istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/en/docs/reference/config/networking/sidecar/index.html

809 lines
25 KiB
HTML
Raw Permalink Blame History

---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: Sidecar
description: Configuration affecting network reachability of a sidecar.
location: https://istio.io/docs/reference/config/networking/sidecar.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.Sidecar
aliases: [/docs/reference/config/networking/v1alpha3/sidecar]
number_of_entries: 7
---
<p><code>Sidecar</code> describes the configuration of the sidecar proxy that mediates
inbound and outbound communication to the workload instance it is attached to. By
default, Istio will program all sidecar proxies in the mesh with the
necessary configuration required to reach every workload instance in the mesh, as
well as accept traffic on all the ports associated with the
workload. The <code>Sidecar</code> configuration provides a way to fine tune the set of
ports, protocols that the proxy will accept when forwarding traffic to
and from the workload. In addition, it is possible to restrict the set
of services that the proxy can reach when forwarding outbound traffic
from workload instances.</p>
<p>Services and configuration in a mesh are organized into one or more
namespaces (e.g., a Kubernetes namespace or a CF org/space). A <code>Sidecar</code>
configuration in a namespace will apply to one or more workload instances in the same
namespace, selected using the <code>workloadSelector</code> field. In the absence of a
<code>workloadSelector</code>, it will apply to all workload instances in the same
namespace. When determining the <code>Sidecar</code> configuration to be applied to a
workload instance, preference will be given to the resource with a
<code>workloadSelector</code> that selects this workload instance, over a <code>Sidecar</code> configuration
without any <code>workloadSelector</code>.</p>
<p><strong>NOTE 1</strong>: <em><em>Each namespace can have only one <code>Sidecar</code>
configuration without any <code>workloadSelector</code></em> that specifies the
default for all pods in that namespace</em>. It is recommended to use
the name <code>default</code> for the namespace-wide sidecar. The behavior of
the system is undefined if more than one selector-less <code>Sidecar</code>
configurations exist in a given namespace. The behavior of the
system is undefined if two or more <code>Sidecar</code> configurations with a
<code>workloadSelector</code> select the same workload instance.</p>
<p><strong>NOTE 2</strong>: <em><em>A <code>Sidecar</code> configuration in the <code>MeshConfig</code>
<a href="/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig">root namespace</a>
will be applied by default to all namespaces without a <code>Sidecar</code>
configuration</em></em>. This global default <code>Sidecar</code> configuration should not have
any <code>workloadSelector</code>.</p>
<p>The example below declares a global default <code>Sidecar</code> configuration
in the root namespace called <code>istio-config</code>, that configures
sidecars in all namespaces to allow egress traffic only to other
workloads in the same namespace as well as to services in the
<code>istio-system</code> namespace.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- &quot;./*&quot;
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: istio-config
spec:
egress:
- hosts:
- &quot;./*&quot;
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The example below declares a <code>Sidecar</code> configuration in the
<code>prod-us1</code> namespace that overrides the global default defined
above, and configures the sidecars in the namespace to allow egress
traffic to public services in the <code>prod-us1</code>, <code>prod-apis</code>, and the
<code>istio-system</code> namespaces.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: default
namespace: prod-us1
spec:
egress:
- hosts:
- &quot;prod-us1/*&quot;
- &quot;prod-apis/*&quot;
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: default
namespace: prod-us1
spec:
egress:
- hosts:
- &quot;prod-us1/*&quot;
- &quot;prod-apis/*&quot;
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>The following example declares a <code>Sidecar</code> configuration in the
<code>prod-us1</code> namespace for all pods with labels <code>app: ratings</code>
belonging to the <code>ratings.prod-us1</code> service. The workload accepts
inbound HTTP traffic on port 9080. The traffic is then forwarded to
the attached workload instance listening on a Unix domain
socket. In the egress direction, in addition to the <code>istio-system</code>
namespace, the sidecar proxies only HTTP traffic bound for port
9080 for services in the <code>prod-us1</code> namespace.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- &quot;prod-us1/*&quot;
- hosts:
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: ratings
namespace: prod-us1
spec:
workloadSelector:
labels:
app: ratings
ingress:
- port:
number: 9080
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- &quot;prod-us1/*&quot;
- hosts:
- &quot;istio-system/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>If the workload is deployed without IPTables-based traffic capture,
the <code>Sidecar</code> configuration is the only way to configure the ports
on the proxy attached to the workload instance. The following
example declares a <code>Sidecar</code> configuration in the <code>prod-us1</code>
namespace for all pods with labels <code>app: productpage</code> belonging to
the <code>productpage.prod-us1</code> service. Assuming that these pods are
deployed without IPtable rules (i.e. the <code>istio-init</code> container)
and the proxy metadata <code>ISTIO_META_INTERCEPTION_MODE</code> is set to
<code>NONE</code>, the specification, below, allows such pods to receive HTTP
traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
it to the application listening on <code>127.0.0.1:8080</code>. It also allows
the application to communicate with a backing MySQL database on
<code>127.0.0.1:3306</code>, that then gets proxied to the externally hosted
MySQL service at <code>mysql.foo.com:3306</code>.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: no-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- port:
number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE # not needed if metadata is set for entire proxy
egress:
- port:
number: 3306
protocol: MYSQL
name: egressmysql
captureMode: NONE # not needed if metadata is set for entire proxy
bind: 127.0.0.1
hosts:
- &quot;*/mysql.foo.com&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: no-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- port:
number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE # not needed if metadata is set for entire proxy
egress:
- port:
number: 3306
protocol: MYSQL
name: egressmysql
captureMode: NONE # not needed if metadata is set for entire proxy
bind: 127.0.0.1
hosts:
- &quot;*/mysql.foo.com&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>And the associated service entry for routing to <code>mysql.foo.com:3306</code></p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-svc-mysql
namespace: ns1
spec:
hosts:
- mysql.foo.com
ports:
- number: 3306
name: mysql
protocol: MYSQL
location: MESH_EXTERNAL
resolution: DNS
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: external-svc-mysql
namespace: ns1
spec:
hosts:
- mysql.foo.com
ports:
- number: 3306
name: mysql
protocol: MYSQL
location: MESH_EXTERNAL
resolution: DNS
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>It is also possible to mix and match traffic capture modes in a single
proxy. For example, consider a setup where internal services are on the
<code>192.168.0.0/16</code> subnet. So, IP tables are setup on the VM to capture all
outbound traffic on <code>192.168.0.0/16</code> subnet. Assume that the VM has an
additional network interface on <code>172.16.0.0/16</code> subnet for inbound
traffic. The following <code>Sidecar</code> configuration allows the VM to expose a
listener on <code>172.16.1.32:80</code> (the VM&rsquo;s IP) for traffic arriving from the
<code>172.16.0.0/16</code> subnet.</p>
<p><strong>NOTE</strong>: The <code>ISTIO_META_INTERCEPTION_MODE</code> metadata on the
proxy in the VM should contain <code>REDIRECT</code> or <code>TPROXY</code> as its value,
implying that IP tables based traffic capture is active.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: partial-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- bind: 172.16.1.32
port:
number: 80 # binds to 172.16.1.32:80
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE
egress:
# use the system detected defaults
# sets up configuration to handle outbound traffic to services
# in 192.168.0.0/16 subnet, based on information provided by the
# service registry
- captureMode: IPTABLES
hosts:
- &quot;*/*&quot;
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
name: partial-ip-tables
namespace: prod-us1
spec:
workloadSelector:
labels:
app: productpage
ingress:
- bind: 172.16.1.32
port:
number: 80 # binds to 172.16.1.32:80
protocol: HTTP
name: somename
defaultEndpoint: 127.0.0.1:8080
captureMode: NONE
egress:
# use the system detected defaults
# sets up configuration to handle outbound traffic to services
# in 192.168.0.0/16 subnet, based on information provided by the
# service registry
- captureMode: IPTABLES
hosts:
- &quot;*/*&quot;
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<h2 id="Sidecar">Sidecar</h2>
<section>
<p><code>Sidecar</code> describes the configuration of the sidecar proxy that mediates
inbound and outbound communication of the workload instance to which it is
attached.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Sidecar-workload_selector">
<td><code>workloadSelector</code></td>
<td><code><a href="#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>Criteria used to select the specific set of pods/VMs on which this
<code>Sidecar</code> configuration should be applied. If omitted, the <code>Sidecar</code>
configuration will be applied to all workload instances in the same namespace.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-ingress">
<td><code>ingress</code></td>
<td><code><a href="#IstioIngressListener">IstioIngressListener[]</a></code></td>
<td>
<p>Ingress specifies the configuration of the sidecar for processing
inbound traffic to the attached workload instance. If omitted, Istio will
automatically configure the sidecar based on the information about the workload
obtained from the orchestration platform (e.g., exposed ports, services,
etc.). If specified, inbound ports are configured if and only if the
workload instance is associated with a service.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-egress">
<td><code>egress</code></td>
<td><code><a href="#IstioEgressListener">IstioEgressListener[]</a></code></td>
