istio.io/archive/v1.1/docs/reference/config/istio.mesh.v1alpha1/index.html

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Service Mesh"><meta name=description content="Configuration affecting the service mesh as a whole."><meta name=keywords content=microservices,services,mesh><meta property=og:title content="Service Mesh"><meta property=og:type content=website><meta property=og:description content="Configuration affecting the service mesh as a whole."><meta property=og:url content=/v1.1/docs/reference/config/istio.mesh.v1alpha1/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Service Mesh</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Service Mesh";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 
220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<a title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.1/help/>Help</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/reference\/config\/istio.mesh.v1alpha1\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/reference\/config\/istio.mesh.v1alpha1\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card19 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card19-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card19 role=region id=card19-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card19><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.1/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.1/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.1/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the policy enforcement and telemetry mechanisms." href=/v1.1/docs/concepts/policies-and-telemetry/>Policies and Telemetry</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.1/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes how a service mesh can be configured to include services from more than one cluster." 
href=/v1.1/docs/concepts/multicluster-deployments/>Multicluster Deployments</a></li></ul></div></div><div class=card><button class="header dynamic" id=card39 title="How to deploy and upgrade Istio in various environments such as Kubernetes and Consul." aria-controls=card39-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card39 role=region id=card39-body><ul role=tree aria-expanded=true aria-labelledby=card39><li role=treeitem aria-label=Kubernetes><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." href=/v1.1/docs/setup/kubernetes/>Kubernetes</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Prepare><button aria-hidden=true></button><a title="Getting ready for Istio." href=/v1.1/docs/setup/kubernetes/prepare/>Prepare</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.1/docs/setup/kubernetes/prepare/requirements/>Pods and Services</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker For Desktop for use with Istio." 
href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/docker/>Docker For Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup Minikube for use with Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li></ul></li><li role=none><a role=treeitem title="Download the Istio release and prepare for installation." href=/v1.1/docs/setup/kubernetes/download/>Download</a></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the flows that best suit your needs and platform." href=/v1.1/docs/setup/kubernetes/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Instructions to install and configure an Istio mesh in a Kubernetes cluster for evaluation." href=/v1.1/docs/setup/kubernetes/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Instructions to install Istio using a Helm chart." href=/v1.1/docs/setup/kubernetes/install/helm/>Customizable Install with Helm</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." 
href=/v1.1/docs/setup/kubernetes/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using Istio Gateway to reach remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/gateways/>Gateway Connectivity</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with direct network access to remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/vpn/>VPN Connectivity</a></li></ul></li><li role=treeitem aria-label="Platform-specific Instructions"><button aria-hidden=true></button><a title="Additional installation flows for the supported Kubernetes platforms." href=/v1.1/docs/setup/kubernetes/install/platform/>Platform-specific Instructions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to install Istio using the Alibaba Cloud Kubernetes Container Service." href=/v1.1/docs/setup/kubernetes/install/platform/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to install Istio using the Google Kubernetes Engine (GKE)." href=/v1.1/docs/setup/kubernetes/install/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to install Istio using IBM Cloud Public or IBM Cloud Private." href=/v1.1/docs/setup/kubernetes/install/platform/ibm/>IBM Cloud</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.1/docs/setup/kubernetes/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes operators must understand before upgrading to Istio 1.1." 
href=/v1.1/docs/setup/kubernetes/upgrade/notice/>1.1 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.1/docs/setup/kubernetes/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.1/docs/setup/kubernetes/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.1/docs/setup/kubernetes/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.1/docs/setup/kubernetes/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.1/docs/setup/kubernetes/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.1/docs/setup/kubernetes/additional-setup/mesh-expansion/>Mesh Expansion</a></li></ul></li></ul></li><li role=treeitem aria-label="Nomad &amp; Consul"><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href=/v1.1/docs/setup/consul/>Nomad &amp; Consul</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Quick Start instructions to setup the Istio service mesh with Docker Compose." 
href=/v1.1/docs/setup/consul/quick-start/>Quick Start on Docker</a></li><li role=none><a role=treeitem title="Instructions for installing the Istio control plane in a Consul-based environment, with or without Nomad." href=/v1.1/docs/setup/consul/install/>Installation</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card57 title="How to do single specific targeted activities with the Istio system." aria-controls=card57-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card57 role=region id=card57-body><ul role=tree aria-expanded=true aria-labelledby=card57><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.1/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.1/docs/tasks/traffic-management/request-routing/>Configuring Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.1/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.1/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.1/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." 
href=/v1.1/docs/tasks/traffic-management/request-timeouts/>Setting Request Timeouts</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh." href=/v1.1/docs/tasks/traffic-management/ingress/>Control Ingress Traffic</a></li><li role=treeitem aria-label="Securing Ingress Gateway"><button aria-hidden=true></button><a title="Secure ingress gateway controllers using various approaches." href=/v1.1/docs/tasks/traffic-management/secure-ingress/>Securing Ingress Gateway</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.1/docs/tasks/traffic-management/secure-ingress/mount/>Securing Gateways with HTTPS With a File Mount-Based Approach</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS, using secret discovery service." href=/v1.1/docs/tasks/traffic-management/secure-ingress/sds/>Securing Gateways with HTTPS Using Secret Discovery Service</a></li></ul></li><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.1/docs/tasks/traffic-management/egress/>Control Egress Traffic</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.1/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.1/docs/tasks/traffic-management/mirroring/>Mirroring</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." 
href=/v1.1/docs/tasks/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.1/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.1/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.1/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="This task shows you how to integrate a Vault Certificate Authority with Istio for mutual TLS." href=/v1.1/docs/tasks/security/vault-ca/>Istio Vault CA Integration</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.1/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.1/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." 
href=/v1.1/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.1/docs/tasks/security/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.1/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.1/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.1/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.1/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.1/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.1/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.1/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." 
href=/v1.1/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.1/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.1/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.1/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.1/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.1/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.1/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.1/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.1/docs/tasks/telemetry/logs/access-log/>Getting Envoy&#39;s Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." 
href=/v1.1/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.1/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.1/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.1/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.1/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.1/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.1/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.1/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card72 title="A variety of fully working example uses for Istio that you can experiment with." 
aria-controls=card72-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card72 role=region id=card72-body><ul role=tree aria-expanded=true aria-labelledby=card72><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.1/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.1/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Illustrates how to use Istio to control a Kubernetes cluster and raw VMs as a single mesh." href=/v1.1/docs/examples/integrating-vms/>Integrating Virtual Machines</a></li><li role=treeitem aria-label="Edge Traffic Management"><button aria-hidden=true></button><a title="A variety of advanced examples for managing traffic at the edge (i.e., ingress and egress traffic) of an Istio service mesh." href=/v1.1/docs/examples/advanced-gateways/>Edge Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.1/docs/examples/advanced-gateways/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.1/docs/examples/advanced-gateways/egress-tls-origination/>TLS Origination for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." 
href=/v1.1/docs/examples/advanced-gateways/egress-gateway/>Configure an Egress Gateway</a></li></ul></li></ul></div></div></div></nav></div><div class=article-container><article aria-labelledby=title><div class=title-area><div><h1 id=title>Service Mesh</h1><p class=byline><span title="2712 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span>&nbsp;</span>13 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=AuthenticationPolicy><a href=#AuthenticationPolicy>AuthenticationPolicy</a><li role=none aria-label=ConfigSource><a href=#ConfigSource>ConfigSource</a><li role=none aria-label=LocalityLoadBalancerSetting><a href=#LocalityLoadBalancerSetting>LocalityLoadBalancerSetting</a><li role=none aria-label=LocalityLoadBalancerSetting.Distribute><a href=#LocalityLoadBalancerSetting-Distribute>LocalityLoadBalancerSetting.Distribute</a><li role=none aria-label=LocalityLoadBalancerSetting.Failover><a 
href=#LocalityLoadBalancerSetting-Failover>LocalityLoadBalancerSetting.Failover</a><li role=none aria-label=MeshConfig><a href=#MeshConfig>MeshConfig</a><li role=none aria-label=MeshConfig.AccessLogEncoding><a href=#MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</a><li role=none aria-label=MeshConfig.IngressControllerMode><a href=#MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy><a href=#MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy.Mode><a href=#MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</a><li role=none aria-label=MeshNetworks><a href=#MeshNetworks>MeshNetworks</a><li role=none aria-label=Network><a href=#Network>Network</a><li role=none aria-label=Network.IstioNetworkGateway><a href=#Network-IstioNetworkGateway>Network.IstioNetworkGateway</a><li role=none aria-label=Network.NetworkEndpoints><a href=#Network-NetworkEndpoints>Network.NetworkEndpoints</a><li role=none aria-label=ProxyConfig><a href=#ProxyConfig>ProxyConfig</a><li role=none aria-label=ProxyConfig.InboundInterceptionMode><a href=#ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</a><li role=none aria-label=Tracing><a href=#Tracing>Tracing</a><li role=none aria-label=Tracing.Datadog><a href=#Tracing-Datadog>Tracing.Datadog</a><li role=none aria-label=Tracing.Lightstep><a href=#Tracing-Lightstep>Tracing.Lightstep</a><li role=none aria-label=Tracing.Zipkin><a href=#Tracing-Zipkin>Tracing.Zipkin</a></ol><hr></div></nav><p>Configuration affecting the service mesh as a whole.</p><h2 id=AuthenticationPolicy>AuthenticationPolicy</h2><section><p>AuthenticationPolicy defines authentication policy. It can be set for
different scopes (mesh, service …), and the most narrow scope with
non-INHERIT value will be used.
Mesh policy cannot be INHERIT.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=AuthenticationPolicy-NONE><td><code>NONE</code></td><td><p>Do not encrypt Envoy to Envoy traffic.</p></td></tr><tr id=AuthenticationPolicy-MUTUAL_TLS><td><code>MUTUAL_TLS</code></td><td><p>Envoy to Envoy traffic is wrapped into mutual TLS connections.</p></td></tr><tr id=AuthenticationPolicy-INHERIT><td><code>INHERIT</code></td><td><p>Use the policy defined by the parent scope. Should not be used for mesh
policy.</p></td></tr></tbody></table></section><h2 id=ConfigSource>ConfigSource</h2><section><p>ConfigSource describes information about a configuration store inside a
mesh. A single control plane instance can interact with one or more data
sources.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=ConfigSource-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the server implementing the Istio Mesh Configuration
protocol (MCP). Can be an IP address or a fully qualified DNS name.
Use fs:/// to specify a file-based backend with an absolute path to the directory.</p></td></tr><tr id=ConfigSource-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.1/docs/reference/config/networking/v1alpha3/destination-rule.html#TLSSettings>istio.networking.v1alpha3.TLSSettings</a></code></td><td><p>Use the tls_settings to specify the TLS mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p></td></tr></tbody></table></section><h2 id=LocalityLoadBalancerSetting>LocalityLoadBalancerSetting</h2><section><p>Locality-weighted load balancing allows administrators to control the
distribution of traffic to endpoints based on the localities of where the
traffic originates and where it will terminate. These localities are
specified using arbitrary labels that designate a hierarchy of localities in
&lbrace;region}/&lbrace;zone}/&lbrace;sub-zone} form. For additional detail refer to
<a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight>Locality Weight</a>.
The following example shows how to set up locality weights mesh-wide.</p><p>Given a mesh with workloads and their service deployed to &ldquo;us-west/zone1/*&rdquo;
and &ldquo;us-west/zone2/*&rdquo;, this example specifies that when traffic accessing a
service originates from workloads in &ldquo;us-west/zone1/*&rdquo;, 80% of the traffic
will be sent to endpoints in &ldquo;us-west/zone1/*&rdquo;, i.e. the same zone, and the
remaining 20% will go to endpoints in &ldquo;us-west/zone2/*&rdquo;. This setup is
intended to favor routing traffic to endpoints in the same locality.
A similar setting is specified for traffic originating in &ldquo;us-west/zone2/*&rdquo;.</p><pre><code class=language-yaml>  distribute:
    - from: us-west/zone1/*
      to:
        &quot;us-west/zone1/*&quot;: 80
        &quot;us-west/zone2/*&quot;: 20
    - from: us-west/zone2/*
      to:
        &quot;us-west/zone1/*&quot;: 20
        &quot;us-west/zone2/*&quot;: 80
</code></pre><p>If the goal of the operator is not to distribute load across zones and
regions but rather to restrict the regionality of failover to meet other
operational requirements, an operator can set a &lsquo;failover&rsquo; policy instead of
a &lsquo;distribute&rsquo; policy.</p><p>The following example sets up a locality failover policy for regions.
Assume a service resides in zones within us-east, us-west &amp; eu-west.
This example specifies that when endpoints within us-east become unhealthy,
traffic should fail over to endpoints in any zone or sub-zone within eu-west,
and similarly us-west should fail over to us-east.</p><pre><code class=language-yaml>  failover:
    - from: us-east
      to: eu-west
    - from: us-west
      to: us-east
</code></pre><p>Locality load balancing settings.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=LocalityLoadBalancerSetting-distribute><td><code>distribute</code></td><td><code><a href=#LocalityLoadBalancerSetting-Distribute>LocalityLoadBalancerSetting.Distribute[]</a></code></td><td><p>Optional: only one of distribute or failover can be set.
Explicitly specify load balancing weight across different zones and geographical locations.
Refer to <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight>Locality weighted load balancing</a>.
If empty, the locality weight is set according to the number of endpoints within it.</p></td></tr><tr id=LocalityLoadBalancerSetting-failover><td><code>failover</code></td><td><code><a href=#LocalityLoadBalancerSetting-Failover>LocalityLoadBalancerSetting.Failover[]</a></code></td><td><p>Optional: only one of failover or distribute can be set.
Explicitly specify the region traffic will land on when endpoints in the local region become unhealthy.
Should be used together with OutlierDetection to detect unhealthy endpoints.
Note: if no OutlierDetection is specified, this will not take effect.</p></td></tr></tbody></table></section><h2 id=LocalityLoadBalancerSetting-Distribute>LocalityLoadBalancerSetting.Distribute</h2><section><p>Describes how traffic originating in the &lsquo;from&rsquo; zone or sub-zone is
distributed over a set of &lsquo;to&rsquo; zones. Syntax for specifying a zone is
&lbrace;region}/&lbrace;zone}/&lbrace;sub-zone} and terminal wildcards are allowed on any
segment of the specification. Examples:</p><ul><li><code>*</code> - matches all localities</li><li><code>us-west/*</code> - all zones and sub-zones within the us-west region</li><li><code>us-west/zone-1/*</code> - all sub-zones within us-west/zone-1</li></ul><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=LocalityLoadBalancerSetting-Distribute-from><td><code>from</code></td><td><code>string</code></td><td><p>Originating locality, &lsquo;/&rsquo; separated, e.g. &lsquo;region/zone/sub_zone&rsquo;.</p></td></tr><tr id=LocalityLoadBalancerSetting-Distribute-to><td><code>to</code></td><td><code>map&lt;string,&nbsp;uint32&gt;</code></td><td><p>Map of upstream localities to traffic distribution weights. The sum of
all weights should be == 100. Any locality not assigned a weight will
receive no traffic.</p></td></tr></tbody></table></section><h2 id=LocalityLoadBalancerSetting-Failover>LocalityLoadBalancerSetting.Failover</h2><section><p>Specify the traffic failover policy across regions. Since zone and sub-zone
failover is supported by default this only needs to be specified for
regions when the operator needs to constrain traffic failover so that
the default behavior of failing over to any endpoint globally does not
apply. This is useful when failing over traffic across regions would not
improve service health or may need to be restricted for other reasons
like regulatory controls.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=LocalityLoadBalancerSetting-Failover-from><td><code>from</code></td><td><code>string</code></td><td><p>Originating region.</p></td></tr><tr id=LocalityLoadBalancerSetting-Failover-to><td><code>to</code></td><td><code>string</code></td><td><p>Destination region the traffic will fail over to when endpoints in
the &lsquo;from&rsquo; region become unhealthy.</p></td></tr></tbody></table></section><h2 id=MeshConfig>MeshConfig</h2><section><p>MeshConfig defines mesh-wide variables shared by all Envoy instances in the
Istio service mesh.</p><p>NOTE: This configuration type should be used for the low-level global
configuration, such as component addresses and port numbers. It should not
be used for the features of the mesh that can be scoped by service or by
namespace. Some of the fields in the mesh config are going to be deprecated
and replaced with several individual configuration types (for example,
tracing configuration).</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-mixer_check_server><td><code>mixerCheckServer</code></td><td><code>string</code></td><td><p>Address of the server that will be used by the proxies for policy
check calls. By using different names for mixerCheckServer and
mixerReportServer, it is possible to have one set of Mixer servers handle
policy check calls while another set of Mixer servers handle telemetry
calls.</p><p>NOTE: Omitting mixerCheckServer while specifying mixerReportServer is
equivalent to setting disablePolicyChecks to true.</p></td></tr><tr id=MeshConfig-mixer_report_server><td><code>mixerReportServer</code></td><td><code>string</code></td><td><p>Address of the server that will be used by the proxies for policy report
calls.</p></td></tr><tr id=MeshConfig-disable_policy_checks><td><code>disablePolicyChecks</code></td><td><code>bool</code></td><td><p>Disable policy checks by the Mixer service. Default
is false, i.e. Mixer policy check is enabled by default.</p></td></tr><tr id=MeshConfig-policy_check_fail_open><td><code>policyCheckFailOpen</code></td><td><code>bool</code></td><td><p>Allow all traffic in cases when the Mixer policy service cannot be reached.
Default is false which means the traffic is denied when the client is unable
to connect to Mixer.</p></td></tr><tr id=MeshConfig-sidecar_to_telemetry_session_affinity><td><code>sidecarToTelemetrySessionAffinity</code></td><td><code>bool</code></td><td><p>Enable session affinity for Envoy Mixer reports so that calls from a proxy will
always target the same Mixer instance.</p></td></tr><tr id=MeshConfig-proxy_listen_port><td><code>proxyListenPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for incoming connections from
other services.</p></td></tr><tr id=MeshConfig-proxy_http_port><td><code>proxyHttpPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for HTTP PROXY requests if set.</p></td></tr><tr id=MeshConfig-connect_timeout><td><code>connectTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Connection timeout used by Envoy. (MUST BE &gt;=1ms)</p></td></tr><tr id=MeshConfig-tcp_keepalive><td><code>tcpKeepalive</code></td><td><code><a href=/v1.1/docs/reference/config/networking/v1alpha3/destination-rule.html#ConnectionPoolSettings-TCPSettings-TcpKeepalive>istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive</a></code></td><td><p>If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.</p></td></tr><tr id=MeshConfig-ingress_class><td><code>ingressClass</code></td><td><code>string</code></td><td><p>Class of ingress resources to be processed by Istio ingress
controller. This corresponds to the value of
&ldquo;kubernetes.io/ingress.class&rdquo; annotation.</p></td></tr><tr id=MeshConfig-ingress_service><td><code>ingressService</code></td><td><code>string</code></td><td><p>Name of the Kubernetes service used for the Istio ingress controller.</p></td></tr><tr id=MeshConfig-ingress_controller_mode><td><code>ingressControllerMode</code></td><td><code><a href=#MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</a></code></td><td><p>Defines whether to use Istio ingress controller for annotated or all ingress resources.</p></td></tr><tr id=MeshConfig-enable_tracing><td><code>enableTracing</code></td><td><code>bool</code></td><td><p>Flag to control generation of trace spans and request IDs.
Requires a trace span collector defined in the proxy configuration.</p></td></tr><tr id=MeshConfig-access_log_file><td><code>accessLogFile</code></td><td><code>string</code></td><td><p>File address for the proxy access log (e.g. /dev/stdout).
Empty value disables access logging.</p></td></tr><tr id=MeshConfig-access_log_format><td><code>accessLogFormat</code></td><td><code>string</code></td><td><p>Format for the proxy access log.
Empty value results in the proxy&rsquo;s default access log format.</p></td></tr><tr id=MeshConfig-access_log_encoding><td><code>accessLogEncoding</code></td><td><code><a href=#MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</a></code></td><td><p>Encoding for the proxy access log (text or json).
Default value is text.</p></td></tr><tr id=MeshConfig-default_config><td><code>defaultConfig</code></td><td><code><a href=#ProxyConfig>ProxyConfig</a></code></td><td><p>Default proxy config used by the proxy injection mechanism operating in the mesh
(e.g. Kubernetes admission controller).
In case of Kubernetes, the proxy config is applied once during the injection process,
and remains constant for the duration of the pod. The rest of the mesh config can be changed
at runtime and config gets distributed dynamically.</p></td></tr><tr id=MeshConfig-outbound_traffic_policy><td><code>outboundTrafficPolicy</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</a></code></td><td><p>Set the default behavior of the sidecar for handling outbound traffic
from the application. If your application uses one or more external
services that are not known a priori, setting the policy to ALLOW_ANY
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use ServiceEntries to explicitly declare any external
dependencies, instead of using ALLOW_ANY, so that traffic to these
services can be monitored.</p></td></tr><tr id=MeshConfig-enable_client_side_policy_check><td><code>enableClientSidePolicyCheck</code></td><td><code>bool</code></td><td><p>Enables client side policy checks.</p></td></tr><tr id=MeshConfig-sds_uds_path><td><code>sdsUdsPath</code></td><td><code>string</code></td><td><p>Unix Domain Socket through which Envoy communicates with NodeAgent SDS to get key/cert for mTLS.
Use secret-mount files instead of SDS if set to empty.</p></td></tr><tr id=MeshConfig-config_sources><td><code>configSources</code></td><td><code><a href=#ConfigSource>ConfigSource[]</a></code></td><td><p>ConfigSource describes a source of configuration data for networking
rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.</p></td></tr><tr id=MeshConfig-trust_domain><td><code>trustDomain</code></td><td><code>string</code></td><td><p>The trust domain corresponds to the trust root of a system.
Refer to <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain>SPIFFE-ID</a>.
Falls back to the old identity format (without trust domain) if not set.</p></td></tr><tr id=MeshConfig-locality_lb_setting><td><code>localityLbSetting</code></td><td><code><a href=#LocalityLoadBalancerSetting>LocalityLoadBalancerSetting</a></code></td><td><p>Locality based load balancing distribution or failover settings.</p></td></tr><tr id=MeshConfig-dns_refresh_rate><td><code>dnsRefreshRate</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Configures DNS refresh rate for Envoy clusters of type STRICT_DNS.</p></td></tr></tbody></table></section><h2 id=MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-AccessLogEncoding-TEXT><td><code>TEXT</code></td><td></td></tr><tr id=MeshConfig-AccessLogEncoding-JSON><td><code>JSON</code></td><td></td></tr></tbody></table></section><h2 id=MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-IngressControllerMode-OFF><td><code>OFF</code></td><td><p>Disables Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-DEFAULT><td><code>DEFAULT</code></td><td><p>Istio ingress controller will act on ingress resources that do not
contain any annotation or whose annotations match the value
specified in the ingress_class parameter described earlier. Use this
mode if Istio ingress controller will be the default ingress
controller for the entire Kubernetes cluster.</p></td></tr><tr id=MeshConfig-IngressControllerMode-STRICT><td><code>STRICT</code></td><td><p>Istio ingress controller will only act on ingress resources whose
annotations match the value specified in the ingress_class parameter
described earlier. Use this mode if Istio ingress controller will be
a secondary ingress controller (e.g., in addition to a
cloud-provided ingress controller).</p></td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-mode><td><code>mode</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</a></code></td><td></td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY><td><code>REGISTRY_ONLY</code></td><td><p>Outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries.</p></td></tr><tr id=MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY><td><code>ALLOW_ANY</code></td><td><p>Outbound traffic to unknown destinations will be allowed when
there are no services or ServiceEntries for the destination port.</p></td></tr></tbody></table></section><h2 id=MeshNetworks>MeshNetworks</h2><section><p>MeshNetworks (config map) provides information about the set of networks
inside a mesh and how to route to endpoints in each network. For example:</p><p>MeshNetworks (file/config map):</p><pre><code>networks:
  network1:
    endpoints:
    - fromRegistry: registry1 #must match secret name in Kubernetes
    - fromCidr: 192.168.100.0/22 #a VM network for example
    gateways:
    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
      port: 15443
      locality: us-east-1a
    - address: 192.168.100.1
      port: 15443
      locality: us-east-1a
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=MeshNetworks-networks><td><code>networks</code></td><td><code>map&lt;string,&nbsp;<a href=#Network>Network</a>&gt;</code></td><td><p>REQUIRED: The set of networks inside this mesh. Each network should
have a unique name and information about how to infer the endpoints in
the network as well as the gateways associated with the network.</p></td></tr></tbody></table></section><h2 id=Network>Network</h2><section><p>Network provides information about the endpoints in a routable L3
network. A single routable L3 network can have one or more service
registries. Note that the network has no relation to the locality of the
endpoint. The endpoint locality will be obtained from the service
registry.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Network-endpoints><td><code>endpoints</code></td><td><code><a href=#Network-NetworkEndpoints>Network.NetworkEndpoints[]</a></code></td><td><p>REQUIRED: The list of endpoints in the network (obtained through the
constituent service registries or from CIDR ranges). All endpoints in
the network are directly accessible to one another.</p></td></tr><tr id=Network-gateways><td><code>gateways</code></td><td><code><a href=#Network-IstioNetworkGateway>Network.IstioNetworkGateway[]</a></code></td><td><p>REQUIRED: Set of gateways associated with the network.</p></td></tr></tbody></table></section><h2 id=Network-IstioNetworkGateway>Network.IstioNetworkGateway</h2><section><p>The gateway associated with this network. Traffic from remote networks
will arrive at the specified gateway:port. All incoming traffic must
use mTLS.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Network-IstioNetworkGateway-registry_service_name class="oneof oneof-start"><td><code>registryServiceName</code></td><td><code>string (oneof)</code></td><td><p>A fully qualified domain name of the gateway service. Pilot will
look up the service from the service registries in the network and
obtain the endpoint IPs of the gateway from the service
registry. Note that while the service name is a fully qualified
domain name, it need not be resolvable outside the orchestration
platform for the registry. For example, this could be
istio-ingressgateway.istio-system.svc.cluster.local.</p></td></tr><tr id=Network-IstioNetworkGateway-address class=oneof><td><code>address</code></td><td><code>string (oneof)</code></td><td><p>IP address or externally resolvable DNS address associated with the gateway.</p></td></tr><tr id=Network-IstioNetworkGateway-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED: The port associated with the gateway.</p></td></tr><tr id=Network-IstioNetworkGateway-locality><td><code>locality</code></td><td><code>string</code></td><td><p>The locality associated with an explicitly specified gateway (i.e. ip)</p></td></tr></tbody></table></section><h2 id=Network-NetworkEndpoints>Network.NetworkEndpoints</h2><section><p>NetworkEndpoints describes how the network associated with an endpoint
should be inferred. An endpoint will be assigned to a network based on
the following rules:</p><ol><li><p>Implicitly: If the registry explicitly provides information about
the network to which the endpoint belongs. In some cases, it is
possible to indicate the network associated with the endpoint by
adding the <code>ISTIO_META_NETWORK</code> environment variable to the sidecar.</p></li><li><p>Explicitly:</p><ol type=a><li><p>By matching the registry name with one of the &ldquo;fromRegistry&rdquo;
in the mesh config. A &ldquo;fromRegistry&rdquo; can only be assigned to a
single network.</p></li><li><p>By matching the IP against one of the CIDR ranges in a mesh
config network. The CIDR ranges must not overlap and must each be assigned to
a single network.</p></li></ol></li></ol><p>(2) will override (1) if both are present.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Network-NetworkEndpoints-from_cidr class="oneof oneof-start"><td><code>fromCidr</code></td><td><code>string (oneof)</code></td><td><p>A CIDR range for the set of endpoints in this network. The CIDR
ranges for endpoints from different networks must not overlap.</p></td></tr><tr id=Network-NetworkEndpoints-from_registry class=oneof><td><code>fromRegistry</code></td><td><code>string (oneof)</code></td><td><p>Add all endpoints from the specified registry into this network.
The names of the registries should correspond to the secret name
that was used to configure the registry (Kubernetes multicluster) or
supplied by MCP server.</p></td></tr></tbody></table></section><h2 id=ProxyConfig>ProxyConfig</h2><section><p>ProxyConfig defines variables for individual Envoy instances.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-config_path><td><code>configPath</code></td><td><code>string</code></td><td><p>Path to the generated configuration file directory.
Proxy agent generates the actual configuration and stores it in this directory.</p></td></tr><tr id=ProxyConfig-binary_path><td><code>binaryPath</code></td><td><code>string</code></td><td><p>Path to the proxy binary</p></td></tr><tr id=ProxyConfig-service_cluster><td><code>serviceCluster</code></td><td><code>string</code></td><td><p>Service cluster defines the name for the service_cluster that is
shared by all Envoy instances. This setting corresponds to
the <em>--service-cluster</em> flag in Envoy. In a typical Envoy deployment, the
<em>service-cluster</em> flag is used to identify the caller, for
source-based routing scenarios.</p><p>Since Istio does not assign a local service/service version to each
Envoy instance, the name is the same for all of them. However, the
source/caller&rsquo;s identity (e.g., IP address) is encoded in the
<em>--service-node</em> flag when launching Envoy. When the RDS service
receives API calls from Envoy, it uses the value of the <em>service-node</em>
flag to compute routes that are relative to the service instances
located at that IP address.</p></td></tr><tr id=ProxyConfig-drain_duration><td><code>drainDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>The time in seconds that Envoy will drain connections during a hot
restart. MUST be &gt;=1s (e.g., <em>1s/1m/1h</em>)</p></td></tr><tr id=ProxyConfig-parent_shutdown_duration><td><code>parentShutdownDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>The time in seconds that Envoy will wait before shutting down the
parent process during a hot restart. MUST be &gt;=1s (e.g., <em>1s/1m/1h</em>).
MUST BE greater than the <em>drain_duration</em> parameter.</p></td></tr><tr id=ProxyConfig-discovery_address><td><code>discoveryAddress</code></td><td><code>string</code></td><td><p>Address of the discovery service exposing xDS with mTLS connection.</p></td></tr><tr id=ProxyConfig-zipkin_address class=deprecated><td><code>zipkinAddress</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).
DEPRECATED: Use <a href=#ProxyConfig-tracing>tracing</a> instead.</p></td></tr><tr id=ProxyConfig-connect_timeout><td><code>connectTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Connection timeout used by Envoy for supporting services. (MUST BE &gt;=1ms)</p></td></tr><tr id=ProxyConfig-statsd_udp_address><td><code>statsdUdpAddress</code></td><td><code>string</code></td><td><p>IP Address and Port of a statsd UDP listener (e.g. <em>10.75.241.127:9125</em>).</p></td></tr><tr id=ProxyConfig-envoy_metrics_service_address><td><code>envoyMetricsServiceAddress</code></td><td><code>string</code></td><td><p>Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto>Metric Service</a>
for details about Envoy&rsquo;s Metrics Service API.</p></td></tr><tr id=ProxyConfig-proxy_admin_port><td><code>proxyAdminPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for administrative commands.</p></td></tr><tr id=ProxyConfig-control_plane_auth_policy><td><code>controlPlaneAuthPolicy</code></td><td><code><a href=#AuthenticationPolicy>AuthenticationPolicy</a></code></td><td><p>Authentication policy defines the global switch to control authentication
for Envoy-to-Envoy communication for Istio components Mixer and Pilot.</p></td></tr><tr id=ProxyConfig-custom_config_file><td><code>customConfigFile</code></td><td><code>string</code></td><td><p>File path of custom proxy configuration, currently used by proxies
in front of Mixer and Pilot.</p></td></tr><tr id=ProxyConfig-stat_name_length><td><code>statNameLength</code></td><td><code>int32</code></td><td><p>Maximum length of name field in Envoy&rsquo;s metrics. The length of the name field
is determined by the length of a name field in a service and the set of labels that
comprise a particular version of the service. The default value is set to 189 characters.
Envoy&rsquo;s internal metrics take up 67 characters, for a total of 256 characters per metric name.
Increase the value of this field if you find that the metrics from Envoys are truncated.</p></td></tr><tr id=ProxyConfig-concurrency><td><code>concurrency</code></td><td><code>int32</code></td><td><p>The number of worker threads to run. Default value is number of cores on the machine.</p></td></tr><tr id=ProxyConfig-proxy_bootstrap_template_path><td><code>proxyBootstrapTemplatePath</code></td><td><code>string</code></td><td><p>Path to the proxy bootstrap template file</p></td></tr><tr id=ProxyConfig-interception_mode><td><code>interceptionMode</code></td><td><code><a href=#ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</a></code></td><td><p>The mode used to redirect inbound traffic to Envoy.</p></td></tr><tr id=ProxyConfig-tracing><td><code>tracing</code></td><td><code><a href=#Tracing>Tracing</a></code></td><td><p>Tracing configuration to be used by the proxy.</p></td></tr></tbody></table></section><h2 id=ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</h2><section><p>The mode used to redirect inbound traffic to Envoy.
This setting has no effect on outbound traffic: iptables REDIRECT is always used for
outbound connections.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-InboundInterceptionMode-REDIRECT><td><code>REDIRECT</code></td><td><p>The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
source IP addresses during redirection.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-TPROXY><td><code>TPROXY</code></td><td><p>The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
source and destination IP addresses and ports, so that they can be used for advanced
filtering and manipulation. This mode also configures the sidecar to run with the
CAP_NET_ADMIN capability, which is required to use TPROXY.</p></td></tr></tbody></table></section><h2 id=Tracing>Tracing</h2><section><p>Tracing defines configuration for the tracing performed by Envoy instances.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Tracing-zipkin class="oneof oneof-start"><td><code>zipkin</code></td><td><code><a href=#Tracing-Zipkin>Tracing.Zipkin (oneof)</a></code></td><td><p>Use a Zipkin tracer.</p></td></tr><tr id=Tracing-lightstep class=oneof><td><code>lightstep</code></td><td><code><a href=#Tracing-Lightstep>Tracing.Lightstep (oneof)</a></code></td><td><p>Use a LightStep tracer.</p></td></tr><tr id=Tracing-datadog class=oneof><td><code>datadog</code></td><td><code><a href=#Tracing-Datadog>Tracing.Datadog (oneof)</a></code></td><td><p>Use a Datadog tracer.</p></td></tr></tbody></table></section><h2 id=Tracing-Datadog>Tracing.Datadog</h2><section><p>Datadog defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Tracing-Datadog-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Datadog Agent.</p></td></tr></tbody></table></section><h2 id=Tracing-Lightstep>Tracing.Lightstep</h2><section><p>Lightstep defines configuration for a LightStep tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Tracing-Lightstep-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the LightStep Satellite pool.</p></td></tr><tr id=Tracing-Lightstep-access_token><td><code>accessToken</code></td><td><code>string</code></td><td><p>The LightStep access token.</p></td></tr><tr id=Tracing-Lightstep-secure><td><code>secure</code></td><td><code>bool</code></td><td><p>True if a secure connection should be used when communicating with the
pool.</p></td></tr><tr id=Tracing-Lightstep-cacert_path><td><code>cacertPath</code></td><td><code>string</code></td><td><p>Path to the trusted cacert used to authenticate the pool.</p></td></tr></tbody></table></section><h2 id=Tracing-Zipkin>Tracing.Zipkin</h2><section><p>Zipkin defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Tracing-Zipkin-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).</p></td></tr></tbody></table></section></article></div></main><footer><div class=info><p class=copyright>Istio Archive
1.1.9<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div></footer></body></html>
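The explicit assignment rules under Network.NetworkEndpoints (a registry belongs to a single network, CIDR ranges of different networks must not overlap) and the gateway field rules under Network.IstioNetworkGateway can be checked before a MeshNetworks config is rolled out. The Go program below is an added example, not Istio's own validation code: the struct names mirror the documented fields, while `ValidateMeshNetworks`, `sample` and the `network2` entry are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Types mirror the NetworkEndpoints, IstioNetworkGateway and Network fields on this page.
type NetworkEndpoints struct{ FromCidr, FromRegistry string }
type IstioNetworkGateway struct{ RegistryServiceName, Address, Locality string; Port uint32 }
type Network struct{ Endpoints []NetworkEndpoints; Gateways []IstioNetworkGateway }

// ValidateMeshNetworks (hypothetical helper) returns one message per violated rule.
func ValidateMeshNetworks(networks map[string]Network) []string {
	var errs []string
	cidrOwner := map[*net.IPNet]string{} // parsed fromCidr block -> owning network
	registryOwner := map[string]string{} // fromRegistry name -> owning network
	for name, nw := range networks {
		for _, ep := range nw.Endpoints {
			switch {
			case (ep.FromCidr == "") == (ep.FromRegistry == ""): // oneof: exactly one is set
				errs = append(errs, name+": set exactly one of fromCidr/fromRegistry")
			case ep.FromRegistry != "":
				if prev, ok := registryOwner[ep.FromRegistry]; ok && prev != name {
					errs = append(errs, fmt.Sprintf("%s: registry %q already belongs to %s", name, ep.FromRegistry, prev))
				}
				registryOwner[ep.FromRegistry] = name
			default:
				_, block, err := net.ParseCIDR(ep.FromCidr)
				if err != nil {
					errs = append(errs, fmt.Sprintf("%s: bad fromCidr %q", name, ep.FromCidr))
					continue
				}
				for other, owner := range cidrOwner { // blocks overlap iff one contains the other's base address
					if owner != name && (other.Contains(block.IP) || block.Contains(other.IP)) {
						errs = append(errs, fmt.Sprintf("%s: %s overlaps %s in %s", name, block, other, owner))
					}
				}
				cidrOwner[block] = name
			}
		}
		for _, gw := range nw.Gateways {
			if (gw.RegistryServiceName == "") == (gw.Address == "") || gw.Port == 0 || gw.Port > 65535 {
				errs = append(errs, name+": gateway needs a valid port and exactly one of registryServiceName/address")
			}
		}
	}
	return errs
}

// sample: network1 is the page's example; network2 is constructed and deliberately broken.
var sample = map[string]Network{
	"network1": {
		Endpoints: []NetworkEndpoints{{FromRegistry: "registry1"}, {FromCidr: "192.168.100.0/22"}},
		Gateways: []IstioNetworkGateway{
			{RegistryServiceName: "istio-ingressgateway.istio-system.svc.cluster.local", Port: 15443, Locality: "us-east-1a"},
			{Address: "192.168.100.1", Port: 15443, Locality: "us-east-1a"},
		},
	},
	"network2": { // reuses registry1, overlaps the /22, gateway has no port
		Endpoints: []NetworkEndpoints{{FromRegistry: "registry1"}, {FromCidr: "192.168.101.0/24"}},
		Gateways:  []IstioNetworkGateway{{Address: "192.168.101.1"}},
	},
}

func main() {
	fmt.Printf("%q\n", ValidateMeshNetworks(sample))
}
```

Map iteration order in Go is random, so the network named in a registry or CIDR conflict message depends on which network was visited first; the number of violations does not.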