+
    
 
    
+No
+
    caCrlstring
+
    OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+to use in verifying a presented server certificate. CRL is a list of certificates
+that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+If omitted, the proxy will not verify the certificate against the crl.
    
+
     		
 
 No
@@ -1272,6 +1046,7 @@ The following labels which have special semantic meaning are also supported:
    
 
  • topology.kubernetes.io/region is used to match the region metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/region or the deprecated label failure-domain.beta.kubernetes.io/region.
    • 
 
  • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
    • 
 
  • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
    • 
+
  • kubernetes.io/hostname is used to match the current node of an endpoint, which maps to Kubernetes node label kubernetes.io/hostname.
    • 
 
 
    The below topology config indicates the following priority levels:
    
 
    failoverPriority:
diff --git a/content/zh/docs/reference/config/networking/gateway/index.html b/content/zh/docs/reference/config/networking/gateway/index.html
index cc65b02388..ea23a434ba 100644
--- a/content/zh/docs/reference/config/networking/gateway/index.html
+++ b/content/zh/docs/reference/config/networking/gateway/index.html
@@ -20,61 +20,6 @@ as a load balancer exposing port 80 and 9080 (http), 443 (https),
 applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen
 on these ports, it is the responsibility of the user to ensure that
 external traffic to these ports are allowed into the mesh.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-gateway
-  namespace: some-config-namespace
-spec:
-  selector:
-    app: my-gateway-controller
-  servers:
-  - port:
-      number: 80
-      name: http
-      protocol: HTTP
-    hosts:
-    - uk.bookinfo.com
-    - eu.bookinfo.com
-    tls:
-      httpsRedirect: true # sends 301 redirect for http requests
-  - port:
-      number: 443
-      name: https-443
-      protocol: HTTPS
-    hosts:
-    - uk.bookinfo.com
-    - eu.bookinfo.com
-    tls:
-      mode: SIMPLE # enables HTTPS on this port
-      serverCertificate: /etc/certs/servercert.pem
-      privateKey: /etc/certs/privatekey.pem
-  - port:
-      number: 9443
-      name: https-9443
-      protocol: HTTPS
-    hosts:
-    - "bookinfo-namespace/*.bookinfo.com"
-    tls:
-      mode: SIMPLE # enables HTTPS on this port
-      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
-  - port:
-      number: 9080
-      name: http-wildcard
-      protocol: HTTP
-    hosts:
-    - "*"
-  - port:
-      number: 2379 # to expose internal service via external port 2379
-      name: mongo
-      protocol: MONGO
-    hosts:
-    - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -126,8 +71,6 @@ spec:
     hosts:
     - "*"
 
    
-
    {{}}
-{{}}
    
 
    The Gateway specification above describes the L4-L6 properties of a load
 balancer. A VirtualService can then be bound to a gateway to control
 the forwarding of traffic arriving at a particular host or gateway port.
    
@@ -141,46 +84,6 @@ in the qa version. The same rule is also applicable inside the mesh for
 requests to the “reviews.prod.svc.cluster.local” service. This rule is
 applicable across ports 443, 9080. Note that http://uk.bookinfo.com
 gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-rule
-  namespace: bookinfo-namespace
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  - uk.bookinfo.com
-  - eu.bookinfo.com
-  gateways:
-  - some-config-namespace/my-gateway
-  - mesh # applies to all the sidecars in the mesh
-  http:
-  - match:
-    - headers:
-        cookie:
-          exact: "user=dev-123"
-    route:
-    - destination:
-        port:
-          number: 7777
-        host: reviews.qa.svc.cluster.local
-  - match:
-    - uri:
-        prefix: /reviews/
-    route:
-    - destination:
-        port:
-          number: 9080 # can be omitted if it's the only port for reviews
-        host: reviews.prod.svc.cluster.local
-      weight: 80
-    - destination:
-        host: reviews.qa.svc.cluster.local
-      weight: 20
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -217,35 +120,10 @@ spec:
         host: reviews.qa.svc.cluster.local
       weight: 20
 
    
-
    {{}}
-{{}}
    
 
    The following VirtualService forwards traffic arriving at (external)
 port 27017 to internal Mongo server on port 5555. This rule is not
 applicable internally in the mesh as the gateway list omits the
 reserved name mesh.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-mongo
-  namespace: bookinfo-namespace
-spec:
-  hosts:
-  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
-  gateways:
-  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same namespace as virtual service.
-  tcp:
-  - match:
-    - port: 27017
-    route:
-    - destination:
-        host: mongo.prod.svc.cluster.local
-        port:
-          number: 5555
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -265,34 +143,11 @@ spec:
         port:
           number: 5555
 
    
-
    {{}}
-{{}}
    
 
    It is possible to restrict the set of virtual services that can bind to
 a gateway server using the namespace/hostname syntax in the hosts field.
 For example, the following Gateway allows any virtual service in the ns1
 namespace to bind to it, while restricting only the virtual service with
 foo.bar.com host in the ns2 namespace to bind to it.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-gateway
-  namespace: some-config-namespace
-spec:
-  selector:
-    app: my-gateway-controller
-  servers:
-  - port:
-      number: 80
-      name: http
-      protocol: HTTP
-    hosts:
-    - "ns1/*"
-    - "ns2/foo.bar.com"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -310,8 +165,6 @@ spec:
     - "ns1/*"
     - "ns2/foo.bar.com"
 
    
-
    {{}}
-{{}}
    
 
 
    Gateway
    
 
    
@@ -368,25 +221,6 @@ No
 
    
 
    Server describes the properties of the proxy on a given load balancer
 port. For example,
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-ingress
-spec:
-  selector:
-    app: my-ingressgateway
-  servers:
-  - port:
-      number: 80
-      name: http2
-      protocol: HTTP2
-    hosts:
-    - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -402,28 +236,7 @@ spec:
     hosts:
     - "*"
 
    
-
    {{}}
-{{}}
    
 
    Another example
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-tcp-ingress
-spec:
-  selector:
-    app: my-tcp-ingressgateway
-  servers:
-  - port:
-      number: 27018
-      name: mongo
-      protocol: MONGO
-    hosts:
-    - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -439,31 +252,7 @@ spec:
     hosts:
     - "*"
 
    
-
    {{}}
-{{}}
    
 
    The following is an example of TLS configuration for port 443
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
-  name: my-tls-ingress
-spec:
-  selector:
-    app: my-tls-ingressgateway
-  servers:
-  - port:
-      number: 443
-      name: https
-      protocol: HTTPS
-    hosts:
-    - "*"
-    tls:
-      mode: SIMPLE
-      credentialName: tls-cert
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -482,8 +271,6 @@ spec:
       mode: SIMPLE
       credentialName: tls-cert
 
    
-
    {{}}
-{{}}
    
 
 
@@ -712,6 +499,21 @@ No
 containing certificate authority certificates to use in verifying a presented
 client side certificate.
    
