--- title: Service Mesh overview: Global configuration schema order: 30 layout: docs type: markdown --- ### Index * [ProxyMeshConfig](#istio.proxy.v1.config.ProxyMeshConfig) (message) * [ProxyMeshConfig.AuthPolicy](#istio.proxy.v1.config.ProxyMeshConfig.AuthPolicy) (enum) * [ProxyMeshConfig.IngressControllerMode](#istio.proxy.v1.config.ProxyMeshConfig.IngressControllerMode) (enum) ### ProxyMeshConfig ProxyMeshConfig defines variables shared by all Envoy instances in the Istio service mesh.
Field Type Description
egressProxyAddress string Address of the egress envoy service (e.g. istio-egress:80).
discoveryAddress string Address of the discovery service exposing SDS, CDS, RDS (e.g. istio-manager:8080).
mixerAddress string Address of the mixer service (e.g. istio-mixer:9090).
zipkinAddress string Address of the Zipkin service (e.g. zipkin:9411).
proxyListenPort int32 Port on which egress envoy should listen for incoming connections from other services.
proxyAdminPort int32 Port on which egress envoy should listen for administrative commands.
drainDuration Duration The time in seconds that Envoy will drain connections during a hot restart. MUST be >=1s (e.g., 1s/1m/1h)
parentShutdownDuration Duration The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). MUST BE greater than drainDuration parameter.
istioServiceCluster string

istioServiceCluster defines the name for the serviceCluster that is shared by all Envoy instances. This setting corresponds to --service-cluster flag in Envoy. In a typical Envoy deployment, the service-cluster flag is used to identify the caller, for source-based routing scenarios.

Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the --service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances located at that IP address.
discoveryRefreshDelay Duration Polling interval for service discovery. (MUST BE >=1ms)
connectTimeout Duration Connection timeout used by Envoy. (MUST BE >=1ms)
ingressClass string Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of "kubernetes.io/ingress.class" annotation.
ingressService string Name of the kubernetes service used for the istio ingress controller.
ingressControllerMode IngressControllerMode Defines whether to use Istio ingress controller for annotated or all ingress resources.
authPolicy AuthPolicy Authentication policy defines the global switch to control authentication for Envoy-to-Envoy communication.
authCertsPath string Path to the secrets used by the authentication policy.
### AuthPolicy
Value Description
NONE Do not encrypt Envoy to Envoy traffic.
MUTUALTLS Envoy to Envoy traffic is wrapped into mutual TLS connections.
### IngressControllerMode
Value Description
OFF Disables Istio ingress controller.
DEFAULT Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire kubernetes cluster.
STRICT Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller).