diff --git a/content/en/docs/reference/commands/install-cni/index.html b/content/en/docs/reference/commands/install-cni/index.html
index 17f477738b..6a31e574bb 100644
--- a/content/en/docs/reference/commands/install-cni/index.html
+++ b/content/en/docs/reference/commands/install-cni/index.html
@@ -60,6 +60,10 @@ remove_toc_prefix: 'install-cni '
 <td>The IP port to use for the ControlZ introspection facility  (default `9876`)</td>
 </tr>
 <tr>
+<td><code>--ebpf-enabled</code></td>
+<td>Whether ebpf redirection is enabled </td>
+</tr>
+<tr>
 <td><code>--kube-ca-file &lt;string&gt;</code></td>
 <td>CA file for kubeconfig. Defaults to the same as install-cni pod  (default ``)</td>
 </tr>
@@ -85,11 +89,11 @@ remove_toc_prefix: 'install-cni '
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -109,7 +113,7 @@ remove_toc_prefix: 'install-cni '
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -215,11 +219,11 @@ See each sub-command&#39;s help for details on how to use the generated script.
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -239,7 +243,7 @@ See each sub-command&#39;s help for details on how to use the generated script.
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -284,11 +288,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -308,7 +312,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -352,11 +356,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -376,7 +380,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -419,11 +423,11 @@ to your powershell profile.
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -443,7 +447,7 @@ to your powershell profile.
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -493,11 +497,11 @@ to enable it.  You can execute the following once:</p>
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -517,7 +521,7 @@ to enable it.  You can execute the following once:</p>
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -560,12 +564,12 @@ to enable it.  You can execute the following once:</p>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -590,7 +594,7 @@ to enable it.  You can execute the following once:</p>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -694,6 +698,12 @@ These environment variables affect the behavior of the <code>install-cni</code>
 <td>Directory on the host where CNI network plugins are installed</td>
 </tr>
 <tr>
+<td><code>EBPF_ENABLED</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Whether ebpf redirection is enabled</td>
+</tr>
+<tr>
 <td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
 <td>Boolean</td>
 <td><code>true</code></td>
@@ -874,6 +884,12 @@ These environment variables affect the behavior of the <code>install-cni</code>
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -1388,6 +1404,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index 74e150bbfc..53cf70a9c0 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
 title: istioctl
 description: Istio control interface.
 generator: pkg-collateral-docs
-number_of_entries: 107
+number_of_entries: 108
 max_toc_level: 2
 remove_toc_prefix: 'istioctl '
 ---
@@ -4177,6 +4177,61 @@ istioctl x version --xds-label istio.io/rev=default
 <h3 id="istioctl-experimental-waypoint-apply Examples">Examples</h3>
 <pre class="language-bash"><code>  # Apply a waypoint to the current namespace
   istioctl x waypoint apply
+
+  # Apply a waypoint to a specific namespace for a specific service account
+  istioctl x waypoint apply --service-account something --namespace default
+</code></pre>
+<h2 id="istioctl-experimental-waypoint-delete">istioctl experimental waypoint delete</h2>
+<p>Delete a waypoint configuration from the cluster</p>
+<pre class="language-bash"><code>istioctl experimental waypoint delete [flags]
+</code></pre>
+<table class="command-flags">
+<thead>
+<tr>
+<th>Flags</th>
+<th>Shorthand</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>--context &lt;string&gt;</code></td>
+<td></td>
+<td>The name of the kubeconfig context to use  (default ``)</td>
+</tr>
+<tr>
+<td><code>--istioNamespace &lt;string&gt;</code></td>
+<td><code>-i</code></td>
+<td>Istio system namespace  (default `istio-system`)</td>
+</tr>
+<tr>
+<td><code>--kubeconfig &lt;string&gt;</code></td>
+<td><code>-c</code></td>
+<td>Kubernetes configuration file  (default ``)</td>
+</tr>
+<tr>
+<td><code>--namespace &lt;string&gt;</code></td>
+<td><code>-n</code></td>
+<td>Config namespace  (default ``)</td>
+</tr>
+<tr>
+<td><code>--service-account &lt;string&gt;</code></td>
+<td><code>-s</code></td>
+<td>service account to create a waypoint for  (default ``)</td>
+</tr>
+<tr>
+<td><code>--vklog &lt;Level&gt;</code></td>
+<td></td>
+<td>number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)</td>