 
+
+
+
+
+
+
+
    
 
    
+No
+
    caCrlstring
+
    OPTIONAL: The path to the file containing the certificate revocation list (CRL)
+to use in verifying a presented client side certificate. CRL is a list of certificates
+that have been revoked by the CA (Certificate Authority) before their scheduled expiration date.
+If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
+If omitted, the proxy will not verify the certificate against the crl.
    
+
     		
 
 No
diff --git a/content/zh/docs/reference/config/networking/service-entry/index.html b/content/zh/docs/reference/config/networking/service-entry/index.html
index f188d824e2..c028231c07 100644
--- a/content/zh/docs/reference/config/networking/service-entry/index.html
+++ b/content/zh/docs/reference/config/networking/service-entry/index.html
@@ -28,26 +28,6 @@ services.
    
 
    The following example declares a few external APIs accessed by internal
 applications over HTTPS. The sidecar inspects the SNI value in the
 ClientHello message to route to the appropriate external service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-https
-spec:
-  hosts:
-  - api.dropboxapi.com
-  - www.googleapis.com
-  - api.facebook.com
-  location: MESH_EXTERNAL
-  ports:
-  - number: 443
-    name: https
-    protocol: TLS
-  resolution: DNS
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -64,35 +44,10 @@ spec:
     protocol: TLS
   resolution: DNS
 
    
-
    {{}}
-{{}}
    
 
    The following configuration adds a set of MongoDB instances running on
 unmanaged VMs to Istio’s registry, so that these services can be treated
 as any other service in the mesh. The associated DestinationRule is used
 to initiate mTLS connections to the database instances.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-mongocluster
-spec:
-  hosts:
-  - mymongodb.somedomain # not used
-  addresses:
-  - 192.192.192.192/24 # VIPs
-  ports:
-  - number: 27018
-    name: mongodb
-    protocol: MONGO
-  location: MESH_INTERNAL
-  resolution: STATIC
-  endpoints:
-  - address: 2.2.2.2
-  - address: 3.3.3.3
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -112,26 +67,7 @@ spec:
   - address: 2.2.2.2
   - address: 3.3.3.3
 
    
-
    {{}}
-{{}}
    
 
    and the associated DestinationRule
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: mtls-mongocluster
-spec:
-  host: mymongodb.somedomain
-  trafficPolicy:
-    tls:
-      mode: MUTUAL
-      clientCertificate: /etc/certs/myclientcert.pem
-      privateKey: /etc/certs/client_private_key.pem
-      caCertificates: /etc/certs/rootcacerts.pem
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -145,30 +81,9 @@ spec:
       privateKey: /etc/certs/client_private_key.pem
       caCertificates: /etc/certs/rootcacerts.pem
 
    
-
    {{}}
-{{}}
    
 
    The following example uses a combination of service entry and TLS
 routing in a virtual service to steer traffic based on the SNI value to
 an internal egress firewall.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-redirect
-spec:
-  hosts:
-  - wikipedia.org
-  - "*.wikipedia.org"
-  location: MESH_EXTERNAL
-  ports:
-  - number: 443
-    name: https
-    protocol: TLS
-  resolution: NONE
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -184,30 +99,7 @@ spec:
     protocol: TLS
   resolution: NONE
 
    
-
    {{}}
-{{}}
    
 
    And the associated VirtualService to route based on the SNI value.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: tls-routing
-spec:
-  hosts:
-  - wikipedia.org
-  - "*.wikipedia.org"
-  tls:
-  - match:
-    - sniHosts:
-      - wikipedia.org
-      - "*.wikipedia.org"
-    route:
-    - destination:
-        host: internal-egress-firewall.ns1.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -225,8 +117,6 @@ spec:
     - destination:
         host: internal-egress-firewall.ns1.svc.cluster.local
 
    
-
    {{}}
-{{}}
    
 
    The virtual service with TLS match serves to override the default SNI
 match. In the absence of a virtual service, traffic will be forwarded to
 the wikipedia domains.
    
@@ -237,27 +127,6 @@ declaration to other namespaces in the mesh. By default, a service is exported
 to all namespaces. The following example restricts the visibility to the
 current namespace, represented by “.”, so that it cannot be used by other
 namespaces.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-httpbin
-  namespace : egress
-spec:
-  hosts:
-  - example.com
-  exportTo:
-  - "."
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: DNS
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -275,29 +144,7 @@ spec:
     protocol: HTTP
   resolution: DNS
 
    
-
    {{}}
-{{}}
    
 
    Define a gateway to handle all egress traffic.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Gateway
-metadata:
- name: istio-egressgateway
- namespace: istio-system
-spec:
- selector:
-   istio: egressgateway
- servers:
- - port:
-     number: 80
-     name: http
-     protocol: HTTP
-   hosts:
-   - "*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -314,47 +161,12 @@ spec:
    hosts:
    - "*"
 
    
-
    {{}}
-{{}}
    
 
    And the associated VirtualService to route from the sidecar to the
 gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
 well as route from the gateway to the external service. Note that the
 virtual service is exported to all namespaces enabling them to route traffic
 through the gateway to the external service. Forcing traffic to go through
 a managed middle proxy like this is a common practice.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: gateway-routing
-  namespace: egress
-spec:
-  hosts:
-  - example.com
-  exportTo:
-  - "*"
-  gateways:
-  - mesh
-  - istio-egressgateway
-  http:
-  - match:
-    - port: 80
-      gateways:
-      - mesh
-    route:
-    - destination:
-        host: istio-egressgateway.istio-system.svc.cluster.local
-  - match:
-    - port: 80
-      gateways:
-      - istio-egressgateway
-    route:
-    - destination:
-        host: example.com
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -384,30 +196,10 @@ spec:
     - destination:
         host: example.com
 
    
-
    {{}}
-{{}}
    
 
    The following example demonstrates the use of wildcards in the hosts for
 external services. If the connection has to be routed to the IP address
 requested by the application (i.e. application resolves DNS and attempts
 to connect to a specific IP), the resolution mode must be set to NONE.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-wildcard-example
-spec:
-  hosts:
-  - "*.bar.com"
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: NONE
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -422,31 +214,9 @@ spec:
     protocol: HTTP
   resolution: NONE
 
    
-
    {{}}
-{{}}
    
 
    The following example demonstrates a service that is available via a
 Unix Domain Socket on the host of the client. The resolution must be
 set to STATIC to use Unix address endpoints.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: unix-domain-socket-example
-spec:
-  hosts:
-  - "example.unix.local"
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: STATIC
-  endpoints:
-  - address: unix:///var/run/example/socket
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -463,8 +233,6 @@ spec:
   endpoints:
   - address: unix:///var/run/example/socket
 
