<!doctype html>
<html lang="en" itemscope itemtype="https://schema.org/WebPage">
<head>
<meta charset="utf-8">
<!-- Browser compatibility, viewport and theme colour. -->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
<meta name="theme-color" content="#466BB0">
<!-- Page title, description and keywords for search engines. -->
<meta name="title" content="Global Mesh Options">
<meta name="description" content="Configuration affecting the service mesh as a whole.">
<meta name="keywords" content="microservices,services,mesh">
<!-- Open Graph card; og:url is site-relative while og:image is an absolute URL. -->
<meta property="og:title" content="Global Mesh Options">
<meta property="og:type" content="website">
<meta property="og:description" content="Configuration affecting the service mesh as a whole.">
<meta property="og:url" content="/v1.24/docs/reference/config/istio.mesh.v1alpha1/">
<meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png">
<meta property="og:image:alt" content="The Istio sailboat logo">
<meta property="og:image:width" content="4096">
<meta property="og:image:height" content="2048">
<meta property="og:site_name" content="Istio">
<!-- Twitter card. -->
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@IstioMesh">
<title>Istioldie 1.24 / Global Mesh Options</title>
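<!-- Google Analytics (gtag.js): third-party script loaded without an integrity
     attribute, followed by its inline bootstrap. A Content-Security-Policy for
     this page would have to allow this origin and the inline script (nonce or hash). -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-5XBWY4YJ1E"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","G-5XBWY4YJ1E")</script>
<!-- RSS feeds. -->
<link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v1.24/blog/feed.xml">
<link rel="alternate" type="application/rss+xml" title="Istio News" href="/v1.24/news/feed.xml">
<link rel="alternate" type="application/rss+xml" title="Istio Blog and News" href="/v1.24/feed.xml">
<!-- Favicons; each sizes value matches the dimensions in the file name. -->
<link rel="shortcut icon" href="/v1.24/favicons/favicon.ico">
<link rel="apple-touch-icon" href="/v1.24/favicons/apple-touch-icon-180x180.png" sizes="180x180">
<link rel="icon" type="image/png" href="/v1.24/favicons/favicon-16x16.png" sizes="16x16">
<link rel="icon" type="image/png" href="/v1.24/favicons/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/v1.24/favicons/android-36x36.png" sizes="36x36">
<link rel="icon" type="image/png" href="/v1.24/favicons/android-48x48.png" sizes="48x48">
<link rel="icon" type="image/png" href="/v1.24/favicons/android-72x72.png" sizes="72x72">
<link rel="icon" type="image/png" href="/v1.24/favicons/android-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/v1.24/favicons/android-144x144.png" sizes="144x144">
<link rel="icon" type="image/png" href="/v1.24/favicons/android-192x192.png" sizes="192x192">
<link rel="icon" type="image/svg+xml" href="/v1.24/favicons/favicon.svg">
<link rel="icon" type="image/png" href="/v1.24/favicons/favicon.png">
<link rel="mask-icon" href="/v1.24/favicons/safari-pinned-tab.svg" color="#466BB0">
<!-- Web app manifest and platform tile metadata. -->
<link rel="manifest" href="/v1.24/manifest.json">
<meta name="apple-mobile-web-app-title" content="Istio">
<meta name="application-name" content="Istio">
<meta name="msapplication-config" content="/browserconfig.xml">
<meta name="msapplication-TileColor" content="#466BB0">
<meta name="theme-color" content="#466BB0">
<!-- Site stylesheet: fingerprinted file name, pinned with Subresource Integrity. -->
<link rel="stylesheet" href="/v1.24/css/style.min.38f1afbdf6f8efdb4fe991ff2a53ca1c801b5c4602dea2963da44df7ceaacfb8.css" integrity="sha256-OPGvvfb479tP6ZH/KlPKHIAbXEYC3qKWPaRN986qz7g=" crossorigin="anonymous">
<!-- Google Fonts: remote stylesheet, loaded without an integrity attribute. -->
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap">
<!-- Local script loaded synchronously in the head (no async or defer). -->
<script src="/v1.24/js/themes_init.min.js"></script>
</head>
<body class="language-unknown archive-site">
<!-- Inline page constants, presumably read by the deferred site script below. -->
<script>const branchName="release-1.24",docTitle="Global Mesh Options",iconFile="/v1.24//img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script>
<!-- Google Custom Search branding script: third-party, no integrity attribute;
     its query string names the form with id "search-form". -->
<script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.24/js/all.min.js data-manual defer></script>
<!-- Main navigation header; the brand link wraps the inline SVG logo. -->
<header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.24/ aria-label=logotype><span class=logo><svg width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01
1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path
d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span>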
</a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation">
<svg class="icon menu-hamburger"><use xlink:href="/v1.24/img/icons.svg#menu-hamburger"/></svg>
</button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.24/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/training class=main-navigation-links-link>Training</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.24/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.24/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.24/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.24/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.24/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show 
title='Search this site' aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.24/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.24/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/istio-day/ class=banner data-title="Istio Day Europe-2025-01-31 00:00:00 +0000 UTC" data-period-start=1738281600000 data-period-end=1743465600000 data-max-impressions data-timeout><div class=content><p>Join us for Istio Day Europe, a KubeCon + CloudNativeCon Europe Co-located Event. 01 April 2025, London, England. Register now!</p></div><div class=frame></div></a></div><main class="primary container has-sidebar has-toc docs"><div id=sidebar-container class=sidebar-container><nav id=sidebar aria-label="Section Navigation"><button id=sidebar-close class="main-navigation-toggle sidebar-close" aria-label="Close sidebar"><svg class="icon menu-close"><use xlink:href="/v1.24/img/icons.svg#menu-close"/></svg></button><div class=sidebar-nav><div class=search><form id=search-docs-form name=cse role=search><input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-docs-url value=/v1.24//search>
<input id=search-docs-textbox class=form-control name=docs-search type=search aria-label='Search this site' placeholder=Search>
<button id=search-show2 class=search-show title='Search this site' aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.24/img/icons.svg#magnifier"/></svg></button></form></div><div class=card><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label=Overview><a class=main title="A high-level introduction to Istio and service mesh." href=/v1.24/docs/overview/>Overview</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Find out what Istio can do for you." href=/v1.24/docs/overview/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Compare Istio to other service mesh solutions." href=/v1.24/docs/overview/why-choose-istio/>Why choose Istio?</a></li><li role=none><a role=treeitem title="Learn about Istio's two dataplane modes and which you should use." href=/v1.24/docs/overview/dataplane-modes/>Sidecar or ambient?</a></li></ul></li><li role=treeitem aria-label=Concepts><a class=main title="Learn about the different parts of the Istio system and the abstractions it uses." href=/v1.24/docs/concepts/>Concepts</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.24/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.24/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.24/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Describes Istio's WebAssembly Plugin system." 
href=/v1.24/docs/concepts/wasm/>Extensibility</a></li></ul></li><li role=treeitem aria-label="Sidecar Mode"><a class=main title="Information for setting up and operating Istio in sidecar mode." href=/v1.24/docs/setup/>Sidecar Mode</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Try Istio’s features quickly and easily." href=/v1.24/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true tabindex=-1></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.24/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to set up an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.24/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to set up Istio on Amazon EKS in AWS cloud." href=/v1.24/docs/setup/platform-setup/amazon-eks/>Amazon EKS</a></li><li role=none><a role=treeitem title="Instructions to set up an Azure cluster for Istio." href=/v1.24/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to set up Docker Desktop for Istio." href=/v1.24/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to set up a Google Kubernetes Engine cluster for Istio." href=/v1.24/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to set up an Huawei Cloud kubernetes cluster for Istio." href=/v1.24/docs/setup/platform-setup/huaweicloud/>Huawei Cloud</a></li><li role=none><a role=treeitem title="Instructions to set up an IBM Cloud cluster for Istio." href=/v1.24/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to set up k3d for Istio." 
href=/v1.24/docs/setup/platform-setup/k3d/>k3d</a></li><li role=none><a role=treeitem title="Instructions to set up kind for Istio." href=/v1.24/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="Instructions to set up Kops for use with Istio." href=/v1.24/docs/setup/platform-setup/kops/>Kops</a></li><li role=none><a role=treeitem title="Instructions to set up a Gardener cluster for Istio." href=/v1.24/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to set up a KubeSphere Container Platform for Istio." href=/v1.24/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="Instructions to set up MicroK8s for use with Istio." href=/v1.24/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to set up minikube for Istio." href=/v1.24/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to set up an OpenShift cluster for Istio." href=/v1.24/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to prepare a cluster for Istio using Oracle Container Engine for Kubernetes (OKE)." href=/v1.24/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li><li role=none><a role=treeitem title="Instructions to set up Istio quickly in Tencent Cloud." href=/v1.24/docs/setup/platform-setup/tencent-cloud-mesh/>Tencent Cloud</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true tabindex=-1></button><a title="Choose the guide that best suits your needs and platform." href=/v1.24/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." 
href=/v1.24/docs/setup/install/istioctl/>Install with Istioctl</a></li><li role=none><a role=treeitem title="Instructions to install and configure Istio in a Kubernetes cluster using Helm." href=/v1.24/docs/setup/install/helm/>Install with Helm</a></li><li role=treeitem aria-label="Install Multicluster"><button aria-hidden=true tabindex=-1></button><a title="Install an Istio mesh across multiple Kubernetes clusters." href=/v1.24/docs/setup/install/multicluster/>Install Multicluster</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Initial steps before installing Istio on multiple clusters." href=/v1.24/docs/setup/install/multicluster/before-you-begin/>Before you begin</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters." href=/v1.24/docs/setup/install/multicluster/multi-primary/>Install Multi-Primary</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters." href=/v1.24/docs/setup/install/multicluster/primary-remote/>Install Primary-Remote</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple primary clusters on different networks." href=/v1.24/docs/setup/install/multicluster/multi-primary_multi-network/>Install Multi-Primary on different networks</a></li><li role=none><a role=treeitem title="Install an Istio mesh across primary and remote clusters on different networks." href=/v1.24/docs/setup/install/multicluster/primary-remote_multi-network/>Install Primary-Remote on different networks</a></li><li role=none><a role=treeitem title="Verify that Istio has been installed properly on multiple clusters." href=/v1.24/docs/setup/install/multicluster/verify/>Verify the installation</a></li></ul></li><li role=none><a role=treeitem title="Install Istio with an external control plane and a remote cluster data plane." 
href=/v1.24/docs/setup/install/external-controlplane/>Install Istio with an External Control Plane</a></li><li role=none><a role=treeitem title="Install multiple Istio control planes in a single cluster using revisions and discoverySelectors." href=/v1.24/docs/setup/install/multiple-controlplanes/>Install Multiple Istio Control Planes in a Single Cluster</a></li><li role=none><a role=treeitem title="Deploy Istio and connect a workload running within a virtual machine to it." href=/v1.24/docs/setup/install/virtual-machine/>Virtual Machine Installation</a></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true tabindex=-1></button><a title="Upgrade, downgrade, and manage Istio across multiple control plane revisions." href=/v1.24/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade Istio by first running a canary deployment of a new control plane." href=/v1.24/docs/setup/upgrade/canary/>Canary Upgrades</a></li><li role=none><a role=treeitem title="Upgrade or downgrade Istio in place." href=/v1.24/docs/setup/upgrade/in-place/>In-place Upgrades</a></li><li role=none><a role=treeitem title="Instructions to upgrade Istio using Helm." href=/v1.24/docs/setup/upgrade/helm/>Upgrade with Helm</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true tabindex=-1></button><a title="More information on additional setup tasks." href=/v1.24/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Get the files required to install and explore Istio." href=/v1.24/docs/setup/additional-setup/download-istio-release/>Download the Istio release</a></li><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." 
href=/v1.24/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title='How to configure "compatibility versions", to decouple behavioral changes from releases.' href=/v1.24/docs/setup/additional-setup/compatibility-versions/>Compatibility Versions</a></li><li role=none><a role=treeitem title="Install and customize Istio Gateways." href=/v1.24/docs/setup/additional-setup/gateway/>Installing Gateways</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.24/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Describes how to customize installation configuration options." href=/v1.24/docs/setup/additional-setup/customize-installation/>Customizing the installation configuration</a></li><li role=none><a role=treeitem title="Describes how to customize installation configuration options when installing with helm." href=/v1.24/docs/setup/additional-setup/customize-installation-helm/>Advanced Helm Chart Customization</a></li><li role=none><a role=treeitem title="Install and use Istio in Dual-Stack mode running on a Dual-Stack Kubernetes cluster." href=/v1.24/docs/setup/additional-setup/dual-stack/>Install Istio in Dual-Stack mode</a></li><li role=none><a role=treeitem title="Install and use Istio with the Pod Security admission controller." href=/v1.24/docs/setup/additional-setup/pod-security-admission/>Install Istio with Pod Security Admission</a></li><li role=none><a role=treeitem title="Install and use the Istio CNI node agent, allowing operators to deploy workloads with lower privilege." href=/v1.24/docs/setup/additional-setup/cni/>Install the Istio CNI node agent</a></li><li role=none><a role=treeitem title="Try Istio’s features with the legacy Istio APIs." 
href=/v1.24/docs/setup/additional-setup/getting-started-istio-apis/>Getting Started without the Gateway API</a></li></ul></li></ul></li><li role=treeitem aria-label="Ambient Mode"><a class=main title="Information for setting up and operating Istio with support for ambient mode." href=/v1.24/docs/ambient/>Ambient Mode</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="An overview of Istio's ambient data plane mode." href=/v1.24/docs/ambient/overview/>Overview</a></li><li role=treeitem aria-label="Getting Started"><button aria-hidden=true tabindex=-1></button><a title="How to deploy and install Istio in ambient mode." href=/v1.24/docs/ambient/getting-started/>Getting Started</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Deploy the Bookinfo sample application." href=/v1.24/docs/ambient/getting-started/deploy-sample-app/>Deploy a sample application</a></li><li role=none><a role=treeitem title="Enable ambient mode and secure the communication between applications." href=/v1.24/docs/ambient/getting-started/secure-and-visualize/>Secure and visualize the application</a></li><li role=none><a role=treeitem title="Enforce Layer 4 and Layer 7 authorization policies in an ambient mesh." href=/v1.24/docs/ambient/getting-started/enforce-auth-policies/>Enforce authorization policies</a></li><li role=none><a role=treeitem title="Manage traffic between services in the ambient mode." href=/v1.24/docs/ambient/getting-started/manage-traffic/>Manage traffic</a></li><li role=none><a role=treeitem title="Delete Istio and associated resources." href=/v1.24/docs/ambient/getting-started/cleanup/>Clean up</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true tabindex=-1></button><a title="Installation guides for Istio in ambient mode." 
href=/v1.24/docs/ambient/install/>Install</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Platform-specific prerequisites for installing Istio in ambient mode." href=/v1.24/docs/ambient/install/platform-prerequisites/>Platform-Specific Prerequisites</a></li><li role=none><a role=treeitem title="Install Istio with support for ambient mode with Helm." href=/v1.24/docs/ambient/install/helm/>Install with Helm</a></li><li role=none><a role=treeitem title="Install Istio with support for ambient mode using the istioctl command line tool." href=/v1.24/docs/ambient/install/istioctl/>Install with istioctl</a></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true tabindex=-1></button><a title="Upgrade guides for Istio in ambient mode." href=/v1.24/docs/ambient/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrading an ambient mode installation with Helm." href=/v1.24/docs/ambient/upgrade/helm/>Upgrade with Helm</a></li></ul></li><li role=treeitem aria-label="User Guides"><button aria-hidden=true tabindex=-1></button><a title="How to configure your mesh to take advantage of ambient mode." href=/v1.24/docs/ambient/usage/>User Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Understand how to add workloads to an ambient mesh." href=/v1.24/docs/ambient/usage/add-workloads/>Add workloads to the mesh</a></li><li role=none><a role=treeitem title="Understand how to verify mTLS is enabled among workloads in an ambient mesh." href=/v1.24/docs/ambient/usage/verify-mtls-enabled/>Verify mutual TLS is enabled</a></li><li role=none><a role=treeitem title="Understanding how CNI-enforced L4 Kubernetes NetworkPolicy interacts with Istio's ambient mode." 
href=/v1.24/docs/ambient/usage/networkpolicy/>Ambient and Kubernetes NetworkPolicy</a></li><li role=none><a role=treeitem title="Supported security features when only using the secure L4 overlay." href=/v1.24/docs/ambient/usage/l4-policy/>Use Layer 4 security policy</a></li><li role=none><a role=treeitem title="Gain the full set of Istio features with optional Layer 7 proxies." href=/v1.24/docs/ambient/usage/waypoint/>Configure waypoint proxies</a></li><li role=none><a role=treeitem title="Supported features when using a L7 waypoint proxy." href=/v1.24/docs/ambient/usage/l7-features/>Use Layer 7 features</a></li><li role=none><a role=treeitem title="Describes how to make remote WebAssembly modules available for ambient mode (Alpha)" href=/v1.24/docs/ambient/usage/extend-waypoint-wasm/>Extend waypoints with WebAssembly plugins *</a></li><li role=none><a role=treeitem title="How to validate the node proxies have the correct configuration." href=/v1.24/docs/ambient/usage/troubleshoot-ztunnel/>Troubleshoot connectivity issues with ztunnel</a></li><li role=none><a role=treeitem title="How to investigate problems routing through waypoint proxies." href=/v1.24/docs/ambient/usage/troubleshoot-waypoint/>Troubleshoot issues with waypoints</a></li></ul></li><li role=treeitem aria-label=Architecture><button aria-hidden=true tabindex=-1></button><a title="A deep dive into the architecture of ambient mode." href=/v1.24/docs/ambient/architecture/>Architecture</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Understand how ambient interacts with the Istio control plane." href=/v1.24/docs/ambient/architecture/control-plane/>Ambient and the Istio control plane</a></li><li role=none><a role=treeitem title="Understand how the ambient data plane routes traffic between workloads in an ambient mesh." 
href=/v1.24/docs/reference/config/networking/virtual-service/>Virtual Service</a></li><li role=none><a role=treeitem title="Configuration affecting VMs onboarded into the mesh." href=/v1.24/docs/reference/config/networking/workload-entry/>Workload Entry</a></li><li role=none><a role=treeitem title="Describes a collection of workload instances." href=/v1.24/docs/reference/config/networking/workload-group/>Workload Group</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true tabindex=-1></button><a title="Describes how to configure Istio's security features." href=/v1.24/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Peer authentication configuration for workloads." href=/v1.24/docs/reference/config/security/peer_authentication/>PeerAuthentication</a></li><li role=none><a role=treeitem title="Request authentication configuration for workloads." href=/v1.24/docs/reference/config/security/request_authentication/>RequestAuthentication</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." href=/v1.24/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title="Describes the supported conditions in authorization policies." href=/v1.24/docs/reference/config/security/conditions/>Authorization Policy Conditions</a></li><li role=none><a role=treeitem title="Describes the supported normalizations in authorization policies." href=/v1.24/docs/reference/config/security/normalization/>Authorization Policy Normalization</a></li></ul></li><li role=none><a role=treeitem title="Telemetry configuration for workloads." href=/v1.24/docs/reference/config/telemetry/>Telemetry</a></li><li role=treeitem aria-label="Common Types"><button aria-hidden=true tabindex=-1></button><a title="Describes common types in Istio API." 
href=/v1.24/docs/reference/config/type/>Common Types</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Definition of a workload selector." href=/v1.24/docs/reference/config/type/workload-selector/>Workload Selector</a></li></ul></li><li role=none><a role=treeitem title="Istio standard metrics exported by Istio telemetry." href=/v1.24/docs/reference/config/metrics/>Istio Standard Metrics</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.24/docs/reference/config/annotations/>Resource Annotations</a></li><li role=none><a role=treeitem title="Resource labels used by Istio." href=/v1.24/docs/reference/config/labels/>Resource Labels</a></li><li role=treeitem aria-label="Configuration Analysis Messages"><button aria-hidden=true tabindex=-1></button><a title="Documents the individual error and warning messages produced during configuration analysis." href=/v1.24/docs/reference/config/analysis/>Configuration Analysis Messages</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0136/>AlphaAnnotation</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0159/>ConflictingTelemetryWorkloadSelectors</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0116/>DeploymentAssociatedToMultipleServices</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0137/>DeploymentConflictingPorts</a></li><li role=none><a 
role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0135/>DeprecatedAnnotation</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0153/>EnvoyFilterUsesAddOperationIncorrectly</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0151/>EnvoyFilterUsesRelativeOperation</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0155/>EnvoyFilterUsesRelativeOperationWithProxyVersion</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0154/>EnvoyFilterUsesRemoveOperationIncorrectly</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0152/>EnvoyFilterUsesReplaceOperationIncorrectly</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0164/>ExternalControlPlaneAddressIsNotAHostname</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0150/>ExternalNameServiceTypeInvalidPortName</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0162/>GatewayPortNotDefinedOnService</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0167/>IneffectivePolicy</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0166/>IneffectiveSelector</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0125/>InvalidAnnotation</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0144/>InvalidApplicationUID</a></li><li role=none><a role=treeitem title 
href=/v1.24/docs/reference/config/analysis/ist0163/>InvalidExternalControlPlaneConfig</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0161/>InvalidGatewayCredential</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0157/>InvalidTelemetryProvider</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0143/>LocalhostListener</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0160/>MultipleTelemetriesWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0123/>NamespaceMultipleInjectionLabels</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0127/>NoMatchingWorkloadsFound</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0128/>NoServerCertificateVerificationDestinationLevel</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0129/>NoServerCertificateVerificationPortLevel</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0158/>PodsIstioProxyImageMismatchInNamespace</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0118/>PortNameIsNotUnderNamingConvention</a></li><li role=none><a role=treeitem title 
href=/v1.24/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0134/>ServiceEntryAddressesRequired</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0132/>VirtualServiceHostNotFoundInGateway</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0131/>VirtualServiceIneffectiveMatch</a></li><li role=none><a role=treeitem title href=/v1.24/docs/reference/config/analysis/ist0130/>VirtualServiceUnreachableRule</a></li></ul></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true tabindex=-1></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.24/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install and configure Istio CNI plugin on a node, detect and repair pod which is broken by race condition." href=/v1.24/docs/reference/commands/install-cni/>install-cni</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.24/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.24/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.24/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." 
href=/v1.24/docs/reference/glossary/>Glossary</a></li></ul></li></ul></div></div></div></nav></div><div class=article-container><button id=sidebar-toggle class=main-navigation-toggle aria-label="Open sidebar">
<svg class="icon hamburger-sidebar"><use xlink:href="/v1.24/img/icons.svg#hamburger-sidebar"/></svg>
Contents</button><article aria-labelledby=title><nav aria-label=Breadcrumb><ol><li><a href=/v1.24/docs/ title="Learn how to deploy, use, and operate Istio.">Documentation</a><svg class="icon breadcrumb-arrow"><use xlink:href="/v1.24/img/icons.svg#breadcrumb-arrow"/></svg></li><li><a href=/v1.24/docs/reference/ title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters.">Reference</a><svg class="icon breadcrumb-arrow"><use xlink:href="/v1.24/img/icons.svg#breadcrumb-arrow"/></svg></li><li><a href=/v1.24/docs/reference/config/ title="Detailed information on configuration options.">Configuration</a><svg class="icon breadcrumb-arrow"><use xlink:href="/v1.24/img/icons.svg#breadcrumb-arrow"/></svg></li><li>Global Mesh Options</li></ol></nav><div class=title-area><div style=width:100%><h1 id=title>Global Mesh Options</h1><p class=byline><span class=reading-time title="10928 words"><svg class="icon clock"><use xlink:href="/v1.24/img/icons.svg#clock"/></svg><span> </span>52 minute read</span>
<span> </span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=MeshConfig><a href=#MeshConfig>MeshConfig</a><ol><li role=none aria-label=OutboundTrafficPolicy><a href=#MeshConfig-OutboundTrafficPolicy>OutboundTrafficPolicy</a><ol><li role=none aria-label=Mode><a href=#MeshConfig-OutboundTrafficPolicy-Mode>Mode</a></ol></li><li role=none aria-label=InboundTrafficPolicy><a href=#MeshConfig-InboundTrafficPolicy>InboundTrafficPolicy</a><ol><li role=none aria-label=Mode><a href=#MeshConfig-InboundTrafficPolicy-Mode>Mode</a></ol></li><li role=none aria-label=CertificateData><a href=#MeshConfig-CertificateData>CertificateData</a><li role=none aria-label=CA><a href=#MeshConfig-CA>CA</a><li role=none aria-label=ExtensionProvider><a href=#MeshConfig-ExtensionProvider>ExtensionProvider</a><ol><li role=none aria-label=EnvoyExternalAuthorizationRequestBody><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a><li role=none aria-label=EnvoyExternalAuthorizationHttpProvider><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>EnvoyExternalAuthorizationHttpProvider</a><li role=none aria-label=EnvoyExternalAuthorizationGrpcProvider><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>EnvoyExternalAuthorizationGrpcProvider</a><li role=none aria-label=ZipkinTracingProvider><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider>ZipkinTracingProvider</a><li role=none aria-label=LightstepTracingProvider><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider>LightstepTracingProvider</a><li role=none aria-label=DatadogTracingProvider><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider>DatadogTracingProvider</a><li role=none aria-label=SkyWalkingTracingProvider><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>SkyWalkingTracingProvider</a><li role=none aria-label=StackdriverProvider><a 
href=#MeshConfig-ExtensionProvider-StackdriverProvider>StackdriverProvider</a><ol><li role=none aria-label=Logging><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-Logging>Logging</a></ol></li><li role=none aria-label=OpenCensusAgentTracingProvider><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>OpenCensusAgentTracingProvider</a><ol><li role=none aria-label=TraceContext><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>TraceContext</a></ol></li><li role=none aria-label=PrometheusMetricsProvider><a href=#MeshConfig-ExtensionProvider-PrometheusMetricsProvider>PrometheusMetricsProvider</a><li role=none aria-label=EnvoyFileAccessLogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>EnvoyFileAccessLogProvider</a><ol><li role=none aria-label=LogFormat><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>LogFormat</a></ol></li><li role=none aria-label=EnvoyHttpGrpcV3LogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>EnvoyHttpGrpcV3LogProvider</a><li role=none aria-label=EnvoyTcpGrpcV3LogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>EnvoyTcpGrpcV3LogProvider</a><li role=none aria-label=EnvoyOpenTelemetryLogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>EnvoyOpenTelemetryLogProvider</a><ol><li role=none aria-label=LogFormat><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>LogFormat</a></ol></li><li role=none aria-label=OpenTelemetryTracingProvider><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider>OpenTelemetryTracingProvider</a><ol><li role=none aria-label=DynatraceSampler><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler>DynatraceSampler</a><ol><li role=none aria-label=DynatraceApi><a 
href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi>DynatraceApi</a></ol></li></ol></li><li role=none aria-label=HttpService><a href=#MeshConfig-ExtensionProvider-HttpService>HttpService</a><li role=none aria-label=HttpHeader><a href=#MeshConfig-ExtensionProvider-HttpHeader>HttpHeader</a><li role=none aria-label=ResourceDetectors><a href=#MeshConfig-ExtensionProvider-ResourceDetectors>ResourceDetectors</a><ol><li role=none aria-label=EnvironmentResourceDetector><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-EnvironmentResourceDetector>EnvironmentResourceDetector</a><li role=none aria-label=DynatraceResourceDetector><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-DynatraceResourceDetector>DynatraceResourceDetector</a></ol></li><li role=none aria-label=GrpcService><a href=#MeshConfig-ExtensionProvider-GrpcService>GrpcService</a></ol></li><li role=none aria-label=DefaultProviders><a href=#MeshConfig-DefaultProviders>DefaultProviders</a><li role=none aria-label=ProxyPathNormalization><a href=#MeshConfig-ProxyPathNormalization>ProxyPathNormalization</a><ol><li role=none aria-label=NormalizationType><a href=#MeshConfig-ProxyPathNormalization-NormalizationType>NormalizationType</a></ol></li><li role=none aria-label=TLSConfig><a href=#MeshConfig-TLSConfig>TLSConfig</a><ol><li role=none aria-label=TLSProtocol><a href=#MeshConfig-TLSConfig-TLSProtocol>TLSProtocol</a><li role=none aria-label=Settings><a href=#MeshConfig-ServiceSettings-Settings>Settings</a></ol></li><li role=none aria-label=IngressControllerMode><a href=#MeshConfig-IngressControllerMode>IngressControllerMode</a><li role=none aria-label=AccessLogEncoding><a href=#MeshConfig-AccessLogEncoding>AccessLogEncoding</a><li role=none aria-label=H2UpgradePolicy><a href=#MeshConfig-H2UpgradePolicy>H2UpgradePolicy</a></ol></li><li role=none aria-label=LabelSelector><a href=#LabelSelector>LabelSelector</a><li role=none aria-label=LabelSelectorRequirement><a 
href=#LabelSelectorRequirement>LabelSelectorRequirement</a><li role=none aria-label=ConfigSource><a href=#ConfigSource>ConfigSource</a><li role=none aria-label=Tracing><a href=#Tracing>Tracing</a><ol><li role=none aria-label=Zipkin><a href=#Tracing-Zipkin>Zipkin</a><li role=none aria-label=Datadog><a href=#Tracing-Datadog>Datadog</a><li role=none aria-label=Stackdriver><a href=#Tracing-Stackdriver>Stackdriver</a><li role=none aria-label=OpenCensusAgent><a href=#Tracing-OpenCensusAgent>OpenCensusAgent</a><ol><li role=none aria-label=TraceContext><a href=#Tracing-OpenCensusAgent-TraceContext>TraceContext</a></ol></li></ol></li><li role=none aria-label=Topology><a href=#Topology>Topology</a><ol><li role=none aria-label=ProxyProtocolConfiguration><a href=#Topology-ProxyProtocolConfiguration>ProxyProtocolConfiguration</a></ol></li><li role=none aria-label=PrivateKeyProvider><a href=#PrivateKeyProvider>PrivateKeyProvider</a><ol><li role=none aria-label=CryptoMb><a href=#PrivateKeyProvider-CryptoMb>CryptoMb</a><li role=none aria-label=QAT><a href=#PrivateKeyProvider-QAT>QAT</a></ol></li><li role=none aria-label=ProxyConfig><a href=#ProxyConfig>ProxyConfig</a><ol><li role=none aria-label=ProxyStatsMatcher><a href=#ProxyConfig-ProxyStatsMatcher>ProxyStatsMatcher</a><li role=none aria-label=ProxyHeaders><a href=#ProxyConfig-ProxyHeaders>ProxyHeaders</a><ol><li role=none aria-label=Server><a href=#ProxyConfig-ProxyHeaders-Server>Server</a><li role=none aria-label=RequestId><a href=#ProxyConfig-ProxyHeaders-RequestId>RequestId</a><li role=none aria-label=AttemptCount><a href=#ProxyConfig-ProxyHeaders-AttemptCount>AttemptCount</a><li role=none aria-label=EnvoyDebugHeaders><a href=#ProxyConfig-ProxyHeaders-EnvoyDebugHeaders>EnvoyDebugHeaders</a><li role=none aria-label=MetadataExchangeHeaders><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeHeaders>MetadataExchangeHeaders</a><li role=none aria-label=SetCurrentClientCertDetails><a 
href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails>SetCurrentClientCertDetails</a><li role=none aria-label=MetadataExchangeMode><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeMode>MetadataExchangeMode</a></ol></li><li role=none aria-label=TracingServiceName><a href=#ProxyConfig-TracingServiceName>TracingServiceName</a><li role=none aria-label=InboundInterceptionMode><a href=#ProxyConfig-InboundInterceptionMode>InboundInterceptionMode</a></ol></li><li role=none aria-label=RemoteService><a href=#RemoteService>RemoteService</a><li role=none aria-label=Network><a href=#Network>Network</a><ol><li role=none aria-label=NetworkEndpoints><a href=#Network-NetworkEndpoints>NetworkEndpoints</a><li role=none aria-label=IstioNetworkGateway><a href=#Network-IstioNetworkGateway>IstioNetworkGateway</a></ol></li><li role=none aria-label=MeshNetworks><a href=#MeshNetworks>MeshNetworks</a><li role=none aria-label=Resource><a href=#Resource>Resource</a><li role=none aria-label=AuthenticationPolicy><a href=#AuthenticationPolicy>AuthenticationPolicy</a><li role=none aria-label=ForwardClientCertDetails><a href=#ForwardClientCertDetails>ForwardClientCertDetails</a></ol><hr></div></nav><p>Configuration affecting the service mesh as a whole.</p><h2 id=MeshConfig>MeshConfig</h2><section><p>MeshConfig defines mesh-wide settings for the Istio service mesh.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-proxy_listen_port><td><div class=field><div class=name><code><a href=#MeshConfig-proxy_listen_port>proxyListenPort</a></code></div><div class=type>int32</div></div></td><td><p>Port on which Envoy should listen for all outbound traffic to other services.
Default port is 15001.</p></td></tr><tr id=MeshConfig-proxy_inbound_listen_port><td><div class=field><div class=name><code><a href=#MeshConfig-proxy_inbound_listen_port>proxyInboundListenPort</a></code></div><div class=type>int32</div></div></td><td><p>Port on which Envoy should listen for all inbound traffic; inbound traffic to the pod/VM will be captured to this port.
Default port is 15006.</p></td></tr><tr id=MeshConfig-proxy_http_port><td><div class=field><div class=name><code><a href=#MeshConfig-proxy_http_port>proxyHttpPort</a></code></div><div class=type>int32</div></div></td><td><p>Port on which Envoy should listen for HTTP PROXY requests if set.</p></td></tr><tr id=MeshConfig-connect_timeout><td><div class=field><div class=name><code><a href=#MeshConfig-connect_timeout>connectTimeout</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>Connection timeout used by Envoy. (MUST be >=1ms)
Default timeout is 10s.</p></td></tr><tr id=MeshConfig-tcp_keepalive><td><div class=field><div class=name><code><a href=#MeshConfig-tcp_keepalive>tcpKeepalive</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></div></div></td><td><p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p></td></tr><tr id=MeshConfig-ingress_class><td><div class=field><div class=name><code><a href=#MeshConfig-ingress_class>ingressClass</a></code></div><div class=type>string</div></div></td><td><p>Class of ingress resources to be processed by Istio ingress
controller. This corresponds to the value of
<code>kubernetes.io/ingress.class</code> annotation.</p></td></tr><tr id=MeshConfig-ingress_service><td><div class=field><div class=name><code><a href=#MeshConfig-ingress_service>ingressService</a></code></div><div class=type>string</div></div></td><td><p>Name of the Kubernetes service used for the istio ingress controller.
If no ingress controller is specified, the default value <code>istio-ingressgateway</code> is used.</p></td></tr><tr id=MeshConfig-ingress_controller_mode><td><div class=field><div class=name><code><a href=#MeshConfig-ingress_controller_mode>ingressControllerMode</a></code></div><div class=type><a href=#MeshConfig-IngressControllerMode>IngressControllerMode</a></div></div></td><td><p>Defines whether to use Istio ingress controller for annotated or all ingress resources.
Default mode is <code>STRICT</code>.</p></td></tr><tr id=MeshConfig-ingress_selector><td><div class=field><div class=name><code><a href=#MeshConfig-ingress_selector>ingressSelector</a></code></div><div class=type>string</div></div></td><td><p>Defines which gateway deployment to use as the Ingress controller. This field corresponds to
the Gateway.selector field, and will be set as <code>istio: INGRESS_SELECTOR</code>.
By default, <code>ingressgateway</code> is used, which will select the default IngressGateway as it has the
<code>istio: ingressgateway</code> labels.
It is recommended that this is the same value as ingressService.</p></td></tr><tr id=MeshConfig-enable_tracing><td><div class=field><div class=name><code><a href=#MeshConfig-enable_tracing>enableTracing</a></code></div><div class=type>bool</div></div></td><td><p>Flag to control generation of trace spans and request IDs.
Requires a trace span collector defined in the proxy configuration.</p></td></tr><tr id=MeshConfig-access_log_file><td><div class=field><div class=name><code><a href=#MeshConfig-access_log_file>accessLogFile</a></code></div><div class=type>string</div></div></td><td><p>File address for the proxy access log (e.g. /dev/stdout).
Empty value disables access logging.</p></td></tr><tr id=MeshConfig-access_log_format><td><div class=field><div class=name><code><a href=#MeshConfig-access_log_format>accessLogFormat</a></code></div><div class=type>string</div></div></td><td><p>Format for the proxy access log.
Empty value results in the proxy’s default access log format.</p></td></tr><tr id=MeshConfig-access_log_encoding><td><div class=field><div class=name><code><a href=#MeshConfig-access_log_encoding>accessLogEncoding</a></code></div><div class=type><a href=#MeshConfig-AccessLogEncoding>AccessLogEncoding</a></div></div></td><td><p>Encoding for the proxy access log (<code>TEXT</code> or <code>JSON</code>).
Default value is <code>TEXT</code>.</p></td></tr><tr id=MeshConfig-enable_envoy_access_log_service><td><div class=field><div class=name><code><a href=#MeshConfig-enable_envoy_access_log_service>enableEnvoyAccessLogService</a></code></div><div class=type>bool</div></div></td><td><p>This flag enables Envoy’s gRPC Access Log Service.
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto>Access Log Service</a>
for details about Envoy’s gRPC Access Log Service API.
Default value is <code>false</code>.</p></td></tr><tr id=MeshConfig-disable_envoy_listener_log><td><div class=field><div class=name><code><a href=#MeshConfig-disable_envoy_listener_log>disableEnvoyListenerLog</a></code></div><div class=type>bool</div></div></td><td><p>This flag disables Envoy Listener logs.
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log>Listener Access Log</a>
Istio enables Envoy’s listener access logs on the “NoRoute” response flag.
Default value is <code>false</code>.</p></td></tr><tr id=MeshConfig-default_config><td><div class=field><div class=name><code><a href=#MeshConfig-default_config>defaultConfig</a></code></div><div class=type><a href=#ProxyConfig>ProxyConfig</a></div></div></td><td><p>Default proxy config used by gateway and sidecars.
In case of Kubernetes, the proxy config is applied once during the injection process,
and remains constant for the duration of the pod. The rest of the mesh config can be changed
at runtime and config gets distributed dynamically.
On Kubernetes, this can be overridden on individual pods with the <code>proxy.istio.io/config</code> annotation.</p></td></tr><tr id=MeshConfig-outbound_traffic_policy><td><div class=field><div class=name><code><a href=#MeshConfig-outbound_traffic_policy>outboundTrafficPolicy</a></code></div><div class=type><a href=#MeshConfig-OutboundTrafficPolicy>OutboundTrafficPolicy</a></div></div></td><td><p>Set the default behavior of the sidecar for handling outbound
traffic from the application.</p><p>Can be overridden at a Sidecar level by setting the <code>OutboundTrafficPolicy</code> in the
<a href=/v1.24/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy>Sidecar API</a>.</p><p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed. The other mode, <code>REGISTRY_ONLY</code>, is described under <a href=#MeshConfig-OutboundTrafficPolicy-Mode>Mode</a>.</p></td></tr><tr id=MeshConfig-inbound_traffic_policy><td><div class=field><div class=name><code><a href=#MeshConfig-inbound_traffic_policy>inboundTrafficPolicy</a></code></div><div class=type><a href=#MeshConfig-InboundTrafficPolicy>InboundTrafficPolicy</a></div></div></td><td><p>Set the default behavior of the sidecar for handling inbound
traffic to the application. If your application listens on
localhost, you will need to set this to <code>LOCALHOST</code>.</p></td></tr><tr id=MeshConfig-config_sources><td><div class=field><div class=name><code><a href=#MeshConfig-config_sources>configSources</a></code></div><div class=type><a href=#ConfigSource>ConfigSource[]</a></div></div></td><td><p>ConfigSource describes a source of configuration data for networking
rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.</p></td></tr><tr id=MeshConfig-enable_auto_mtls><td><div class=field><div class=name><code><a href=#MeshConfig-enable_auto_mtls>enableAutoMtls</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>This flag is used to enable mutual <code>TLS</code> automatically for service to service communication
within the mesh, default true.
If set to true, and a given service does not have a corresponding <code>DestinationRule</code> configured,
or its <code>DestinationRule</code> does not have ClientTLSSettings specified, Istio configures client side
TLS configuration appropriately. More specifically,
If the upstream authentication policy is in <code>STRICT</code> mode, use Istio provisioned certificate
for mutual <code>TLS</code> to connect to upstream.
If upstream service is in plain text mode, use plain text.
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
mutual <code>TLS</code> when server sides are capable of accepting mutual <code>TLS</code> traffic.
If service <code>DestinationRule</code> exists and has <code>ClientTLSSettings</code> specified, that is always used instead.</p></td></tr><tr id=MeshConfig-trust_domain><td><div class=field><div class=name><code><a href=#MeshConfig-trust_domain>trustDomain</a></code></div><div class=type>string</div></div></td><td><p>The trust domain corresponds to the trust root of a system.
Refer to <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain>SPIFFE-ID</a></p></td></tr><tr id=MeshConfig-trust_domain_aliases><td><div class=field><div class=name><code><a href=#MeshConfig-trust_domain_aliases>trustDomainAliases</a></code></div><div class=type>string[]</div></div></td><td><p>The trust domain aliases represent the aliases of <code>trustDomain</code>.
For example, if we have</p><pre><code class=language-yaml>trustDomain: td1
trustDomainAliases: ["td2", "td3"]
</code></pre><p>Any service with the identity <code>td1/ns/foo/sa/a-service-account</code>, <code>td2/ns/foo/sa/a-service-account</code>,
or <code>td3/ns/foo/sa/a-service-account</code> will be treated the same in the Istio mesh.</p></td></tr><tr id=MeshConfig-ca_certificates><td><div class=field><div class=name><code><a href=#MeshConfig-ca_certificates>caCertificates</a></code></div><div class=type><a href=#MeshConfig-CertificateData>CertificateData[]</a></div></div></td><td><p>The extra root certificates for workload-to-workload communication.
The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret)
are automatically added by Istiod.
The CA certificate that signs the workload certificates is automatically added by Istio Agent.</p></td></tr><tr id=MeshConfig-default_service_export_to><td><div class=field><div class=name><code><a href=#MeshConfig-default_service_export_to>defaultServiceExportTo</a></code></div><div class=type>string[]</div></div></td><td><p>The default value for the ServiceEntry.exportTo field and services
imported through container registry integrations, e.g. this applies to
Kubernetes Service resources. The value is a list of namespace names and
reserved namespace aliases. The allowed namespace aliases are:</p><pre><code>* - All Namespaces
. - Current Namespace
~ - No Namespace
</code></pre><p>If not set the system will use “*” as the default value which implies that
services are exported to all namespaces.</p><p><code>All namespaces</code> is a reasonable default for implementations that don’t
need to restrict access or visibility of services across namespace
boundaries. If that requirement is present it is generally good practice to
make the default <code>Current namespace</code> so that services are only visible
within their own namespaces by default. Operators can then expand the
visibility of services to other namespaces as needed. Use of <code>No Namespace</code>
is expected to be rare but can have utility for deployments where
dependency management needs to be precise even within the scope of a single
namespace.</p><p>For further discussion see the reference documentation for <code>ServiceEntry</code>,
<code>Sidecar</code>, and <code>Gateway</code>.</p></td></tr><tr id=MeshConfig-default_virtual_service_export_to><td><div class=field><div class=name><code><a href=#MeshConfig-default_virtual_service_export_to>defaultVirtualServiceExportTo</a></code></div><div class=type>string[]</div></div></td><td><p>The default value for the VirtualService.exportTo field. Has the same
syntax as <code>defaultServiceExportTo</code>.</p><p>If not set the system will use “*” as the default value which implies that
virtual services are exported to all namespaces</p></td></tr><tr id=MeshConfig-default_destination_rule_export_to><td><div class=field><div class=name><code><a href=#MeshConfig-default_destination_rule_export_to>defaultDestinationRuleExportTo</a></code></div><div class=type>string[]</div></div></td><td><p>The default value for the <code>DestinationRule.exportTo</code> field. Has the same
syntax as <code>defaultServiceExportTo</code>.</p><p>If not set the system will use “*” as the default value which implies that
destination rules are exported to all namespaces</p></td></tr><tr id=MeshConfig-root_namespace><td><div class=field><div class=name><code><a href=#MeshConfig-root_namespace>rootNamespace</a></code></div><div class=type>string</div></div></td><td><p>The namespace to treat as the administrative root namespace for
Istio configuration. When processing a leaf namespace Istio will search for
declarations in that namespace first and if none are found it will
search in the root namespace. Any matching declaration found in the root
namespace is processed as if it were declared in the leaf namespace.</p><p>The precise semantics of this processing are documented on each resource
type.</p></td></tr><tr id=MeshConfig-locality_lb_setting><td><div class=field><div class=name><code><a href=#MeshConfig-locality_lb_setting>localityLbSetting</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/destination-rule/#LocalityLoadBalancerSetting>LocalityLoadBalancerSetting</a></div></div></td><td><p>Locality based load balancing distribution or failover settings.
If unspecified, locality based load balancing will be enabled by default.
However, this requires outlierDetection to actually take effect for a particular
service, see <a href=/v1.24/docs/tasks/traffic-management/locality-load-balancing/failover/>https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/</a></p></td></tr><tr id=MeshConfig-dns_refresh_rate><td><div class=field><div class=name><code><a href=#MeshConfig-dns_refresh_rate>dnsRefreshRate</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>Configures DNS refresh rate for Envoy clusters of type <code>STRICT_DNS</code>
Default refresh rate is <code>60s</code>.</p></td></tr><tr id=MeshConfig-h2_upgrade_policy><td><div class=field><div class=name><code><a href=#MeshConfig-h2_upgrade_policy>h2UpgradePolicy</a></code></div><div class=type><a href=#MeshConfig-H2UpgradePolicy>H2UpgradePolicy</a></div></div></td><td><p>Specify if http1.1 connections should be upgraded to http2 by default.
If a sidecar is installed on all pods in the mesh, then this should be set to <code>UPGRADE</code>.
If one or more services or namespaces do not have sidecar(s), then this should be set to <code>DO_NOT_UPGRADE</code>.
It can be enabled by destination using the <code>destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy</code> override.</p></td></tr><tr id=MeshConfig-inbound_cluster_stat_name><td><div class=field><div class=name><code><a href=#MeshConfig-inbound_cluster_stat_name>inboundClusterStatName</a></code></div><div class=type>string</div></div></td><td><p>Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
network filters like TCP and Redis.
By default, Istio emits statistics with the pattern <code>inbound|&lt;port&gt;|&lt;port-name&gt;|&lt;service-FQDN&gt;</code>.
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with short hostname of the service.</li><li><code>%SERVICE_NAME%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%TARGET_PORT%</code> - Will be substituted with the target port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td></tr><tr id=MeshConfig-outbound_cluster_stat_name><td><div class=field><div class=name><code><a href=#MeshConfig-outbound_cluster_stat_name>outboundClusterStatName</a></code></div><div class=type>string</div></div></td><td><p>Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
network filters like TCP and Redis.
By default, Istio emits statistics with the pattern <code>outbound|&lt;port&gt;|&lt;subsetname&gt;|&lt;service-FQDN&gt;</code>.
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with short hostname of the service.</li><li><code>%SERVICE_NAME%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li><li><code>%SUBSET_NAME%</code> - Will be substituted with subset.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use <code>reviews.prod.svc.cluster.local_7443</code> as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td></tr><tr id=MeshConfig-enable_prometheus_merge><td><div class=field><div class=name><code><a href=#MeshConfig-enable_prometheus_merge>enablePrometheusMerge</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
and Istio agent. The sidecar injection will replace <code>prometheus.io</code> annotations present on the pod
and redirect them towards Istio agent, which will then merge metrics from the application with Istio metrics.
This relies on the <code>prometheus.io/scrape</code>, <code>prometheus.io/port</code>, and
<code>prometheus.io/path</code> annotations.
If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
In this case, it is recommended to disable aggregation on that deployment with the
<code>prometheus.istio.io/merge-metrics: "false"</code> annotation.
If not specified, this will be enabled by default.</p></td></tr><tr id=MeshConfig-extension_providers><td><div class=field><div class=name><code><a href=#MeshConfig-extension_providers>extensionProviders</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider>ExtensionProvider[]</a></div></div></td><td><p>Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy
can be used with an extension provider to delegate the authorization decision to a custom authorization system.</p></td></tr><tr id=MeshConfig-default_providers><td><div class=field><div class=name><code><a href=#MeshConfig-default_providers>defaultProviders</a></code></div><div class=type><a href=#MeshConfig-DefaultProviders>DefaultProviders</a></div></div></td><td><p>Specifies extension providers to use by default in Istio configuration resources.</p></td></tr><tr id=MeshConfig-discovery_selectors><td><div class=field><div class=name><code><a href=#MeshConfig-discovery_selectors>discoverySelectors</a></code></div><div class=type><a href=#LabelSelector>LabelSelector[]</a></div></div></td><td><p>A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
computing configuration updates for sidecars. This can be used to reduce Istio’s computational load
by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
The following example selects any namespace that matches either below:</p><ol><li>The namespace has both of these labels: <code>env: prod</code> and <code>region: us-east1</code></li><li>The namespace has label <code>app</code> equal to <code>cassandra</code> or <code>spark</code>.</li></ol><pre><code class=language-yaml>discoverySelectors:
  - matchLabels:
      env: prod
      region: us-east1
  - matchExpressions:
    - key: app
      operator: In
      values:
        - cassandra
        - spark
</code></pre><p>Refer to the <a href=https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors>Kubernetes selector docs</a>
for additional detail on selector semantics.</p></td></tr><tr id=MeshConfig-path_normalization><td><div class=field><div class=name><code><a href=#MeshConfig-path_normalization>pathNormalization</a></code></div><div class=type><a href=#MeshConfig-ProxyPathNormalization>ProxyPathNormalization</a></div></div></td><td><p>ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
normalized by the sidecars and gateways.
The normalized paths will be used in all aspects through the requests’ lifetime on the
sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
authorization policy match and enforcement in inbound direction (server proxy), and the URL
path proxied to the upstream service.
If not set, the NormalizationType.DEFAULT configuration will be used.</p></td></tr><tr id=MeshConfig-default_http_retry_policy><td><div class=field><div class=name><code><a href=#MeshConfig-default_http_retry_policy>defaultHttpRetryPolicy</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/virtual-service/#HTTPRetry>HTTPRetry</a></div></div></td><td><p>Configure the default HTTP retry policy.
The default number of retry attempts is set at 2 for these errors:
“connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”.
Setting the number of attempts to 0 disables retry policy globally.
This setting can be overridden on a per-host basis using the Virtual Service
API.
All settings in the retry policy except <code>perTryTimeout</code> can currently be
configured globally via this field.</p></td></tr><tr id=MeshConfig-mesh_mTLS><td><div class=field><div class=name><code><a href=#MeshConfig-mesh_mTLS>meshMTLS</a></code></div><div class=type><a href=#MeshConfig-TLSConfig>TLSConfig</a></div></div></td><td><p>The below configuration parameters can be used to specify TLSConfig for mesh traffic.
For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:</p><pre><code class=language-yaml>meshConfig:
  meshMTLS:
    minProtocolVersion: TLSV1_3
  tlsDefaults:
    # Note: applicable only for non ISTIO_MUTUAL scenarios
    ecdhCurves:
      - P-256
      - P-521
</code></pre><p>Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.</p><p>Note: Mesh mTLS does not respect ECDH curves.</p></td></tr><tr id=MeshConfig-tls_defaults><td><div class=field><div class=name><code><a href=#MeshConfig-tls_defaults>tlsDefaults</a></code></div><div class=type><a href=#MeshConfig-TLSConfig>TLSConfig</a></div></div></td><td><p>Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
Currently, this supports configuration of ecdhCurves and cipherSuites only.
For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.</p></td></tr></tbody></table></section><h3 id=MeshConfig-OutboundTrafficPolicy>OutboundTrafficPolicy</h3><section><p><code>OutboundTrafficPolicy</code> sets the default behavior of the sidecar for
handling unknown outbound traffic from the application.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-mode><td><div class=field><div class=name><code><a href=#MeshConfig-OutboundTrafficPolicy-mode>mode</a></code></div><div class=type><a href=#MeshConfig-OutboundTrafficPolicy-Mode>Mode</a></div></div></td><td></td></tr></tbody></table></section><h4 id=MeshConfig-OutboundTrafficPolicy-Mode>Mode</h4><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY><td><code><a href=#MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY>REGISTRY_ONLY</a></code></td><td><p>In <code>REGISTRY_ONLY</code> mode, unknown outbound traffic will be dropped.
Traffic destinations must be explicitly declared into the service registry through <code>ServiceEntry</code> configurations.</p><p>Note: Istio <a href=/v1.24/docs/ops/best-practices/security/#understand-traffic-capture-limitations>does not offer an outbound traffic security policy</a>.
This option does not act as one, or as any form of an outbound firewall.
Instead, this option exists primarily to offer users a way to detect missing <code>ServiceEntry</code> configurations by explicitly failing.</p></td></tr><tr id=MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY><td><code><a href=#MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY>ALLOW_ANY</a></code></td><td><p>In <code>ALLOW_ANY</code> mode, any traffic to unknown destinations will be allowed.
Unknown destination traffic will have limited functionality, however, such as reduced observability.
This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
to arbitrary destinations.</p></td></tr></tbody></table></section><h3 id=MeshConfig-InboundTrafficPolicy>InboundTrafficPolicy</h3><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-InboundTrafficPolicy-mode><td><div class=field><div class=name><code><a href=#MeshConfig-InboundTrafficPolicy-mode>mode</a></code></div><div class=type><a href=#MeshConfig-InboundTrafficPolicy-Mode>Mode</a></div></div></td><td></td></tr></tbody></table></section><h4 id=MeshConfig-InboundTrafficPolicy-Mode>Mode</h4><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-InboundTrafficPolicy-Mode-PASSTHROUGH><td><code><a href=#MeshConfig-InboundTrafficPolicy-Mode-PASSTHROUGH>PASSTHROUGH</a></code></td><td><p>inbound traffic will be passed through to the destination listening
on Pod IP. This matches the behavior without Istio enabled at all
allowing proxy to be transparent.</p></td></tr><tr id=MeshConfig-InboundTrafficPolicy-Mode-LOCALHOST><td><code><a href=#MeshConfig-InboundTrafficPolicy-Mode-LOCALHOST>LOCALHOST</a></code></td><td><p>inbound traffic will be sent to the destinations listening on localhost.</p></td></tr></tbody></table></section><h3 id=MeshConfig-CertificateData>CertificateData</h3><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-CertificateData-pem class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#MeshConfig-CertificateData-pem>pem</a></code></div><div class=type>string (oneof)</div></div></td><td><p>The PEM data of the certificate.</p></td></tr><tr id=MeshConfig-CertificateData-spiffe_bundle_url class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-CertificateData-spiffe_bundle_url>spiffeBundleUrl</a></code></div><div class=type>string (oneof)</div></div></td><td><p>The SPIFFE bundle endpoint URL that complies to:
<a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle>https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle</a>
The endpoint should support authentication based on Web PKI:
<a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki>https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki</a>
The certificate is retrieved from the endpoint.</p></td></tr><tr id=MeshConfig-CertificateData-cert_signers><td><div class=field><div class=name><code><a href=#MeshConfig-CertificateData-cert_signers>certSigners</a></code></div><div class=type>string[]</div></div></td><td><p>Specify the kubernetes signers (External CA) that use this trustAnchor
when Istiod is acting as an RA (registration authority).
If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.</p></td></tr><tr id=MeshConfig-CertificateData-trust_domains><td><div class=field><div class=name><code><a href=#MeshConfig-CertificateData-trust_domains>trustDomains</a></code></div><div class=type>string[]</div></div></td><td><p>Specify the list of trust domains to which this trustAnchor data belongs.
If set, they are used for these trust domains. Otherwise, this trustAnchor is used for the default trust domain
and its aliases.
Note that we can have multiple trustAnchor data for the same trustDomain.
In that case, trustAnchors with the same trust domain will be merged and used together to verify peer certificates.
If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers.
If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers.
If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.</p></td></tr></tbody></table></section><h3 id=MeshConfig-CA>CA</h3><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-CA-address><td><div class=field><div class=name><code><a href=#MeshConfig-CA-address>address</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
Can be an IP address or a fully qualified DNS name, with port.
Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000</p></td></tr><tr id=MeshConfig-CA-tls_settings><td><div class=field><div class=name><code><a href=#MeshConfig-CA-tls_settings>tlsSettings</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></div></div></td><td><p>Use the tlsSettings to specify the tls mode to use.
Regarding tlsSettings:</p><ul><li>DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
DISABLE MODE can also be used for testing</li><li>TLS MUTUAL MODE be on by default. If the CA certificates
(cert bundle to verify the CA server’s certificate) is omitted, Istiod will
use the system root certs to verify the CA server’s certificate.</li></ul></td></tr><tr id=MeshConfig-CA-request_timeout><td><div class=field><div class=name><code><a href=#MeshConfig-CA-request_timeout>requestTimeout</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>Timeout for forwarding CSR requests from Istiod to the external CA.
|
||
Default: 10s</p></td></tr><tr id=MeshConfig-CA-istiod_side><td><div class=field><div class=name><code><a href=#MeshConfig-CA-istiod_side>istiodSide</a></code></div><div class=type>bool</div></div></td><td><p>Use istiodSide to specify CA Server integrate to Istiod side or Agent side
|
||
Default: true</p></td></tr></tbody></table></section><h3 id=MeshConfig-ExtensionProvider>ExtensionProvider</h3><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-name><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-name>name</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. A unique name identifying the extension provider.</p></td></tr><tr id=MeshConfig-ExtensionProvider-envoy_ext_authz_http class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-envoy_ext_authz_http>envoyExtAuthzHttp</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>EnvoyExternalAuthorizationHttpProvider (oneof)</a></div></div></td><td><p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.</p></td></tr><tr id=MeshConfig-ExtensionProvider-envoy_ext_authz_grpc class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-envoy_ext_authz_grpc>envoyExtAuthzGrpc</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>EnvoyExternalAuthorizationGrpcProvider (oneof)</a></div></div></td><td><p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.</p></td></tr><tr id=MeshConfig-ExtensionProvider-zipkin class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-zipkin>zipkin</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider>ZipkinTracingProvider (oneof)</a></div></div></td><td><p>Configures a tracing provider that uses the Zipkin API.</p></td></tr><tr id=MeshConfig-ExtensionProvider-datadog class=oneof><td><div class=field><div class=name><code><a 
href=#MeshConfig-ExtensionProvider-datadog>datadog</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider>DatadogTracingProvider (oneof)</a></div></div></td><td><p>Configures a Datadog tracing provider.</p></td></tr><tr id=MeshConfig-ExtensionProvider-stackdriver class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-stackdriver>stackdriver</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-StackdriverProvider>StackdriverProvider (oneof)</a></div></div></td><td><p>Configures a Stackdriver provider.</p></td></tr><tr id=MeshConfig-ExtensionProvider-skywalking class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-skywalking>skywalking</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>SkyWalkingTracingProvider (oneof)</a></div></div></td><td><p>Configures a Apache SkyWalking provider.</p></td></tr><tr id=MeshConfig-ExtensionProvider-opentelemetry class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-opentelemetry>opentelemetry</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider>OpenTelemetryTracingProvider (oneof)</a></div></div></td><td><p>Configures an OpenTelemetry tracing provider.</p></td></tr><tr id=MeshConfig-ExtensionProvider-prometheus class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-prometheus>prometheus</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-PrometheusMetricsProvider>PrometheusMetricsProvider (oneof)</a></div></div></td><td><p>Configures a Prometheus metrics provider.</p></td></tr><tr id=MeshConfig-ExtensionProvider-envoy_file_access_log class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-envoy_file_access_log>envoyFileAccessLog</a></code></div><div class=type><a 
href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>EnvoyFileAccessLogProvider (oneof)</a></div></div></td><td><p>Configures an Envoy File Access Log provider.</p></td></tr><tr id=MeshConfig-ExtensionProvider-envoy_http_als class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-envoy_http_als>envoyHttpAls</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>EnvoyHttpGrpcV3LogProvider (oneof)</a></div></div></td><td><p>Configures an Envoy Access Logging Service provider for HTTP traffic.</p></td></tr><tr id=MeshConfig-ExtensionProvider-envoy_tcp_als class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-envoy_tcp_als>envoyTcpAls</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>EnvoyTcpGrpcV3LogProvider (oneof)</a></div></div></td><td><p>Configures an Envoy Access Logging Service provider for TCP traffic.</p></td></tr><tr id=MeshConfig-ExtensionProvider-envoy_otel_als class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-envoy_otel_als>envoyOtelAls</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>EnvoyOpenTelemetryLogProvider (oneof)</a></div></div></td><td><p>Configures an Envoy Open Telemetry Access Logging Service provider.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-max_request_bytes><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-max_request_bytes>maxRequestBytes</a></code></div><div class=type>uint32</div></div></td><td><p>Sets the maximum size of 
a message body that the ext-authz filter will hold in memory.
|
||
If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
|
||
Otherwise the request will be sent to the provider with a partial message.
|
||
Note that this setting takes precedence over the failOpen field: the 413 will be returned even when
|
||
failOpen is set to true.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-allow_partial_message><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-allow_partial_message>allowPartialMessage</a></code></div><div class=type>bool</div></div></td><td><p>When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
|
||
The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
|
||
An “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message
|
||
indicating if the body data is partial. An authorization service that inspects the body should check this header, because a decision based on a partial body does not cover the data beyond maxRequestBytes.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-pack_as_bytes><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-pack_as_bytes>packAsBytes</a></code></div><div class=type>bool</div></div></td><td><p>If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
|
||
in the <a href=https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153>raw_body field</a>.
|
||
Otherwise, it will be filled with UTF-8 string in the <a href=https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147>body field</a>.
|
||
This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>EnvoyExternalAuthorizationHttpProvider</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
|
||
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
|
||
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
|
||
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-timeout><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-timeout>timeout</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
|
||
When this timeout condition is met, the proxy marks the communication to the authorization service as a failure.
|
||
In this situation, the response sent back to the client will depend on the configured <code>failOpen</code> field.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-path_prefix><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-path_prefix>pathPrefix</a></code></div><div class=type>string</div></div></td><td><p>Sets a prefix to the value of authorization request header <em>Path</em>.
|
||
For example, setting this to “/check” for an original user request at path “/admin” will cause the
|
||
authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-fail_open><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-fail_open>failOpen</a></code></div><div class=type>bool</div></div></td><td><p>If true, the user request will be allowed even if the communication with the authorization service has failed,
|
||
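or if the authorization service has returned an HTTP 5xx error. Setting this to true means that an outage or timeout of the authorization service lets requests through without an authorization decision.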
|
||
Default is false and the request will be rejected with “Forbidden” response.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-status_on_error><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-status_on_error>statusOnError</a></code></div><div class=type>string</div></div></td><td><p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
|
||
The default status is “403” (HTTP Forbidden).</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_headers_in_check><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_headers_in_check>includeRequestHeadersInCheck</a></code></div><div class=type>string[]</div></div></td><td><p>List of client request headers that should be included in the authorization request sent to the authorization service.
|
||
Note that in addition to the headers specified here, the following headers are included by default:</p><ol><li><em>Host</em>, <em>Method</em>, <em>Path</em> and <em>Content-Length</em> are automatically sent.</li><li><em>Content-Length</em> will be set to 0 and the request will not have a message body. However, the authorization
|
||
request can include the buffered client request body (controlled by includeRequestBodyInCheck setting),
|
||
consequently the value of Content-Length of the authorization request reflects the size of its payload.</li></ol><p>Exact, prefix and suffix matches are supported (similar to the
|
||
<a href=/v1.24/docs/reference/config/security/authorization-policy/#Rule>authorization policy rule syntax</a>
|
||
except the presence match):</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_additional_headers_in_check><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_additional_headers_in_check>includeAdditionalHeadersInCheck</a></code></div><div class=type>map<string, string></div></div></td><td><p>Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
|
||
Key is the header name and value is the header value.
|
||
Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_body_in_check><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_body_in_check>includeRequestBodyInCheck</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a></div></div></td><td><p>If set, the client request body will be included in the authorization request sent to the authorization service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_upstream_on_allow><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_upstream_on_allow>headersToUpstreamOnAllow</a></code></div><div class=type>string[]</div></div></td><td><p>List of headers from the authorization service that should be added or overridden in the original request and
|
||
forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
|
||
If not specified, the original request will not be modified and will be forwarded to the backend as-is.
|
||
Note, any existing headers will be overridden.</p><p>Exact, prefix and suffix matches are supported (similar to the
|
||
<a href=/v1.24/docs/reference/config/security/authorization-policy/#Rule>authorization policy rule syntax</a>
|
||
except the presence match):</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_deny><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_deny>headersToDownstreamOnDeny</a></code></div><div class=type>string[]</div></div></td><td><p>List of headers from the authorization service that should be forwarded to downstream when the authorization
|
||
check result is not allowed (HTTP code other than 200).
|
||
If not specified, all the authorization response headers, except <em>Authority (Host)</em> will be in the response to
|
||
the downstream.
|
||
When a header is included in this list, <em>Path</em>, <em>Status</em>, <em>Content-Length</em>, <em>WWWAuthenticate</em> and <em>Location</em> are
|
||
automatically added.
|
||
Note, the body from the authorization service is always included in the response to downstream.</p><p>Exact, prefix and suffix matches are supported (similar to the
|
||
<a href=/v1.24/docs/reference/config/security/authorization-policy/#Rule>authorization policy rule syntax</a>
|
||
except the presence match):</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_allow><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_allow>headersToDownstreamOnAllow</a></code></div><div class=type>string[]</div></div></td><td><p>List of headers from the authorization service that should be forwarded to downstream when the authorization
|
||
check result is allowed (HTTP code 200).
|
||
If not specified, the original response will not be modified and will be forwarded to downstream as-is.
|
||
Note, any existing headers will be overridden.</p><p>Exact, prefix and suffix matches are supported (similar to the
|
||
<a href=/v1.24/docs/reference/config/security/authorization-policy/#Rule>authorization policy rule syntax</a>
|
||
except the presence match):</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_headers_in_check class=deprecated><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_headers_in_check>includeHeadersInCheck</a></code></div><div class=type>string[]</div></div></td><td><p>DEPRECATED. Use includeRequestHeadersInCheck instead.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>EnvoyExternalAuthorizationGrpcProvider</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
|
||
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
|
||
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
|
||
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-timeout><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-timeout>timeout</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
|
||
When this timeout condition is met, the proxy marks the communication to the authorization service as a failure.
|
||
In this situation, the response sent back to the client will depend on the configured <code>failOpen</code> field.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-fail_open><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-fail_open>failOpen</a></code></div><div class=type>bool</div></div></td><td><p>If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
|
||
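or if the authorization service has returned an HTTP 5xx error. Setting this to true means that an outage or timeout of the authorization service lets traffic through without an authorization decision.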
|
||
Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-status_on_error><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-status_on_error>statusOnError</a></code></div><div class=type>string</div></div></td><td><p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
|
||
The default status is “403” (HTTP Forbidden).</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-include_request_body_in_check><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-include_request_body_in_check>includeRequestBodyInCheck</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a></div></div></td><td><p>If set, the client request body will be included in the authorization request sent to the authorization service.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-ZipkinTracingProvider>ZipkinTracingProvider</h4><section><p>Defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service that implements the Zipkin API.
|
||
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
|
||
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
|
||
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-max_tag_length><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider-max_tag_length>maxTagLength</a></code></div><div class=type>uint32</div></div></td><td><p>Controls the overall path length allowed in a reported span.
|
||
NOTE: currently only controls max length of the path tag.</p></td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-enable_64bit_trace_id><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider-enable_64bit_trace_id>enable64bitTraceId</a></code></div><div class=type>bool</div></div></td><td><p>A 128 bit trace id will be used in Istio.
|
||
If true, will result in a 64 bit trace id being used.</p></td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-path><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider-path>path</a></code></div><div class=type>string</div></div></td><td><p>Specifies the endpoint of Zipkin API.
|
||
The default value is “/api/v2/spans”.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-LightstepTracingProvider>LightstepTracingProvider</h4><section><p>Defines configuration for a Lightstep tracer.
|
||
Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
|
||
will generate OpenTelemetry-compatible configuration when using this option.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service for the Lightstep collector.
|
||
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
|
||
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
|
||
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-access_token><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider-access_token>accessToken</a></code></div><div class=type>string</div></div></td><td><p>The Lightstep access token.</p></td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-max_tag_length><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider-max_tag_length>maxTagLength</a></code></div><div class=type>uint32</div></div></td><td><p>Controls the overall path length allowed in a reported span.
|
||
NOTE: currently only controls max length of the path tag.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-DatadogTracingProvider>DatadogTracingProvider</h4><section><p>Defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service for the Datadog agent.
|
||
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
|
||
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
|
||
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-max_tag_length><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider-max_tag_length>maxTagLength</a></code></div><div class=type>uint32</div></div></td><td><p>Controls the overall path length allowed in a reported span.
|
||
NOTE: currently only controls max length of the path tag.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>SkyWalkingTracingProvider</h4><section><p>Defines configuration for a SkyWalking tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service for the SkyWalking receiver.
|
||
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
|
||
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
|
||
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-access_token><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-access_token>accessToken</a></code></div><div class=type>string</div></div></td><td><p>The SkyWalking OAP access token.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-StackdriverProvider>StackdriverProvider</h4><section><p>Defines configuration for Stackdriver.</p><p>WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
|
||
alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
|
||
driver in Envoy.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-max_tag_length><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-max_tag_length>maxTagLength</a></code></div><div class=type>uint32</div></div></td><td><p>Controls the overall path length allowed in a reported span.
|
||
NOTE: currently only controls max length of the path tag.</p></td></tr><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-logging><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-logging>logging</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-Logging>Logging</a></div></div></td><td><p>Controls Stackdriver logging behavior.</p></td></tr></tbody></table></section><h5 id=MeshConfig-ExtensionProvider-StackdriverProvider-Logging>Logging</h5><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-Logging-labels><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-Logging-labels>labels</a></code></div><div class=type>map<string, string></div></div></td><td><p>Collection of tag names and tag expressions to include in the log
entry. Conflicts are resolved by the tag name by overriding previously
supplied values.</p><p>Example:
labels:
path: request.url_path
foo: request.headers['x-foo']</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>OpenCensusAgentTracingProvider</h4><section><p>Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.</p><p>WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation
in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
configuration MUST be accompanied by a restart of all proxies that will use that configuration.</p><p>NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
alongside OpenCensus provider configuration.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service for the OpenCensusAgent.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-context><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-context>context</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>TraceContext[]</a></div></div></td><td><p>Specifies the set of context propagation headers used for distributed
tracing. Default is <code>["W3C_TRACE_CONTEXT"]</code>. If multiple values are specified,
the proxy will attempt to read each header for each request and will
write all headers.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-max_tag_length><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-max_tag_length>maxTagLength</a></code></div><div class=type>uint32</div></div></td><td><p>Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td></tr></tbody></table></section><h5 id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>TraceContext</h5><section><p>TraceContext selects the context propagation headers used for
distributed tracing.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-W3C_TRACE_CONTEXT><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-W3C_TRACE_CONTEXT>W3C_TRACE_CONTEXT</a></code></td><td><p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
See the
<a href=https://www.w3.org/TR/trace-context/>Trace Context documentation</a> for details.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-GRPC_BIN><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-GRPC_BIN>GRPC_BIN</a></code></td><td><p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-CLOUD_TRACE_CONTEXT><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-CLOUD_TRACE_CONTEXT>CLOUD_TRACE_CONTEXT</a></code></td><td><p>Use Cloud Trace context propagation using the
<code>X-Cloud-Trace-Context</code> http header.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-B3><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-B3>B3</a></code></td><td><p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
<a href=https://github.com/openzipkin/b3-propagation>B3 header propagation README</a>
for details.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-PrometheusMetricsProvider>PrometheusMetricsProvider</h4><section></section><h4 id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>EnvoyFileAccessLogProvider</h4><section><p>Defines configuration for Envoy-based access logging that writes to
local files (and/or standard streams).</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-path><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-path>path</a></code></div><div class=type>string</div></div></td><td><p>Path to a local file to write the access log entries.
This may be used to write to streams, via <code>/dev/stderr</code> and <code>/dev/stdout</code>.
If unspecified, defaults to <code>/dev/stdout</code>.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-log_format><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-log_format>logFormat</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>LogFormat</a></div></div></td><td><p>Allows overriding of the default access log format.</p></td></tr></tbody></table></section><h5 id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>LogFormat</h5><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-text class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-text>text</a></code></div><div class=type>string (oneof)</div></div></td><td><p>Textual format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a> may be
used in the format. The <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings>format string documentation</a>
provides more information.</p><p>NOTE: Istio will insert a newline (’\n’) on all formats (if missing).</p><p>Example: <code>text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"</code></p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-labels class=oneof><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-labels>labels</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>Struct (oneof)</a></div></div></td><td><p>JSON structured format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries>format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. <code>FILTER_STATE</code> or <code>DYNAMIC_METADATA</code>).
Use <code>labels: {}</code> for default envoy JSON log format.</p><p>Example:</p><pre><code>labels:
status: "%RESPONSE_CODE%"
message: "%LOCAL_REPLY_BODY%"
</code></pre></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>EnvoyHttpGrpcV3LogProvider</h4><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als>Access Logging Service</a>
integration for HTTP traffic.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC access log service.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-log_name><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-log_name>logName</a></code></div><div class=type>string</div></div></td><td><p>The friendly name of the access log.
Defaults:</p><ul><li>“http_envoy_accesslog”</li><li>“listener_envoy_accesslog”</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-filter_state_objects_to_log><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-filter_state_objects_to_log>filterStateObjectsToLog</a></code></div><div class=type>string[]</div></div></td><td><p>Additional filter state objects to log.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_request_headers_to_log><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_request_headers_to_log>additionalRequestHeadersToLog</a></code></div><div class=type>string[]</div></div></td><td><p>Additional request headers to log.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_headers_to_log><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_headers_to_log>additionalResponseHeadersToLog</a></code></div><div class=type>string[]</div></div></td><td><p>Additional response headers to log.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_trailers_to_log><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_trailers_to_log>additionalResponseTrailersToLog</a></code></div><div class=type>string[]</div></div></td><td><p>Additional response trailers to log.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>EnvoyTcpGrpcV3LogProvider</h4><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als>Access Logging Service</a>
integration for TCP traffic.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC access log service.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-log_name><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-log_name>logName</a></code></div><div class=type>string</div></div></td><td><p>The friendly name of the access log.
Defaults:</p><ul><li>“tcp_envoy_accesslog”</li><li>“listener_envoy_accesslog”</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-filter_state_objects_to_log><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-filter_state_objects_to_log>filterStateObjectsToLog</a></code></div><div class=type>string[]</div></div></td><td><p>Additional filter state objects to log.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>EnvoyOpenTelemetryLogProvider</h4><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>OpenTelemetry (gRPC) Access Log</a></p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_name><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_name>logName</a></code></div><div class=type>string</div></div></td><td><p>The friendly name of the access log.
Defaults:</p><ul><li>“otel_envoy_accesslog”</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_format><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_format>logFormat</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>LogFormat</a></div></div></td><td><p>Format for the proxy access log
Empty value results in proxy’s default access log format, following Envoy access logging formatting.</p></td></tr></tbody></table></section><h5 id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>LogFormat</h5><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-text><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-text>text</a></code></div><div class=type>string</div></div></td><td><p>Textual format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a> may be
used in the format. The <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings>format string documentation</a>
provides more information.
Alias to the <code>body</code> field in <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>Open Telemetry</a>.
Example: <code>text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"</code></p></td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-labels><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-labels>labels</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>Struct</a></div></div></td><td><p>Additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries>format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
Alias to <code>attributes</code> field in <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>Open Telemetry</a></p><p>Example:</p><pre><code>labels:
status: "%RESPONSE_CODE%"
message: "%LOCAL_REPLY_BODY%"
</code></pre></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider>OpenTelemetryTracingProvider</h4><section><p>Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “otlp.default.svc.cluster.local” or “bar/otlp.example.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-max_tag_length><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-max_tag_length>maxTagLength</a></code></div><div class=type>uint32</div></div></td><td><p>Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-http><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-http>http</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-HttpService>HttpService</a></div></div></td><td><p>Specifies the configuration for exporting OTLP traces via HTTP.
When empty, traces will be exported via gRPC.</p><p>The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:</p><ol><li>Add/change the OpenTelemetry extension provider in <code>MeshConfig</code></li></ol><pre><code class=language-yaml>- name: otel-tracing
opentelemetry:
port: 443
service: my.olly-backend.com
http:
path: "/api/otlp/traces"
timeout: 10s
headers:
- name: "my-custom-header"
value: "some value"
</code></pre><ol start=2><li>Deploy a <code>ServiceEntry</code> for the observability back-end</li></ol><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: my-olly-backend
spec:
hosts:
- my.olly-backend.com
ports:
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: my-olly-backend
spec:
host: my.olly-backend.com
trafficPolicy:
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE
</code></pre></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-grpc><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-grpc>grpc</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-GrpcService>GrpcService</a></div></div></td><td><p>Specifies the configuration for exporting OTLP traces via GRPC.
When empty, traces will check whether HTTP is set.
If not, traces will use default GRPC configurations.</p><p>The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:</p><ol><li>Add/change the OpenTelemetry extension provider in <code>MeshConfig</code></li></ol><pre><code class=language-yaml>- name: opentelemetry
opentelemetry:
port: 8090
service: tracing.example.com
grpc:
timeout: 10s
initialMetadata:
- name: "Authentication"
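value: "token-xxxxx" # placeholder; a real token set here is stored in plain text in MeshConfig and is readable by anyone who can read it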
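</code></pre><ol start=2><li>Deploy a <code>ServiceEntry</code> for the observability back-end. This example defines no <code>DestinationRule</code>, so unless TLS origination is configured for the host (as in the HTTP example above), the <code>initialMetadata</code> token may be sent to the <code>MESH_EXTERNAL</code> service unencrypted.</li></ol><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3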
kind: ServiceEntry
metadata:
name: tracing-grpc
spec:
hosts:
- tracing.example.com
ports:
- number: 8090
name: grpc-port
protocol: GRPC
resolution: DNS
location: MESH_EXTERNAL
</code></pre></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-resource_detectors><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-resource_detectors>resourceDetectors</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-ResourceDetectors>ResourceDetectors</a></div></div></td><td><p>Specifies <a href=https://opentelemetry.io/docs/specs/otel/resource/sdk/>Resource Detectors</a>
to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
according to the OpenTelemetry <a href=https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge>Resource specification</a>.</p><p>The following example shows how to configure the Environment Resource Detector, that will
read the attributes from the environment variable <code>OTEL_RESOURCE_ATTRIBUTES</code>:</p><pre><code class=language-yaml>- name: otel-tracing
opentelemetry:
port: 443
service: my.olly-backend.com
resourceDetectors:
environment: {}
</code></pre></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-dynatrace_sampler class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-dynatrace_sampler>dynatraceSampler</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler>DynatraceSampler (oneof)</a></div></div></td><td><p>The Dynatrace adaptive traffic management (ATM) sampler.</p><p>Example configuration:</p><pre><code class=language-yaml>- name: otel-tracing
opentelemetry:
port: 443
service: "{your-environment-id}.live.dynatrace.com"
http:
path: "/api/v2/otlp/v1/traces"
timeout: 10s
headers:
- name: "Authorization"
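value: "Api-Token dt0c01." # truncated placeholder; the API token configured here is kept in plain text in the mesh configuration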
resourceDetectors:
dynatrace: {}
dynatraceSampler:
tenant: "{your-environment-id}"
clusterId: 1234</code></pre></td></tr></tbody></table></section><h5 id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler>DynatraceSampler</h5><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-tenant><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-tenant>tenant</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. The Dynatrace customer’s tenant identifier.</p><p>The value can be obtained from the Istio deployment page in Dynatrace.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-cluster_id><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-cluster_id>clusterId</a></code></div><div class=type>int32</div></div></td><td><p>REQUIRED. The identifier of the cluster in the Dynatrace platform.
The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.</p><p>The value can be obtained from the Istio deployment page in Dynatrace.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-root_spans_per_minute><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-root_spans_per_minute>rootSpansPerMinute</a></code></div><div class=type>uint32</div></div></td><td><p>Number of sampled spans per minute to be used
when the adaptive value cannot be obtained from the Dynatrace API.</p><p>A default value of <code>1000</code> is used when:</p><ul><li><code>rootSpansPerMinute</code> is unset</li><li><code>rootSpansPerMinute</code> is set to 0</li></ul></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-http_service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-http_service>httpService</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi>DynatraceApi</a></div></div></td><td><p>Dynatrace HTTP API to obtain sampling configuration.</p><p>When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter
(<code>service</code>, <code>port</code> and <code>http</code>), including the access token.</p></td></tr></tbody></table></section><h6 id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi>DynatraceApi</h6><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi-service><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi-service>service</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration.
The format is <code><Hostname></code>, where <code><Hostname></code> is the fully qualified Dynatrace environment
host name defined in the ServiceEntry.</p><p>Example: “{your-environment-id}.live.dynatrace.com”.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi-port><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi-port>port</a></code></div><div class=type>uint32</div></div></td><td><p>REQUIRED. Specifies the port of the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi-http><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi-http>http</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-HttpService>HttpService</a></div></div></td><td><p>REQUIRED. Specifies sampling configuration URI.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-HttpService>HttpService</h4><section><p>Defines configuration for an HTTP service that can be used by an Extension Provider.
that does communication via HTTP.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-HttpService-path><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-HttpService-path>path</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. Specifies the path on the service.</p></td></tr><tr id=MeshConfig-ExtensionProvider-HttpService-timeout><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-HttpService-timeout>timeout</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>Specifies the timeout for the HTTP request.
If not specified, the default is 3s.</p></td></tr><tr id=MeshConfig-ExtensionProvider-HttpService-headers><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-HttpService-headers>headers</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-HttpHeader>HttpHeader[]</a></div></div></td><td><p>Allows specifying custom HTTP headers that will be added
|
||
to each HTTP request sent.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-HttpHeader>HttpHeader</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-HttpHeader-name><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-HttpHeader-name>name</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. The HTTP header name.</p></td></tr><tr id=MeshConfig-ExtensionProvider-HttpHeader-value><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-HttpHeader-value>value</a></code></div><div class=type>string</div></div></td><td><p>REQUIRED. The HTTP header value.</p></td></tr></tbody></table></section><h4 id=MeshConfig-ExtensionProvider-ResourceDetectors>ResourceDetectors</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-ResourceDetectors-environment><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-environment>environment</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-EnvironmentResourceDetector>EnvironmentResourceDetector</a></div></div></td><td></td></tr><tr id=MeshConfig-ExtensionProvider-ResourceDetectors-dynatrace><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-dynatrace>dynatrace</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-DynatraceResourceDetector>DynatraceResourceDetector</a></div></div></td><td></td></tr></tbody></table></section><h5 id=MeshConfig-ExtensionProvider-ResourceDetectors-EnvironmentResourceDetector>EnvironmentResourceDetector</h5><section><p>OpenTelemetry Environment Resource Detector.
|
||
The resource detector reads attributes from the environment variable <code>OTEL_RESOURCE_ATTRIBUTES</code>
|
||
and adds them to the OpenTelemetry resource.</p><p>See: <a href=https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable>Resource specification</a></p></section><h5 id=MeshConfig-ExtensionProvider-ResourceDetectors-DynatraceResourceDetector>DynatraceResourceDetector</h5><section><p>Dynatrace Resource Detector.
|
||
The resource detector reads from the Dynatrace enrichment files
|
||
and adds host/process related attributes to the OpenTelemetry resource.</p><p>See: <a href=https://docs.dynatrace.com/docs/shortlink/enrichment-files>Enrich ingested data with Dynatrace-specific dimensions</a></p></section><h4 id=MeshConfig-ExtensionProvider-GrpcService>GrpcService</h4><section><p>Defines configuration for a GRPC service that can be used by an Extension Provider
that communicates via GRPC.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-GrpcService-timeout><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-GrpcService-timeout>timeout</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>Specifies the timeout for the GRPC request.</p></td></tr><tr id=MeshConfig-ExtensionProvider-GrpcService-initial_metadata><td><div class=field><div class=name><code><a href=#MeshConfig-ExtensionProvider-GrpcService-initial_metadata>initialMetadata</a></code></div><div class=type><a href=#MeshConfig-ExtensionProvider-HttpHeader>HttpHeader[]</a></div></div></td><td><p>Additional metadata to include in streams initiated to the GrpcService. This can be used for
|
||
scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to
be injected. The header value is a plain string in the mesh configuration, so a credential placed here is readable by anyone who can read that configuration.</p></td></tr></tbody></table></section><h3 id=MeshConfig-DefaultProviders>DefaultProviders</h3><section><p>Holds the name references to the providers that will be used by default
|
||
in other Istio configuration resources if the provider is not specified.</p><p>These names must match a provider defined in <code>extensionProviders</code> that is
|
||
one of the supported tracing providers.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-DefaultProviders-tracing><td><div class=field><div class=name><code><a href=#MeshConfig-DefaultProviders-tracing>tracing</a></code></div><div class=type>string[]</div></div></td><td><p>Name of the default provider(s) for tracing.</p></td></tr><tr id=MeshConfig-DefaultProviders-metrics><td><div class=field><div class=name><code><a href=#MeshConfig-DefaultProviders-metrics>metrics</a></code></div><div class=type>string[]</div></div></td><td><p>Name of the default provider(s) for metrics.</p></td></tr><tr id=MeshConfig-DefaultProviders-access_logging><td><div class=field><div class=name><code><a href=#MeshConfig-DefaultProviders-access_logging>accessLogging</a></code></div><div class=type>string[]</div></div></td><td><p>Name of the default provider(s) for access logging.</p></td></tr></tbody></table></section><h3 id=MeshConfig-ProxyPathNormalization>ProxyPathNormalization</h3><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ProxyPathNormalization-normalization><td><div class=field><div class=name><code><a href=#MeshConfig-ProxyPathNormalization-normalization>normalization</a></code></div><div class=type><a href=#MeshConfig-ProxyPathNormalization-NormalizationType>NormalizationType</a></div></div></td><td></td></tr></tbody></table></section><h4 id=MeshConfig-ProxyPathNormalization-NormalizationType>NormalizationType</h4><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-DEFAULT><td><code><a href=#MeshConfig-ProxyPathNormalization-NormalizationType-DEFAULT>DEFAULT</a></code></td><td><p>Apply default normalizations. 
Currently, this is BASE.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-NONE><td><code><a href=#MeshConfig-ProxyPathNormalization-NormalizationType-NONE>NONE</a></code></td><td><p>No normalization, paths are used as is.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-BASE><td><code><a href=#MeshConfig-ProxyPathNormalization-NormalizationType-BASE>BASE</a></code></td><td><p>Normalize according to <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a>.
|
||
For Envoy proxies, this is the <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html><code>normalize_path</code></a> option.
|
||
For example, <code>/a/../b</code> normalizes to <code>/b</code>.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-MERGE_SLASHES><td><code><a href=#MeshConfig-ProxyPathNormalization-NormalizationType-MERGE_SLASHES>MERGE_SLASHES</a></code></td><td><p>In addition to the <code>BASE</code> normalization, consecutive slashes are also merged.
|
||
For example, <code>/a//b</code> normalizes to <code>/a/b</code>.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-DECODE_AND_MERGE_SLASHES><td><code><a href=#MeshConfig-ProxyPathNormalization-NormalizationType-DECODE_AND_MERGE_SLASHES>DECODE_AND_MERGE_SLASHES</a></code></td><td><p>In addition to normalization in <code>MERGE_SLASHES</code>, percent-encoded slash characters are decoded (case insensitive) prior to merging.
This means <code>%2F</code>, <code>%2f</code>, <code>%5C</code>, and <code>%5c</code> sequences in the request path will be rewritten to <code>/</code> or <code>\</code>.
For example, <code>/a%2f/b</code> normalizes to <code>/a/b</code>.</p><p>Path-based policy matching is only reliable when the proxy and the backend agree on the path, so select the type that matches how the backend interprets request paths.</p></td></tr></tbody></table></section><h3 id=MeshConfig-TLSConfig>TLSConfig</h3><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-TLSConfig-min_protocol_version><td><div class=field><div class=name><code><a href=#MeshConfig-TLSConfig-min_protocol_version>minProtocolVersion</a></code></div><div class=type><a href=#MeshConfig-TLSConfig-TLSProtocol>TLSProtocol</a></div></div></td><td><p>the minimum TLS protocol version. The default minimum
|
||
TLS version will be TLS 1.2. As servers may not be Envoy and be
|
||
set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
|
||
minimum TLS version for clients may also be TLS 1.2.
|
||
In the current Istio implementation, the maximum TLS protocol version
|
||
is TLS 1.3.</p></td></tr><tr id=MeshConfig-TLSConfig-ecdh_curves><td><div class=field><div class=name><code><a href=#MeshConfig-TLSConfig-ecdh_curves>ecdhCurves</a></code></div><div class=type>string[]</div></div></td><td><p>Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
|
||
If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
|
||
<a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto>Ecdh Curves</a>.</p></td></tr><tr id=MeshConfig-TLSConfig-cipher_suites><td><div class=field><div class=name><code><a href=#MeshConfig-TLSConfig-cipher_suites>cipherSuites</a></code></div><div class=type>string[]</div></div></td><td><p>Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
|
||
If not specified, the following cipher suites will be used (the last two, <code>AES256-GCM-SHA384</code> and <code>AES128-GCM-SHA256</code>, use RSA key exchange and therefore provide no forward secrecy):</p><pre><code>ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256
</code></pre></td></tr></tbody></table></section><h4 id=MeshConfig-TLSConfig-TLSProtocol>TLSProtocol</h4><section><p>TLS protocol versions.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-TLSConfig-TLSProtocol-TLS_AUTO><td><code><a href=#MeshConfig-TLSConfig-TLSProtocol-TLS_AUTO>TLS_AUTO</a></code></td><td><p>Automatically choose the optimal TLS version.</p></td></tr><tr id=MeshConfig-TLSConfig-TLSProtocol-TLSV1_2><td><code><a href=#MeshConfig-TLSConfig-TLSProtocol-TLSV1_2>TLSV1_2</a></code></td><td><p>TLS version 1.2</p></td></tr><tr id=MeshConfig-TLSConfig-TLSProtocol-TLSV1_3><td><code><a href=#MeshConfig-TLSConfig-TLSProtocol-TLSV1_3>TLSV1_3</a></code></td><td><p>TLS version 1.3</p></td></tr></tbody></table></section><h4 id=MeshConfig-ServiceSettings-Settings>Settings</h4><section><p>Settings for the selected services.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ServiceSettings-Settings-cluster_local><td><div class=field><div class=name><code><a href=#MeshConfig-ServiceSettings-Settings-cluster_local>clusterLocal</a></code></div><div class=type>bool</div></div></td><td><p>If true, specifies that the client and service endpoints must reside in the same cluster.
|
||
By default, in multi-cluster deployments, the Istio control plane assumes all service
|
||
endpoints to be reachable from any client in any of the clusters which are part of the
|
||
mesh. This configuration option limits the set of service endpoints visible to a client
|
||
to be cluster scoped.</p><p>There are some common scenarios when this can be useful:</p><ul><li>A service (or group of services) is inherently local to the cluster and has local storage
|
||
for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).</li><li>A mesh administrator wants to slowly migrate services to Istio. They might start by first
|
||
having services cluster-local and then slowly transition them to mesh-wide. They could do
|
||
this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
|
||
(e.g. *.myns.svc.cluster.local).</li></ul><p>By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
|
||
services in the kube-system namespace to be cluster-local, unless explicitly overridden here.</p></td></tr></tbody></table></section><h3 id=MeshConfig-IngressControllerMode>IngressControllerMode</h3><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-IngressControllerMode-UNSPECIFIED><td><code><a href=#MeshConfig-IngressControllerMode-UNSPECIFIED>UNSPECIFIED</a></code></td><td><p>Unspecified Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-OFF><td><code><a href=#MeshConfig-IngressControllerMode-OFF>OFF</a></code></td><td><p>Disables Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-DEFAULT><td><code><a href=#MeshConfig-IngressControllerMode-DEFAULT>DEFAULT</a></code></td><td><p>Istio ingress controller will act on ingress resources that do not
|
||
contain any annotation or whose annotations match the value
|
||
specified in the ingressClass parameter described earlier. Use this
|
||
mode if Istio ingress controller will be the default ingress
|
||
controller for the entire Kubernetes cluster.</p></td></tr><tr id=MeshConfig-IngressControllerMode-STRICT><td><code><a href=#MeshConfig-IngressControllerMode-STRICT>STRICT</a></code></td><td><p>Istio ingress controller will only act on ingress resources whose
|
||
annotations match the value specified in the ingressClass parameter
|
||
described earlier. Use this mode if Istio ingress controller will be
|
||
a secondary ingress controller (e.g., in addition to a
|
||
cloud-provided ingress controller).</p></td></tr></tbody></table></section><h3 id=MeshConfig-AccessLogEncoding>AccessLogEncoding</h3><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-AccessLogEncoding-TEXT><td><code><a href=#MeshConfig-AccessLogEncoding-TEXT>TEXT</a></code></td><td><p>text encoding for the proxy access log</p></td></tr><tr id=MeshConfig-AccessLogEncoding-JSON><td><code><a href=#MeshConfig-AccessLogEncoding-JSON>JSON</a></code></td><td><p>json encoding for the proxy access log</p></td></tr></tbody></table></section><h3 id=MeshConfig-H2UpgradePolicy>H2UpgradePolicy</h3><section><p>Default Policy for upgrading http1.1 connections to http2.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-H2UpgradePolicy-DO_NOT_UPGRADE><td><code><a href=#MeshConfig-H2UpgradePolicy-DO_NOT_UPGRADE>DO_NOT_UPGRADE</a></code></td><td><p>Do not upgrade connections to http2.</p></td></tr><tr id=MeshConfig-H2UpgradePolicy-UPGRADE><td><code><a href=#MeshConfig-H2UpgradePolicy-UPGRADE>UPGRADE</a></code></td><td><p>Upgrade the connections to http2.</p></td></tr></tbody></table></section><h2 id=LabelSelector>LabelSelector</h2><section><p>A label selector requirement is a selector that contains values, a key, and an operator that
|
||
relates the key and values.
|
||
Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=LabelSelector-matchLabels><td><div class=field><div class=name><code><a href=#LabelSelector-matchLabels>matchLabels</a></code></div><div class=type>map<string, string></div></div></td><td><p>matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||
map is equivalent to an element of matchExpressions, whose key field is “key”, the
|
||
operator is “In”, and the values array contains only “value”. The requirements are ANDed.</p></td></tr><tr id=LabelSelector-matchExpressions><td><div class=field><div class=name><code><a href=#LabelSelector-matchExpressions>matchExpressions</a></code></div><div class=type><a href=#LabelSelectorRequirement>LabelSelectorRequirement[]</a></div></div></td><td><p>matchExpressions is a list of label selector requirements. The requirements are ANDed.</p></td></tr></tbody></table></section><h2 id=LabelSelectorRequirement>LabelSelectorRequirement</h2><section><p>A label selector requirement is a selector that contains values, a key, and an operator that
|
||
relates the key and values.
|
||
Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=LabelSelectorRequirement-key><td><div class=field><div class=name><code><a href=#LabelSelectorRequirement-key>key</a></code></div><div class=type>string</div></div></td><td><p>key is the label key that the selector applies to.</p></td></tr><tr id=LabelSelectorRequirement-operator><td><div class=field><div class=name><code><a href=#LabelSelectorRequirement-operator>operator</a></code></div><div class=type>string</div></div></td><td><p>operator represents a key’s relationship to a set of values.
|
||
Valid operators are In, NotIn, Exists and DoesNotExist.</p></td></tr><tr id=LabelSelectorRequirement-values><td><div class=field><div class=name><code><a href=#LabelSelectorRequirement-values>values</a></code></div><div class=type>string[]</div></div></td><td><p>values is an array of string values. If the operator is In or NotIn,
|
||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||
the values array must be empty. This array is replaced during a strategic
|
||
merge patch.</p></td></tr></tbody></table></section><h2 id=ConfigSource>ConfigSource</h2><section><p>ConfigSource describes information about a configuration store inside a
|
||
mesh. A single control plane instance can interact with one or more data
|
||
sources.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ConfigSource-address><td><div class=field><div class=name><code><a href=#ConfigSource-address>address</a></code></div><div class=type>string</div></div></td><td><p>Address of the server implementing the Istio Mesh Configuration
|
||
protocol (MCP). Can be IP address or a fully qualified DNS name.
|
||
Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
|
||
fs:/// to specify a file-based backend with absolute path to the directory.</p></td></tr><tr id=ConfigSource-tls_settings><td><div class=field><div class=name><code><a href=#ConfigSource-tls_settings>tlsSettings</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></div></div></td><td><p>Use the tlsSettings to specify the tls mode to use. If the MCP server
|
||
uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
|
||
mode as <code>ISTIO_MUTUAL</code>.</p></td></tr><tr id=ConfigSource-subscribed_resources><td><div class=field><div class=name><code><a href=#ConfigSource-subscribed_resources>subscribedResources</a></code></div><div class=type><a href=#Resource>Resource[]</a></div></div></td><td><p>Describes the source of configuration, if nothing is specified default is MCP</p></td></tr></tbody></table></section><h2 id=Tracing>Tracing</h2><section><p>Tracing defines configuration for the tracing performed by Envoy instances.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Tracing-zipkin class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#Tracing-zipkin>zipkin</a></code></div><div class=type><a href=#Tracing-Zipkin>Zipkin (oneof)</a></div></div></td><td><p>Use a Zipkin tracer.</p></td></tr><tr id=Tracing-lightstep class=oneof><td><div class=field><div class=name><code><a href=#Tracing-lightstep>lightstep</a></code></div><div class=type><a href=#Tracing-Lightstep>Lightstep (oneof)</a></div></div></td><td><p>Use a Lightstep tracer.
|
||
NOTE: For Istio 1.15+, this configuration option will result
|
||
in using OpenTelemetry-based Lightstep integration.</p></td></tr><tr id=Tracing-datadog class=oneof><td><div class=field><div class=name><code><a href=#Tracing-datadog>datadog</a></code></div><div class=type><a href=#Tracing-Datadog>Datadog (oneof)</a></div></div></td><td><p>Use a Datadog tracer.</p></td></tr><tr id=Tracing-stackdriver class=oneof><td><div class=field><div class=name><code><a href=#Tracing-stackdriver>stackdriver</a></code></div><div class=type><a href=#Tracing-Stackdriver>Stackdriver (oneof)</a></div></div></td><td><p>Use a Stackdriver tracer.</p></td></tr><tr id=Tracing-open_census_agent class=oneof><td><div class=field><div class=name><code><a href=#Tracing-open_census_agent>openCensusAgent</a></code></div><div class=type><a href=#Tracing-OpenCensusAgent>OpenCensusAgent (oneof)</a></div></div></td><td><p>Use an OpenCensus tracer exporting to an OpenCensus agent.</p></td></tr><tr id=Tracing-sampling><td><div class=field><div class=name><code><a href=#Tracing-sampling>sampling</a></code></div><div class=type>double</div></div></td><td><p>The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
|
||
if not requested by the client or not forced. Default is 1.0.</p></td></tr><tr id=Tracing-tls_settings><td><div class=field><div class=name><code><a href=#Tracing-tls_settings>tlsSettings</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></div></div></td><td><p>Use the tlsSettings to specify the tls mode to use. If the remote tracing service
|
||
uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
|
||
mode as <code>ISTIO_MUTUAL</code>.</p></td></tr></tbody></table></section><h3 id=Tracing-Zipkin>Zipkin</h3><section><p>Zipkin defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Tracing-Zipkin-address><td><div class=field><div class=name><code><a href=#Tracing-Zipkin-address>address</a></code></div><div class=type>string</div></div></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).</p></td></tr></tbody></table></section><h3 id=Tracing-Datadog>Datadog</h3><section><p>Datadog defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Tracing-Datadog-address><td><div class=field><div class=name><code><a href=#Tracing-Datadog-address>address</a></code></div><div class=type>string</div></div></td><td><p>Address of the Datadog Agent.</p></td></tr></tbody></table></section><h3 id=Tracing-Stackdriver>Stackdriver</h3><section><p>Stackdriver defines configuration for a Stackdriver tracer.
|
||
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto>Envoy’s OpenCensus trace configuration</a>
|
||
and
|
||
<a href=https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto>OpenCensus trace config</a> for details.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody></tbody></table></section><h3 id=Tracing-OpenCensusAgent>OpenCensusAgent</h3><section><p>OpenCensusAgent defines configuration for an OpenCensus tracer writing to
|
||
an OpenCensus agent backend. See
|
||
<a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto>Envoy’s OpenCensus trace configuration</a>
|
||
and
|
||
<a href=https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto>OpenCensus trace config</a>
|
||
for details.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Tracing-OpenCensusAgent-address><td><div class=field><div class=name><code><a href=#Tracing-OpenCensusAgent-address>address</a></code></div><div class=type>string</div></div></td><td><p>gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
|
||
unix:path). See <a href=https://github.com/grpc/grpc/blob/master/doc/naming.md>gRPC naming
|
||
docs</a> for
|
||
details.</p></td></tr><tr id=Tracing-OpenCensusAgent-context><td><div class=field><div class=name><code><a href=#Tracing-OpenCensusAgent-context>context</a></code></div><div class=type><a href=#Tracing-OpenCensusAgent-TraceContext>TraceContext[]</a></div></div></td><td><p>Specifies the set of context propagation headers used for distributed
|
||
tracing. Default is <code>["W3C_TRACE_CONTEXT"]</code>. If multiple values are specified,
|
||
the proxy will attempt to read each header for each request and will
|
||
write all headers.</p></td></tr></tbody></table></section><h4 id=Tracing-OpenCensusAgent-TraceContext>TraceContext</h4><section><p>TraceContext selects the context propagation headers used for
|
||
distributed tracing.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Tracing-OpenCensusAgent-TraceContext-W3C_TRACE_CONTEXT><td><code><a href=#Tracing-OpenCensusAgent-TraceContext-W3C_TRACE_CONTEXT>W3C_TRACE_CONTEXT</a></code></td><td><p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
|
||
See the
|
||
<a href=https://www.w3.org/TR/trace-context/>Trace Context documentation</a> for details.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-GRPC_BIN><td><code><a href=#Tracing-OpenCensusAgent-TraceContext-GRPC_BIN>GRPC_BIN</a></code></td><td><p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-CLOUD_TRACE_CONTEXT><td><code><a href=#Tracing-OpenCensusAgent-TraceContext-CLOUD_TRACE_CONTEXT>CLOUD_TRACE_CONTEXT</a></code></td><td><p>Use Cloud Trace context propagation using the
|
||
<code>X-Cloud-Trace-Context</code> http header.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-B3><td><code><a href=#Tracing-OpenCensusAgent-TraceContext-B3>B3</a></code></td><td><p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
|
||
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
|
||
<a href=https://github.com/openzipkin/b3-propagation>B3 header propagation README</a>
|
||
for details.</p></td></tr></tbody></table></section><h2 id=Topology>Topology</h2><section><p>Topology describes the configuration for relative location of a proxy with
|
||
respect to intermediate trusted proxies and the client. These settings
|
||
control how the client attributes are retrieved from the incoming traffic by
|
||
the gateway proxy and propagated to the upstream services in the cluster.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Topology-num_trusted_proxies><td><div class=field><div class=name><code><a href=#Topology-num_trusted_proxies>numTrustedProxies</a></code></div><div class=type>uint32</div></div></td><td><p>Number of trusted proxies deployed in front of the Istio gateway proxy.
|
||
When this option is set to value N greater than zero, the trusted client
|
||
address is assumed to be the Nth address from the right end of the
|
||
X-Forwarded-For (XFF) header from the incoming request. If the
|
||
X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the
|
||
gateway proxy falls back to using the immediate downstream connection’s
|
||
source address as the trusted client address.
|
||
Note that the gateway proxy will append the downstream connection’s source
|
||
address to the X-Forwarded-For (XFF) address and set the
|
||
X-Envoy-External-Address header to the trusted client address before
|
||
forwarding it to the upstream services in the cluster.
|
||
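The default value of numTrustedProxies is 0. Set N to the exact number of trusted proxies in front of the gateway: if N is larger, the address selected from the X-Forwarded-For (XFF) header may be one supplied by the client rather than by a trusted proxy.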
|
||
See <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for>Envoy XFF</a>
|
||
header handling for more details.</p></td></tr><tr id=Topology-forward_client_cert_details><td><div class=field><div class=name><code><a href=#Topology-forward_client_cert_details>forwardClientCertDetails</a></code></div><div class=type><a href=#ForwardClientCertDetails>ForwardClientCertDetails</a></div></div></td><td><p>Configures how the gateway proxy handles x-forwarded-client-cert (XFCC)
|
||
header in the incoming request.</p></td></tr><tr id=Topology-proxy_protocol><td><div class=field><div class=name><code><a href=#Topology-proxy_protocol>proxyProtocol</a></code></div><div class=type><a href=#Topology-ProxyProtocolConfiguration>ProxyProtocolConfiguration</a></div></div></td><td><p>Enables <a href=http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt>PROXY protocol</a> for
|
||
downstream connections on a gateway.</p></td></tr></tbody></table></section><h3 id=Topology-ProxyProtocolConfiguration>ProxyProtocolConfiguration</h3><section><p>PROXY protocol configuration.</p></section><h2 id=PrivateKeyProvider>PrivateKeyProvider</h2><section><p>PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
|
||
mesh-wide or individual per-workload basis.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=PrivateKeyProvider-cryptomb class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#PrivateKeyProvider-cryptomb>cryptomb</a></code></div><div class=type><a href=#PrivateKeyProvider-CryptoMb>CryptoMb (oneof)</a></div></div></td><td><p>Use CryptoMb private key provider</p></td></tr><tr id=PrivateKeyProvider-qat class=oneof><td><div class=field><div class=name><code><a href=#PrivateKeyProvider-qat>qat</a></code></div><div class=type><a href=#PrivateKeyProvider-QAT>QAT (oneof)</a></div></div></td><td><p>Use QAT private key provider</p></td></tr></tbody></table></section><h3 id=PrivateKeyProvider-CryptoMb>CryptoMb</h3><section><p>CryptoMb PrivateKeyProvider configuration</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=PrivateKeyProvider-CryptoMb-poll_delay><td><div class=field><div class=name><code><a href=#PrivateKeyProvider-CryptoMb-poll_delay>pollDelay</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>How long to wait until the per-thread processing queue should be processed. If the processing queue
|
||
gets full (eight sign or decrypt requests are received) it is processed immediately.
|
||
However, if the queue is not filled before the delay has expired, the requests already in the queue
|
||
are processed, even if the queue is not full.
|
||
In effect, this value controls the balance between latency and throughput.
|
||
The duration needs to be set to a value greater than or equal to 1 millisecond.</p></td></tr><tr id=PrivateKeyProvider-CryptoMb-fallback><td><div class=field><div class=name><code><a href=#PrivateKeyProvider-CryptoMb-fallback>fallback</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>If the private key provider isn’t available (e.g. the required hardware capability doesn’t exist),
Envoy will fall back to the BoringSSL default implementation when fallback is true.
|
||
The default value is false.</p></td></tr></tbody></table></section><h3 id=PrivateKeyProvider-QAT>QAT</h3><section><p>QAT (QuickAssist Technology) PrivateKeyProvider configuration</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=PrivateKeyProvider-QAT-poll_delay><td><div class=field><div class=name><code><a href=#PrivateKeyProvider-QAT-poll_delay>pollDelay</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>How long to wait before polling the hardware accelerator after a request has been submitted there.
|
||
Having a small value leads to quicker answers from the hardware but causes more polling loop spins,
|
||
leading to potentially larger CPU usage.
|
||
The duration needs to be set to a value greater than or equal to 1 millisecond.</p></td></tr><tr id=PrivateKeyProvider-QAT-fallback><td><div class=field><div class=name><code><a href=#PrivateKeyProvider-QAT-fallback>fallback</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>If the private key provider isn’t available (e.g. the required hardware capability doesn’t exist),
|
||
Envoy will fall back to the BoringSSL default implementation when <code>fallback</code> is true.
|
||
The default value is false.</p></td></tr></tbody></table></section><h2 id=ProxyConfig>ProxyConfig</h2><section><p>ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
|
||
as well as by the mesh-wide defaults.
|
||
To set the mesh-wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p><pre><code>meshConfig:
  defaultConfig:
    discoveryAddress: istiod:15012
</code></pre><p>This can also be configured on a per-workload basis by configuring the <code>proxy.istio.io/config</code> annotation on the pod. For example:</p><pre><code>annotations:
  proxy.istio.io/config: |
    discoveryAddress: istiod:15012
</code></pre><p>If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
|
||
This is different than a deep merge provided by protobuf.
|
||
For example, <code>"tracing": { "sampling": 5 }</code> would completely override a setting configuring a tracing provider
|
||
such as <code>"tracing": { "zipkin": { "address": "..." } }</code>.</p><p>Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-config_path><td><div class=field><div class=name><code><a href=#ProxyConfig-config_path>configPath</a></code></div><div class=type>string</div></div></td><td><p>Path to the generated configuration file directory.
|
||
Proxy agent generates the actual configuration and stores it in this directory.</p></td></tr><tr id=ProxyConfig-binary_path><td><div class=field><div class=name><code><a href=#ProxyConfig-binary_path>binaryPath</a></code></div><div class=type>string</div></div></td><td><p>Path to the proxy binary</p></td></tr><tr id=ProxyConfig-service_cluster class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#ProxyConfig-service_cluster>serviceCluster</a></code></div><div class=type>string (oneof)</div></div></td><td><p>Service cluster defines the name for the <code>service_cluster</code> that is
|
||
shared by all Envoy instances. This setting corresponds to
|
||
<code>--service-cluster</code> flag in Envoy. In a typical Envoy deployment, the
|
||
<code>service-cluster</code> flag is used to identify the caller, for
|
||
source-based routing scenarios.</p><p>Since Istio does not assign a local <code>service/service</code> version to each
|
||
Envoy instance, the name is the same for all of them. However, the
|
||
source/caller’s identity (e.g., IP address) is encoded in the
|
||
<code>--service-node</code> flag when launching Envoy. When the RDS service
|
||
receives API calls from Envoy, it uses the value of the <code>service-node</code>
|
||
flag to compute routes that are relative to the service instances
|
||
located at that IP address.</p></td></tr><tr id=ProxyConfig-tracing_service_name class=oneof><td><div class=field><div class=name><code><a href=#ProxyConfig-tracing_service_name>tracingServiceName</a></code></div><div class=type><a href=#ProxyConfig-TracingServiceName>TracingServiceName (oneof)</a></div></div></td><td><p>Used by Envoy proxies to assign the values for the service names in trace
|
||
spans.</p></td></tr><tr id=ProxyConfig-drain_duration><td><div class=field><div class=name><code><a href=#ProxyConfig-drain_duration>drainDuration</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>The time in seconds that Envoy will drain connections during a hot
|
||
restart. MUST be >=1s (e.g., <em>1s/1m/1h</em>)
|
||
Default drain duration is <code>45s</code>.</p></td></tr><tr id=ProxyConfig-discovery_address><td><div class=field><div class=name><code><a href=#ProxyConfig-discovery_address>discoveryAddress</a></code></div><div class=type>string</div></div></td><td><p>Address of the discovery service exposing xDS with mTLS connection.
|
||
The inject configuration may override this value.</p></td></tr><tr id=ProxyConfig-statsd_udp_address><td><div class=field><div class=name><code><a href=#ProxyConfig-statsd_udp_address>statsdUdpAddress</a></code></div><div class=type>string</div></div></td><td><p>IP Address and Port of a statsd UDP listener (e.g. <code>10.75.241.127:9125</code>).</p></td></tr><tr id=ProxyConfig-proxy_admin_port><td><div class=field><div class=name><code><a href=#ProxyConfig-proxy_admin_port>proxyAdminPort</a></code></div><div class=type>int32</div></div></td><td><p>Port on which Envoy should listen for administrative commands.
|
||
Default port is <code>15000</code>.</p></td></tr><tr id=ProxyConfig-control_plane_auth_policy><td><div class=field><div class=name><code><a href=#ProxyConfig-control_plane_auth_policy>controlPlaneAuthPolicy</a></code></div><div class=type><a href=#AuthenticationPolicy>AuthenticationPolicy</a></div></div></td><td><p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
|
||
Default is set to <code>MUTUAL_TLS</code>.</p></td></tr><tr id=ProxyConfig-custom_config_file><td><div class=field><div class=name><code><a href=#ProxyConfig-custom_config_file>customConfigFile</a></code></div><div class=type>string</div></div></td><td><p>File path of custom proxy configuration, currently used by proxies
|
||
in front of istiod.</p></td></tr><tr id=ProxyConfig-stat_name_length><td><div class=field><div class=name><code><a href=#ProxyConfig-stat_name_length>statNameLength</a></code></div><div class=type>int32</div></div></td><td><p>Maximum length of name field in Envoy’s metrics. The length of the name field
|
||
is determined by the length of a name field in a service and the set of labels that
|
||
comprise a particular version of the service. The default value is set to 189 characters.
|
||
Envoy’s internal metrics take up 67 characters, for a total name length of 256 characters per metric.
|
||
Increase the value of this field if you find that the metrics from Envoys are truncated.</p></td></tr><tr id=ProxyConfig-concurrency><td><div class=field><div class=name><code><a href=#ProxyConfig-concurrency>concurrency</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value>Int32Value</a></div></div></td><td><p>The number of worker threads to run.
|
||
If unset, which is recommended, this will be automatically determined based on CPU requests/limits.
|
||
If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance
|
||
issues if CPU limits are also set.</p></td></tr><tr id=ProxyConfig-proxy_bootstrap_template_path><td><div class=field><div class=name><code><a href=#ProxyConfig-proxy_bootstrap_template_path>proxyBootstrapTemplatePath</a></code></div><div class=type>string</div></div></td><td><p>Path to the proxy bootstrap template file</p></td></tr><tr id=ProxyConfig-interception_mode><td><div class=field><div class=name><code><a href=#ProxyConfig-interception_mode>interceptionMode</a></code></div><div class=type><a href=#ProxyConfig-InboundInterceptionMode>InboundInterceptionMode</a></div></div></td><td><p>The mode used to redirect inbound traffic to Envoy.</p></td></tr><tr id=ProxyConfig-tracing><td><div class=field><div class=name><code><a href=#ProxyConfig-tracing>tracing</a></code></div><div class=type><a href=#Tracing>Tracing</a></div></div></td><td><p>Tracing configuration to be used by the proxy.</p></td></tr><tr id=ProxyConfig-envoy_access_log_service><td><div class=field><div class=name><code><a href=#ProxyConfig-envoy_access_log_service>envoyAccessLogService</a></code></div><div class=type><a href=#RemoteService>RemoteService</a></div></div></td><td><p>Address of the service to which access logs from Envoys should be
|
||
sent. (e.g. <code>accesslog-service:15000</code>). See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto>Access Log
|
||
Service</a>
|
||
for details about Envoy’s gRPC Access Log Service API.</p></td></tr><tr id=ProxyConfig-envoy_metrics_service><td><div class=field><div class=name><code><a href=#ProxyConfig-envoy_metrics_service>envoyMetricsService</a></code></div><div class=type><a href=#RemoteService>RemoteService</a></div></div></td><td><p>Address of the Envoy Metrics Service implementation (e.g. <code>metrics-service:15000</code>).
|
||
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto>Metric Service</a>
|
||
for details about Envoy’s Metrics Service API.</p></td></tr><tr id=ProxyConfig-proxy_metadata><td><div class=field><div class=name><code><a href=#ProxyConfig-proxy_metadata>proxyMetadata</a></code></div><div class=type>map<string, string></div></div></td><td><p>Additional environment variables for the proxy.
|
||
Names starting with <code>ISTIO_META_</code> will be included in the generated bootstrap and sent to the XDS server.</p></td></tr><tr id=ProxyConfig-runtime_values><td><div class=field><div class=name><code><a href=#ProxyConfig-runtime_values>runtimeValues</a></code></div><div class=type>map<string, string></div></div></td><td><p>Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime>runtime configuration</a> to set during bootstrapping.
|
||
This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.</p></td></tr><tr id=ProxyConfig-status_port><td><div class=field><div class=name><code><a href=#ProxyConfig-status_port>statusPort</a></code></div><div class=type>int32</div></div></td><td><p>Port on which the agent should listen for administrative commands such as readiness probe.
|
||
Default is set to port <code>15020</code>.</p></td></tr><tr id=ProxyConfig-extra_stat_tags><td><div class=field><div class=name><code><a href=#ProxyConfig-extra_stat_tags>extraStatTags</a></code></div><div class=type>string[]</div></div></td><td><p>An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
|
||
added by configuring the telemetry extension. Each additional tag needs to be present in this list.
|
||
Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
|
||
and exposed as Prometheus metrics.
|
||
Deprecated: <code>istio.stats</code> is a native filter now, this field is no longer needed.</p></td></tr><tr id=ProxyConfig-gateway_topology><td><div class=field><div class=name><code><a href=#ProxyConfig-gateway_topology>gatewayTopology</a></code></div><div class=type><a href=#Topology>Topology</a></div></div></td><td><p>Topology encapsulates the configuration which describes where the proxy is
|
||
located i.e. behind a (or N) trusted proxy (proxies) or directly exposed
|
||
to the internet. This configuration only affects gateways and is applied
|
||
to all the gateways in the cluster unless overridden via annotations of the
|
||
gateway workloads.</p></td></tr><tr id=ProxyConfig-termination_drain_duration><td><div class=field><div class=name><code><a href=#ProxyConfig-termination_drain_duration>terminationDrainDuration</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></div></div></td><td><p>The amount of time allowed for connections to complete on proxy shutdown.
|
||
On receiving <code>SIGTERM</code> or <code>SIGINT</code>, <code>istio-agent</code> tells the active Envoy to start gracefully draining,
|
||
discouraging any new connections and allowing existing connections to complete. It then
|
||
sleeps for the <code>terminationDrainDuration</code> and then kills any remaining active Envoy processes.
|
||
If not set, a default of <code>5s</code> will be applied.</p></td></tr><tr id=ProxyConfig-mesh_id><td><div class=field><div class=name><code><a href=#ProxyConfig-mesh_id>meshId</a></code></div><div class=type>string</div></div></td><td><p>The unique identifier for the <a href=/v1.24/docs/reference/glossary/#service-mesh>service mesh</a>
|
||
All control planes running in the same service mesh should specify the same mesh ID.
|
||
Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.</p></td></tr><tr id=ProxyConfig-readiness_probe><td><div class=field><div class=name><code><a href=#ProxyConfig-readiness_probe>readinessProbe</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/workload-group/#ReadinessProbe>ReadinessProbe</a></div></div></td><td><p>VM Health Checking readiness probe. This health check config exactly mirrors the
|
||
kubernetes readiness probe configuration both in schema and logic.
|
||
Only one health check method of 3 can be set at a time.</p></td></tr><tr id=ProxyConfig-proxy_stats_matcher><td><div class=field><div class=name><code><a href=#ProxyConfig-proxy_stats_matcher>proxyStatsMatcher</a></code></div><div class=type><a href=#ProxyConfig-ProxyStatsMatcher>ProxyStatsMatcher</a></div></div></td><td><p>Proxy stats matcher defines configuration for reporting custom Envoy stats.
|
||
To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
|
||
default create and expose only a subset of Envoy stats. This option is to
|
||
control creation of additional Envoy stats with prefix, suffix, and regex
|
||
expressions match on the name of the stats. This replaces the stats
|
||
inclusion annotations
|
||
(<code>sidecar.istio.io/statsInclusionPrefixes</code>,
|
||
<code>sidecar.istio.io/statsInclusionRegexps</code>, and
|
||
<code>sidecar.istio.io/statsInclusionSuffixes</code>). For example, to enable stats
|
||
for circuit breakers, request retries, upstream connections, and request timeouts,
|
||
you can specify stats matcher as follows:</p><pre><code class=language-yaml>proxyStatsMatcher:
  inclusionRegexps:
    - .*outlier_detection.*
    - .*upstream_rq_retry.*
    - .*upstream_cx_.*
  inclusionSuffixes:
    - upstream_rq_timeout
</code></pre><p>Note: including more Envoy stats might increase the number of time series
|
||
collected by Prometheus significantly. Care needs to be taken on Prometheus
|
||
resource provision and configuration to reduce cardinality.</p></td></tr><tr id=ProxyConfig-hold_application_until_proxy_starts><td><div class=field><div class=name><code><a href=#ProxyConfig-hold_application_until_proxy_starts>holdApplicationUntilProxyStarts</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
|
||
This feature adds hooks to delay application startup until the pod proxy
|
||
is ready to accept traffic, mitigating some startup race conditions.
|
||
Default value is ‘false’.</p></td></tr><tr id=ProxyConfig-ca_certificates_pem><td><div class=field><div class=name><code><a href=#ProxyConfig-ca_certificates_pem>caCertificatesPem</a></code></div><div class=type>string[]</div></div></td><td><p>The PEM data of the extra root certificates for workload-to-workload communication.
|
||
This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
|
||
The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret)
|
||
are added automatically by Istiod.</p></td></tr><tr id=ProxyConfig-image><td><div class=field><div class=name><code><a href=#ProxyConfig-image>image</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/proxy-config/#ProxyImage>ProxyImage</a></div></div></td><td><p>Specifies the details of the proxy image.</p></td></tr><tr id=ProxyConfig-private_key_provider><td><div class=field><div class=name><code><a href=#ProxyConfig-private_key_provider>privateKeyProvider</a></code></div><div class=type><a href=#PrivateKeyProvider>PrivateKeyProvider</a></div></div></td><td><p>Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.</p></td></tr><tr id=ProxyConfig-proxy_headers><td><div class=field><div class=name><code><a href=#ProxyConfig-proxy_headers>proxyHeaders</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders>ProxyHeaders</a></div></div></td><td><p>Define the set of headers to add/modify for HTTP request/responses.</p><p>To enable an optional header, simply set the field. If no specific configuration is required, an empty object (<code>{}</code>) will enable it.
|
||
Note: currently all headers are enabled by default.</p><p>Below is an example of customizing the <code>server</code> header and disabling the <code>X-Envoy-Attempt-Count</code> header:</p><pre><code class=language-yaml>proxyHeaders:
  server:
    value: "my-custom-server"
  # Explicitly enable Request IDs.
  # As this is the default, this has no effect.
  requestId: {}
  attemptCount:
    disabled: true
</code></pre><p>Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:</p><pre><code class=language-yaml>proxyHeaders:
  forwardedClientCert: SANITIZE
  server:
    disabled: true
  requestId:
    disabled: true
  attemptCount:
    disabled: true
  envoyDebugHeaders:
    disabled: true
  metadataExchangeHeaders:
    mode: IN_MESH
</code></pre></td></tr><tr id=ProxyConfig-zipkin_address class=deprecated><td><div class=field><div class=name><code><a href=#ProxyConfig-zipkin_address>zipkinAddress</a></code></div><div class=type>string</div></div></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).
|
||
DEPRECATED: Use <a href=#ProxyConfig-tracing>tracing</a> instead.</p></td></tr></tbody></table></section><h3 id=ProxyConfig-ProxyStatsMatcher>ProxyStatsMatcher</h3><section><p>Proxy stats name matchers for stats creation. Note this is in addition to
|
||
the minimum Envoy stats that Istio generates by default.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_prefixes><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyStatsMatcher-inclusion_prefixes>inclusionPrefixes</a></code></div><div class=type>string[]</div></div></td><td><p>Proxy stats name prefix matcher for inclusion.</p></td></tr><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_suffixes><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyStatsMatcher-inclusion_suffixes>inclusionSuffixes</a></code></div><div class=type>string[]</div></div></td><td><p>Proxy stats name suffix matcher for inclusion.</p></td></tr><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_regexps><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyStatsMatcher-inclusion_regexps>inclusionRegexps</a></code></div><div class=type>string[]</div></div></td><td><p>Proxy stats name regexps matcher for inclusion.</p></td></tr></tbody></table></section><h3 id=ProxyConfig-ProxyHeaders>ProxyHeaders</h3><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-forwarded_client_cert><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-forwarded_client_cert>forwardedClientCert</a></code></div><div class=type><a href=#ForwardClientCertDetails>ForwardClientCertDetails</a></div></div></td><td><p>Controls the <code>X-Forwarded-Client-Cert</code> header for inbound sidecar requests. To set this on gateways, use the <code>Topology</code> setting.
|
||
To disable the header, configure either <code>SANITIZE</code> (to always remove the header, if present) or <code>FORWARD_ONLY</code> (to leave the header as-is).
|
||
By default, <code>APPEND_FORWARD</code> will be used.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-set_current_client_cert_details><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-set_current_client_cert_details>setCurrentClientCertDetails</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails>SetCurrentClientCertDetails</a></div></div></td><td><p>This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET
|
||
and the client connection is mTLS. It specifies the fields in
|
||
the client certificate to be forwarded. Note that <code>Hash</code> is always set, and
|
||
<code>By</code> is always set when the client certificate presents the URI type Subject Alternative Name value.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-request_id><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-request_id>requestId</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders-RequestId>RequestId</a></div></div></td><td><p>Controls the <code>X-Request-Id</code> header. If enabled, a request ID is generated for each request if one is not already set.
|
||
This applies to all types of traffic (inbound, outbound, and gateways).
|
||
If disabled, no request ID will be generated for the request. If it is already present, it will be preserved.
|
||
Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended.
|
||
This header is enabled by default if not configured.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-server><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-server>server</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders-Server>Server</a></div></div></td><td><p>Controls the <code>server</code> header. If enabled, the <code>Server: istio-envoy</code> header is set in response headers for inbound traffic (including gateways).
|
||
If disabled, the <code>Server</code> header is not modified. If it is already present, it will be preserved.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-attempt_count><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-attempt_count>attemptCount</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders-AttemptCount>AttemptCount</a></div></div></td><td><p>Controls the <code>X-Envoy-Attempt-Count</code> header.
|
||
If enabled, this header will be added on outbound request headers (including gateways) that have retries configured.
|
||
If disabled, this header will not be set. If it is already present, it will be preserved.
|
||
This header is enabled by default if not configured.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-envoy_debug_headers><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-envoy_debug_headers>envoyDebugHeaders</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders-EnvoyDebugHeaders>EnvoyDebugHeaders</a></div></div></td><td><p>Controls various <code>X-Envoy-*</code> headers, such as <code>X-Envoy-Overloaded</code> and <code>X-Envoy-Upstream-Service-Time</code>. If enabled,
|
||
these headers will be included.
|
||
If disabled, these headers will not be set. If they are already present, they will be preserved.
|
||
See the <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers>Envoy documentation</a> for more details.
|
||
These headers are enabled by default if not configured.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-metadata_exchange_headers><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-metadata_exchange_headers>metadataExchangeHeaders</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeHeaders>MetadataExchangeHeaders</a></div></div></td><td><p>Controls Istio metadata exchange headers <code>X-Envoy-Peer-Metadata</code> and <code>X-Envoy-Peer-Metadata-Id</code>.
|
||
By default, the behavior is unspecified.
|
||
If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.</p></td></tr></tbody></table></section><h4 id=ProxyConfig-ProxyHeaders-Server>Server</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-Server-disabled><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-Server-disabled>disabled</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td></td></tr><tr id=ProxyConfig-ProxyHeaders-Server-value><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-Server-value>value</a></code></div><div class=type>string</div></div></td><td><p>If set, and the server header is enabled, this value will be set as the server header. By default, <code>istio-envoy</code> will be used.</p></td></tr></tbody></table></section><h4 id=ProxyConfig-ProxyHeaders-RequestId>RequestId</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-RequestId-disabled><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-RequestId-disabled>disabled</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td></td></tr></tbody></table></section><h4 id=ProxyConfig-ProxyHeaders-AttemptCount>AttemptCount</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-AttemptCount-disabled><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-AttemptCount-disabled>disabled</a></code></div><div class=type><a 
href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td></td></tr></tbody></table></section><h4 id=ProxyConfig-ProxyHeaders-EnvoyDebugHeaders>EnvoyDebugHeaders</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-EnvoyDebugHeaders-disabled><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-EnvoyDebugHeaders-disabled>disabled</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td></td></tr></tbody></table></section><h4 id=ProxyConfig-ProxyHeaders-MetadataExchangeHeaders>MetadataExchangeHeaders</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-MetadataExchangeHeaders-mode><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeHeaders-mode>mode</a></code></div><div class=type><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeMode>MetadataExchangeMode</a></div></div></td><td></td></tr></tbody></table></section><h4 id=ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails>SetCurrentClientCertDetails</h4><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-subject><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-subject>subject</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>Whether to forward the subject of the client cert. 
Defaults to true.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-cert><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-cert>cert</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
|
||
XFCC header comma separated from other values with the value Cert=“PEM”.
|
||
Defaults to false.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-chain><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-chain>chain</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
|
||
format. This will appear in the XFCC header comma separated from other values with the value
|
||
Chain=“PEM”.
|
||
Defaults to false.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-dns><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-dns>dns</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>Whether to forward the DNS type Subject Alternative Names of the client cert.
|
||
Defaults to true.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-uri><td><div class=field><div class=name><code><a href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails-uri>uri</a></code></div><div class=type><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></div></div></td><td><p>Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
|
||
true.</p></td></tr></tbody></table></section><h4 id=ProxyConfig-ProxyHeaders-MetadataExchangeMode>MetadataExchangeMode</h4><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-ProxyHeaders-MetadataExchangeMode-UNDEFINED><td><code><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeMode-UNDEFINED>UNDEFINED</a></code></td><td><p>Existing Istio behavior for the metadata exchange headers is unchanged.</p></td></tr><tr id=ProxyConfig-ProxyHeaders-MetadataExchangeMode-IN_MESH><td><code><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeMode-IN_MESH>IN_MESH</a></code></td><td><p>Only append the istio metadata exchange headers for services considered in-mesh.
|
||
Traffic is considered in-mesh if it is secured with Istio mutual TLS. This means that <code>MESH_EXTERNAL</code> services, unmatched passthrough traffic, and requests to workloads without Istio enabled will be considered out of mesh.</p></td></tr></tbody></table></section><h3 id=ProxyConfig-TracingServiceName>TracingServiceName</h3><section><p>Allows specification of various Istio-supported naming schemes for the
|
||
Envoy <code>service_cluster</code> value. The <code>service_cluster</code> value is primarily used
|
||
by Envoys to provide service names for tracing spans.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-TracingServiceName-APP_LABEL_AND_NAMESPACE><td><code><a href=#ProxyConfig-TracingServiceName-APP_LABEL_AND_NAMESPACE>APP_LABEL_AND_NAMESPACE</a></code></td><td><p>Default scheme. Uses the <code>app</code> label and workload namespace to construct
|
||
a cluster name. If the <code>app</code> label does not exist <code>istio-proxy</code> is used.</p></td></tr><tr id=ProxyConfig-TracingServiceName-CANONICAL_NAME_ONLY><td><code><a href=#ProxyConfig-TracingServiceName-CANONICAL_NAME_ONLY>CANONICAL_NAME_ONLY</a></code></td><td><p>Uses the canonical name for a workload (<em>excluding namespace</em>).</p></td></tr><tr id=ProxyConfig-TracingServiceName-CANONICAL_NAME_AND_NAMESPACE><td><code><a href=#ProxyConfig-TracingServiceName-CANONICAL_NAME_AND_NAMESPACE>CANONICAL_NAME_AND_NAMESPACE</a></code></td><td><p>Uses the canonical name and namespace for a workload.</p></td></tr></tbody></table></section><h3 id=ProxyConfig-InboundInterceptionMode>InboundInterceptionMode</h3><section><p>The mode used to redirect inbound traffic to Envoy.
|
||
This setting has no effect on outbound traffic: iptables <code>REDIRECT</code> is always used for
|
||
outbound connections.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-InboundInterceptionMode-REDIRECT><td><code><a href=#ProxyConfig-InboundInterceptionMode-REDIRECT>REDIRECT</a></code></td><td><p>The <code>REDIRECT</code> mode uses iptables <code>REDIRECT</code> to <code>NAT</code> and redirect to Envoy. This mode loses
|
||
source IP addresses during redirection. This is the default redirection mode.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-TPROXY><td><code><a href=#ProxyConfig-InboundInterceptionMode-TPROXY>TPROXY</a></code></td><td><p>The <code>TPROXY</code> mode uses iptables <code>TPROXY</code> to redirect to Envoy. This mode preserves both the
|
||
source and destination IP addresses and ports, so that they can be used for advanced
|
||
filtering and manipulation. This mode also configures the sidecar to run with the
|
||
<code>CAP_NET_ADMIN</code> capability, which is required to use <code>TPROXY</code>.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-NONE><td><code><a href=#ProxyConfig-InboundInterceptionMode-NONE>NONE</a></code></td><td><p>The <code>NONE</code> mode does not configure redirect to Envoy at all. This is an advanced
|
||
configuration that typically requires changes to user applications.</p></td></tr></tbody></table></section><h2 id=RemoteService>RemoteService</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=RemoteService-address><td><div class=field><div class=name><code><a href=#RemoteService-address>address</a></code></div><div class=type>string</div></div></td><td><p>Address of a remote service used for various purposes (access log
|
||
receiver, metrics receiver, etc.). Can be IP address or a fully
|
||
qualified DNS name.</p></td></tr><tr id=RemoteService-tls_settings><td><div class=field><div class=name><code><a href=#RemoteService-tls_settings>tlsSettings</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></div></div></td><td><p>Use the <code>tlsSettings</code> to specify the tls mode to use. If the remote service
|
||
uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
|
||
mode as <code>ISTIO_MUTUAL</code>.</p></td></tr><tr id=RemoteService-tcp_keepalive><td><div class=field><div class=name><code><a href=#RemoteService-tcp_keepalive>tcpKeepalive</a></code></div><div class=type><a href=/v1.24/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></div></div></td><td><p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p></td></tr></tbody></table></section><h2 id=Network>Network</h2><section><p>Network provides information about the endpoints in a routable L3
|
||
network. A single routable L3 network can have one or more service
|
||
registries. Note that the network has no relation to the locality of the
|
||
endpoint. The endpoint locality will be obtained from the service
|
||
registry.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Network-endpoints><td><div class=field><div class=name><code><a href=#Network-endpoints>endpoints</a></code></div><div class=type><a href=#Network-NetworkEndpoints>NetworkEndpoints[]</a></div><div class=required>Required</div></div></td><td><p>The list of endpoints in the network (obtained through the
|
||
constituent service registries or from CIDR ranges). All endpoints in
|
||
the network are directly accessible to one another.</p></td></tr><tr id=Network-gateways><td><div class=field><div class=name><code><a href=#Network-gateways>gateways</a></code></div><div class=type><a href=#Network-IstioNetworkGateway>IstioNetworkGateway[]</a></div><div class=required>Required</div></div></td><td><p>Set of gateways associated with the network.</p></td></tr></tbody></table></section><h3 id=Network-NetworkEndpoints>NetworkEndpoints</h3><section><p>NetworkEndpoints describes how the network associated with an endpoint
|
||
should be inferred. An endpoint will be assigned to a network based on
|
||
the following rules:</p><ol><li><p>Implicitly: If the registry explicitly provides information about
|
||
the network to which the endpoint belongs. In some cases, it's
|
||
possible to indicate the network associated with the endpoint by
|
||
adding the <code>ISTIO_META_NETWORK</code> environment variable to the sidecar.</p></li><li><p>Explicitly:</p><p>a. By matching the registry name with one of the “fromRegistry”
|
||
in the mesh config. A “fromRegistry” can only be assigned to a
|
||
single network.</p><p>b. By matching the IP against one of the CIDR ranges in a mesh
|
||
config network. The CIDR ranges must not overlap, and each must be assigned to
|
||
a single network.</p></li></ol><p>(2) will override (1) if both are present.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Network-NetworkEndpoints-from_cidr class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#Network-NetworkEndpoints-from_cidr>fromCidr</a></code></div><div class=type>string (oneof)</div></div></td><td><p>A CIDR range for the set of endpoints in this network. The CIDR
|
||
ranges for endpoints from different networks must not overlap.</p></td></tr><tr id=Network-NetworkEndpoints-from_registry class=oneof><td><div class=field><div class=name><code><a href=#Network-NetworkEndpoints-from_registry>fromRegistry</a></code></div><div class=type>string (oneof)</div></div></td><td><p>Add all endpoints from the specified registry into this network.
|
||
The names of the registries should correspond to the kubeconfig file name
|
||
inside the secret that was used to configure the registry (Kubernetes
|
||
multicluster) or supplied by MCP server.</p></td></tr></tbody></table></section><h3 id=Network-IstioNetworkGateway>IstioNetworkGateway</h3><section><p>The gateway associated with this network. Traffic from remote networks
|
||
will arrive at the specified gateway:port. All incoming traffic must
|
||
use mTLS.</p><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=Network-IstioNetworkGateway-registry_service_name class="oneof oneof-start"><td><div class=field><div class=name><code><a href=#Network-IstioNetworkGateway-registry_service_name>registryServiceName</a></code></div><div class=type>string (oneof)</div></div></td><td><p>A fully qualified domain name of the gateway service. istiod will
|
||
look up the service from the service registries in the network and
|
||
obtain the endpoint IPs of the gateway from the service
|
||
registry. Note that while the service name is a fully qualified
|
||
domain name, it need not be resolvable outside the orchestration
|
||
platform for the registry. e.g., this could be
|
||
istio-ingressgateway.istio-system.svc.cluster.local.</p></td></tr><tr id=Network-IstioNetworkGateway-address class=oneof><td><div class=field><div class=name><code><a href=#Network-IstioNetworkGateway-address>address</a></code></div><div class=type>string (oneof)</div></div></td><td><p>IP address or externally resolvable DNS address associated with the gateway.</p></td></tr><tr id=Network-IstioNetworkGateway-port><td><div class=field><div class=name><code><a href=#Network-IstioNetworkGateway-port>port</a></code></div><div class=type>uint32</div><div class=required>Required</div></div></td><td><p>The port associated with the gateway.</p></td></tr><tr id=Network-IstioNetworkGateway-locality><td><div class=field><div class=name><code><a href=#Network-IstioNetworkGateway-locality>locality</a></code></div><div class=type>string</div></div></td><td><p>The locality associated with an explicitly specified gateway (i.e. ip)</p></td></tr></tbody></table></section><h2 id=MeshNetworks>MeshNetworks</h2><section><p>MeshNetworks (config map) provides information about the set of networks
|
||
inside a mesh and how to route to endpoints in each network. For example</p><p>MeshNetworks(file/config map):</p><pre><code class=language-yaml>networks:
  network1:
    endpoints:
    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    - fromCidr: 192.168.100.0/22 #a VM network for example
    gateways:
    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
      port: 15443
      locality: us-east-1a
    - address: 192.168.100.1
      port: 15443
      locality: us-east-1a
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Description</th></tr></thead><tbody><tr id=MeshNetworks-networks><td><div class=field><div class=name><code><a href=#MeshNetworks-networks>networks</a></code></div><div class=type>map<string, <a href=#Network>Network</a>></div><div class=required>Required</div></div></td><td><p>The set of networks inside this mesh. Each network should
|
||
have a unique name and information about how to infer the endpoints in
|
||
the network as well as the gateways associated with the network.</p></td></tr></tbody></table></section><h2 id=Resource>Resource</h2><section><p>Resource describes the source of configuration</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Resource-SERVICE_REGISTRY><td><code><a href=#Resource-SERVICE_REGISTRY>SERVICE_REGISTRY</a></code></td><td><p>Set to only receive service entries that are generated by the platform.
|
||
These auto-generated service entries are a combination of services and endpoints
|
||
that are generated by a specific platform e.g. k8</p></td></tr></tbody></table></section><h2 id=AuthenticationPolicy>AuthenticationPolicy</h2><section><p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
|
||
It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
|
||
Mesh policy cannot be INHERIT.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=AuthenticationPolicy-NONE><td><code><a href=#AuthenticationPolicy-NONE>NONE</a></code></td><td><p>Do not encrypt proxy to control plane traffic.</p></td></tr><tr id=AuthenticationPolicy-MUTUAL_TLS><td><code><a href=#AuthenticationPolicy-MUTUAL_TLS>MUTUAL_TLS</a></code></td><td><p>Proxy to control plane traffic is wrapped into mutual TLS connections.</p></td></tr><tr id=AuthenticationPolicy-INHERIT><td><code><a href=#AuthenticationPolicy-INHERIT>INHERIT</a></code></td><td><p>Use the policy defined by the parent scope. Should not be used for mesh
|
||
policy.</p></td></tr></tbody></table></section><h2 id=ForwardClientCertDetails>ForwardClientCertDetails</h2><section><p>ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
|
||
header is handled by a proxy.
|
||
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails>Envoy XFCC</a>
|
||
header handling for more details.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ForwardClientCertDetails-UNDEFINED><td><code><a href=#ForwardClientCertDetails-UNDEFINED>UNDEFINED</a></code></td><td><p>Field is not set</p></td></tr><tr id=ForwardClientCertDetails-SANITIZE><td><code><a href=#ForwardClientCertDetails-SANITIZE>SANITIZE</a></code></td><td><p>Do not send the XFCC header to the next hop.</p></td></tr><tr id=ForwardClientCertDetails-FORWARD_ONLY><td><code><a href=#ForwardClientCertDetails-FORWARD_ONLY>FORWARD_ONLY</a></code></td><td><p>When the client connection is mTLS (Mutual TLS), forward the XFCC header
|
||
in the request.</p></td></tr><tr id=ForwardClientCertDetails-APPEND_FORWARD><td><code><a href=#ForwardClientCertDetails-APPEND_FORWARD>APPEND_FORWARD</a></code></td><td><p>When the client connection is mTLS, append the client certificate
|
||
information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.</p></td></tr><tr id=ForwardClientCertDetails-SANITIZE_SET><td><code><a href=#ForwardClientCertDetails-SANITIZE_SET>SANITIZE_SET</a></code></td><td><p>When the client connection is mTLS, reset the XFCC header with the client
|
||
certificate information and send it to the next hop. This is the default value for gateway proxies.</p></td></tr><tr id=ForwardClientCertDetails-ALWAYS_FORWARD_ONLY><td><code><a href=#ForwardClientCertDetails-ALWAYS_FORWARD_ONLY>ALWAYS_FORWARD_ONLY</a></code></td><td><p>Always forward the XFCC header in the request, regardless of whether the
|
||
client connection is mTLS. Because the header is then forwarded even when no client certificate was verified, the receiving service should not treat its contents as an authenticated identity unless the immediate downstream is trusted.</p></td></tr></tbody></table></section></article><nav class=pagenav><div class=left><a title="Describes the structure of messages generated by Istio analyzers." href=/v1.24/docs/reference/config/istio.analysis.v1alpha1/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.24/img/icons.svg#left-arrow"/></svg>Analysis Messages</a></div><div class=right><a title="Configuration affecting Istio control plane installation version and shape." href=/v1.24/docs/reference/config/istio.operator.v1alpha1/ class=next-link>IstioOperator Options<svg class="icon right-arrow"><use xlink:href="/v1.24/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick='sendFeedback("en",1)'>Yes</button>
|
||
<button class="btn feedback" onclick='sendFeedback("en",0)'>No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder='Help us improve...' data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=MeshConfig><a href=#MeshConfig>MeshConfig</a><ol><li role=none aria-label=OutboundTrafficPolicy><a href=#MeshConfig-OutboundTrafficPolicy>OutboundTrafficPolicy</a><ol><li role=none aria-label=Mode><a href=#MeshConfig-OutboundTrafficPolicy-Mode>Mode</a></ol></li><li role=none aria-label=InboundTrafficPolicy><a href=#MeshConfig-InboundTrafficPolicy>InboundTrafficPolicy</a><ol><li role=none aria-label=Mode><a href=#MeshConfig-InboundTrafficPolicy-Mode>Mode</a></ol></li><li role=none aria-label=CertificateData><a href=#MeshConfig-CertificateData>CertificateData</a><li role=none aria-label=CA><a href=#MeshConfig-CA>CA</a><li role=none aria-label=ExtensionProvider><a href=#MeshConfig-ExtensionProvider>ExtensionProvider</a><ol><li role=none aria-label=EnvoyExternalAuthorizationRequestBody><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a><li role=none aria-label=EnvoyExternalAuthorizationHttpProvider><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>EnvoyExternalAuthorizationHttpProvider</a><li role=none aria-label=EnvoyExternalAuthorizationGrpcProvider><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>EnvoyExternalAuthorizationGrpcProvider</a><li role=none aria-label=ZipkinTracingProvider><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider>ZipkinTracingProvider</a><li role=none aria-label=LightstepTracingProvider><a 
href=#MeshConfig-ExtensionProvider-LightstepTracingProvider>LightstepTracingProvider</a><li role=none aria-label=DatadogTracingProvider><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider>DatadogTracingProvider</a><li role=none aria-label=SkyWalkingTracingProvider><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>SkyWalkingTracingProvider</a><li role=none aria-label=StackdriverProvider><a href=#MeshConfig-ExtensionProvider-StackdriverProvider>StackdriverProvider</a><ol><li role=none aria-label=Logging><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-Logging>Logging</a></ol></li><li role=none aria-label=OpenCensusAgentTracingProvider><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>OpenCensusAgentTracingProvider</a><ol><li role=none aria-label=TraceContext><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>TraceContext</a></ol></li><li role=none aria-label=PrometheusMetricsProvider><a href=#MeshConfig-ExtensionProvider-PrometheusMetricsProvider>PrometheusMetricsProvider</a><li role=none aria-label=EnvoyFileAccessLogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>EnvoyFileAccessLogProvider</a><ol><li role=none aria-label=LogFormat><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>LogFormat</a></ol></li><li role=none aria-label=EnvoyHttpGrpcV3LogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>EnvoyHttpGrpcV3LogProvider</a><li role=none aria-label=EnvoyTcpGrpcV3LogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>EnvoyTcpGrpcV3LogProvider</a><li role=none aria-label=EnvoyOpenTelemetryLogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>EnvoyOpenTelemetryLogProvider</a><ol><li role=none aria-label=LogFormat><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>LogFormat</a></ol></li><li role=none aria-label=OpenTelemetryTracingProvider><a 
href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider>OpenTelemetryTracingProvider</a><ol><li role=none aria-label=DynatraceSampler><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler>DynatraceSampler</a><ol><li role=none aria-label=DynatraceApi><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider-DynatraceSampler-DynatraceApi>DynatraceApi</a></ol></li></ol></li><li role=none aria-label=HttpService><a href=#MeshConfig-ExtensionProvider-HttpService>HttpService</a><li role=none aria-label=HttpHeader><a href=#MeshConfig-ExtensionProvider-HttpHeader>HttpHeader</a><li role=none aria-label=ResourceDetectors><a href=#MeshConfig-ExtensionProvider-ResourceDetectors>ResourceDetectors</a><ol><li role=none aria-label=EnvironmentResourceDetector><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-EnvironmentResourceDetector>EnvironmentResourceDetector</a><li role=none aria-label=DynatraceResourceDetector><a href=#MeshConfig-ExtensionProvider-ResourceDetectors-DynatraceResourceDetector>DynatraceResourceDetector</a></ol></li><li role=none aria-label=GrpcService><a href=#MeshConfig-ExtensionProvider-GrpcService>GrpcService</a></ol></li><li role=none aria-label=DefaultProviders><a href=#MeshConfig-DefaultProviders>DefaultProviders</a><li role=none aria-label=ProxyPathNormalization><a href=#MeshConfig-ProxyPathNormalization>ProxyPathNormalization</a><ol><li role=none aria-label=NormalizationType><a href=#MeshConfig-ProxyPathNormalization-NormalizationType>NormalizationType</a></ol></li><li role=none aria-label=TLSConfig><a href=#MeshConfig-TLSConfig>TLSConfig</a><ol><li role=none aria-label=TLSProtocol><a href=#MeshConfig-TLSConfig-TLSProtocol>TLSProtocol</a><li role=none aria-label=Settings><a href=#MeshConfig-ServiceSettings-Settings>Settings</a></ol></li><li role=none aria-label=IngressControllerMode><a href=#MeshConfig-IngressControllerMode>IngressControllerMode</a><li role=none aria-label=AccessLogEncoding><a 
href=#MeshConfig-AccessLogEncoding>AccessLogEncoding</a><li role=none aria-label=H2UpgradePolicy><a href=#MeshConfig-H2UpgradePolicy>H2UpgradePolicy</a></ol></li><li role=none aria-label=LabelSelector><a href=#LabelSelector>LabelSelector</a><li role=none aria-label=LabelSelectorRequirement><a href=#LabelSelectorRequirement>LabelSelectorRequirement</a><li role=none aria-label=ConfigSource><a href=#ConfigSource>ConfigSource</a><li role=none aria-label=Tracing><a href=#Tracing>Tracing</a><ol><li role=none aria-label=Zipkin><a href=#Tracing-Zipkin>Zipkin</a><li role=none aria-label=Datadog><a href=#Tracing-Datadog>Datadog</a><li role=none aria-label=Stackdriver><a href=#Tracing-Stackdriver>Stackdriver</a><li role=none aria-label=OpenCensusAgent><a href=#Tracing-OpenCensusAgent>OpenCensusAgent</a><ol><li role=none aria-label=TraceContext><a href=#Tracing-OpenCensusAgent-TraceContext>TraceContext</a></ol></li></ol></li><li role=none aria-label=Topology><a href=#Topology>Topology</a><ol><li role=none aria-label=ProxyProtocolConfiguration><a href=#Topology-ProxyProtocolConfiguration>ProxyProtocolConfiguration</a></ol></li><li role=none aria-label=PrivateKeyProvider><a href=#PrivateKeyProvider>PrivateKeyProvider</a><ol><li role=none aria-label=CryptoMb><a href=#PrivateKeyProvider-CryptoMb>CryptoMb</a><li role=none aria-label=QAT><a href=#PrivateKeyProvider-QAT>QAT</a></ol></li><li role=none aria-label=ProxyConfig><a href=#ProxyConfig>ProxyConfig</a><ol><li role=none aria-label=ProxyStatsMatcher><a href=#ProxyConfig-ProxyStatsMatcher>ProxyStatsMatcher</a><li role=none aria-label=ProxyHeaders><a href=#ProxyConfig-ProxyHeaders>ProxyHeaders</a><ol><li role=none aria-label=Server><a href=#ProxyConfig-ProxyHeaders-Server>Server</a><li role=none aria-label=RequestId><a href=#ProxyConfig-ProxyHeaders-RequestId>RequestId</a><li role=none aria-label=AttemptCount><a href=#ProxyConfig-ProxyHeaders-AttemptCount>AttemptCount</a><li role=none aria-label=EnvoyDebugHeaders><a 
href=#ProxyConfig-ProxyHeaders-EnvoyDebugHeaders>EnvoyDebugHeaders</a><li role=none aria-label=MetadataExchangeHeaders><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeHeaders>MetadataExchangeHeaders</a><li role=none aria-label=SetCurrentClientCertDetails><a href=#ProxyConfig-ProxyHeaders-SetCurrentClientCertDetails>SetCurrentClientCertDetails</a><li role=none aria-label=MetadataExchangeMode><a href=#ProxyConfig-ProxyHeaders-MetadataExchangeMode>MetadataExchangeMode</a></ol></li><li role=none aria-label=TracingServiceName><a href=#ProxyConfig-TracingServiceName>TracingServiceName</a><li role=none aria-label=InboundInterceptionMode><a href=#ProxyConfig-InboundInterceptionMode>InboundInterceptionMode</a></ol></li><li role=none aria-label=RemoteService><a href=#RemoteService>RemoteService</a><li role=none aria-label=Network><a href=#Network>Network</a><ol><li role=none aria-label=NetworkEndpoints><a href=#Network-NetworkEndpoints>NetworkEndpoints</a><li role=none aria-label=IstioNetworkGateway><a href=#Network-IstioNetworkGateway>IstioNetworkGateway</a></ol></li><li role=none aria-label=MeshNetworks><a href=#MeshNetworks>MeshNetworks</a><li role=none aria-label=Resource><a href=#Resource>Resource</a><li role=none aria-label=AuthenticationPolicy><a href=#AuthenticationPolicy>AuthenticationPolicy</a><li role=none aria-label=ForwardClientCertDetails><a href=#ForwardClientCertDetails>ForwardClientCertDetails</a></ol></div></nav></div></main><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.24/img/icons.svg#github"/></svg>
|
||
</a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.24/img/icons.svg#drive"/></svg>
|
||
</a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.24/img/icons.svg#slack"/></svg>
|
||
</a><a class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.24/img/icons.svg#stackoverflow"/></svg>
|
||
</a><a class=channel title='Follow us on LinkedIn to get the latest news' href=https://www.linkedin.com/company/istio/ aria-label=LinkedIn><svg class="icon linkedin"><use xlink:href="/v1.24/img/icons.svg#linkedin"/></svg>
|
||
</a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.24/img/icons.svg#twitter"/></svg>
|
||
</a><a class=channel title='Follow us on Bluesky to get the latest news' href=https://bsky.app/profile/istio.io aria-label=Bluesky><svg class="icon bluesky"><use xlink:href="/v1.24/img/icons.svg#bluesky"/></svg>
|
||
</a><a class=channel title='Follow us on Mastodon to get the latest news' href=https://mastodon.social/@istio aria-label=Mastodon rel=me><svg class="icon mastodon"><use xlink:href="/v1.24/img/icons.svg#mastodon"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.24/ aria-label=logotype><svg width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 
32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use 
xlink:href="/v1.24/img/icons.svg#tick"/></svg>
|
||
English
|
||
</a><a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文
|
||
</a><a tabindex=-1 lang=uk id=switch-lang-uk class=footer-languages-item>Українська</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions
|
||
</a>|
|
||
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy
|
||
</a>|
|
||
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/trademark-usage>Trademarks
|
||
</a>|
|
||
<a class=disabled title="This is an auto-generated file, please edit the source in the https://github.com/istio/api repo.">Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>© 2024 the Istio Authors.</span>
|
||
<span class=footer-base-version>Version
|
||
Archive
|
||
1.24.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/docs/reference/config/istio.mesh.v1alpha1/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/docs/reference/config/istio.mesh.v1alpha1/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.24/img/icons.svg#top"/></svg></button></div></body></html> |