+</tr>
+</tbody>
+</table>
+<h3 id="istioctl-experimental-waypoint-delete Examples">Examples</h3>
+<pre class="language-bash"><code>  # Delete a waypoint from the current namespace
+  istioctl x waypoint delete
+  
+  # Delete a waypoint from a specific namespace for a specific service account
+  istioctl x waypoint delete --service-account something --namespace default
 </code></pre>
 <h2 id="istioctl-experimental-waypoint-generate">istioctl experimental waypoint generate</h2>
 <p>Generate a waypoint configuration as YAML</p>
@@ -7228,7 +7283,7 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 <tr>
 <td><code>--filename &lt;stringSlice&gt;</code></td>
 <td><code>-f</code></td>
-<td>Names of files to validate  (default `[]`)</td>
+<td>Inputs of files to validate  (default `[]`)</td>
 </tr>
 <tr>
 <td><code>--istioNamespace &lt;string&gt;</code></td>
@@ -7720,6 +7775,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -8188,6 +8249,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html
index a8fff11d47..9ee9a29819 100644
--- a/content/en/docs/reference/commands/operator/index.html
+++ b/content/en/docs/reference/commands/operator/index.html
@@ -557,6 +557,12 @@ These environment variables affect the behavior of the <code>operator</code> com
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -1025,6 +1031,12 @@ These environment variables affect the behavior of the <code>operator</code> com
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index 2fe29e537e..8fe551b04f 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -1405,6 +1405,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
 <td></td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_META_CERT_SIGNER</code></td>
 <td>String</td>
 <td><code></code></td>
@@ -1925,6 +1931,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html
index 184d8bbd23..61c6572c34 100644
--- a/content/en/docs/reference/commands/pilot-discovery/index.html
+++ b/content/en/docs/reference/commands/pilot-discovery/index.html
@@ -725,6 +725,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -1217,6 +1223,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html
index c3d7510038..8582424c9c 100644
--- a/content/en/docs/reference/config/networking/destination-rule/index.html
+++ b/content/en/docs/reference/config/networking/destination-rule/index.html
@@ -1069,6 +1069,8 @@ The secret (of type <code>generic</code>)should contain the
 following keys and values: <code>key: &lt;privateKey&gt;</code>,
 <code>cert: &lt;clientCert&gt;</code>, <code>cacert: &lt;CACertificate&gt;</code>.
 Here CACertificate is used to verify the server certificate.
+For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> can be provided in the
+same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
 Secret of type tls for client certificates along with
 ca.crt key for CA certificates is also supported.
 Only one of client certificates and CA certificate
diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index 717a47a70e..6c2da6f92d 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -216,8 +216,8 @@ No
 <td><code><a href="#HTTPRoute">HTTPRoute[]</a></code></td>
 <td>
 <p>An ordered list of route rules for HTTP traffic. HTTP routes will be
-applied to platform service ports named &lsquo;http-<em>&rsquo;/&lsquo;http2-</em>&rsquo;/&lsquo;grpc-*&rsquo;, gateway
-ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
+applied to platform service ports using HTTP/HTTP2/GRPC protocols, gateway
+ports with protocol HTTP/HTTP2/GRPC/TLS-terminated-HTTPS and service
 entry ports using HTTP/HTTP2/GRPC protocols.  The first rule matching
 an incoming request is used.</p>
 
diff --git a/content/zh/docs/reference/commands/install-cni/index.html b/content/zh/docs/reference/commands/install-cni/index.html
index 17f477738b..6a31e574bb 100644
--- a/content/zh/docs/reference/commands/install-cni/index.html
+++ b/content/zh/docs/reference/commands/install-cni/index.html
@@ -60,6 +60,10 @@ remove_toc_prefix: 'install-cni '
 <td>The IP port to use for the ControlZ introspection facility  (default `9876`)</td>
 </tr>
 <tr>
+<td><code>--ebpf-enabled</code></td>
+<td>Whether ebpf redirection is enabled </td>
+</tr>
+<tr>
 <td><code>--kube-ca-file &lt;string&gt;</code></td>
 <td>CA file for kubeconfig. Defaults to the same as install-cni pod  (default ``)</td>
 </tr>
@@ -85,11 +89,11 @@ remove_toc_prefix: 'install-cni '
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -109,7 +113,7 @@ remove_toc_prefix: 'install-cni '
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -215,11 +219,11 @@ See each sub-command&#39;s help for details on how to use the generated script.