    
-
    {{}}
-{{}}
    
 
    For HTTP-based services, it is possible to create a VirtualService
 backed by multiple DNS addressable endpoints. In such a scenario, the
 application can use the HTTP_PROXY environment variable to transparently
@@ -472,34 +240,6 @@ reroute API calls for the VirtualService to a chosen backend. For
 example, the following configuration creates a non-existent external
 service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
 uk.foo.bar.com:9080, and in.foo.bar.com:7080
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-dns
-spec:
-  hosts:
-  - foo.bar.com
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: DNS
-  endpoints:
-  - address: us.foo.bar.com
-    ports:
-      http: 8080
-  - address: uk.foo.bar.com
-    ports:
-      http: 9080
-  - address: in.foo.bar.com
-    ports:
-      http: 7080
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -524,8 +264,6 @@ spec:
     ports:
       http: 7080
 
    
-
    {{}}
-{{}}
    
 
    With HTTP_PROXY=http://localhost/, calls from the application to
 http://foo.bar.com will be load balanced across the three domains
 specified above. In other words, a call to http://foo.bar.com/baz would
@@ -533,30 +271,6 @@ be translated to http://uk.foo.bar.com/baz.
    
 
    The following example illustrates the usage of a ServiceEntry
 containing a subject alternate name
 whose format conforms to the SPIFFE standard:
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: httpbin
-  namespace : httpbin-ns
-spec:
-  hosts:
-  - example.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: STATIC
-  endpoints:
-  - address: 2.2.2.2
-  - address: 3.3.3.3
-  subjectAltNames:
-  - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -577,8 +291,6 @@ spec:
   subjectAltNames:
   - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
 
    
-
    {{}}
-{{}}
    
 
    The following example demonstrates the use of ServiceEntry with a
 workloadSelector to handle the migration of a service
 details.bookinfo.com from VMs to Kubernetes. The service has two
@@ -586,32 +298,6 @@ VM-based instances with sidecars as well as a set of Kubernetes
 pods managed by a standard deployment object. Consumers of this
 service in the mesh will be automatically load balanced across the
 VMs and Kubernetes.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-vm-1
-spec:
-  serviceAccount: details
-  address: 2.2.2.2
-  labels:
-    app: details
-    instance-id: vm1
----
-apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-vm-2
-spec:
-  serviceAccount: details
-  address: 3.3.3.3
-  labels:
-    app: details
-    instance-id: vm2
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -634,33 +320,10 @@ spec:
     app: details
     instance-id: vm2
 
    
-
    {{}}
-{{}}
    
 
    Assuming there is also a Kubernetes deployment with pod labels
 app: details using the same service account details, the
 following service entry declares a service spanning both VMs and
 Kubernetes:
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: details-svc
-spec:
-  hosts:
-  - details.bookinfo.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-  resolution: STATIC
-  workloadSelector:
-    labels:
-      app: details
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -678,8 +341,6 @@ spec:
     labels:
       app: details
 
    
-
    {{}}
-{{}}
    
 
 
    ServiceEntry
    
 
    
diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html
index e1f178e194..d1dd009985 100644
--- a/content/zh/docs/reference/config/networking/sidecar/index.html
+++ b/content/zh/docs/reference/config/networking/sidecar/index.html
@@ -48,21 +48,6 @@ in the root namespace called istio-config, that configures
 sidecars in all namespaces to allow egress traffic only to other
 workloads in the same namespace as well as to services in the
 istio-system namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: default
-  namespace: istio-config
-spec:
-  egress:
-  - hosts:
-    - "./*"
-    - "istio-system/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -74,29 +59,11 @@ spec:
     - "./*"
     - "istio-system/*"
 
    
-
    {{}}
-{{}}
    
 
    The example below declares a Sidecar configuration in the
 prod-us1 namespace that overrides the global default defined
 above, and configures the sidecars in the namespace to allow egress
 traffic to public services in the prod-us1, prod-apis, and the
 istio-system namespaces.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: default
-  namespace: prod-us1
-spec:
-  egress:
-  - hosts:
-    - "prod-us1/*"
-    - "prod-apis/*"
-    - "istio-system/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -109,8 +76,6 @@ spec:
     - "prod-apis/*"
     - "istio-system/*"
 
    
-
    {{}}
-{{}}
    
 
    The following example declares a Sidecar configuration in the
 prod-us1 namespace for all pods with labels app: ratings
 belonging to the ratings.prod-us1 service.  The workload accepts
@@ -119,35 +84,6 @@ the attached workload instance listening on a Unix domain
 socket. In the egress direction, in addition to the istio-system
 namespace, the sidecar proxies only HTTP traffic bound for port
 9080 for services in the prod-us1 namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: ratings
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: ratings
-  ingress:
-  - port:
-      number: 9080
-      protocol: HTTP
-      name: somename
-    defaultEndpoint: unix:///var/run/someuds.sock
-  egress:
-  - port:
-      number: 9080
-      protocol: HTTP
-      name: egresshttp
-    hosts:
-    - "prod-us1/*"
-  - hosts:
-    - "istio-system/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -173,8 +109,6 @@ spec:
   - hosts:
     - "istio-system/*"
 
    
-
    {{}}
-{{}}
    
 
    If the workload is deployed without IPTables-based traffic capture,
 the Sidecar configuration is the only way to configure the ports
 on the proxy attached to the workload instance. The following
@@ -189,36 +123,6 @@ it to the application listening on 127.0.0.1:8080. It also allows
 the application to communicate with a backing MySQL database on
 127.0.0.1:3306, that then gets proxied to the externally hosted
 MySQL service at mysql.foo.com:3306.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: no-ip-tables
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: productpage
-  ingress:
-  - port:
-      number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
-      protocol: HTTP
-      name: somename
-    defaultEndpoint: 127.0.0.1:8080
-    captureMode: NONE # not needed if metadata is set for entire proxy
-  egress:
-  - port:
-      number: 3306
-      protocol: MYSQL
-      name: egressmysql
-    captureMode: NONE # not needed if metadata is set for entire proxy
-    bind: 127.0.0.1
-    hosts:
-    - "*/mysql.foo.com"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -245,28 +149,7 @@ spec:
     hosts:
     - "*/mysql.foo.com"
 
    
-
    {{}}
-{{}}
    
 
    And the associated service entry for routing to mysql.foo.com:3306
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-mysql
-  namespace: ns1
-spec:
-  hosts:
-  - mysql.foo.com
-  ports:
-  - number: 3306
-    name: mysql
-    protocol: MYSQL
-  location: MESH_EXTERNAL
-  resolution: DNS
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -282,8 +165,6 @@ spec:
   location: MESH_EXTERNAL
   resolution: DNS
 
