This page presents the various resource annotations that Istio supports to control its behavior.
| Annotation Name | Resource Types | Description |
|---|---|---|
kubernetes.io/ingress.class |
[Ingress] | Annotation on an Ingress resources denoting the class of controllers responsible for it. |
networking.istio.io/exportTo |
[Service] | Specifies the namespaces to which this service should be exported to. A value of '*' indicates it is reachable within the mesh '.' indicates it is reachable within its namespace. |
policy.istio.io/check |
[Pod] | Determines the policy for behavior when unable to connect to Mixer. If not set, FAIL_CLOSE is set, rejecting requests. |
policy.istio.io/checkBaseRetryWaitTime |
[Pod] | Base time to wait between retries, will be adjusted by backoff and jitter. In duration format. If not set, this will be 80ms. |
policy.istio.io/checkMaxRetryWaitTime |
[Pod] | Maximum time to wait between retries to Mixer. In duration format. If not set, this will be 1000ms. |
policy.istio.io/checkRetries |
[Pod] | The maximum number of retries on transport errors to Mixer. If not set, this will be 0, indicating no retries. |
policy.istio.io/lang |
[Pod] | Selects the attribute expression language runtime for Mixer. |
readiness.status.sidecar.istio.io/applicationPorts |
[Pod] | Specifies the list of ports exposed by the application container. Used by the Envoy sidecar readiness probe to determine that Envoy is configured and ready to receive traffic. |
readiness.status.sidecar.istio.io/failureThreshold |
[Pod] | Specifies the failure threshold for the Envoy sidecar readiness probe. |
readiness.status.sidecar.istio.io/initialDelaySeconds |
[Pod] | Specifies the initial delay (in seconds) for the Envoy sidecar readiness probe. |
readiness.status.sidecar.istio.io/periodSeconds |
[Pod] | Specifies the period (in seconds) for the Envoy sidecar readiness probe. |
sidecar.istio.io/bootstrapOverride |
[Pod] | Specifies an alternative Envoy bootstrap configuration file. |
sidecar.istio.io/componentLogLevel |
[Pod] | Specifies the component log level for Envoy. |
sidecar.istio.io/controlPlaneAuthPolicy |
[Pod] | Specifies the auth policy used by the Istio control plane. If NONE, traffic will not be encrypted. If MUTUAL_TLS, traffic between Envoy sidecar will be wrapped into mutual TLS connections. |
sidecar.istio.io/discoveryAddress |
[Pod] | Specifies the XDS discovery address to be used by the Envoy sidecar. |
sidecar.istio.io/inject |
[Pod] | Specifies whether or not an Envoy sidecar should be automatically injected into the workload. |
sidecar.istio.io/interceptionMode |
[Pod] | Specifies the mode used to redirect inbound connections to Envoy (REDIRECT or TPROXY). |
sidecar.istio.io/logLevel |
[Pod] | Specifies the log level for Envoy. |
sidecar.istio.io/proxyCPU |
[Pod] | Specifies the requested CPU setting for the Envoy sidecar. |
sidecar.istio.io/proxyImage |
[Pod] | Specifies the Docker image to be used by the Envoy sidecar. |
sidecar.istio.io/proxyMemory |
[Pod] | Specifies the requested memory setting for the Envoy sidecar. |
sidecar.istio.io/rewriteAppHTTPProbers |
[Pod] | Rewrite HTTP readiness and liveness probes to be redirected to the Envoy sidecar. |
sidecar.istio.io/statsInclusionPrefixes |
[Pod] | Specifies the comma separated list of prefixes of the stats to be emitted by Envoy. |
sidecar.istio.io/statsInclusionRegexps |
[Pod] | Specifies the comma separated list of regexes the stats should match to be emitted by Envoy. |
sidecar.istio.io/statsInclusionSuffixes |
[Pod] | Specifies the comma separated list of suffixes of the stats to be emitted by Envoy. |
sidecar.istio.io/status |
[Pod] | Generated by Envoy sidecar injection that indicates the status of the operation. Includes a version hash of the executed template, as well as names of injected resources. |
sidecar.istio.io/userVolume |
[Pod] | Specifies one or more user volumes (as a JSON array) to be added to the Envoy sidecar. |
sidecar.istio.io/userVolumeMount |
[Pod] | Specifies one or more user volume mounts (as a JSON array) to be added to the Envoy sidecar. |
status.sidecar.istio.io/port |
[Pod] | Specifies the HTTP status Port for the Envoy sidecar. If zero, the sidecar will not provide status. |
traffic.sidecar.istio.io/excludeInboundPorts |
[Pod] | A comma separated list of inbound ports to be excluded from redirection to Envoy. Only applies when all inbound traffic (i.e. '*') is being redirected. |
traffic.sidecar.istio.io/excludeOutboundIPRanges |
[Pod] | A comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all outbound traffic (i.e. '*') is being redirected. |
traffic.sidecar.istio.io/excludeOutboundPorts |
[Pod] | A comma separated list of outbound ports to be excluded from redirection to Envoy. |
traffic.sidecar.istio.io/includeInboundPorts |
[Pod] | A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. An empty list will disable all inbound redirection. |
traffic.sidecar.istio.io/includeOutboundIPRanges |
[Pod] | A comma separated list of IP ranges in CIDR form to redirect to Envoy (optional). The wildcard character '*' can be used to redirect all outbound traffic. An empty list will disable all outbound redirection. |
traffic.sidecar.istio.io/kubevirtInterfaces |
[Pod] | A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. |