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -239,7 +243,7 @@ See each sub-command&#39;s help for details on how to use the generated script.
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -284,11 +288,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -308,7 +312,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -352,11 +356,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -376,7 +380,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -419,11 +423,11 @@ to your powershell profile.
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -443,7 +447,7 @@ to your powershell profile.
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -493,11 +497,11 @@ to enable it.  You can execute the following once:</p>
 </tr>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -517,7 +521,7 @@ to enable it.  You can execute the following once:</p>
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -560,12 +564,12 @@ to enable it.  You can execute the following once:</p>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:info`)</td>
 </tr>
 <tr>
 <td><code>--log_rotate &lt;string&gt;</code></td>
@@ -590,7 +594,7 @@ to enable it.  You can execute the following once:</p>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, authorization, cni, controllers, default, ebpf, install, klog, model, proxyconfig, repair, spiffe, telemetry, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>
@@ -694,6 +698,12 @@ These environment variables affect the behavior of the <code>install-cni</code>
 <td>Directory on the host where CNI network plugins are installed</td>
 </tr>
 <tr>
+<td><code>EBPF_ENABLED</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Whether ebpf redirection is enabled</td>
+</tr>
+<tr>
 <td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
 <td>Boolean</td>
 <td><code>true</code></td>
@@ -874,6 +884,12 @@ These environment variables affect the behavior of the <code>install-cni</code>
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -1388,6 +1404,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/zh/docs/reference/commands/istioctl/index.html b/content/zh/docs/reference/commands/istioctl/index.html
index 74e150bbfc..53cf70a9c0 100644
--- a/content/zh/docs/reference/commands/istioctl/index.html
+++ b/content/zh/docs/reference/commands/istioctl/index.html
@@ -4,7 +4,7 @@ source_repo: https://github.com/istio/istio
 title: istioctl
 description: Istio control interface.
 generator: pkg-collateral-docs
-number_of_entries: 107
+number_of_entries: 108
 max_toc_level: 2
 remove_toc_prefix: 'istioctl '
 ---
@@ -4177,6 +4177,61 @@ istioctl x version --xds-label istio.io/rev=default
 <h3 id="istioctl-experimental-waypoint-apply Examples">Examples</h3>
 <pre class="language-bash"><code>  # Apply a waypoint to the current namespace
   istioctl x waypoint apply
+
+  # Apply a waypoint to a specific namespace for a specific service account
+  istioctl x waypoint apply --service-account something --namespace default
+</code></pre>
+<h2 id="istioctl-experimental-waypoint-delete">istioctl experimental waypoint delete</h2>
+<p>Delete a waypoint configuration from the cluster</p>
+<pre class="language-bash"><code>istioctl experimental waypoint delete [flags]
+</code></pre>
+<table class="command-flags">
+<thead>
+<tr>
+<th>Flags</th>
+<th>Shorthand</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>--context &lt;string&gt;</code></td>
+<td></td>
+<td>The name of the kubeconfig context to use  (default ``)</td>
+</tr>
+<tr>
+<td><code>--istioNamespace &lt;string&gt;</code></td>
+<td><code>-i</code></td>
+<td>Istio system namespace  (default `istio-system`)</td>
+</tr>
+<tr>
+<td><code>--kubeconfig &lt;string&gt;</code></td>
+<td><code>-c</code></td>
+<td>Kubernetes configuration file  (default ``)</td>
+</tr>
+<tr>
+<td><code>--namespace &lt;string&gt;</code></td>
+<td><code>-n</code></td>
+<td>Config namespace  (default ``)</td>
+</tr>
+<tr>
+<td><code>--service-account &lt;string&gt;</code></td>
+<td><code>-s</code></td>
+<td>service account to create a waypoint for  (default ``)</td>
+</tr>
+<tr>
+<td><code>--vklog &lt;Level&gt;</code></td>
+<td></td>