    
-
    {{}}
-{{}}
    
 
    It is also possible to mix and match traffic capture modes in a single
 proxy. For example, consider a setup where internal services are on the
 192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
@@ -295,36 +176,6 @@ listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving
 
    NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the
 proxy in the VM should contain REDIRECT or TPROXY as its value,
 implying that IP tables based traffic capture is active.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: partial-ip-tables
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: productpage
-  ingress:
-  - bind: 172.16.1.32
-    port:
-      number: 80 # binds to 172.16.1.32:80
-      protocol: HTTP
-      name: somename
-    defaultEndpoint: 127.0.0.1:8080
-    captureMode: NONE
-  egress:
-    # use the system detected defaults
-    # sets up configuration to handle outbound traffic to services
-    # in 192.168.0.0/16 subnet, based on information provided by the
-    # service registry
-  - captureMode: IPTABLES
-    hosts:
-    - "*/*"
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -351,8 +202,6 @@ spec:
     hosts:
     - "*/*"
 
    
-
    {{}}
-{{}}
    
 
    The following example declares a Sidecar configuration in the
 prod-us1 namespace for all pods with labels app: ratings
 belonging to the ratings.prod-us1 service.  The service accepts
@@ -365,9 +214,7 @@ in order to set mTLS mode to “DISABLE” on specific
 ports.
 In this example, the mTLS mode is disabled on PORT 80.
 This feature is currently experimental.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
+
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
   name: ratings
@@ -386,10 +233,8 @@ spec:
       mode: SIMPLE
       privateKey: "/etc/certs/privatekey.pem"
       serverCertificate: "/etc/certs/servercert.pem"
-
    
-
    {{}}
    
-
    {{}}
    
-
    apiVersion: v1
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: ratings
@@ -403,10 +248,8 @@ spec:
     targetPort: 80
   selector:
     app: ratings
-
    
-
    {{}}
    
-
    {{}}
    
-
    apiVersion: security.istio.io/v1beta1
+---
+apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
   name: ratings-peer-auth
@@ -421,8 +264,6 @@ spec:
     80:
       mode: DISABLE
 
    
-
    {{}}
-{{}}
    
 
    In addition to configuring traffic capture and how traffic is forwarded to the app,
 it’s possible to control inbound connection pool settings. By default, Istio pushes
 connection pool settings from DestinationRules to both clients (for outbound
@@ -430,39 +271,6 @@ connections to the service) as well as servers (for inbound connections to a ser
 instance). Using the InboundConnectionPool and per-port ConnectionPool settings
 in a Sidecar allow you to control those connection pools for the server separately
 from the settings pushed to all clients.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: Sidecar
-metadata:
-  name: connection-pool-settings
-  namespace: prod-us1
-spec:
-  workloadSelector:
-    labels:
-      app: productpage
-  inboundConnectionPool:
-      http:
-        http1MaxPendingRequests: 1024
-        http2MaxRequests: 1024
-        maxRequestsPerConnection: 1024
-        maxRetries: 100
-  ingress:
-  - port:
-      number: 80
-      protocol: HTTP
-      name: somename
-    connectionPool:
-      http:
-        http1MaxPendingRequests: 1024
-        http2MaxRequests: 1024
-        maxRequestsPerConnection: 1024
-        maxRetries: 100
-      tcp:
-        maxConnections: 100
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -492,8 +300,6 @@ spec:
       tcp:
         maxConnections: 100
 
    
-
    {{}}
-{{}}
    
 
 
    Sidecar
    
 
    
diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html
index 1f1ec2e406..5c599abdd8 100644
--- a/content/zh/docs/reference/config/networking/virtual-service/index.html
+++ b/content/zh/docs/reference/config/networking/virtual-service/index.html
@@ -43,36 +43,6 @@ to be customized for specific client contexts.
    
 pods of the reviews service with label “version: v1”. In addition,
 HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
 be rewritten to /newcatalog and sent to pods with label “version: v2”.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - name: "reviews-v2-routes"
-    match:
-    - uri:
-        prefix: "/wpcatalog"
-    - uri:
-        prefix: "/consumercatalog"
-    rewrite:
-      uri: "/newcatalog"
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v2
-  - name: "reviews-v1-route"
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -99,29 +69,9 @@ spec:
         host: reviews.prod.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
    A subset/version of a route destination is identified with a reference
 to a named service subset which must be declared in a corresponding
 DestinationRule.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-destination
-spec:
-  host: reviews.prod.svc.cluster.local
-  subsets:
-  - name: v1
-    labels:
-      version: v1
-  - name: v2
-    labels:
-      version: v2
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -136,8 +86,6 @@ spec:
     labels:
       version: v2
 
    
-
    {{}}
-{{}}
    
 
 
    VirtualService
    
 
    
@@ -301,35 +249,6 @@ domain names over short names.
    
 
    The following Kubernetes example routes all traffic by default to pods
 of the reviews service with label “version: v1” (i.e., subset v1), and
 some to subset v2, in a Kubernetes environment.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-  namespace: foo
-spec:
-  hosts:
-  - reviews # interpreted as reviews.foo.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        prefix: "/wpcatalog"
-    - uri:
-        prefix: "/consumercatalog"
-    rewrite:
-      uri: "/newcatalog"
-    route:
-    - destination:
-        host: reviews # interpreted as reviews.foo.svc.cluster.local
-        subset: v2
-  - route:
-    - destination:
-        host: reviews # interpreted as reviews.foo.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -355,28 +274,7 @@ spec:
         host: reviews # interpreted as reviews.foo.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
    And the associated DestinationRule
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-destination
-  namespace: foo
-spec:
-  host: reviews # interpreted as reviews.foo.svc.cluster.local
-  subsets:
-  - name: v1
-    labels:
-      version: v1
-  - name: v2
-    labels:
-      version: v2
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -392,8 +290,6 @@ spec:
     labels:
       version: v2
 
    
-
    {{}}
-{{}}
    
 
    The following VirtualService sets a timeout of 5s for all calls to
 productpage.prod.svc.cluster.local service in Kubernetes. Notice that
 there are no subsets defined in this rule. Istio will fetch all
@@ -403,24 +299,6 @@ that this rule is set in the istio-system namespace but uses the fully
 qualified domain name of the productpage service,
 productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
 not have an impact in resolving the name of the productpage service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: my-productpage-rule
-  namespace: istio-system
-spec:
-  hosts:
-  - productpage.prod.svc.cluster.local # ignores rule namespace
-  http:
-  - timeout: 5s
-    route:
-    - destination:
-        host: productpage.prod.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -435,44 +313,11 @@ spec:
     - destination:
         host: productpage.prod.svc.cluster.local
 