<td>
<p>Egress specifies the configuration of the sidecar for processing
outbound traffic from the attached workload instance to other
services in the mesh. If not specified, inherits the system
detected defaults from the namespace-wide or the global default Sidecar.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-outbound_traffic_policy">
<td><code>outboundTrafficPolicy</code></td>
<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
<td>
<p>Configuration for the outbound traffic policy. If your
application uses one or more external services that are not known
apriori, setting the policy to <code>ALLOW_ANY</code> will cause the
sidecars to route any unknown traffic originating from the
application to its requested destination. If not specified,
inherits the system detected defaults from the namespace-wide or
the global default Sidecar.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="IstioIngressListener">IstioIngressListener</h2>
<section>
<p><code>IstioIngressListener</code> specifies the properties of an inbound
traffic listener on the sidecar proxy attached to a workload instance.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioIngressListener-port">
<td><code>port</code></td>
<td><code><a href="/docs/reference/config/networking/gateway/#Port">Port</a></code></td>
<td>
<p>The port associated with the listener.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="IstioIngressListener-bind">
<td><code>bind</code></td>
<td><code>string</code></td>
<td>
<p>The IP to which the listener should be bound. Must be in the
format <code>x.x.x.x</code>. Unix domain socket addresses are not allowed in
the bind field for ingress listeners. If omitted, Istio will
automatically configure the defaults based on imported services
and the workload instances to which this configuration is applied
to.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-capture_mode">
<td><code>captureMode</code></td>
<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
<td>
<p>The captureMode option dictates how traffic to the listener is
expected to be captured (or not).</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioIngressListener-default_endpoint">
<td><code>defaultEndpoint</code></td>
<td><code>string</code></td>
<td>
<p>The loopback IP endpoint or Unix domain socket to which
traffic should be forwarded to. This configuration can be used to
redirect traffic arriving at the bind <code>IP:Port</code> on the sidecar to a <code>localhost:port</code>
or Unix domain socket where the application workload instance is listening for
connections. Format should be <code>127.0.0.1:PORT</code> or <code>unix:///path/to/socket</code></p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="IstioEgressListener">IstioEgressListener</h2>
<section>
<p><code>IstioEgressListener</code> specifies the properties of an outbound traffic
listener on the sidecar proxy attached to a workload instance.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IstioEgressListener-port">
<td><code>port</code></td>
<td><code><a href="/docs/reference/config/networking/gateway/#Port">Port</a></code></td>
<td>
<p>The port associated with the listener. If using Unix domain socket,
use 0 as the port number, with a valid protocol. The port if
specified, will be used as the default destination port associated
with the imported hosts. If the port is omitted, Istio will infer the
listener ports based on the imported hosts. Note that when multiple
egress listeners are specified, where one or more listeners have
specific ports while others have no port, the hosts exposed on a
listener port will be based on the listener with the most specific
port.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-bind">
<td><code>bind</code></td>
<td><code>string</code></td>
<td>
<p>The IP or the Unix domain socket to which the listener should be bound
to. Port MUST be specified if bind is not empty. Format: <code>x.x.x.x</code> or
<code>unix:///path/to/uds</code> or <code>unix://@foobar</code> (Linux abstract namespace). If
omitted, Istio will automatically configure the defaults based on imported
services, the workload instances to which this configuration is applied to and
the captureMode. If captureMode is <code>NONE</code>, bind will default to
127.0.0.1.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-capture_mode">
<td><code>captureMode</code></td>
<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
<td>
<p>When the bind address is an IP, the captureMode option dictates
how traffic to the listener is expected to be captured (or not).
captureMode must be DEFAULT or <code>NONE</code> for Unix domain socket binds.</p>
</td>
<td>
No
</td>
</tr>
<tr id="IstioEgressListener-hosts">
<td><code>hosts</code></td>
<td><code>string[]</code></td>
<td>
<p>One or more service hosts exposed by the listener
in <code>namespace/dnsName</code> format. Services in the specified namespace
matching <code>dnsName</code> will be exposed.
The corresponding service can be a service in the service registry
(e.g., a Kubernetes or cloud foundry service) or a service specified
using a <code>ServiceEntry</code> or <code>VirtualService</code> configuration. Any
associated <code>DestinationRule</code> in the same namespace will also be used.</p>
<p>The <code>dnsName</code> should be specified using FQDN format, optionally including
a wildcard character in the left-most component (e.g., <code>prod/*.example.com</code>).