+<td>number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)</td>
+</tr>
+</tbody>
+</table>
+<h3 id="istioctl-experimental-waypoint-delete Examples">Examples</h3>
+<pre class="language-bash"><code>  # Delete a waypoint from the current namespace
+  istioctl x waypoint delete
+  
+  # Delete a waypoint from a specific namespace for a specific service account
+  istioctl x waypoint delete --service-account something --namespace default
 </code></pre>
 <h2 id="istioctl-experimental-waypoint-generate">istioctl experimental waypoint generate</h2>
 <p>Generate a waypoint configuration as YAML</p>
@@ -7228,7 +7283,7 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca
 <tr>
 <td><code>--filename &lt;stringSlice&gt;</code></td>
 <td><code>-f</code></td>
-<td>Names of files to validate  (default `[]`)</td>
+<td>Inputs of files to validate  (default `[]`)</td>
 </tr>
 <tr>
 <td><code>--istioNamespace &lt;string&gt;</code></td>
@@ -7720,6 +7775,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -8188,6 +8249,12 @@ These environment variables affect the behavior of the <code>istioctl</code> com
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/zh/docs/reference/commands/operator/index.html b/content/zh/docs/reference/commands/operator/index.html
index a8fff11d47..9ee9a29819 100644
--- a/content/zh/docs/reference/commands/operator/index.html
+++ b/content/zh/docs/reference/commands/operator/index.html
@@ -557,6 +557,12 @@ These environment variables affect the behavior of the <code>operator</code> com
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -1025,6 +1031,12 @@ These environment variables affect the behavior of the <code>operator</code> com
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/zh/docs/reference/commands/pilot-agent/index.html b/content/zh/docs/reference/commands/pilot-agent/index.html
index 2fe29e537e..8fe551b04f 100644
--- a/content/zh/docs/reference/commands/pilot-agent/index.html
+++ b/content/zh/docs/reference/commands/pilot-agent/index.html
@@ -1405,6 +1405,12 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
 <td></td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_META_CERT_SIGNER</code></td>
 <td>String</td>
 <td><code></code></td>
@@ -1925,6 +1931,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/zh/docs/reference/commands/pilot-discovery/index.html b/content/zh/docs/reference/commands/pilot-discovery/index.html
index 184d8bbd23..61c6572c34 100644
--- a/content/zh/docs/reference/commands/pilot-discovery/index.html
+++ b/content/zh/docs/reference/commands/pilot-discovery/index.html
@@ -725,6 +725,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
 <td>Sets the maximum number of concurrent grpc streams.</td>
 </tr>
 <tr>
+<td><code>ISTIO_METADATA_DISCOVERY</code></td>
+<td>Boolean</td>
+<td><code>false</code></td>
+<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
+</tr>
+<tr>
 <td><code>ISTIO_MULTIROOT_MESH</code></td>
 <td>Boolean</td>
 <td><code>false</code></td>
@@ -1217,6 +1223,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
 <td>The amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.</td>
 </tr>
 <tr>
+<td><code>PILOT_XDS_CACHE_INDEX_CLEAR_INTERVAL</code></td>
+<td>Time Duration</td>
+<td><code>5s</code></td>
+<td>The interval for xds cache index clearing.</td>
+</tr>
+<tr>
 <td><code>PILOT_XDS_CACHE_SIZE</code></td>
 <td>Integer</td>
 <td><code>60000</code></td>
diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html
index 291d4072ea..33d18a117c 100644
--- a/content/zh/docs/reference/config/networking/destination-rule/index.html
+++ b/content/zh/docs/reference/config/networking/destination-rule/index.html
@@ -1069,6 +1069,8 @@ The secret (of type <code>generic</code>)should contain the
 following keys and values: <code>key: &lt;privateKey&gt;</code>,
 <code>cert: &lt;clientCert&gt;</code>, <code>cacert: &lt;CACertificate&gt;</code>.
 Here CACertificate is used to verify the server certificate.
+For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> can be provided in the
+same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
 Secret of type tls for client certificates along with
 ca.crt key for CA certificates is also supported.