    
-
    {{}}
-{{}}
    
 
    To control routing for traffic bound to services outside the mesh, external
 services must first be added to Istio’s internal service registry using the
 ServiceEntry resource. VirtualServices can then be defined to control traffic
 bound to these external services. For example, the following rules define a
 Service for wikipedia.org and set a timeout of 5s for HTTP requests.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: external-svc-wikipedia
-spec:
-  hosts:
-  - wikipedia.org
-  location: MESH_EXTERNAL
-  ports:
-  - number: 80
-    name: example-http
-    protocol: HTTP
-  resolution: DNS
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: my-wiki-rule
-spec:
-  hosts:
-  - wikipedia.org
-  http:
-  - timeout: 5s
-    route:
-    - destination:
-        host: wikipedia.org
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -500,8 +345,6 @@ spec:
     - destination:
         host: wikipedia.org
 
    
-
    {{}}
-{{}}
    
 
 
@@ -892,36 +735,6 @@ The following VirtualService adds a test header with the value reviews service destination.
 It also removes the foo response header, but only from responses
 coming from the v1 subset (version) of the reviews service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - headers:
-      request:
-        set:
-          test: "true"
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v2
-      weight: 25
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-      headers:
-        response:
-          remove:
-          - foo
-      weight: 75
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -948,8 +761,6 @@ spec:
           - foo
       weight: 75
 
    
-
    {{}}
-{{}}
    
 
 
    
 
    
@@ -994,35 +805,6 @@ No
 traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
 traffic arriving at port 443 of gateway called “mygateway” to internal
 services in the mesh based on the SNI value.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-sni
-spec:
-  hosts:
-  - "*.bookinfo.com"
-  gateways:
-  - mygateway
-  tls:
-  - match:
-    - port: 443
-      sniHosts:
-      - login.bookinfo.com
-    route:
-    - destination:
-        host: login.prod.svc.cluster.local
-  - match:
-    - port: 443
-      sniHosts:
-      - reviews.bookinfo.com
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1048,8 +830,6 @@ spec:
     - destination:
         host: reviews.prod.svc.cluster.local
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -1094,26 +874,6 @@ No
 
    Describes match conditions and actions for routing TCP traffic. The
 following routing rule forwards traffic arriving at port 27017 for
 mongo.prod.svc.cluster.local to another Mongo server on port 5555.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: bookinfo-mongo
-spec:
-  hosts:
-  - mongo.prod.svc.cluster.local
-  tcp:
-  - match:
-    - port: 27017
-    route:
-    - destination:
-        host: mongo.backup.svc.cluster.local
-        port:
-          number: 5555
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1130,8 +890,6 @@ spec:
         port:
           number: 5555
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -1178,29 +936,6 @@ rule to be applied to the HTTP request. For example, the following
 restricts the rule to match only requests where the URL path
 starts with /ratings/v2/ and the request contains a custom end-user header
 with value jason.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - headers:
-        end-user:
-          exact: jason
-      uri:
-        prefix: "/ratings/v2/"
-      ignoreUriCase: true
-    route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1220,8 +955,6 @@ spec:
     - destination:
         host: ratings.prod.svc.cluster.local
 
    
-
    {{}}
-{{}}
    HTTPMatchRequest CANNOT be empty.
 Note:
      
@@ -1513,28 +1246,6 @@ determine the proportion of traffic it receives. For example, the
 following rule will route 25% of traffic for the “reviews” service to
 instances with the “v2” tag and the remaining traffic (i.e., 75%) to
 “v1”.
      
-
      {{}}
-{{}}
      
-
      apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v2
-      weight: 25
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-      weight: 75
-
      
-
      {{}}
      
-
      {{}}
      
 
      apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1553,27 +1264,7 @@ spec:
         subset: v1
       weight: 75
 
      
-
      {{}}
-{{}}
      
 
      And the associated DestinationRule
      
-
      {{}}
-{{}}
      
-
      apiVersion: networking.istio.io/v1alpha3
-kind: DestinationRule
-metadata:
-  name: reviews-destination
-spec:
-  host: reviews.prod.svc.cluster.local
-  subsets:
-  - name: v1
-    labels:
-      version: v1
-  - name: v2
-    labels:
-      version: v2
-
      
-
      {{}}
      
-
      {{}}
      
 
      apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1588,31 +1279,9 @@ spec:
     labels:
       version: v2
 
      
-
      {{}}
-{{}}
      
 
      Traffic can also be split across two entirely different services without
 having to define new subsets. For example, the following rule forwards 25% of
 traffic to reviews.com to dev.reviews.com
      
-
      {{}}
-{{}}
      
-
      apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route-two-domains
-spec:
-  hosts:
-  - reviews.com
-  http:
-  - route:
-    - destination:
-        host: dev.reviews.com
-      weight: 25
-    - destination:
-        host: reviews.com
-      weight: 75
-
      
-
      {{}}
      
-
      {{}}
      
 
      apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1629,8 +1298,6 @@ spec:
         host: reviews.com
       weight: 75
 
      
-
      {{}}
-{{}}
      
 
 
    
 
 
 
 
    
@@ -1910,26 +1577,6 @@ where the Authority/Host and the URI in the response can be swapped with
 the specified values. For example, the following rule redirects
 requests for /v1/getProductRatings API on the ratings service to
 /v1/bookRatings provided by the bookratings service.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    redirect:
-      uri: /v1/bookRatings
-      authority: newratings.default.svc.cluster.local
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1946,8 +1593,6 @@ spec:
       authority: newratings.default.svc.cluster.local
   ...
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2044,27 +1689,6 @@ No
 
    HTTPDirectResponse can be used to send a fixed response to clients.
 For example, the following rule returns a fixed 503 status with a body
 to requests for /v1/getProductRatings API.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    directResponse:
-      status: 503
-      body:
-        string: "unknown error"
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2082,31 +1706,8 @@ spec:
         string: "unknown error"
   ...
 
    
-
    {{}}
-{{}}
    It is also possible to specify a binary response body.
 This is mostly useful for non text-based protocols such as gRPC.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    directResponse:
-      status: 503
-      body:
-        bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2124,36 +1725,9 @@ spec:
         bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64
   ...
 
    
-
    {{}}
-{{}}
    It is good practice to add headers in the HTTPRoute
 as well as the direct_response, for example to specify
 the returned Content-Type.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        exact: /v1/getProductRatings
-    directResponse:
-      status: 503
-      body:
-        string: "{\"error\": \"unknown error\"}"
-    headers:
-      response:
-        set:
-          content-type: "application/json"
-  ...
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2175,8 +1749,6 @@ spec:
           content-type: "text/plain"
   ...
 