Set the <code>dnsName</code> to <code>*</code> to select all services from the specified namespace
(e.g., <code>prod/*</code>).</p>
<p>The <code>namespace</code> can be set to <code>*</code>, <code>.</code>, or <code>~</code>, representing any, the current,
or no namespace, respectively. For example, <code>*/foo.example.com</code> selects the
service from any available namespace while <code>./foo.example.com</code> only selects
the service from the namespace of the sidecar. If a host is set to <code>*/*</code>,
Istio will configure the sidecar to be able to reach every service in the
mesh that is exported to the sidecar&rsquo;s namespace. The value <code>~/*</code> can be used
to completely trim the configuration for sidecars that simply receive traffic
and respond, but make no outbound connections of their own.</p>
<p>NOTE: Only services and configuration artifacts exported to the sidecar&rsquo;s
namespace (e.g., <code>exportTo</code> value of <code>*</code>) can be referenced.
Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
not be available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
<code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>
<p><strong>WARNING:</strong> The list of egress hosts in a <code>Sidecar</code> must also include
the Mixer control plane services if they are enabled. Envoy will not
be able to reach them otherwise. For example, add host
<code>istio-system/istio-telemetry.istio-system.svc.cluster.local</code> if telemetry
is enabled, <code>istio-system/istio-policy.istio-system.svc.cluster.local</code> if
policy is enabled, or add <code>istio-system/*</code> to allow all services in the
<code>istio-system</code> namespace. This requirement is temporary and will be removed
in a future Istio release.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="WorkloadSelector">WorkloadSelector</h2>
<section>
<p><code>WorkloadSelector</code> specifies the criteria used to determine if the
<code>Gateway</code>, <code>Sidecar</code>, or <code>EnvoyFilter</code> or <code>ServiceEntry</code>
configuration can be applied to a proxy. The matching criteria
includes the metadata associated with a proxy, workload instance
info such as labels attached to the pod/VM, or any other info that
the proxy provides to Istio during the initial handshake. If
multiple conditions are specified, all conditions need to match in
order for the workload instance to be selected. Currently, only
label based selection mechanism is supported.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="WorkloadSelector-labels">
<td><code>labels</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>One or more labels that indicate a specific set of pods/VMs
on which the configuration should be applied. The scope of
label search is restricted to the configuration namespace in which the
the resource is present.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="OutboundTrafficPolicy">OutboundTrafficPolicy</h2>
<section>
<p><code>OutboundTrafficPolicy</code> sets the default behavior of the sidecar for
handling outbound traffic from the application.
If your application uses one or more external
services that are not known apriori, setting the policy to <code>ALLOW_ANY</code>
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use <code>ServiceEntry</code> configurations to explicitly declare any external
dependencies, instead of using <code>ALLOW_ANY</code>, so that traffic to these
services can be monitored.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="OutboundTrafficPolicy-mode">
<td><code>mode</code></td>
<td><code><a href="#OutboundTrafficPolicy-Mode">Mode</a></code></td>
<td>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="OutboundTrafficPolicy-Mode">OutboundTrafficPolicy.Mode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
<td><code>REGISTRY_ONLY</code></td>
<td>
<p>Outbound traffic will be restricted to services defined in the
service registry as well as those defined through <code>ServiceEntry</code> configurations.</p>
</td>
</tr>
<tr id="OutboundTrafficPolicy-Mode-ALLOW_ANY">
<td><code>ALLOW_ANY</code></td>
<td>
<p>Outbound traffic to unknown destinations will be allowed, in case
there are no services or <code>ServiceEntry</code> configurations for the destination port.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="CaptureMode">CaptureMode</h2>
<section>
<p><code>CaptureMode</code> describes how traffic to a listener is expected to be
captured. Applicable only when the listener is bound to an IP.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="CaptureMode-DEFAULT">
<td><code>DEFAULT</code></td>
<td>
<p>The default capture mode defined by the environment.</p>
</td>
</tr>
<tr id="CaptureMode-IPTABLES">
<td><code>IPTABLES</code></td>
<td>
<p>Capture traffic using IPtables redirection.</p>
</td>
</tr>
<tr id="CaptureMode-NONE">
<td><code>NONE</code></td>
<td>
<p>No traffic capture. When used in an egress listener, the application is
expected to explicitly communicate with the listener port or Unix
domain socket. When used in an ingress listener, care needs to be taken
to ensure that the listener port is not in use by other processes on
the host.</p>
</td>
</tr>
</tbody>
</table>
</section>
Reference in New Issue View Git Blame Copy Permalink