 Only one of client certificates and CA certificate
diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html
index 50f77ec124..7e9fd87141 100644
--- a/content/zh/docs/reference/config/networking/virtual-service/index.html
+++ b/content/zh/docs/reference/config/networking/virtual-service/index.html
@@ -216,8 +216,8 @@ No
 <td><code><a href="#HTTPRoute">HTTPRoute[]</a></code></td>
 <td>
 <p>An ordered list of route rules for HTTP traffic. HTTP routes will be
-applied to platform service ports named &lsquo;http-<em>&rsquo;/&lsquo;http2-</em>&rsquo;/&lsquo;grpc-*&rsquo;, gateway
-ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
+applied to platform service ports using HTTP/HTTP2/GRPC protocols, gateway
+ports with protocol HTTP/HTTP2/GRPC/TLS-terminated-HTTPS and service
 entry ports using HTTP/HTTP2/GRPC protocols.  The first rule matching
 an incoming request is used.</p>
 
diff --git a/content/zh/docs/reference/config/proxy_extensions/attributegen/index.html b/content/zh/docs/reference/config/proxy_extensions/attributegen/index.html
deleted file mode 100644
index 3e1250e37d..0000000000
--- a/content/zh/docs/reference/config/proxy_extensions/attributegen/index.html
+++ /dev/null
@@ -1,261 +0,0 @@
----
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
-source_repo: https://github.com/istio/proxy
-title: AttributeGen Config
-description: Configuration for Attribute Generation plugin.
-location: https://istio.io/docs/reference/config/proxy_extensions/attributegen.html
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-schema: istio.attributegen
-weight: 20
-number_of_entries: 3
----
-<p>AttributeGen plugin uses <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes">builtin
-attributes</a>
-as inputs and produces new attributes that can be used by downstream plugins.</p>
-<p>The following is an example of a configuration that produces one attribute
-named <code>istio_operationId</code> using <code>request.url_path</code> and <code>request.method</code>.</p>
-<p>{{<tabset category-name="example">}}
-{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
-<pre><code class="language-yaml">{
-  &quot;attributes&quot;: [
-    {
-      &quot;output_attribute&quot;: &quot;istio_operationId&quot;,
-      &quot;match&quot;: [
-        {
-          &quot;value&quot;: &quot;ListBooks&quot;,
-          &quot;condition&quot;: &quot;request.url_path == '/books' &amp;&amp; request.method ==
-          'GET'&quot;
-        },
-        {
-          &quot;value&quot;: &quot;GetBook&quot;,
-          &quot;condition&quot;:
-          &quot;request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
-          &amp;&amp; request.method == 'GET'&quot;
-        },
-        {
-          &quot;value&quot;: &quot;CreateBook&quot;,
-          &quot;condition&quot;: &quot;request.url_path == '/books/' &amp;&amp; request.method ==
-          'POST'&quot;
-        }
-      ]
-    }
-  ]
-}
-
-</code></pre>
-<p>{{</tab>}}
-{{</tabset>}}</p>
-<p>If the Stats plugin runs after AttributeGen, it can use <code>istio_operationId</code>
-to populate a dimension on a metric.</p>
-<p>The following is an example of response codes being mapped into a smaller
-number of response classes as the <code>istio_responseClass</code> attribute. For
-example, all response codes in 200s are mapped to <code>2xx</code>.</p>
-<p>{{<tabset category-name="example">}}
-{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
-<pre><code class="language-yaml">{
-  &quot;attributes&quot;: [
-    {
-      &quot;output_attribute&quot;: &quot;istio_responseClass&quot;,
-      &quot;match&quot;: [
-        {
-          &quot;value&quot;: &quot;2xx&quot;,
-          &quot;condition&quot;: &quot;response.code &gt;= 200 &amp;&amp; response.code &lt;= 299&quot;
-        },
-        {
-          &quot;value&quot;: &quot;3xx&quot;,
-          &quot;condition&quot;: &quot;response.code &gt;= 300 &amp;&amp; response.code &lt;= 399&quot;
-        },
-        {
-          &quot;value&quot;: &quot;404&quot;,
-          &quot;condition&quot;: &quot;response.code == 404&quot;
-        },
-        {
-          &quot;value&quot;: &quot;429&quot;,
-          &quot;condition&quot;: &quot;response.code == 429&quot;
-        },
-        {
-          &quot;value&quot;: &quot;503&quot;,
-          &quot;condition&quot;: &quot;response.code == 503&quot;
-        },
-        {
-          &quot;value&quot;: &quot;5xx&quot;,
-          &quot;condition&quot;: &quot;response.code &gt;= 500 &amp;&amp; response.code &lt;= 599&quot;
-        },
-        {
-          &quot;value&quot;: &quot;4xx&quot;,
-          &quot;condition&quot;: &quot;response.code &gt;= 400 &amp;&amp; response.code &lt;= 499&quot;
-        }
-      ]
-    }
-  ]
-}
-
-</code></pre>
-<p>{{</tab>}}
-{{</tabset>}}</p>
-<p>If multiple AttributeGen configurations produce the same attribute, the
-result of the last configuration will be visible to downstream filters.</p>
-
-<h2 id="PluginConfig">PluginConfig</h2>
-<section>
-<p>Top level configuration to generate new attributes based on attributes of the
-proxied traffic.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="PluginConfig-debug">
-<td><code>debug</code></td>
-<td><code>bool</code></td>
-<td>
-<p>The following settings should be rarely used.