    
-
    {{}}
-{{}}
    
 
 
 
 
 
 
 
 
    
@@ -2258,28 +1830,6 @@ before forwarding the request to the destination. Rewrite primitive can
 be used only with HTTPRouteDestination. The following example
 demonstrates how to rewrite the URL prefix for api call (/ratings) to
 ratings service before making the actual API call.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        prefix: /ratings
-    rewrite:
-      uri: /v1/bookRatings
-    route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2298,8 +1848,6 @@ spec:
         host: ratings.prod.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2452,27 +2000,6 @@ example, the following rule sets the maximum number of retries to 3 when
 calling ratings:v1 service, with a 2s timeout per retry attempt.
 A retry will be attempted if there is a connect-failure, refused_stream
 or when the upstream server responds with Service Unavailable(503).
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    retries:
-      attempts: 3
-      perTryTimeout: 2s
-      retryOn: connect-failure,refused-stream,503
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2490,8 +2017,6 @@ spec:
       perTryTimeout: 2s
       retryOn: gateway-error,connect-failure,refused-stream
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2572,33 +2097,6 @@ the following rule restricts cross origin requests to those originating
 from example.com domain using HTTP POST/GET, and sets the
 Access-Control-Allow-Credentials header to false. In addition, it only
 exposes X-Foo-bar header and sets an expiry period of 1 day.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    corsPolicy:
-      allowOrigins:
-      - exact: https://example.com
-      allowMethods:
-      - POST
-      - GET
-      allowCredentials: false
-      allowHeaders:
-      - X-Foo-Bar
-      maxAge: "24h"
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2622,8 +2120,6 @@ spec:
       - X-Foo-Bar
       maxAge: "24h"
 
    
-
    {{}}
-{{}}
    
 
 
 
 
    
@@ -2917,31 +2413,6 @@ No
 forwarding path. The following example will introduce a 5 second delay
 in 1 out of every 1000 requests to the “v1” version of the “reviews”
 service from all pods with label env: prod
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: reviews-route
-spec:
-  hosts:
-  - reviews.prod.svc.cluster.local
-  http:
-  - match:
-    - sourceLabels:
-        env: prod
-    route:
-    - destination:
-        host: reviews.prod.svc.cluster.local
-        subset: v1
-    fault:
-      delay:
-        percentage:
-          value: 0.1
-        fixedDelay: 5s
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2963,8 +2434,6 @@ spec:
           value: 0.1
         fixedDelay: 5s
 
    
-
    {{}}
-{{}}
    The fixedDelay field is used to indicate the amount of delay in seconds.
 The optional percentage field can be used to only delay a certain
 percentage of requests. If left unspecified, no request will be delayed.
    
@@ -3024,28 +2493,6 @@ No
 
    Abort specification is used to prematurely abort a request with a
 pre-specified error code. The following example will return an HTTP 400
 error code for 1 out of every 1000 requests to the “ratings” service “v1”.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    fault:
-      abort:
-        percentage:
-          value: 0.1
-        httpStatus: 400
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -3064,8 +2511,6 @@ spec:
           value: 0.1
         httpStatus: 400
 
    
-
    {{}}
-{{}}
    The httpStatus field is used to indicate the HTTP status code to
 return to the caller. The optional percentage field can be used to only
 abort a certain percentage of requests. If not specified, no request will be
diff --git a/content/zh/docs/reference/config/networking/workload-entry/index.html b/content/zh/docs/reference/config/networking/workload-entry/index.html
index 0eab0173de..a8738615e4 100644
--- a/content/zh/docs/reference/config/networking/workload-entry/index.html
+++ b/content/zh/docs/reference/config/networking/workload-entry/index.html
@@ -30,25 +30,6 @@ account. The service is exposed on port 80 to applications in the
 mesh. The HTTP traffic to this service is wrapped in Istio mutual
 TLS and sent to sidecars on VMs on target port 8080, that in turn
 forward it to the application on localhost on the same port.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-svc
-spec:
-  # use of the service account indicates that the workload has a
-  # sidecar proxy bootstrapped with this service account. Pods with
-  # sidecars will automatically communicate with the workload using
-  # istio mutual TLS.
-  serviceAccount: details-legacy
-  address: 2.2.2.2
-  labels:
-    app: details-legacy
-    instance-id: vm1
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -64,31 +45,7 @@ spec:
     app: details-legacy
     instance-id: vm1
 
    
-
    {{}}
-{{}}
    and the associated service entry
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: details-svc
-spec:
-  hosts:
-  - details.bookinfo.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-    targetPort: 8080
-  resolution: STATIC
-  workloadSelector:
-    labels:
-      app: details-legacy
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -107,32 +64,11 @@ spec:
     labels:
       app: details-legacy
 
    
-
    {{}}
-{{}}
    The following example declares the same VM workload using
 its fully qualified DNS name. The service entry’s resolution
 mode should be changed to DNS to indicate that the client-side
 sidecars should dynamically resolve the DNS name at runtime before
 forwarding the request.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: details-svc
-spec:
-  # use of the service account indicates that the workload has a
-  # sidecar proxy bootstrapped with this service account. Pods with
-  # sidecars will automatically communicate with the workload using
-  # istio mutual TLS.
-  serviceAccount: details-legacy
-  address: vm1.vpc01.corp.net
-  labels:
-    app: details-legacy
-    instance-id: vm1
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -148,31 +84,7 @@ spec:
     app: details-legacy
     instance-id: vm1
 
    
-
    {{}}
-{{}}
    and the associated service entry
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: ServiceEntry
-metadata:
-  name: details-svc
-spec:
-  hosts:
-  - details.bookinfo.com
-  location: MESH_INTERNAL
-  ports:
-  - number: 80
-    name: http
-    protocol: HTTP
-    targetPort: 8080
-  resolution: DNS
-  workloadSelector:
-    labels:
-      app: details-legacy
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -191,28 +103,12 @@ spec:
     labels:
       app: details-legacy
 
    
-
    {{}}
-{{}}
    The following example declares a VM workload without an address.
 An alternative to having istiod read from remote API servers is
 to write a WorkloadEntry in the local cluster that represents
 the Workload(s) in the remote network with the given labels. A
 single WorkloadEntry with weights represent the aggregate of all
 the actual workloads in a given remote network.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadEntry
-metadata:
-  name: foo-workloads-cluster-2
-spec:
-  serviceAccount: foo
-  network: cluster-2-network
-  labels:
-    app: foo
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -223,8 +119,6 @@ spec:
   labels:
     app: foo
 
    
-
    {{}}
-{{}}
    WorkloadEntry
    
diff --git a/content/zh/docs/reference/config/networking/workload-group/index.html b/content/zh/docs/reference/config/networking/workload-group/index.html
index b5568ad17e..0c574323c9 100644
--- a/content/zh/docs/reference/config/networking/workload-group/index.html
+++ b/content/zh/docs/reference/config/networking/workload-group/index.html
@@ -22,40 +22,6 @@ of workloads that will be registered under reviews in namespace
 instance during the bootstrap process, and the ports 3550 and 8080
 will be associated with the workload group and use service account default.
 app.kubernetes.io/version is just an arbitrary example of a label.
    
