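<!doctype html>
<html lang="en" itemscope itemtype="https://schema.org/WebPage">
<head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
  <meta name="theme-color" content="#466BB0">

  <!-- Page metadata -->
  <meta name="title" content="Rules">
  <meta name="description" content="Describes the rules used to configure Mixer's policy and telemetry features.">
  <meta name="keywords" content="microservices,services,mesh">

  <!-- Open Graph / Twitter card metadata -->
  <meta property="og:title" content="Rules">
  <meta property="og:type" content="website">
  <meta property="og:description" content="Describes the rules used to configure Mixer's policy and telemetry features.">
  <meta property="og:url" content="/v1.2/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/">
  <meta property="og:image" content="/v1.2/img/istio-whitelogo-bluebackground-framed.svg">
  <meta property="og:image:alt" content="Istio Logo">
  <meta property="og:image:width" content="112">
  <meta property="og:image:height" content="150">
  <meta property="og:site_name" content="Istio">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:site" content="@IstioMesh">

  <title>Istioldie 1.2 / Rules</title>

  <!--
    Third-party script: fetched from googletagmanager.com with no integrity
    attribute, so the page executes whatever that origin serves. A
    Content-Security-Policy for this page has to list this origin in script-src.
  -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
  <!--
    Inline script: under a Content-Security-Policy it needs a nonce or hash
    (or 'unsafe-inline'); moving it to a same-origin file avoids that.
  -->
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag() { dataLayer.push(arguments); }
    gtag('js', new Date());
    gtag('config', 'UA-98480406-2');
  </script>

  <link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v1.2/feed.xml">

  <!-- Favicons and app icons; each sizes value matches the pixel size in the file name. -->
  <link rel="shortcut icon" href="/v1.2/favicons/favicon.ico">
  <link rel="apple-touch-icon" href="/v1.2/favicons/apple-touch-icon-180x180.png" sizes="180x180">
  <link rel="icon" type="image/png" href="/v1.2/favicons/favicon-16x16.png" sizes="16x16">
  <link rel="icon" type="image/png" href="/v1.2/favicons/favicon-32x32.png" sizes="32x32">
  <link rel="icon" type="image/png" href="/v1.2/favicons/android-36x36.png" sizes="36x36">
  <link rel="icon" type="image/png" href="/v1.2/favicons/android-48x48.png" sizes="48x48">
  <link rel="icon" type="image/png" href="/v1.2/favicons/android-72x72.png" sizes="72x72">
  <link rel="icon" type="image/png" href="/v1.2/favicons/android-96x96.png" sizes="96x96">
  <link rel="icon" type="image/png" href="/v1.2/favicons/android-144x144.png" sizes="144x144">
  <link rel="icon" type="image/png" href="/v1.2/favicons/android-192x192.png" sizes="192x192">
  <link rel="manifest" href="/v1.2/manifest.json">
  <meta name="apple-mobile-web-app-title" content="Istio">
  <meta name="application-name" content="Istio">

  <!-- Third-party stylesheet (fonts.googleapis.com); a CSP has to allow it in style-src. -->
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic">
  <link rel="stylesheet" href="/v1.2/css/all.css">

  <!-- Same-origin script loaded without defer/async, so it runs before the body is parsed. -->
  <script src="/v1.2/js/themes_init.min.js"></script>
</head>
<body class="language-unknown archive-site"><script>const branchName="release-1.2";const docTitle="Rules";const iconFile="\/v1.2/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.2/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.2/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 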
10L135 30z"/></svg></span><span class=name>Istioldie 1.2</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
<a title="Posts about using Istio." href=/v1.2/blog/2019/announcing-1.2.5/>Blog</a>
<a title="Frequently Asked Questions about Istio." href=/v1.2/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.2/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/reference\/config\/policy-and-telemetry\/istio.policy.v1beta1\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/reference\/config\/policy-and-telemetry\/istio.policy.v1beta1\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.2/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card24 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card24-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card24 role=region id=card24-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card24><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.2/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.2/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.2/docs/concepts/security/>Policies and Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.2/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.2/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes how a service mesh can be configured to include services from more than one cluster." 
href=/v1.2/docs/concepts/multicluster-deployments/>Multicluster Deployments</a></li></ul></div></div><div class=card><button class="header dynamic" id=card46 title="How to deploy and upgrade Istio in various environments such as Kubernetes and Consul." aria-controls=card46-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card46 role=region id=card46-body><ul role=tree aria-expanded=true aria-labelledby=card46><li role=treeitem aria-label=Kubernetes><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." href=/v1.2/docs/setup/kubernetes/>Kubernetes</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Download, install, and try out Istio." href=/v1.2/docs/setup/kubernetes/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for use with Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." 
href=/v1.2/docs/setup/kubernetes/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for use with Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.2/docs/setup/kubernetes/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.2/docs/setup/kubernetes/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster for evaluation." href=/v1.2/docs/setup/kubernetes/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation or production use." href=/v1.2/docs/setup/kubernetes/install/helm/>Customizable Install with Helm</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.2/docs/setup/kubernetes/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with individually deployed control planes." 
href=/v1.2/docs/setup/kubernetes/install/multicluster/gateways/>Multiple control planes</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters." href=/v1.2/docs/setup/kubernetes/install/multicluster/shared-vpn/>Shared control plane (single-network)</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for diconnected cluster networks." href=/v1.2/docs/setup/kubernetes/install/multicluster/shared-gateways/>Shared control plane (multi-network)</a></li></ul></li><li role=treeitem aria-label="Platform-specific Instructions"><button aria-hidden=true></button><a title="Additional installation instructions for supported Kubernetes platforms." href=/v1.2/docs/setup/kubernetes/install/platform/>Platform-specific Instructions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to install Istio using the Alibaba Cloud Kubernetes Container Service." href=/v1.2/docs/setup/kubernetes/install/platform/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to install Istio using the Google Kubernetes Engine (GKE)." href=/v1.2/docs/setup/kubernetes/install/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to install Istio using IBM Cloud Public or IBM Cloud Private." href=/v1.2/docs/setup/kubernetes/install/platform/ibm/>IBM Cloud</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.2/docs/setup/kubernetes/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes operators must understand before upgrading to Istio 1.2." 
href=/v1.2/docs/setup/kubernetes/upgrade/notice/>1.2 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.2/docs/setup/kubernetes/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.2/docs/setup/kubernetes/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.2/docs/setup/kubernetes/additional-setup/requirements/>Pods and Services</a></li><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.2/docs/setup/kubernetes/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.2/docs/setup/kubernetes/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.2/docs/setup/kubernetes/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.2/docs/setup/kubernetes/additional-setup/mesh-expansion/>Mesh Expansion</a></li></ul></li></ul></li><li role=treeitem aria-label="Nomad & Consul"><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." 
href=/v1.2/docs/setup/consul/>Nomad & Consul</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href=/v1.2/docs/setup/consul/quick-start/>Quick Start on Docker</a></li><li role=none><a role=treeitem title="Instructions for installing the Istio control plane in a Consul-based environment, with or without Nomad." href=/v1.2/docs/setup/consul/install/>Installation</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card69 title="How to do single specific targeted activities with the Istio system." aria-controls=card69-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card69 role=region id=card69-body><ul role=tree aria-expanded=true aria-labelledby=card69><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.2/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.2/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.2/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.2/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." 
href=/v1.2/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.2/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.2/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.2/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.2/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.2/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates." href=/v1.2/docs/tasks/traffic-management/ingress/secure-ingress-mount/>Secure Gateways (File Mount)</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using the secret discovery service (SDS)." href=/v1.2/docs/tasks/traffic-management/ingress/secure-ingress-sds/>Secure Gateways (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." 
href=/v1.2/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.2/docs/tasks/traffic-management/ingress/ingress-certmgr/>Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.2/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.2/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.2/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." 
href=/v1.2/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.2/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>Monitoring and Policies for TLS Egress</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.2/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.2/docs/tasks/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.2/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.2/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.2/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.2/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.2/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="This task shows you how to integrate a Vault Certificate Authority with Istio for mutual TLS." 
href=/v1.2/docs/tasks/security/vault-ca/>Istio Vault CA Integration</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.2/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.2/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.2/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.2/docs/tasks/security/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.2/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.2/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.2/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.2/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.2/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." 
href=/v1.2/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.2/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.2/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.2/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.2/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.2/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.2/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.2/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." 
href=/v1.2/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.2/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.2/docs/tasks/telemetry/logs/access-log/>Getting Envoy's Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.2/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.2/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.2/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.2/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.2/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.2/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." 
href=/v1.2/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.2/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card83 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card83-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card83 role=region id=card83-body><ul role=tree aria-expanded=true aria-labelledby=card83><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.2/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.2/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Illustrates how to use Istio to control a Kubernetes cluster and raw VMs as a single mesh." href=/v1.2/docs/examples/integrating-vms/>Integrating Virtual Machines</a></li><li role=treeitem aria-label="Multicluster Service Mesh"><button aria-hidden=true></button><a title="Multicluster service mesh examples for Istio that you can experiment with." href=/v1.2/docs/examples/multicluster/>Multicluster Service Mesh</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.2/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." 
href=/v1.2/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.2/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.2/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.2/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.2/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.2/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.2/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.2/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.2/docs/reference/ title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters.">Reference</a></li><li><a href=/v1.2/docs/reference/config/ title="Detailed information on configuration options.">Configuration</a></li><li><a href=/v1.2/docs/reference/config/policy-and-telemetry/ title="Describes how to configure Istio's policy and telemetry features.">Policies and Telemetry</a></li><li>Rules</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Rules</h1><p class=byline><span title="2888 words"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#clock"/></svg><span> </span>14 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none 
aria-label=Action><a href=#Action>Action</a><li role=none aria-label=AttributeManifest><a href=#AttributeManifest>AttributeManifest</a><li role=none aria-label=AttributeManifest.AttributeInfo><a href=#AttributeManifest-AttributeInfo>AttributeManifest.AttributeInfo</a><ol><li role=none aria-label="Istio Attributes"><a href=#istio-attributes>Istio Attributes</a><li role=none aria-label=Design><a href=#design>Design</a><li role=none aria-label="HTTP Mapping"><a href=#http-mapping>HTTP Mapping</a></ol></li><li role=none aria-label=Authentication><a href=#Authentication>Authentication</a><li role=none aria-label=Connection><a href=#Connection>Connection</a><li role=none aria-label=DNSName><a href=#DNSName>DNSName</a><li role=none aria-label=DirectHttpResponse><a href=#DirectHttpResponse>DirectHttpResponse</a><li role=none aria-label=Duration><a href=#Duration>Duration</a><li role=none aria-label=EmailAddress><a href=#EmailAddress>EmailAddress</a><li role=none aria-label=FractionalPercent.DenominatorType><a href=#FractionalPercent-DenominatorType>FractionalPercent.DenominatorType</a><li role=none aria-label=Handler><a href=#Handler>Handler</a><li role=none aria-label=HttpStatusCode><a href=#HttpStatusCode>HttpStatusCode</a><li role=none aria-label=IPAddress><a href=#IPAddress>IPAddress</a><li role=none aria-label=Instance><a href=#Instance>Instance</a><li role=none aria-label=Mutual><a href=#Mutual>Mutual</a><li role=none aria-label=OAuth><a href=#OAuth>OAuth</a><li role=none aria-label=Rule><a href=#Rule>Rule</a><li role=none aria-label=Rule.HeaderOperationTemplate><a href=#Rule-HeaderOperationTemplate>Rule.HeaderOperationTemplate</a><li role=none aria-label=Rule.HeaderOperationTemplate.Operation><a href=#Rule-HeaderOperationTemplate-Operation>Rule.HeaderOperationTemplate.Operation</a><li role=none aria-label=TimeStamp><a href=#TimeStamp>TimeStamp</a><li role=none aria-label=Tls><a href=#Tls>Tls</a><li role=none aria-label=Tls.AuthHeader><a 
href=#Tls-AuthHeader>Tls.AuthHeader</a><li role=none aria-label=Uri><a href=#Uri>Uri</a><li role=none aria-label=Value><a href=#Value>Value</a><li role=none aria-label=ValueType><a href=#ValueType>ValueType</a></ol><hr></div></nav><p>Describes the rules used to configure Mixer’s policy and telemetry features.</p><h2 id=Action>Action</h2><section><p>Action describes which <a href=#Handler>Handler</a> to invoke and what data to pass to it for processing.</p><p>The following example instructs Mixer to invoke ‘prometheus-handler’ handler and pass it the object
|
|
constructed using the instance ‘RequestCountByService’.</p><pre><code class=language-yaml> handler: prometheus-handler
|
|
instances:
|
|
- RequestCountByService
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Action-handler><td><code>handler</code></td><td><code>string</code></td><td><p>Required. Fully qualified name of the handler to invoke.
|
|
Must match the <code>name</code> of a <a href=#Handler-name>Handler</a>.</p></td></tr><tr id=Action-instances><td><code>instances</code></td><td><code>string[]</code></td><td><p>Required. Each value must match the fully qualified name of the
|
|
<a href=#Instance-name>Instance</a>s.
|
|
Referenced instances are evaluated by resolving the attributes/literals for all the fields.
|
|
The constructed objects are then passed to the <code>handler</code> referenced within this action.</p></td></tr><tr id=Action-name><td><code>name</code></td><td><code>string</code></td><td><p>Optional. A handle to refer to the results of the action.</p></td></tr></tbody></table></section><h2 id=AttributeManifest>AttributeManifest</h2><section><p>AttributeManifest describes a set of Attributes produced by some component
|
|
of an Istio deployment.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=AttributeManifest-revision><td><code>revision</code></td><td><code>string</code></td><td><p>Optional. The revision of this document. Assigned by server.</p></td></tr><tr id=AttributeManifest-name><td><code>name</code></td><td><code>string</code></td><td><p>Required. Name of the component producing these attributes. This can be
|
|
the proxy (with the canonical name <code>istio-proxy</code>) or the name of an
|
|
<code>attributes</code> kind adapter in Mixer.</p></td></tr><tr id=AttributeManifest-attributes><td><code>attributes</code></td><td><code>map<string, <a href=#AttributeManifest-AttributeInfo>AttributeManifest.AttributeInfo</a>></code></td><td><p>The set of attributes this Istio component will be responsible for producing at runtime.
|
|
We map from attribute name to the attribute’s specification. The name of an attribute,
|
|
which is how attributes are referred to in aspect configuration, must conform to:</p><pre><code>Name = IDENT { SEPARATOR IDENT };
|
|
</code></pre><p>Where <code>IDENT</code> must match the regular expression <code>[a-z][a-z0-9]+</code> and <code>SEPARATOR</code> must
|
|
match the regular expression <code>[\.-]</code>.</p><p>Attribute names must be unique within a single Istio deployment. The set of canonical
attributes is described in the <a href=/v1.2/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>attribute vocabulary</a>.
|
|
Attributes not in that list should be named with a component-specific suffix such as
|
|
<code>request.count-my.component</code>.</p></td></tr></tbody></table></section><h2 id=AttributeManifest-AttributeInfo>AttributeManifest.AttributeInfo</h2><section><p>AttributeInfo describes the schema of an Istio <code>Attribute</code>.</p><h3 id=istio-attributes>Istio Attributes</h3><p>Istio uses <code>attributes</code> to describe runtime activities of Istio services.
|
|
An Istio attribute carries a specific piece of information about an activity,
|
|
such as the error code of an API request, the latency of an API request, or the
|
|
original IP address of a TCP connection. The attributes are often generated
|
|
and consumed by different services. For example, a frontend service can
|
|
generate an authenticated user attribute and pass it to a backend service for
|
|
access control purposes.</p><p>To simplify the system and improve developer experience, Istio uses
|
|
shared attribute definitions across all components. For example, the same
|
|
authenticated user attribute will be used for logging, monitoring, analytics,
|
|
billing, access control, auditing. Many Istio components provide their
|
|
functionality by collecting, generating, and operating on attributes.
|
|
For example, the proxy collects the error code attribute, and the logging
|
|
stores it into a log.</p><h3 id=design>Design</h3><p>Each Istio attribute must conform to an <code>AttributeInfo</code> in an
|
|
<code>AttributeManifest</code> in the current Istio deployment at runtime. An
|
|
<em><code>AttributeInfo</code></em> is used to define an attribute’s
|
|
metadata: the type of its value and a detailed description that explains
|
|
the semantics of the attribute type. Each attribute’s name is globally unique;
|
|
in other words an attribute name can only appear once across all manifests.</p><p>The runtime presentation of an attribute is intentionally left out of this
|
|
specification, because passing an attribute using JSON, XML, or Protocol Buffers
|
|
does not change the semantics of the attribute. Different implementations
|
|
can choose different representations based on their needs.</p><h3 id=http-mapping>HTTP Mapping</h3><p>Because many systems already have REST APIs, it makes sense to define a
|
|
standard HTTP mapping for Istio attributes that is compatible with typical
REST APIs. The design is to map one attribute to one HTTP header: the
attribute name and value become the HTTP header name and value. The actual
|
|
encoding scheme will be decided later.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=AttributeManifest-AttributeInfo-description><td><code>description</code></td><td><code>string</code></td><td><p>Optional. A human-readable description of the attribute’s purpose.</p></td></tr><tr id=AttributeManifest-AttributeInfo-value_type><td><code>valueType</code></td><td><code><a href=#ValueType>ValueType</a></code></td><td><p>Required. The type of data carried by this attribute.</p></td></tr></tbody></table></section><h2 id=Authentication>Authentication</h2><section><p>Authentication allows the operator to specify the authentication of
|
|
connections to out-of-process infrastructure backend.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Authentication-tls class="oneof oneof-start"><td><code>tls</code></td><td><code><a href=#Tls>Tls (oneof)</a></code></td><td><p>Originate a TLS connection to the adapter and present an auth token
|
|
in each call for client authentication.</p></td></tr><tr id=Authentication-mutual class=oneof><td><code>mutual</code></td><td><code><a href=#Mutual>Mutual (oneof)</a></code></td><td><p>Secure connections to the adapter using mutual TLS by presenting
|
|
client certificates for authentication.</p></td></tr></tbody></table></section><h2 id=Connection>Connection</h2><section><p>Connection allows the operator to specify the endpoint for out-of-process infrastructure backend.
|
|
Connection is part of the handler custom resource and is specified alongside adapter-specific configuration.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Connection-address><td><code>address</code></td><td><code>string</code></td><td><p>The address of the backend.</p></td></tr><tr id=Connection-timeout><td><code>timeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Timeout for remote calls to the backend.</p></td></tr><tr id=Connection-authentication><td><code>authentication</code></td><td><code><a href=#Authentication>Authentication</a></code></td><td><p>Authentication configuration for the connection to the backend. If omitted, the connection
is made in plain text, with neither TLS nor client authentication.</p></td></tr></tbody></table></section><h2 id=DNSName>DNSName</h2><section><p>An instance field of type DNSName denotes that the expression for the field must evaluate to
|
|
<a href=#ValueType-DNS_NAME>ValueType.DNS_NAME</a></p><p>Objects of type DNSName are also passed to the adapters during request-time for the instance fields of
|
|
type DNSName</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=DNSName-value><td><code>value</code></td><td><code>string</code></td><td><p>DNSName encoded as string.</p></td></tr></tbody></table></section><h2 id=DirectHttpResponse>DirectHttpResponse</h2><section><p>Direct HTTP response for a client-facing error message which can be attached
|
|
to an RPC error.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=DirectHttpResponse-code><td><code>code</code></td><td><code><a href=#HttpStatusCode>HttpStatusCode</a></code></td><td><p>Optional HTTP status code. If not set, RPC error code is used.</p></td></tr><tr id=DirectHttpResponse-body><td><code>body</code></td><td><code>string</code></td><td><p>HTTP response body.</p></td></tr><tr id=DirectHttpResponse-headers><td><code>headers</code></td><td><code>map<string, string></code></td><td><p>Optional HTTP response headers.</p></td></tr></tbody></table></section><h2 id=Duration>Duration</h2><section><p>An instance field of type Duration denotes that the expression for the field must evaluate to
|
|
<a href=#ValueType-DURATION>ValueType.DURATION</a></p><p>Objects of type Duration are also passed to the adapters during request-time for the instance fields of
|
|
type Duration</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Duration-value><td><code>value</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Duration encoded as google.protobuf.Duration.</p></td></tr></tbody></table></section><h2 id=EmailAddress>EmailAddress</h2><section><p>DO NOT USE: this type is under development.
An instance field of type EmailAddress denotes that the expression for the field must evaluate to
|
|
<a href=#ValueType-EMAIL_ADDRESS>ValueType.EMAIL_ADDRESS</a></p><p>Objects of type EmailAddress are also passed to the adapters during request-time for the instance fields of
|
|
type EmailAddress</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=EmailAddress-value><td><code>value</code></td><td><code>string</code></td><td><p>EmailAddress encoded as string.</p></td></tr></tbody></table></section><h2 id=FractionalPercent-DenominatorType>FractionalPercent.DenominatorType</h2><section><p>Fraction percentages support several fixed denominator values.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=FractionalPercent-DenominatorType-HUNDRED><td><code>HUNDRED</code></td><td><p>100.</p><p><strong>Example</strong>: <sup>1</sup>⁄<sub>100</sub> = 1%.</p></td></tr><tr id=FractionalPercent-DenominatorType-TEN_THOUSAND><td><code>TEN_THOUSAND</code></td><td><p>10,000.</p><p><strong>Example</strong>: <sup>1</sup>⁄<sub>10000</sub> = 0.01%.</p></td></tr></tbody></table></section><h2 id=Handler>Handler</h2><section><p>Handler allows the operator to configure a specific adapter implementation.
|
|
Each adapter implementation defines its own <code>params</code> proto.</p><p>In the following example we define a <code>metrics</code> handler for the <code>prometheus</code> adapter.
|
|
The example is in the form of a Kubernetes resource:</p><ul><li>The <code>metadata.name</code> is the name of the handler</li><li>The <code>kind</code> refers to the adapter name</li><li>The <code>spec</code> block represents adapter-specific configuration as well as the connection information</li></ul><pre><code class=language-yaml>### Sample-1: No connection specified (for compiled in adapters)
|
|
### Note: if connection information is not specified, the adapter configuration is directly inside
### `spec` block. This is going to be DEPRECATED in favor of Sample-2
apiVersion: "config.istio.io/v1alpha2"
kind: prometheus
metadata:
  name: handler
  namespace: istio-system
spec:
  metrics:
  - name: request_count
    instance_name: requestcount.metric.istio-system
    kind: COUNTER
    label_names:
    - source_service
    - source_version
    - destination_service
    - destination_version
---
### Sample-2: With connection information (for out-of-process adapters)
### Note: Unlike sample-1, the adapter configuration is parallel to `connection` and is nested inside `param` block.
### Note: `connection` below has no `authentication` block, so this connection is plain text; see the `authentication` field of Connection.
apiVersion: "config.istio.io/v1alpha2"
kind: prometheus
metadata:
  name: handler
  namespace: istio-system
spec:
  param:
    metrics:
    - name: request_count
      instance_name: requestcount.metric.istio-system
      kind: COUNTER
      label_names:
      - source_service
      - source_version
      - destination_service
      - destination_version
  connection:
    address: localhost:8090
---
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Handler-name><td><code>name</code></td><td><code>string</code></td><td><p>Required. Must be unique in the entire Mixer configuration. Used by <a href=#Action-handler>Actions</a>
|
|
to refer to this handler.</p></td></tr><tr id=Handler-compiled_adapter><td><code>compiledAdapter</code></td><td><code>string</code></td><td><p>Required. The name of the compiled in adapter this handler instantiates. For referencing non compiled-in
|
|
adapters, use the <code>adapter</code> field instead.</p><p>The value must match the name of the available adapter Mixer is built with. An adapter’s name is typically a
|
|
constant in its code.</p></td></tr><tr id=Handler-adapter><td><code>adapter</code></td><td><code>string</code></td><td><p>Required. The name of a specific adapter implementation. For referencing compiled-in
|
|
adapters, use the <code>compiled_adapter</code> field instead.</p><p>An adapter’s implementation name is typically a constant in its code.</p></td></tr><tr id=Handler-params><td><code>params</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>google.protobuf.Struct</a></code></td><td><p>Optional. Depends on adapter implementation. Struct representation of a
|
|
proto defined by the adapter implementation; this varies depending on the value of field <code>adapter</code>.</p></td></tr><tr id=Handler-connection><td><code>connection</code></td><td><code><a href=#Connection>Connection</a></code></td><td><p>Optional. Information on how to connect to the out-of-process adapter.
|
|
This is used if the adapter is not compiled into Mixer binary and is running as a separate process.</p></td></tr></tbody></table></section><h2 id=HttpStatusCode>HttpStatusCode</h2><section><p>HTTP response codes.
|
|
For more details: http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=HttpStatusCode-Empty><td><code>Empty</code></td><td><p>Empty - This code is not part of the HTTP status code specification, but it is needed for proto
|
|
<code>enum</code> type.</p></td></tr><tr id=HttpStatusCode-Continue><td><code>Continue</code></td><td></td></tr><tr id=HttpStatusCode-OK><td><code>OK</code></td><td></td></tr><tr id=HttpStatusCode-Created><td><code>Created</code></td><td></td></tr><tr id=HttpStatusCode-Accepted><td><code>Accepted</code></td><td></td></tr><tr id=HttpStatusCode-NonAuthoritativeInformation><td><code>NonAuthoritativeInformation</code></td><td></td></tr><tr id=HttpStatusCode-NoContent><td><code>NoContent</code></td><td></td></tr><tr id=HttpStatusCode-ResetContent><td><code>ResetContent</code></td><td></td></tr><tr id=HttpStatusCode-PartialContent><td><code>PartialContent</code></td><td></td></tr><tr id=HttpStatusCode-MultiStatus><td><code>MultiStatus</code></td><td></td></tr><tr id=HttpStatusCode-AlreadyReported><td><code>AlreadyReported</code></td><td></td></tr><tr id=HttpStatusCode-IMUsed><td><code>IMUsed</code></td><td></td></tr><tr id=HttpStatusCode-MultipleChoices><td><code>MultipleChoices</code></td><td></td></tr><tr id=HttpStatusCode-MovedPermanently><td><code>MovedPermanently</code></td><td></td></tr><tr id=HttpStatusCode-Found><td><code>Found</code></td><td></td></tr><tr id=HttpStatusCode-SeeOther><td><code>SeeOther</code></td><td></td></tr><tr id=HttpStatusCode-NotModified><td><code>NotModified</code></td><td></td></tr><tr id=HttpStatusCode-UseProxy><td><code>UseProxy</code></td><td></td></tr><tr id=HttpStatusCode-TemporaryRedirect><td><code>TemporaryRedirect</code></td><td></td></tr><tr id=HttpStatusCode-PermanentRedirect><td><code>PermanentRedirect</code></td><td></td></tr><tr id=HttpStatusCode-BadRequest><td><code>BadRequest</code></td><td></td></tr><tr id=HttpStatusCode-Unauthorized><td><code>Unauthorized</code></td><td></td></tr><tr id=HttpStatusCode-PaymentRequired><td><code>PaymentRequired</code></td><td></td></tr><tr id=HttpStatusCode-Forbidden><td><code>Forbidden</code></td><td></td></tr><tr id=HttpStatusCode-NotFound><td><code>NotFound</code></td><td></td></tr><tr 
id=HttpStatusCode-MethodNotAllowed><td><code>MethodNotAllowed</code></td><td></td></tr><tr id=HttpStatusCode-NotAcceptable><td><code>NotAcceptable</code></td><td></td></tr><tr id=HttpStatusCode-ProxyAuthenticationRequired><td><code>ProxyAuthenticationRequired</code></td><td></td></tr><tr id=HttpStatusCode-RequestTimeout><td><code>RequestTimeout</code></td><td></td></tr><tr id=HttpStatusCode-Conflict><td><code>Conflict</code></td><td></td></tr><tr id=HttpStatusCode-Gone><td><code>Gone</code></td><td></td></tr><tr id=HttpStatusCode-LengthRequired><td><code>LengthRequired</code></td><td></td></tr><tr id=HttpStatusCode-PreconditionFailed><td><code>PreconditionFailed</code></td><td></td></tr><tr id=HttpStatusCode-PayloadTooLarge><td><code>PayloadTooLarge</code></td><td></td></tr><tr id=HttpStatusCode-URITooLong><td><code>URITooLong</code></td><td></td></tr><tr id=HttpStatusCode-UnsupportedMediaType><td><code>UnsupportedMediaType</code></td><td></td></tr><tr id=HttpStatusCode-RangeNotSatisfiable><td><code>RangeNotSatisfiable</code></td><td></td></tr><tr id=HttpStatusCode-ExpectationFailed><td><code>ExpectationFailed</code></td><td></td></tr><tr id=HttpStatusCode-MisdirectedRequest><td><code>MisdirectedRequest</code></td><td></td></tr><tr id=HttpStatusCode-UnprocessableEntity><td><code>UnprocessableEntity</code></td><td></td></tr><tr id=HttpStatusCode-Locked><td><code>Locked</code></td><td></td></tr><tr id=HttpStatusCode-FailedDependency><td><code>FailedDependency</code></td><td></td></tr><tr id=HttpStatusCode-UpgradeRequired><td><code>UpgradeRequired</code></td><td></td></tr><tr id=HttpStatusCode-PreconditionRequired><td><code>PreconditionRequired</code></td><td></td></tr><tr id=HttpStatusCode-TooManyRequests><td><code>TooManyRequests</code></td><td></td></tr><tr id=HttpStatusCode-RequestHeaderFieldsTooLarge><td><code>RequestHeaderFieldsTooLarge</code></td><td></td></tr><tr id=HttpStatusCode-InternalServerError><td><code>InternalServerError</code></td><td></td></tr><tr 
id=HttpStatusCode-NotImplemented><td><code>NotImplemented</code></td><td></td></tr><tr id=HttpStatusCode-BadGateway><td><code>BadGateway</code></td><td></td></tr><tr id=HttpStatusCode-ServiceUnavailable><td><code>ServiceUnavailable</code></td><td></td></tr><tr id=HttpStatusCode-GatewayTimeout><td><code>GatewayTimeout</code></td><td></td></tr><tr id=HttpStatusCode-HTTPVersionNotSupported><td><code>HTTPVersionNotSupported</code></td><td></td></tr><tr id=HttpStatusCode-VariantAlsoNegotiates><td><code>VariantAlsoNegotiates</code></td><td></td></tr><tr id=HttpStatusCode-InsufficientStorage><td><code>InsufficientStorage</code></td><td></td></tr><tr id=HttpStatusCode-LoopDetected><td><code>LoopDetected</code></td><td></td></tr><tr id=HttpStatusCode-NotExtended><td><code>NotExtended</code></td><td></td></tr><tr id=HttpStatusCode-NetworkAuthenticationRequired><td><code>NetworkAuthenticationRequired</code></td><td></td></tr></tbody></table></section><h2 id=IPAddress>IPAddress</h2><section><p>An instance field of type IPAddress denotes that the expression for the field must evaluate to
|
|
<a href=#ValueType-IP_ADDRESS>ValueType.IP_ADDRESS</a></p><p>Objects of type IPAddress are also passed to the adapters during request-time for the instance fields of
|
|
type IPAddress</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=IPAddress-value><td><code>value</code></td><td><code>bytes</code></td><td><p>IPAddress encoded as bytes.</p></td></tr></tbody></table></section><h2 id=Instance>Instance</h2><section><p>An Instance tells Mixer how to create instances for a particular template.</p><p>Instance is defined by the operator. Instance is defined relative to a known
template. Its purpose is to tell Mixer how to use attributes or literals to produce
|
|
instances of the specified template at runtime.</p><p>The following example instructs Mixer to construct an instance associated with template
|
|
‘istio.mixer.adapter.metric.Metric’. It provides a mapping from the template’s fields to expressions.
|
|
Instances produced with this instance can be referenced by <a href=#Action>Actions</a> using name
|
|
‘RequestCountByService’</p><pre><code class=language-yaml>- name: RequestCountByService
  template: istio.mixer.adapter.metric.Metric
  params:
    value: 1
    dimensions:
      source: source.name
      destination_ip: destination.ip
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Instance-name><td><code>name</code></td><td><code>string</code></td><td><p>Required. The name of this instance</p><p>Must be unique amongst other Instances in scope. Used by <a href=#Action>Action</a> to refer
|
|
to an instance produced by this instance.</p></td></tr><tr id=Instance-compiled_template><td><code>compiledTemplate</code></td><td><code>string</code></td><td><p>Required. The name of the compiled in template this instance creates instances for. For referencing non compiled-in
|
|
templates, use the <code>template</code> field instead.</p><p>The value must match the name of the available template Mixer is built with.</p></td></tr><tr id=Instance-template><td><code>template</code></td><td><code>string</code></td><td><p>Required. The name of the template this instance creates instances for. For referencing compiled-in
|
|
templates, use the <code>compiled_template</code> field instead.</p><p>The value must match the name of the available template in scope.</p></td></tr><tr id=Instance-params><td><code>params</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>google.protobuf.Struct</a></code></td><td><p>Required. Depends on referenced template. Struct representation of a
|
|
proto defined by the template; this varies depending on the value of field <code>template</code>.</p></td></tr><tr id=Instance-attribute_bindings><td><code>attributeBindings</code></td><td><code>map&lt;string, string&gt;</code></td><td><p>Optional. Defines attribute bindings to map the output of attribute-producing adapters back into
|
|
the attribute space. The variable <code>output</code> refers to the output template instance produced
|
|
by the adapter.
|
|
The following example derives <code>source.namespace</code> from <code>source.uid</code> in the context of Kubernetes:</p><pre><code class=language-yaml>params:
  # Pass the required attribute data to the adapter
  source_uid: source.uid | ""
attribute_bindings:
  # Fill the new attributes from the adapter produced output
  source.namespace: output.source_namespace
</code></pre></td></tr></tbody></table></section><h2 id=Mutual>Mutual</h2><section><p>Mutual lets the operator specify the TLS configuration for Mixer as a client when mutual TLS is used to
secure the connection to the adapter backend.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Mutual-private_key><td><code>privateKey</code></td><td><code>string</code></td><td><p>The path to the file holding the private key for mutual TLS. If omitted, the
|
|
default Mixer private key will be used.</p></td></tr><tr id=Mutual-client_certificate><td><code>clientCertificate</code></td><td><code>string</code></td><td><p>The path to the file holding client certificate for mutual TLS. If omitted, the
|
|
default Mixer certificates will be used.</p></td></tr><tr id=Mutual-ca_certificates><td><code>caCertificates</code></td><td><code>string</code></td><td><p>The path to the file holding additional CA certificates that are needed to
|
|
verify the presented adapter certificates. By default Mixer should already
|
|
include Istio CA certificates and system certificates in cert pool.</p></td></tr><tr id=Mutual-server_name><td><code>serverName</code></td><td><code>string</code></td><td><p>The server name that the Mixer mutual TLS client supplies for SNI.
It is not used to verify the hostname of the peer certificate, since
Istio verifies whitelisted SAN fields in mutual TLS.</p></td></tr></tbody></table></section><h2 id=OAuth>OAuth</h2><section><p>OAuth lets the operator specify the configuration used to fetch an access token via OAuth when using
|
|
TLS for connection to the backend.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=OAuth-client_id><td><code>clientId</code></td><td><code>string</code></td><td><p>REQUIRED. OAuth client id for mixer.</p></td></tr><tr id=OAuth-client_secret><td><code>clientSecret</code></td><td><code>string</code></td><td><p>REQUIRED. The path to the file holding the client secret for oauth.</p></td></tr><tr id=OAuth-token_url><td><code>tokenUrl</code></td><td><code>string</code></td><td><p>REQUIRED. The Resource server’s token endpoint URL.</p></td></tr><tr id=OAuth-scopes><td><code>scopes</code></td><td><code>string[]</code></td><td><p>List of requested permissions.</p></td></tr><tr id=OAuth-endpoint_params><td><code>endpointParams</code></td><td><code>map<string, string></code></td><td><p>Additional parameters for requests to the token endpoint.</p></td></tr></tbody></table></section><h2 id=Rule>Rule</h2><section><p>A Rule is a selector and a set of intentions to be executed when the
|
|
selector is <code>true</code></p><p>The following example instructs Mixer to invoke <code>prometheus-handler</code> handler for all services and pass it the
|
|
instance constructed using the ‘RequestCountByService’ instance.</p><pre><code class=language-yaml>- match: match(destination.service.host, "*")
  actions:
  - handler: prometheus-handler
    instances:
    - RequestCountByService
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Rule-match><td><code>match</code></td><td><code>string</code></td><td><p>Required. Match is an attribute based predicate. When Mixer receives a
|
|
request it evaluates the match expression and executes all the associated <code>actions</code>
|
|
if the match evaluates to true.</p><p>A few example matches:</p><ul><li>an empty match evaluates to <code>true</code></li><li><code>true</code>, a boolean literal; a rule with this match will always be executed</li><li><code>match(destination.service.host, "ratings.*")</code> selects any request targeting a service whose
|
|
name starts with “ratings”</li><li><code>attr1 == "20" && attr2 == "30"</code> logical AND, OR, and NOT are also available</li></ul></td></tr><tr id=Rule-actions><td><code>actions</code></td><td><code><a href=#Action>Action[]</a></code></td><td><p>Optional. The actions that will be executed when match evaluates to <code>true</code>.</p></td></tr><tr id=Rule-request_header_operations><td><code>requestHeaderOperations</code></td><td><code><a href=#Rule-HeaderOperationTemplate>Rule.HeaderOperationTemplate[]</a></code></td><td><p>Optional. Templatized operations on the request headers using values produced by the
|
|
rule actions. Require the check action result to be OK.</p></td></tr><tr id=Rule-response_header_operations><td><code>responseHeaderOperations</code></td><td><code><a href=#Rule-HeaderOperationTemplate>Rule.HeaderOperationTemplate[]</a></code></td><td><p>Optional. Templatized operations on the response headers using values produced by the
|
|
rule actions. Require the check action result to be OK.</p></td></tr></tbody></table></section><h2 id=Rule-HeaderOperationTemplate>Rule.HeaderOperationTemplate</h2><section><p>A template for an HTTP header manipulation. Values in the template are expressions
|
|
that may reference action outputs by name. For example, if an action <code>x</code> produces an output
|
|
with a field <code>f</code>, then the header value expressions may use attribute <code>x.output.f</code> to reference
|
|
the field value:</p><pre><code class=language-yaml>request_header_operations:
- name: x-istio-header
  values:
  - x.output.f
</code></pre><p>If the header value expression evaluates to an empty string, and the operation is to either replace
|
|
or append a header, then the operation is not applied. This permits conditional behavior on behalf of the
|
|
adapter to optionally modify the headers.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Rule-HeaderOperationTemplate-name><td><code>name</code></td><td><code>string</code></td><td><p>Required. Header name literal value.</p></td></tr><tr id=Rule-HeaderOperationTemplate-values><td><code>values</code></td><td><code>string[]</code></td><td><p>Optional. Header value expressions.</p></td></tr><tr id=Rule-HeaderOperationTemplate-operation><td><code>operation</code></td><td><code><a href=#Rule-HeaderOperationTemplate-Operation>Rule.HeaderOperationTemplate.Operation</a></code></td><td><p>Optional. Header operation type. Default operation is to replace the value of the header by name.</p></td></tr></tbody></table></section><h2 id=Rule-HeaderOperationTemplate-Operation>Rule.HeaderOperationTemplate.Operation</h2><section><p>Header operation type.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Rule-HeaderOperationTemplate-Operation-REPLACE><td><code>REPLACE</code></td><td><p>Replace a header by name.</p></td></tr><tr id=Rule-HeaderOperationTemplate-Operation-REMOVE><td><code>REMOVE</code></td><td><p>Remove a header by name. Values are ignored.</p></td></tr><tr id=Rule-HeaderOperationTemplate-Operation-APPEND><td><code>APPEND</code></td><td><p>Append values to the existing header values.</p></td></tr></tbody></table></section><h2 id=TimeStamp>TimeStamp</h2><section><p>An instance field of type TimeStamp denotes that the expression for the field must evaluate to
|
|
<a href=#ValueType-TIMESTAMP>ValueType.TIMESTAMP</a></p><p>Objects of type TimeStamp are also passed to the adapters during request-time for the instance fields of
|
|
type TimeStamp</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=TimeStamp-value><td><code>value</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp>google.protobuf.Timestamp</a></code></td><td><p>TimeStamp encoded as google.protobuf.Timestamp.</p></td></tr></tbody></table></section><h2 id=Tls>Tls</h2><section><p>Tls lets the operator specify the client authentication settings when TLS is used for
|
|
connection to the backend.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Tls-ca_certificates><td><code>caCertificates</code></td><td><code>string</code></td><td><p>The path to the file holding additional CA certificates to well known
|
|
public certs.</p></td></tr><tr id=Tls-token_path class="oneof oneof-start"><td><code>tokenPath</code></td><td><code>string (oneof)</code></td><td><p>The path to the file holding the auth token (password, jwt token, api
|
|
key, etc).</p></td></tr><tr id=Tls-oauth class=oneof><td><code>oauth</code></td><td><code><a href=#OAuth>OAuth (oneof)</a></code></td><td><p>Oauth config to fetch access token from auth provider.</p></td></tr><tr id=Tls-auth_header class="oneof oneof-start"><td><code>authHeader</code></td><td><code><a href=#Tls-AuthHeader>Tls.AuthHeader (oneof)</a></code></td><td><p>Access token is passed as authorization header.</p></td></tr><tr id=Tls-custom_header class=oneof><td><code>customHeader</code></td><td><code>string (oneof)</code></td><td><p>Customized header key to hold access token, e.g. x-api-key. Token will be
|
|
passed as is.</p></td></tr><tr id=Tls-server_name><td><code>serverName</code></td><td><code>string</code></td><td><p>Used to configure the Mixer TLS client to verify the hostname on the returned
|
|
certificates. It is also included in the client’s handshake to support SNI.</p></td></tr></tbody></table></section><h2 id=Tls-AuthHeader>Tls.AuthHeader</h2><section><p>AuthHeader specifies how to pass the access token in the authorization header.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Tls-AuthHeader-PLAIN><td><code>PLAIN</code></td><td><p>Access token is passed in the authorization header as is
|
|
(authorization: some-token).</p></td></tr><tr id=Tls-AuthHeader-BEARER><td><code>BEARER</code></td><td><p>Access token is passed to adapter as bearer token (i.e. authorization:
|
|
bearer some-token).</p></td></tr></tbody></table></section><h2 id=Uri>Uri</h2><section><p>DO NOT USE !! Under Development
|
|
An instance field of type Uri denotes that the expression for the field must evaluate to
|
|
<a href=#ValueType-URI>ValueType.URI</a></p><p>Objects of type Uri are also passed to the adapters during request-time for the instance fields of
|
|
type Uri</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Uri-value><td><code>value</code></td><td><code>string</code></td><td><p>Uri encoded as string.</p></td></tr></tbody></table></section><h2 id=Value>Value</h2><section><p>An instance field of type Value denotes that the expression for the field is of dynamic type and can evaluate to any
|
|
<a href=#ValueType>ValueType</a> enum values. For example, when
|
|
authoring an instance configuration for a template that has a field <code>data</code> of type <code>istio.policy.v1beta1.Value</code>,
|
|
both of the following expressions are valid <code>data: source.ip | ip("0.0.0.0")</code>, <code>data: request.id | ""</code>;
|
|
the resulting type is either ValueType.IP_ADDRESS or ValueType.STRING for the two cases respectively.</p><p>Objects of type Value are also passed to the adapters during request-time. There is a 1:1 mapping between
|
|
oneof fields in <code>Value</code> and enum values inside <code>ValueType</code>. Depending on the expression’s evaluated <code>ValueType</code>,
|
|
the equivalent oneof field in <code>Value</code> is populated by Mixer and passed to the adapters.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Value-string_value class="oneof oneof-start"><td><code>stringValue</code></td><td><code>string (oneof)</code></td><td><p>Used for values of type STRING</p></td></tr><tr id=Value-int64_value class=oneof><td><code>int64Value</code></td><td><code>int64 (oneof)</code></td><td><p>Used for values of type INT64</p></td></tr><tr id=Value-double_value class=oneof><td><code>doubleValue</code></td><td><code>double (oneof)</code></td><td><p>Used for values of type DOUBLE</p></td></tr><tr id=Value-bool_value class=oneof><td><code>boolValue</code></td><td><code>bool (oneof)</code></td><td><p>Used for values of type BOOL</p></td></tr><tr id=Value-ip_address_value class=oneof><td><code>ipAddressValue</code></td><td><code><a href=#IPAddress>IPAddress (oneof)</a></code></td><td><p>Used for values of type IPAddress</p></td></tr><tr id=Value-timestamp_value class=oneof><td><code>timestampValue</code></td><td><code><a href=#TimeStamp>TimeStamp (oneof)</a></code></td><td><p>Used for values of type TIMESTAMP</p></td></tr><tr id=Value-duration_value class=oneof><td><code>durationValue</code></td><td><code><a href=#Duration>Duration (oneof)</a></code></td><td><p>Used for values of type DURATION</p></td></tr><tr id=Value-email_address_value class=oneof><td><code>emailAddressValue</code></td><td><code><a href=#EmailAddress>EmailAddress (oneof)</a></code></td><td><p>Used for values of type EmailAddress</p></td></tr><tr id=Value-dns_name_value class=oneof><td><code>dnsNameValue</code></td><td><code><a href=#DNSName>DNSName (oneof)</a></code></td><td><p>Used for values of type DNSName</p></td></tr><tr id=Value-uri_value class=oneof><td><code>uriValue</code></td><td><code><a href=#Uri>Uri (oneof)</a></code></td><td><p>Used for values of type 
Uri</p></td></tr></tbody></table></section><h2 id=ValueType>ValueType</h2><section><p>ValueType describes the types that values in the Istio system can take. These
|
|
are used to describe the type of Attributes at run time, describe the type of
|
|
the result of evaluating an expression, and to describe the runtime type of
|
|
fields of other descriptors.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ValueType-VALUE_TYPE_UNSPECIFIED><td><code>VALUE_TYPE_UNSPECIFIED</code></td><td><p>Invalid, default value.</p></td></tr><tr id=ValueType-STRING><td><code>STRING</code></td><td><p>An undiscriminated variable-length string.</p></td></tr><tr id=ValueType-INT64><td><code>INT64</code></td><td><p>An undiscriminated 64-bit signed integer.</p></td></tr><tr id=ValueType-DOUBLE><td><code>DOUBLE</code></td><td><p>An undiscriminated 64-bit floating-point value.</p></td></tr><tr id=ValueType-BOOL><td><code>BOOL</code></td><td><p>An undiscriminated boolean value.</p></td></tr><tr id=ValueType-TIMESTAMP><td><code>TIMESTAMP</code></td><td><p>A point in time.</p></td></tr><tr id=ValueType-IP_ADDRESS><td><code>IP_ADDRESS</code></td><td><p>An IP address.</p></td></tr><tr id=ValueType-EMAIL_ADDRESS><td><code>EMAIL_ADDRESS</code></td><td><p>An email address.</p></td></tr><tr id=ValueType-URI><td><code>URI</code></td><td><p>A URI.</p></td></tr><tr id=ValueType-DNS_NAME><td><code>DNS_NAME</code></td><td><p>A DNS name.</p></td></tr><tr id=ValueType-DURATION><td><code>DURATION</code></td><td><p>A span between two points in time.</p></td></tr><tr id=ValueType-STRING_MAP><td><code>STRING_MAP</code></td><td><p>A map string -> string, typically used by headers.</p></td></tr></tbody></table></section></article><nav class=pagenav><div class=left><a title="Configuration state for the Mixer client library." 
href=/v1.2/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#left-arrow"/></svg>Mixer Client</a></div><div class=right></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=Action><a href=#Action>Action</a><li role=none aria-label=AttributeManifest><a href=#AttributeManifest>AttributeManifest</a><li role=none aria-label=AttributeManifest.AttributeInfo><a href=#AttributeManifest-AttributeInfo>AttributeManifest.AttributeInfo</a><ol><li role=none aria-label="Istio Attributes"><a href=#istio-attributes>Istio Attributes</a><li role=none aria-label=Design><a href=#design>Design</a><li role=none aria-label="HTTP Mapping"><a href=#http-mapping>HTTP Mapping</a></ol></li><li role=none aria-label=Authentication><a href=#Authentication>Authentication</a><li role=none aria-label=Connection><a href=#Connection>Connection</a><li role=none aria-label=DNSName><a href=#DNSName>DNSName</a><li role=none aria-label=DirectHttpResponse><a href=#DirectHttpResponse>DirectHttpResponse</a><li role=none aria-label=Duration><a href=#Duration>Duration</a><li role=none aria-label=EmailAddress><a href=#EmailAddress>EmailAddress</a><li role=none aria-label=FractionalPercent.DenominatorType><a href=#FractionalPercent-DenominatorType>FractionalPercent.DenominatorType</a><li role=none aria-label=Handler><a href=#Handler>Handler</a><li role=none aria-label=HttpStatusCode><a href=#HttpStatusCode>HttpStatusCode</a><li role=none aria-label=IPAddress><a href=#IPAddress>IPAddress</a><li role=none aria-label=Instance><a href=#Instance>Instance</a><li role=none aria-label=Mutual><a href=#Mutual>Mutual</a><li role=none aria-label=OAuth><a href=#OAuth>OAuth</a><li role=none aria-label=Rule><a href=#Rule>Rule</a><li role=none aria-label=Rule.HeaderOperationTemplate><a 
href=#Rule-HeaderOperationTemplate>Rule.HeaderOperationTemplate</a><li role=none aria-label=Rule.HeaderOperationTemplate.Operation><a href=#Rule-HeaderOperationTemplate-Operation>Rule.HeaderOperationTemplate.Operation</a><li role=none aria-label=TimeStamp><a href=#TimeStamp>TimeStamp</a><li role=none aria-label=Tls><a href=#Tls>Tls</a><li role=none aria-label=Tls.AuthHeader><a href=#Tls-AuthHeader>Tls.AuthHeader</a><li role=none aria-label=Uri><a href=#Uri>Uri</a><li role=none aria-label=Value><a href=#Value>Value</a><li role=none aria-label=ValueType><a href=#ValueType>ValueType</a></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.2.5 now" href=https://github.com/istio/istio/releases/tag/1.2.5 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#download"/></svg>
|
|
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#discourse"/></svg></a>
|
|
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#stackoverflow"/></svg></a>
|
|
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#slack"/></svg></a>
|
|
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
|
|
1.2.5<br>© 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on September 12, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#github"/></svg></a>
|
|
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#drive"/></svg></a>
|
|
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#top"/></svg></button></div></body></html> |