-Enable debug for this filter.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-attributes">
-<td><code>attributes</code></td>
-<td><code><a href="#AttributeGeneration">AttributeGeneration[]</a></code></td>
-<td>
-<p>Multiple independent attribute generation configurations.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="AttributeGeneration">AttributeGeneration</h2>
-<section>
-<p>AttributeGeneration define generation of one attribute.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="AttributeGeneration-output_attribute">
-<td><code>output_attribute</code></td>
-<td><code>string</code></td>
-<td>
-<p>The name of the attribute that is populated on a successful match.
-An attribute name SHOULD NOT contain a <code>.</code>. You may use underscores for
-namespacing instead.</p>
-<p>Example: <code>istio_operationId</code></p>
-<p><code>istio_</code> attribute namespace is reserved by Istio.</p>
-<p>AttributeGeneration may fail to evaluate when an attribute is not
-available. For example, <code>response.code</code> may not be available when a request
-ends abruptly. When attribute generation fails, it will not populate the
-attribute.</p>
-<p>If the generated attribute is used by an authz plugin, it should account
-for the possibility that the attribute may be missing. Use
-<code>has(attribute_name)</code> function to check for presence of an attribute before
-using its value, and provide appropriate defaults. For example the
-following is a safe use of <code>response.code</code></p>
-<p><code>has(response.code)?response.code:200</code></p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="AttributeGeneration-match">
-<td><code>match</code></td>
-<td><code><a href="#Match">Match[]</a></code></td>
-<td>
-<p>Matches are evaluated in order until the first successful match.
-The value specified by the successful match is assgined to the
-output_attribute.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="Match">Match</h2>
-<section>
-<p>If the condition evaluates to true then the Match returns the specified
-value.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Match-condition">
-<td><code>condition</code></td>
-<td><code>string</code></td>
-<td>
-<p>The condition is a <a href="https://github.com/google/cel-spec/blob/master/doc/langdef.md">CEL
-expression</a>
-that may use <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes#attributes">builtin
-attributes</a>.</p>
-<p>Example:</p>
-<p>{{<tabset category-name="example">}}
-{{<tab name="attribute-match" >}}</p>
-<pre><code class="language-yaml">   {
-     &quot;value&quot;: &quot;GetBook&quot;,
-     &quot;condition&quot;:
-     &quot;request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
-     &amp;&amp; request.method == 'GET'&quot;
-   },
-</code></pre>
-<p>Note: CEL uses <a href="https://github.com/google/re2/wiki/Syntax">re2</a> regex
-library. Use anchors <code>{^, $}</code> to ensure that the regex evaluates
-efficiently.</p>
-<p>Note: <code>request.url_path</code> is normalized and stripped of query params.</p>
-<p>a Read only operation on books</p>
-<pre><code class="language-yaml">{ &quot;value&quot;: &quot;ReadOnlyBooks&quot;,
-  &quot;condition&quot;: &quot;request.url_path.startsWith('/books/') &amp;&amp;
-  in(request.method, ['GET', 'HEAD'])&quot;}
-</code></pre>
-<p>{{</tab>}}
-{{</tabset>}}</p>
-<p>An empty condition evaluates to <code>true</code> and should be used to provide a
-default value.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="Match-value">
-<td><code>value</code></td>
-<td><code>string</code></td>
-<td>
-<p>If condition evaluates to true, return the <code>value</code>.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
diff --git a/content/zh/docs/reference/config/proxy_extensions/stats/index.html b/content/zh/docs/reference/config/proxy_extensions/stats/index.html
deleted file mode 100644
index 5acd5cf810..0000000000
--- a/content/zh/docs/reference/config/proxy_extensions/stats/index.html
+++ /dev/null
@@ -1,271 +0,0 @@
----
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
-source_repo: https://github.com/istio/proxy
-title: Stats Config
-description: Configuration for Stats Filter.