-
    {{}}
-{{}}
    
-
    apiVersion: networking.istio.io/v1alpha3
-kind: WorkloadGroup
-metadata:
-  name: reviews
-  namespace: bookinfo
-spec:
-  metadata:
-    labels:
-      app.kubernetes.io/name: reviews
-      app.kubernetes.io/version: "1.3.4"
-  template:
-    ports:
-      grpc: 3550
-      http: 8080
-    serviceAccount: default
-  probe:
-    initialDelaySeconds: 5
-    timeoutSeconds: 3
-    periodSeconds: 4
-    successThreshold: 3
-    failureThreshold: 3
-    httpGet:
-     path: /foo/bar
-     host: 127.0.0.1
-     port: 3100
-     scheme: HTTPS
-     httpHeaders:
-     - name: Lit-Header
-       value: Im-The-Best
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: networking.istio.io/v1beta1
 kind: WorkloadGroup
 metadata:
@@ -86,8 +52,6 @@ spec:
      - name: Lit-Header
        value: Im-The-Best
 
    
-
    {{}}
-{{}}
    
 
 
    WorkloadGroup
    
 
    
diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html
index 4353265e98..f8c2b75d32 100644
--- a/content/zh/docs/reference/config/security/authorization-policy/index.html
+++ b/content/zh/docs/reference/config/security/authorization-policy/index.html
@@ -44,34 +44,6 @@ but it is useful to be explicit in the policy.
    
 
 
    when the request has a valid JWT token issued by https://accounts.google.com.
    
 
    Any other requests will be denied.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  action: ALLOW
-  rules:
-  - from:
-    - source:
-        principals: ["cluster.local/ns/default/sa/sleep"]
-    - source:
-        namespaces: ["test"]
-    to:
-    - operation:
-        methods: ["GET"]
-        paths: ["/info*"]
-    - operation:
-        methods: ["POST"]
-        paths: ["/data"]
-    when:
-    - key: request.auth.claims[iss]
-      values: ["https://accounts.google.com"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -96,30 +68,9 @@ spec:
     - key: request.auth.claims[iss]
       values: ["https://accounts.google.com"]
 
    
-
    {{}}
-{{}}
    
 
    The following is another example that sets action to DENY to create a deny policy.
 It denies requests from the dev namespace to the POST method on all workloads
 in the foo namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  action: DENY
-  rules:
-  - from:
-    - source:
-        namespaces: ["dev"]
-    to:
-    - operation:
-        methods: ["POST"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -135,28 +86,9 @@ spec:
     - operation:
         methods: ["POST"]
 
    
-
    {{}}
-{{}}
    
 
    The following is another example that sets action to DENY to create a deny policy.
 It denies all the requests with POST method on port 8080 on all workloads
 in the foo namespace.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  action: DENY
-  rules:
-  - to:
-    - operation:
-        methods: ["POST"]
-        ports: ["8080"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -170,34 +102,12 @@ spec:
         methods: ["POST"]
         ports: ["8080"]
 
    
-
    {{}}
-{{}}
    
 
    When this rule is applied to TCP traffic, the method field (as will all HTTP based attributes) cannot be processed.
 For a DENY rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
 If we were to remove the ports match, all TCP traffic would be denied. As a result, it is recommended to always scope DENY policies to a specific port,
 especially when using HTTP attributes Authorization Policy for TCP Ports.
    
 
    The following authorization policy sets the action to AUDIT. It will audit any GET requests to the path with the
 prefix /user/profile.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  namespace: ns1
-  name: anyname
-spec:
-  selector:
-    matchLabels:
-      app: myapi
-  action: AUDIT
-  rules:
-  - to:
-    - operation:
-        methods: ["GET"]
-        paths: ["/user/profile/*"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -214,8 +124,6 @@ spec:
         methods: ["GET"]
         paths: ["/user/profile/*"]
 
    
-
    {{}}
-{{}}
    
 
    Authorization Policy scope (target) is determined by “metadata/namespace” and
 an optional selector.
    
 
      
@@ -225,18 +133,6 @@ namespace, the policy applies to all namespaces in a mesh.
 
    
 
    For example, the following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
 all requests to workloads in namespace foo.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-nothing
- namespace: foo
-spec:
-  {}
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -245,22 +141,7 @@ metadata:
 spec:
   {}
 
    
-
    {{}}
-{{}}
    
 
    The following authorization policy allows all requests to workloads in namespace foo.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-all
- namespace: foo
-spec:
- rules:
- - {}
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -270,24 +151,8 @@ spec:
  rules:
  - {}
 
    
-
    {{}}
-{{}}
    
 
    The following authorization policy applies to workloads containing label app: httpbin in namespace bar. It allows
 nothing and effectively denies all requests to the selected workloads.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: allow-nothing
-  namespace: bar
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -298,24 +163,8 @@ spec:
     matchLabels:
       app: httpbin
 
    
-
    {{}}
-{{}}
    
 
    The following authorization policy applies to workloads containing label version: v1 in all namespaces in the mesh.
 (Assuming the root namespace is configured to istio-system).
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-nothing
- namespace: istio-system
-spec:
- selector:
-   matchLabels:
-     version: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -326,33 +175,11 @@ spec:
    matchLabels:
      version: v1
 
    
-
    {{}}
-{{}}
    
 
    The following example shows you how to set up an authorization policy using an experimental annotation
 istio.io/dry-run to dry-run the policy without actually enforcing it.
    
 
    The dry-run annotation allows you to better understand the effect of an authorization policy before applying it to the production traffic.
 This helps to reduce the risk of breaking the production traffic caused by an incorrect authorization policy.
 For more information, see dry-run tasks.
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: dry-run-example
-  annotations:
-    "istio.io/dry-run": "true"
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  action: DENY
-  rules:
-  - to:
-    - operation:
-        paths: ["/headers"]
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -369,8 +196,6 @@ spec:
     - operation:
         paths: ["/headers"]
 
    
-
    {{}}
-{{}}
    
 
 
    AuthorizationPolicy
    
 
    
diff --git a/content/zh/docs/reference/config/security/jwt/index.html b/content/zh/docs/reference/config/security/jwt/index.html
index b75b6ba8bf..535b3acbf6 100644
--- a/content/zh/docs/reference/config/security/jwt/index.html
+++ b/content/zh/docs/reference/config/security/jwt/index.html
@@ -205,6 +205,18 @@ The header specified in each operation in the list must be unique. Nested claims
 
 
    [Experimental] This feature is a experimental feature.
    
 
+
+
    
+
+
+
+
+
diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html
index d2ecd1d813..b7cfe879e9 100644
--- a/content/zh/docs/reference/config/security/request_authentication/index.html
+++ b/content/zh/docs/reference/config/security/request_authentication/index.html
@@ -21,37 +21,6 @@ Examples:
      
 
    • Require JWT for all request for workloads that have label app:httpbin
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  jwtRules:
-  - issuer: "issuer-foo"
-    jwksUri: https://example.com/.well-known/jwks.json
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -79,38 +48,11 @@ spec:
     - source:
         requestPrincipals: ["*"]
 
    
-
    {{}}
-{{}}
      
 
    • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces
 in a mesh. The following policy makes all workloads only accept requests that contain a
 valid JWT token.
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: req-authn-for-all
-  namespace: istio-system
-spec:
-  jwtRules:
-  - issuer: "issuer-foo"
-    jwksUri: https://example.com/.well-known/jwks.json
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: require-jwt-for-all
-  namespace: istio-system
-spec:
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -132,53 +74,11 @@ spec:
     - source:
         requestPrincipals: ["*"]
 
    
-
    {{}}
-{{}}
      
 
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication
 declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly
 set from the OpenID Connect spec).
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  jwtRules:
-  - issuer: "issuer-foo"
-  - issuer: "issuer-bar"
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["issuer-foo/*"]
-    to:
-    - operation:
-        hosts: ["example.com"]
-  - from:
-    - source:
-        requestPrincipals: ["issuer-bar/*"]
-    to:
-    - operation:
-        hosts: ["another-host.com"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -215,34 +115,11 @@ spec:
     - operation:
         hosts: ["another-host.com"]
 
    
-
    {{}}
-{{}}
      
 
    • You can fine tune the authorization policy to set different requirement per path. For example,
 to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the
 authorization policy could be:
      • 
 
    
-
    {{}}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: httpbin
-  namespace: foo
-spec:
-  selector:
-    matchLabels:
-      app: httpbin
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
-  - to:
-    - operation:
-        paths: ["/healthz"]
-
    
-
    {{}}
    
-
    {{}}
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -260,8 +137,6 @@ spec:
     - operation:
         paths: ["/healthz"]
 
    
-
    {{}}
-{{}}
    [Experimental] Routing based on derived metadata
 is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request.
 Currently this feature is only supported for the following metadata:
    
@@ -277,62 +152,6 @@ For more information, see }}
-{{}}
    
-
    apiVersion: security.istio.io/v1beta1
-kind: RequestAuthentication
-metadata:
-  name: jwt-on-ingress
-  namespace: istio-system
-spec:
-  selector:
-    matchLabels:
-      app: istio-ingressgateway
-  jwtRules:
-  - issuer: "example.com"
-    jwksUri: https://example.com/.well-known/jwks.json
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
-  name: require-jwt
-  namespace: istio-system
-spec:
-  selector:
-    matchLabels:
-      app: istio-ingressgateway
-  rules:
-  - from:
-    - source:
-        requestPrincipals: ["*"]
----
-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: route-jwt
-spec:
-  hosts:
-  - foo.prod.svc.cluster.local
-  gateways:
-  - istio-ingressgateway
-  http:
-  - name: "v2"
-    match:
-    - headers:
-        "@request.auth.claims.sub":
-          exact: "dev"
-    route:
-    - destination:
-        host: foo.prod.svc.cluster.local
-        subset: v2
-  - name: "default"
-    route:
-    - destination:
-        host: foo.prod.svc.cluster.local
-        subset: v1
-
    
-
    {{}}
    
-
    {{}}
    
 
    apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -385,8 +204,6 @@ spec:
         host: foo.prod.svc.cluster.local
         subset: v1
 
    
-
    {{}}
-{{}}
    
 
 
    
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
    
+No
+
    timeoutDuration
+
    The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
+will spend waiting for the JWKS to be fetched. Default is 5s.
    
+
     		
 
 No
diff --git a/content/zh/docs/reference/config/security/peer_authentication/index.html b/content/zh/docs/reference/config/security/peer_authentication/index.html
index 741287bf58..a0042dfa6d 100644
--- a/content/zh/docs/reference/config/security/peer_authentication/index.html
+++ b/content/zh/docs/reference/config/security/peer_authentication/index.html
@@ -25,7 +25,7 @@ spec:
     mode: STRICT
 
 
    For mesh level, put the policy in root-namespace according to your Istio installation.
    
-
    Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but
+
    Policies to allow both mTLS and plaintext traffic for all workloads under namespace foo, but
 require mTLS for workload finance.
    
 
    apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
@@ -48,8 +48,9 @@ spec:
   mtls:
     mode: STRICT
 
    
-
    Policy to allow mTLS strict for all workloads, but leave port 8080 to
-plaintext:
    
+
    Policy that enables strict mTLS for all workloads, but leaves the port 8080 to
+plaintext. Note the port value in the portLevelMtls field refers to the port
+of the workload, not the port of the Kubernetes service.
    
 
    apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -65,8 +66,8 @@ spec:
     8080:
       mode: DISABLE
 
    
-
    Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
-settings for port 8080
    
+
    Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
+mTLS for workload port 8080.
    
 
    apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -123,7 +124,8 @@ No
 
    		map<uint32, MutualTLS>
 
 
    Port specific mutual TLS settings. These only apply when a workload selector
-is specified.
    
+is specified. The port refers to the port of the workload, not the port of the
+Kubernetes service.
    
 
     		
 
@@ -174,7 +176,7 @@ No
 
    
 UNSET
 
-
    Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
    
+
    Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
    
 
     		
 
    
 
 
 
 
 
 
 
 
 
    
diff --git a/content/zh/docs/reference/config/type/workload-selector/index.html b/content/zh/docs/reference/config/type/workload-selector/index.html
index 9aeb5f2c9f..8c206cebec 100644
--- a/content/zh/docs/reference/config/type/workload-selector/index.html
+++ b/content/zh/docs/reference/config/type/workload-selector/index.html
@@ -85,8 +85,6 @@ Telemetry, and WasmPlugin CRDs to target a Kubernetes Gateway.
    
 a PolicyTargetReference. The example sets action to DENY to create a deny policy.
 It denies all the requests with POST method on port 8080 directed through the
 waypoint Gateway in the foo namespace.
    
-
    {{}}
-{{}}
    
 
    apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -104,8 +102,6 @@ spec:
         methods: ["POST"]
         ports: ["8080"]
 
    
-
    {{}}
-{{}}
    
 
 
    
 
    
diff --git a/data/features.yaml b/data/features.yaml
index 05aed70426..f9e3a30a17 100644
--- a/data/features.yaml
+++ b/data/features.yaml
@@ -1,6 +1,7 @@
 features:
   - name: "Protocols:HTTP1.1/HTTP2/gRPC/TCP"
     id: "traffic.http_protocols"
+    link: "/docs/ops/configuration/traffic-management/protocol-selection/"
     level:
       checklist: features/protocol-support.md
       maturity: Stable