-location: https://istio.io/docs/reference/config/proxy_extensions/stats.html
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-weight: 20
-number_of_entries: 5
----
-<h2 id="MetricConfig">MetricConfig</h2>
-<section>
-<p>Metric instance configuration overrides.
-The metric value and the metric type are optional and permit changing the
-reported value for an existing metric.
-The standard metrics are optimized and reported through a &ldquo;fast-path&rdquo;.
-The customizations allow full configurability, at the cost of a &ldquo;slower&rdquo;
-path.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MetricConfig-dimensions">
-<td><code>dimensions</code></td>
-<td><code>map&lt;string,&nbsp;string&gt;</code></td>
-<td>
-<p>(Optional) Collection of tag names and tag expressions to include in the
-metric. Conflicts are resolved by the tag name by overriding previously
-supplied values.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>(Optional) Metric name to restrict the override to a metric. If not
-specified, applies to all.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-tags_to_remove">
-<td><code>tags_to_remove</code></td>
-<td><code>string[]</code></td>
-<td>
-<p>(Optional) A list of tags to remove.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-match">
-<td><code>match</code></td>
-<td><code>string</code></td>
-<td>
-<p>NOT IMPLEMENTED. (Optional) Conditional enabling the override.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricConfig-drop">
-<td><code>drop</code></td>
-<td><code>bool</code></td>
-<td>
-<p>(Optional) If this is set to true, the metric(s) selected by this
-configuration will not be generated or reported.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="MetricDefinition">MetricDefinition</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MetricDefinition-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>Metric name.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricDefinition-value">
-<td><code>value</code></td>
-<td><code>string</code></td>
-<td>
-<p>Metric value expression.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="MetricDefinition-type">
-<td><code>type</code></td>
-<td><code><a href="#MetricType">MetricType</a></code></td>
-<td>
-<p>NOT IMPLEMENTED (Optional) Metric type.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="PluginConfig">PluginConfig</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="PluginConfig-disable_host_header_fallback">
-<td><code>disable_host_header_fallback</code></td>
-<td><code>bool</code></td>
-<td>
-<p>Optional: Disable using host header as a fallback if destination service is
-not available from the controlplane. Disable the fallback if the host
-header originates outsides the mesh, like at ingress.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-tcp_reporting_duration">
-<td><code>tcp_reporting_duration</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
-<td>
-<p>Optional. Allows configuration of the time between calls out to for TCP
-metrics reporting. The default duration is <code>15s</code>.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-metrics">
-<td><code>metrics</code></td>
-<td><code><a href="#MetricConfig">MetricConfig[]</a></code></td>
-<td>
-<p>Metric overrides.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-definitions">
-<td><code>definitions</code></td>
-<td><code><a href="#MetricDefinition">MetricDefinition[]</a></code></td>
-<td>
-<p>Metric definitions.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="PluginConfig-reporter">
-<td><code>reporter</code></td>
-<td><code><a href="#Reporter">Reporter</a></code></td>
-<td>
-<p>Proxy deployment type.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="MetricType">MetricType</h2>
-<section>
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="MetricType-COUNTER">
-<td><code>COUNTER</code></td>
-<td>
-</td>
-</tr>
-<tr id="MetricType-GAUGE">
-<td><code>GAUGE</code></td>
-<td>
-</td>
-</tr>
-<tr id="MetricType-HISTOGRAM">
-<td><code>HISTOGRAM</code></td>
-<td>
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="Reporter">Reporter</h2>
-<section>
-<p>Specifies the proxy deployment type.</p>
-
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="Reporter-UNSPECIFIED">
-<td><code>UNSPECIFIED</code></td>
-<td>
-<p>Default value is inferred from the listener direction, as either client or
-server sidecar.</p>
-
-</td>
-</tr>
-<tr id="Reporter-SERVER_GATEWAY">
-<td><code>SERVER_GATEWAY</code></td>
-<td>
-<p>Shared server gateway, e.g. &ldquo;waypoint&rdquo;.</p>
-
-</td>
-</tr>
-</tbody>
-</table>
-</section>
diff --git a/data/analysis.yaml b/data/analysis.yaml
index cb52dec618..03f7b9a991 100644
--- a/data/analysis.yaml
+++ b/data/analysis.yaml
@@ -618,3 +618,29 @@ messages:
     args:
       - name: podNames
         type: "[]string"
+
+  - name: "ConflictingTelemetryWorkloadSelectors"
+    code: IST0159
+    level: Error
+    description: "A Telemetry resource selects the same workloads as another Telemetry resource"
+    template: "The Telemetries %v in namespace %q select the same workload pod %q, which can lead to undefined behavior."
+    url: "https://istio.io/latest/docs/reference/config/analysis/ist0159/"
+    args:
+      - name: conflictingTelemetries
+        type: "[]string"
+      - name: namespace
+        type: string
+      - name: workloadPod
+        type: string
+
+  - name: "MultipleTelemetriesWithoutWorkloadSelectors"
+    code: IST0160
+    level: Error
+    description: "More than one telemetry resource in a namespace has no workload selector"
+    template: "The Telemetries %v in namespace %q have no workload selector, which can lead to undefined behavior."
+    url: "https://istio.io/latest/docs/reference/config/analysis/ist0160/"
+    args:
+      - name: conflictingTelemetries
+        type: "[]string"
+      - name: namespace
+        type: string
diff --git a/data/features.yaml b/data/features.yaml
index bd66f5379d..8ca953de5d 100644
--- a/data/features.yaml
+++ b/data/features.yaml
@@ -166,6 +166,7 @@ features:
     area: Observability
   - name: "WebAssembly Extension"
     id: "observability.webassembly"
+    link: "/docs/reference/config/proxy_extensions/wasm-plugin/"
     level:
       checklist: ""
       maturity: Alpha

Flags	Shorthand	Description
`--context <string>`		The name of the kubeconfig context to use (default ``)
`--istioNamespace <string>`	`-i`	Istio system namespace (default `istio-system`)
`--kubeconfig <string>`	`-c`	Kubernetes configuration file (default ``)
`--namespace <string>`	`-n`	Config namespace (default ``)
`--service-account <string>`	`-s`	service account to create a waypoint for (default ``)
`--vklog <Level>`		number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
Field	Type	Description	Required
`debug`	`bool`	- The following settings should be rarely used. -Enable debug for this filter. - -	-No -
`attributes`	`AttributeGeneration[]`	- Multiple independent attribute generation configurations. - -	-No -
Field	Type	Description	Required
`dimensions`	`map<string, string>`	- (Optional) Collection of tag names and tag expressions to include in the -metric. Conflicts are resolved by the tag name by overriding previously -supplied values. - -	-No -
`name`	`string`	- (Optional) Metric name to restrict the override to a metric. If not -specified, applies to all. - -	-No -
`tags_to_remove`	`string[]`	- (Optional) A list of tags to remove. - -	-No -
`match`	`string`	- NOT IMPLEMENTED. (Optional) Conditional enabling the override. - -	-No -
`drop`	`bool`	- (Optional) If this is set to true, the metric(s) selected by this -configuration will not be generated or reported. - -	-No -
Field	Type	Description	Required
`name`	`string`	- Metric name. - -	-No -
`value`	`string`	- Metric value expression. - -	-No -
`type`	`MetricType`	- NOT IMPLEMENTED (Optional) Metric type. - -	-No -
Field	Type	Description	Required
`disable_host_header_fallback`	`bool`	- Optional: Disable using host header as a fallback if destination service is -not available from the controlplane. Disable the fallback if the host -header originates outsides the mesh, like at ingress. - -	-No -
`tcp_reporting_duration`	`Duration`	- Optional. Allows configuration of the time between calls out to for TCP -metrics reporting. The default duration is `15s`. - -	-No -
`metrics`	`MetricConfig[]`	- Metric overrides. - -	-No -
`definitions`	`MetricDefinition[]`	- Metric definitions. - -	-No -
`reporter`	`Reporter`	- Proxy deployment type. - -	-No -
Name	Description
`UNSPECIFIED`	- Default value is inferred from the listener direction, as either client or -server sidecar. - -
`SERVER_GATEWAY`	- Shared server gateway, e.g. “waypoint”. - -