istio.io/archive/v1.16/zh/docs/reference/config/istio.mesh.v1alpha1/index.html


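<!doctype html>
<html lang="zh" itemscope itemtype="https://schema.org/WebPage">
<head>
  <!-- Document metadata for the archived (v1.16) "Global Mesh Options" reference page. -->
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
  <meta name="theme-color" content="#466BB0">
  <meta name="title" content="Global Mesh Options">
  <meta name="description" content="Configuration affecting the service mesh as a whole.">
  <meta name="keywords" content="microservices,services,mesh">

  <!-- Open Graph / Twitter card metadata, read by link-preview scrapers rather than by the browser. -->
  <meta property="og:title" content="Global Mesh Options">
  <meta property="og:type" content="website">
  <meta property="og:description" content="Configuration affecting the service mesh as a whole.">
  <meta property="og:url" content="/v1.16/zh/docs/reference/config/istio.mesh.v1alpha1/">
  <meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg">
  <meta property="og:image:alt" content="Istio Logo">
  <meta property="og:image:width" content="1200">
  <meta property="og:image:height" content="600">
  <meta property="og:site_name" content="Istio">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:site" content="@IstioMesh">
  <title>Istioldie 1.16 / Global Mesh Options</title>

  <!-- Security review: third-party analytics loader. It executes with this page's
       origin privileges and the served content can change without notice, so an
       integrity hash is not practical here; constrain it with a Content-Security-Policy
       script-src allowlist instead. -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
  <!-- Security review: inline script. A strict CSP would need a nonce or hash for this
       block; serving it from a same-origin file removes that requirement. -->
  <script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script>

  <!-- Feeds -->
  <link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v1.16/blog/feed.xml">
  <link rel="alternate" type="application/rss+xml" title="Istio News" href="/v1.16/news/feed.xml">
  <link rel="alternate" type="application/rss+xml" title="Istio Blog and News" href="/v1.16/feed.xml">

  <!-- Icons and app manifest -->
  <link rel="shortcut icon" href="/v1.16/favicons/favicon.ico">
  <link rel="apple-touch-icon" href="/v1.16/favicons/apple-touch-icon-180x180.png" sizes="180x180">
  <link rel="icon" type="image/png" href="/v1.16/favicons/favicon-16x16.png" sizes="16x16">
  <link rel="icon" type="image/png" href="/v1.16/favicons/favicon-32x32.png" sizes="32x32">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-36x36.png" sizes="36x36">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-48x48.png" sizes="48x48">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-72x72.png" sizes="72x72">
  <!-- sizes read "96xW96", which is not a valid size token; corrected to match the 96x96 asset. -->
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-96x96.png" sizes="96x96">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-144x144.png" sizes="144x144">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-192x192.png" sizes="192x192">
  <link rel="icon" type="image/svg+xml" href="/v1.16/favicons/favicon.svg">
  <link rel="icon" type="image/png" href="/v1.16/favicons/favicon.png">
  <link rel="mask-icon" href="/v1.16/favicons/safari-pinned-tab.svg" color="#466bb0">
  <link rel="manifest" href="/v1.16/manifest.json">
  <meta name="apple-mobile-web-app-title" content="Istio">
  <meta name="application-name" content="Istio">
  <meta name="msapplication-config" content="/browserconfig.xml">
  <meta name="msapplication-TileColor" content="#466BB0">
  <meta name="theme-color" content="#466BB0">

  <!-- Styles. The site stylesheet is same-origin; the font stylesheet is third-party.
       Security review: the font CSS is fetched cross-origin without an integrity
       attribute; self-hosting the font files would remove this external dependency. -->
  <link rel="stylesheet" href="/v1.16/css/all.css">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&amp;display=swap">

  <!-- Loaded synchronously in the head, ahead of the body. -->
  <script src="/v1.16/js/themes_init.min.js"></script>
</head>
<body class="language-unknown archive-site">
<!-- Page-level constants consumed by the site scripts. Security review: this is a second
     inline script, so the same CSP nonce/hash consideration applies; the values shown
     are static strings, with no request-derived data visible here. -->
<script>const branchName="release-1.16",docTitle="Global Mesh Options",iconFile="/v1.16/img/icons.svg",buttonCopy="复制到剪切板",buttonPrint="打印",buttonDownload="下载"</script>
<!-- Security review: third-party search script, loaded without an integrity attribute;
     list its origin explicitly in script-src if a CSP is deployed. -->
<script src="https://www.google.com/cse/brand?form=search-form" defer></script>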
<script src=/v1.16/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.16/zh/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.16/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>关于</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.16/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/service-mesh class=main-navigation-links-link>服务网格</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/solutions class=main-navigation-links-link>解决方案</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/case-studies class=main-navigation-links-link>案例学习</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/ecosystem class=main-navigation-links-link>生态系统</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/deployment class=main-navigation-links-link>部署</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.16/zh/blog/ class=main-navigation-links-link><span>博客</span></a></li><li class=main-navigation-links-item><a href=/v1.16/zh/news/ class=main-navigation-links-link><span>新闻</span></a></li><li class=main-navigation-links-item><a href=/v1.16/zh/get-involved/ class=main-navigation-links-link><span>加入我们</span></a></li><li class=main-navigation-links-item><a href=/v1.16/zh/docs/ class=main-navigation-links-link><span>文档</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='搜索 istio.io' aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.16/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.16/zh/docs/setup/getting-started class="btn btn--primary" id=try-istio>试用 Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=zh>
<input type=hidden id=search-page-url value=/zh/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='搜索 istio.io' placeholder=搜索>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><main class="primary container has-sidebar has-toc docs"><div id=sidebar-container class=sidebar-container><nav id=sidebar aria-label="Section Navigation"><button id=sidebar-close class="main-navigation-toggle sidebar-close" aria-label="Close sidebar"><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button><div class=sidebar-nav><div class=search><form id=search-docs-form name=cse role=search><input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-docs-url value=/v1.16/search>
<input id=search-docs-textbox class=form-control name=docs-search type=search aria-label='搜索 istio.io' placeholder=搜索>
<button id=search-show2 class=search-show title='搜索 istio.io' aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.16/img/icons.svg#magnifier"/></svg></button></form></div><div class=card><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label=概念><a class=main title="一些概念,理解它们有助于您更好地了解 Istio 系统的不同部分及其使用的抽象。" href=/v1.16/zh/docs/concepts/>概念</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="描述 Istio 多样的流量路由和控制特性。" href=/v1.16/zh/docs/concepts/traffic-management/>流量管理</a></li><li role=none><a role=treeitem title="讲述 Istio 的 WebAssembly 插件系统。" href=/v1.16/zh/docs/concepts/wasm/>扩展性</a></li><li role=none><a role=treeitem title="描述 Istio 的授权与认证功能。" href=/v1.16/zh/docs/concepts/security/>安全</a></li><li role=none><a role=treeitem title="描述 Istio 提供的遥测和监控特性。" href=/v1.16/zh/docs/concepts/observability/>可观测性</a></li></ul></li><li role=treeitem aria-label=安装><a class=main title="关于如何在 Kubernetes 集群中安装 Istio 控制平面和添加虚拟机到 mesh 中的说明。" href=/v1.16/zh/docs/setup/>安装</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="快速、轻松地尝试 Istio 特性。" href=/v1.16/zh/docs/setup/getting-started/>入门</a></li><li role=treeitem aria-label=平台安装><button aria-hidden=true tabindex=-1></button><a title="在安装 Istio 之前如何准备各种 Kubernetes 平台。" href=/v1.16/zh/docs/setup/platform-setup/>平台安装</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="在各平台上安装 Istio 的前提条件。" href=/v1.16/zh/docs/setup/platform-setup/prerequisites/>平台前提条件</a></li><li role=none><a role=treeitem title="在阿里云 Kubernetes 集群进行配置以便安装运行 Istio。" href=/v1.16/zh/docs/setup/platform-setup/alicloud/>阿里云</a></li><li role=none><a role=treeitem title="为 Istio 设置一个 Azure 集群的操作说明。" href=/v1.16/zh/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="在 Docker Desktop 中运行 Istio 的设置说明。" 
href=/v1.16/zh/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="为 Istio 设置 kind 的说明。" href=/v1.16/zh/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="在 Google Kubernetes Engine (GKE) 上快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/gke/>使用 Google Kubernetes Engine 快速开始</a></li><li role=none><a role=treeitem title="在 Minikube 上配置 Istio。" href=/v1.16/zh/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="为 Istio 设置一个华为云 Kubernetes 集群的操作说明。" href=/v1.16/zh/docs/setup/platform-setup/huaweicloud/>华为云</a></li><li role=none><a role=treeitem title="在 IBM 公有云或私有云上快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/ibm/>IBM Cloud 快速开始</a></li><li role=none><a role=treeitem title="与Istio 一起使用的 Kops 设置说明。" href=/v1.16/zh/docs/setup/platform-setup/kops/>Kops</a></li><li role=none><a role=treeitem title="使用 Gardener 快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/gardener/>Kubernetes Gardener 快速开始</a></li><li role=none><a role=treeitem title="Istio 适配 KubeSphere 容器平台指南。" href=/v1.16/zh/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="配置 MicroK8s 以便使用 Istio。" href=/v1.16/zh/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="在 OpenShift 集群上快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="使用 Oracle Container 为 Istio 准备集群的说明。" href=/v1.16/zh/docs/setup/platform-setup/oci/>Oracle Cloud 基础架构</a></li><li role=none><a role=treeitem title="在腾讯云上快速创建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/tencent-cloud-mesh/>腾讯云</a></li></ul></li><li role=treeitem aria-label=安装><button aria-hidden=true tabindex=-1></button><a title=选择最适合你需求和平台的安装指南。 href=/v1.16/zh/docs/setup/install/>安装</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="安装、定制 Istio 
配置文件,用于深入评估及生产发布。" href=/v1.16/zh/docs/setup/install/istioctl/>使用 Istioctl 安装</a></li><li role=none><a role=treeitem title="安装、配置并深入评估 Istio。" href=/v1.16/zh/docs/setup/install/helm/>使用 Helm 安装</a></li><li role=treeitem aria-label=多集群安装><button aria-hidden=true tabindex=-1></button><a title="跨多 Kubernetes 集群,安装 Istio 服务网格。" href=/v1.16/zh/docs/setup/install/multicluster/>多集群安装</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="在多个集群上安装 Istio 之前的初始步骤。" href=/v1.16/zh/docs/setup/install/multicluster/before-you-begin/>准备工作</a></li><li role=none><a role=treeitem title="跨多个主集群,安装 Istio 网格。" href=/v1.16/zh/docs/setup/install/multicluster/multi-primary/>多主架构的安装</a></li><li role=none><a role=treeitem title="跨主-从集群,安装 Istio 网格。" href=/v1.16/zh/docs/setup/install/multicluster/primary-remote/>主-从架构的安装</a></li><li role=none><a role=treeitem title="跨网络、多主架构的 Istio 网格安装。" href=/v1.16/zh/docs/setup/install/multicluster/multi-primary_multi-network/>跨网络多主架构的安装</a></li><li role=none><a role=treeitem title="跨网络、主-从架构的 Istio 网格安装。" href=/v1.16/zh/docs/setup/install/multicluster/primary-remote_multi-network/>跨网络主-从架构的安装</a></li><li role=none><a role=treeitem title="验证 Istio 已成功安装到多集群环境中。" href=/v1.16/zh/docs/setup/install/multicluster/verify/>验证安装结果</a></li></ul></li><li role=none><a role=treeitem title="部署 Istio接入虚拟机中运行的工作负载。" href=/v1.16/zh/docs/setup/install/virtual-machine/>虚拟机安装</a></li><li role=none><a role=treeitem title="使用修订和 discoverySelectors 在单集群中安装多个 Istio 控制面。" href=/v1.16/zh/docs/setup/install/multiple-controlplanes/>在单集群中安装多个 Istio 控制面</a></li><li role=none><a role=treeitem title=安装外部控制平面和远程集群。 href=/v1.16/zh/docs/setup/install/external-controlplane/>使用外部控制平面安装 Istio</a></li><li role=none><a role=treeitem title="使用 Istio Operator 在 Kubernetes 集群中安装 Istio 的说明。 (Beta)" href=/v1.16/zh/docs/setup/install/operator/>使用 Istio Operator 安装 *</a></li></ul></li><li role=treeitem aria-label=升级><button aria-hidden=true 
tabindex=-1></button><a title="跨多个控制平面升级、降级和管理 Istio。" href=/v1.16/zh/docs/setup/upgrade/>升级</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="通过先运行一个金丝雀部署的新控制平面升级 Istio。" href=/v1.16/zh/docs/setup/upgrade/canary/>金丝雀升级</a></li><li role=none><a role=treeitem title=原地升级和回退。 href=/v1.16/zh/docs/setup/upgrade/in-place/>原地升级</a></li><li role=none><a role=treeitem title="深度评估升级和配置 Istio。" href=/v1.16/zh/docs/setup/upgrade/helm/>Upgrade with Helm</a></li></ul></li><li role=treeitem aria-label=更多指南><button aria-hidden=true tabindex=-1></button><a title=有关其他设置任务的更多信息。 href=/v1.16/zh/docs/setup/additional-setup/>更多指南</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="描述 Istio 内置的安装配置文件。" href=/v1.16/zh/docs/setup/additional-setup/config-profiles/>安装配置文件</a></li><li role=none><a role=treeitem title="在应用程序 Pod 中使用 Sidecar Injector Webhook 自动安装或使用 Istioctl CLI 手动安装 Istio Sidecar。" href=/v1.16/zh/docs/setup/additional-setup/sidecar-injection/>安装 Sidecar</a></li><li role=none><a role=treeitem title=描述如何定制安装配置选项。 href=/v1.16/zh/docs/setup/additional-setup/customize-installation/>定制安装配置</a></li><li role=none><a role=treeitem title="描述使用 helm 安装时如何自定义安装配置选项。" href=/v1.16/zh/docs/setup/additional-setup/customize-installation-helm/>高级 Helm chart 自定义</a></li><li role=none><a role=treeitem title="安装并使用 Istio CNI 插件,可以让运维人员用更低的权限来部署服务。" href=/v1.16/zh/docs/setup/additional-setup/cni/>安装 Istio CNI 插件</a></li></ul></li></ul></li><li role=treeitem aria-label=任务><a class=main title="如何用 Istio 实现单个特定的目标行为。" href=/v1.16/zh/docs/tasks/>任务</a><ul role=group aria-expanded=true><li role=treeitem aria-label=流量管理><button aria-hidden=true tabindex=-1></button><a title="演示 Istio 的流量路由功能的任务。" href=/v1.16/zh/docs/tasks/traffic-management/>流量管理</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title=如何将请求动态路由到微服务的多个版本。 
href=/v1.16/zh/docs/tasks/traffic-management/request-routing/>配置请求路由</a></li><li role=none><a role=treeitem title=此任务说明如何注入故障并测试应用程序的弹性。 href=/v1.16/zh/docs/tasks/traffic-management/fault-injection/>故障注入</a></li><li role=none><a role=treeitem title=展示如何将流量从旧版本迁移到新版本的服务。 href=/v1.16/zh/docs/tasks/traffic-management/traffic-shifting/>流量转移</a></li><li role=none><a role=treeitem title="展示如何将一个服务的 TCP 流量从旧版本迁移到新版本。" href=/v1.16/zh/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP 流量转移</a></li><li role=none><a role=treeitem title="本任务用于示范如何使用 Istio 在 Envoy 中设置请求超时。" href=/v1.16/zh/docs/tasks/traffic-management/request-timeouts/>设置请求超时</a></li><li role=none><a role=treeitem title=本任务展示如何为连接、请求以及异常检测配置熔断。 href=/v1.16/zh/docs/tasks/traffic-management/circuit-breaking/>熔断</a></li><li role=none><a role=treeitem title="此任务演示了 Istio 的流量镜像/影子功能。" href=/v1.16/zh/docs/tasks/traffic-management/mirroring/>镜像</a></li><li role=treeitem aria-label=地域负载均衡><button aria-hidden=true tabindex=-1></button><a title="本系列任务演示如何在 Istio 中配置地域负载均衡。" href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/>地域负载均衡</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title=配置地域负载均衡前的初始化步骤。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/before-you-begin/>开始之前</a></li><li role=none><a role=treeitem title=本任务演示如何为网格配置地域故障转移。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/failover/>地域故障转移</a></li><li role=none><a role=treeitem title=本指南演示如何配置地域权重分配。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/distribute/>地域权重分布</a></li><li role=none><a role=treeitem title=地域负载均衡的清理步骤。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/cleanup/>清理</a></li></ul></li><li role=treeitem aria-label=Ingress><button aria-hidden=true tabindex=-1></button><a title="控制 Istio 服务网格的入口流量。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false 
class=leaf-section><li role=none><a role=treeitem title="描述如何配置 Istio Gateway 对象,以将服务暴露至服务网格之外。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/ingress-control/>入口网关</a></li><li role=none><a role=treeitem title="通过 TLS 或 mTLS 将服务暴露到服务网格外。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/secure-ingress/>安全网关</a></li><li role=none><a role=treeitem title="描述了如何在不使用 Ingress Gateway 的情况下,在一个 Sidecar 上终止 TLS 流量。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/ingress-sidecar-tls-termination/>Ingress Sidecar TLS 终止</a></li><li role=none><a role=treeitem title="如何为一个 Ingress Gateway 配置 SNI 透传。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>无 TLS 终止的 Ingress Gateway</a></li><li role=none><a role=treeitem title="展示如何配置 Kubernetes Ingress 对象,使得从服务网格外部可以访问网格内服务。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/kubernetes-ingress/>Kubernetes Ingress</a></li><li role=none><a role=treeitem title="描述在 Istio 中如何配置 Kubernetes Gateway API。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/gateway-api/>Kubernetes Gateway API</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true tabindex=-1></button><a title="控制 Istio 服务网格的出口流量。" href=/v1.16/zh/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="描述如何配置 Istio 以将流量从网格中的服务路由到外部服务。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-control/>访问外部服务</a></li><li role=none><a role=treeitem title="描述如何配置 Istio 对来自外部服务的流量执行 TLS 发起。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="描述如何配置 Istio 通过专用网关服务将流量定向到外部服务。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-gateway/>出口网关</a></li><li role=none><a role=treeitem title="描述了如何配置 Egress 网关,使用 Secret Discovery Service 执行 TLS 链接外部服务。" 
href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/>Egress 网关 TLS 连接 发起的过程 (SDS)</a></li><li role=none><a role=treeitem title="描述如何配置一个 Egress 网关,来向外部服务发起 TLS 连接。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress 网关的 TLS 发起过程</a></li><li role=none><a role=treeitem title="描述如何开启通用域中一组主机的 egress无需单独配置每一台主机。" href=/v1.16/zh/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Wildcard 主机的 egress</a></li><li role=none><a role=treeitem title="描述如何在 TLS Egress 上配置 SNI 监控和策略。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>TLS Egress 监控和策略配置</a></li><li role=none><a role=treeitem title="展示如何配置 Istio Kubernetes 外部服务。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Egress 流量服务</a></li><li role=none><a role=treeitem title="描述如何配置 Istio 以允许应用程序使用外部 HTTPS 代理。" href=/v1.16/zh/docs/tasks/traffic-management/egress/http-proxy/>使用外部 HTTPS 代理</a></li></ul></li></ul></li><li role=treeitem aria-label=安全><button aria-hidden=true tabindex=-1></button><a title=演示如何保护网格。 href=/v1.16/zh/docs/tasks/security/>安全</a><ul role=group aria-expanded=false><li role=treeitem aria-label=认证><button aria-hidden=true tabindex=-1></button><a title="管控网格服务间的双向 TLS 和终端用户的身份认证。" href=/v1.16/zh/docs/tasks/security/authentication/>认证</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="演示如何使用基于 JWT 声明路由请求的 Istio 身份验证策略。 (Experimental)" href=/v1.16/zh/docs/tasks/security/authentication/jwt-route/>基于 JWT 声明的路由 *</a></li><li role=none><a role=treeitem title="向您展示如何通过使用 Istio 认证策略来设置双向 TLS 和基本的终端用户认证。" href=/v1.16/zh/docs/tasks/security/authentication/authn-policy/>认证策略</a></li><li role=none><a role=treeitem title="阐述如何将 Istio 服务逐步迁移至双向 TLS 通信模式。" href=/v1.16/zh/docs/tasks/security/authentication/mtls-migration/>双向 TLS 迁移</a></li></ul></li><li role=treeitem aria-label=证书管理><button aria-hidden=true 
tabindex=-1></button><a title="管理 Istio 的证书。" href=/v1.16/zh/docs/tasks/security/cert-management/>证书管理</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="系统管理员如何通过根证书、签名证书和密钥来配置 Istio 的 CA。" href=/v1.16/zh/docs/tasks/security/cert-management/plugin-ca-cert/>插入 CA 证书</a></li><li role=none><a role=treeitem title="如何在 Istiod 中配置和管理 DNS 证书。" href=/v1.16/zh/docs/tasks/security/cert-management/dns-cert/>Istio 的 DNS 证书管理</a></li><li role=none><a role=treeitem title="演示如何使用自定义证书颁发机构(与 Kubernetes CSR API 集成)来提供 Istio 工作负载证书。 (Experimental)" href=/v1.16/zh/docs/tasks/security/cert-management/custom-ca-k8s/>使用 Kubernetes CSR 自定义 CA 集成 *</a></li></ul></li><li role=treeitem aria-label=授权><button aria-hidden=true tabindex=-1></button><a title="展示如何控制到 Istio 服务的访问。" href=/v1.16/zh/docs/tasks/security/authorization/>授权</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="展示如何设置 HTTP 流量访问控制。" href=/v1.16/zh/docs/tasks/security/authorization/authz-http/>HTTP 流量</a></li><li role=none><a role=treeitem title="展示如何设置 TCP 流量的访问控制。" href=/v1.16/zh/docs/tasks/security/authorization/authz-tcp/>TCP 流量</a></li><li role=none><a role=treeitem title="演示如何为 JWT 令牌设置访问控制。" href=/v1.16/zh/docs/tasks/security/authorization/authz-jwt/>JWT 令牌</a></li><li role=none><a role=treeitem title=如何集成访问控制并将其委托给外部授权系统。 href=/v1.16/zh/docs/tasks/security/authorization/authz-custom/>外部授权</a></li><li role=none><a role=treeitem title=如何设置访问控制以明确地拒绝流量。 href=/v1.16/zh/docs/tasks/security/authorization/authz-deny/>明确拒绝</a></li><li role=none><a role=treeitem title=展示如何在入口网关上设置访问控制。 href=/v1.16/zh/docs/tasks/security/authorization/authz-ingress/>入口网关</a></li><li role=none><a role=treeitem title=阐述如何在不更改授权策略的前提下从一个信任域迁移到另一个。 href=/v1.16/zh/docs/tasks/security/authorization/authz-td-migration/>信任域迁移</a></li></ul></li><li role=treeitem aria-label="TLS 配置"><button aria-hidden=true tabindex=-1></button><a title="在 Istio 中配置 TLS。" 
href=/v1.16/zh/docs/tasks/security/tls-configuration/>TLS 配置</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="演示如何为 Istio 工作负载配置最低版本的 TLS。" href=/v1.16/zh/docs/tasks/security/tls-configuration/workload-min-tls-version/>Istio 工作负载的最低 TLS 版本配置</a></li></ul></li></ul></li><li role=treeitem aria-label=策略执行><button aria-hidden=true tabindex=-1></button><a title=演示策略执行特性。 href=/v1.16/zh/docs/tasks/policy-enforcement/>策略执行</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="此任务将展示如何配置 Istio 来动态地限制服务的流量。" href=/v1.16/zh/docs/tasks/policy-enforcement/rate-limit/>使用 Envoy 启用速率限制</a></li></ul></li><li role=treeitem aria-label=可观察性><button aria-hidden=true tabindex=-1></button><a title=演示如何从网格收集遥测信息。 href=/v1.16/zh/docs/tasks/observability/>可观察性</a><ul role=group aria-expanded=false><li role=treeitem aria-label=指标><button aria-hidden=true tabindex=-1></button><a title="演示 Istio 中指标的收集和查询。" href=/v1.16/zh/docs/tasks/observability/metrics/>指标</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="本任务展示了如何配置 Istio 进行 TCP 服务的指标收集。" href=/v1.16/zh/docs/tasks/observability/metrics/tcp-metrics/>收集 TCP 服务指标</a></li><li role=none><a role=treeitem title="此任务向您展示如何自定义 Istio 指标。" href=/v1.16/zh/docs/tasks/observability/metrics/customize-metrics/>自定义 Istio 指标</a></li><li role=none><a role=treeitem title=此任务向您展示如何通过按类型对请求和响应进行分组来改进遥测。 href=/v1.16/zh/docs/tasks/observability/metrics/classify-metrics/>根据请求或响应对指标进行分类</a></li><li role=none><a role=treeitem title="本任务介绍如何通过 Prometheus 查询 Istio 度量指标。" href=/v1.16/zh/docs/tasks/observability/metrics/querying-metrics/>通过 Prometheus 查询度量指标</a></li><li role=none><a role=treeitem title="此任务展示了如何设置和使用 Istio Dashboard 监控网格流量。" href=/v1.16/zh/docs/tasks/observability/metrics/using-istio-dashboard/>使用 Grafana 可视化指标</a></li></ul></li><li role=treeitem aria-label=日志><button aria-hidden=true tabindex=-1></button><a title="演示 Istio 
网格日志的配置、收集和处理。" href=/v1.16/zh/docs/tasks/observability/logs/>日志</a></li></ul></li></ul></li></ul></div></div></div></nav></div><div class=article-container><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Global Mesh Options</h1><p class=byline>
<span></span></p></div></div><p>Configuration affecting the service mesh as a whole.</p><h2 id=MeshConfig>MeshConfig</h2><section><p>MeshConfig defines mesh-wide settings for the Istio service mesh.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-proxy_listen_port><td><code>proxyListenPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for incoming connections from
other services. Default port is 15001.</p></td><td>No</td></tr><tr id=MeshConfig-proxy_http_port><td><code>proxyHttpPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for HTTP PROXY requests if set.</p></td><td>No</td></tr><tr id=MeshConfig-connect_timeout><td><code>connectTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Connection timeout used by Envoy. (MUST BE >=1ms)
Default timeout is 10s.</p></td><td>No</td></tr><tr id=MeshConfig-protocol_detection_timeout><td><code>protocolDetectionTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Automatic protocol detection uses a set of heuristics to
determine whether the connection is using TLS or not (on the
server side), as well as the application protocol being used
(e.g., http vs tcp). These heuristics rely on the client sending
the first bits of data. For server-first protocols like MySQL,
MongoDB, etc., Envoy will time out on the protocol detection after
the specified period and fall back to treating the connection as
non-mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait
for the client to send the first bits of data. (MUST BE >=1ms or
0s to disable). Default detection timeout is 0s (no timeout).</p></td><td>No</td></tr><tr id=MeshConfig-tcp_keepalive><td><code>tcpKeepalive</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></code></td><td><p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_class><td><code>ingressClass</code></td><td><code>string</code></td><td><p>Class of ingress resources to be processed by Istio ingress
controller. This corresponds to the value of
<code>kubernetes.io/ingress.class</code> annotation.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_service><td><code>ingressService</code></td><td><code>string</code></td><td><p>Name of the Kubernetes service used for the istio ingress controller.
If no ingress controller is specified, the default value <code>istio-ingressgateway</code> is used.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_controller_mode><td><code>ingressControllerMode</code></td><td><code><a href=#MeshConfig-IngressControllerMode>IngressControllerMode</a></code></td><td><p>Defines whether to use Istio ingress controller for annotated or all ingress resources.
Default mode is <code>STRICT</code>.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_selector><td><code>ingressSelector</code></td><td><code>string</code></td><td><p>Defines which gateway deployment to use as the Ingress controller. This field corresponds to
the Gateway.selector field, and will be set as <code>istio: INGRESS_SELECTOR</code>.
By default, <code>ingressgateway</code> is used, which will select the default IngressGateway as it has the
<code>istio: ingressgateway</code> labels.
It is recommended that this is the same value as ingress_service.</p></td><td>No</td></tr><tr id=MeshConfig-enable_tracing><td><code>enableTracing</code></td><td><code>bool</code></td><td><p>Flag to control generation of trace spans and request IDs.
Requires a trace span collector defined in the proxy configuration.</p></td><td>No</td></tr><tr id=MeshConfig-access_log_file><td><code>accessLogFile</code></td><td><code>string</code></td><td><p>File address for the proxy access log (e.g. /dev/stdout).
Empty value disables access logging.</p></td><td>No</td></tr><tr id=MeshConfig-access_log_format><td><code>accessLogFormat</code></td><td><code>string</code></td><td><p>Format for the proxy access log.
Empty value results in the proxy&rsquo;s default access log format.</p></td><td>No</td></tr><tr id=MeshConfig-access_log_encoding><td><code>accessLogEncoding</code></td><td><code><a href=#MeshConfig-AccessLogEncoding>AccessLogEncoding</a></code></td><td><p>Encoding for the proxy access log (<code>TEXT</code> or <code>JSON</code>).
Default value is <code>TEXT</code>.</p></td><td>No</td></tr><tr id=MeshConfig-enable_envoy_access_log_service><td><code>enableEnvoyAccessLogService</code></td><td><code>bool</code></td><td><p>This flag enables Envoy&rsquo;s gRPC Access Log Service.
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto>Access Log Service</a>
for details about Envoy&rsquo;s gRPC Access Log Service API.
Default value is <code>false</code>.</p></td><td>No</td></tr><tr id=MeshConfig-disable_envoy_listener_log><td><code>disableEnvoyListenerLog</code></td><td><code>bool</code></td><td><p>This flag disables Envoy Listener logs.
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log>Listener Access Log</a>.
Istio enables Envoy&rsquo;s listener access logs on the &ldquo;NoRoute&rdquo; response flag.
Default value is <code>false</code>.</p></td><td>No</td></tr><tr id=MeshConfig-default_config><td><code>defaultConfig</code></td><td><code><a href=#ProxyConfig>ProxyConfig</a></code></td><td><p>Default proxy config used by gateway and sidecars.
In case of Kubernetes, the proxy config is applied once during the injection process,
and remains constant for the duration of the pod. The rest of the mesh config can be changed
at runtime and config gets distributed dynamically.
On Kubernetes, this can be overridden on individual pods with the <code>proxy.istio.io/config</code> annotation.</p></td><td>No</td></tr><tr id=MeshConfig-outbound_traffic_policy><td><code>outboundTrafficPolicy</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy>OutboundTrafficPolicy</a></code></td><td><p>Set the default behavior of the sidecar for handling outbound
traffic from the application. If your application uses one or
more external services that are not known a priori, setting the
policy to <code>ALLOW_ANY</code> will cause the sidecars to route any unknown
traffic originating from the application to its requested
destination. Users are strongly encouraged to use ServiceEntries
to explicitly declare any external dependencies, instead of using
<code>ALLOW_ANY</code>, so that traffic to these services can be
monitored. Can be overridden at a Sidecar level by setting the
<code>OutboundTrafficPolicy</code> in the <a href=/v1.16/zh/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy>Sidecar
API</a>.
Default mode is <code>ALLOW_ANY</code> which means outbound traffic to unknown destinations will be allowed.</p></td><td>No</td></tr><tr id=MeshConfig-config_sources><td><code>configSources</code></td><td><code><a href=#ConfigSource>ConfigSource[]</a></code></td><td><p>ConfigSource describes a source of configuration data for networking
rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.</p></td><td>No</td></tr><tr id=MeshConfig-enable_auto_mtls><td><code>enableAutoMtls</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>This flag is used to enable mutual <code>TLS</code> automatically for service to service communication
within the mesh, default true.
If set to true, and a given service does not have a corresponding <code>DestinationRule</code> configured,
or its <code>DestinationRule</code> does not have ClientTLSSettings specified, Istio configures client side
TLS configuration appropriately. More specifically:
If the upstream authentication policy is in <code>STRICT</code> mode, use Istio provisioned certificate
for mutual <code>TLS</code> to connect to upstream.
If the upstream service is in plain text mode, use plain text.
If the upstream authentication policy is in <code>PERMISSIVE</code> mode, Istio configures clients to use
mutual <code>TLS</code> when server sides are capable of accepting mutual <code>TLS</code> traffic.
If service <code>DestinationRule</code> exists and has <code>ClientTLSSettings</code> specified, that is always used instead.</p></td><td>No</td></tr><tr id=MeshConfig-trust_domain><td><code>trustDomain</code></td><td><code>string</code></td><td><p>The trust domain corresponds to the trust root of a system.
Refer to <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain>SPIFFE-ID</a></p></td><td>No</td></tr><tr id=MeshConfig-trust_domain_aliases><td><code>trustDomainAliases</code></td><td><code>string[]</code></td><td><p>The trust domain aliases represent the aliases of <code>trust_domain</code>.
For example, if we have</p><pre><code class=language-yaml>trustDomain: td1
trustDomainAliases: [&quot;td2&quot;, &quot;td3&quot;]
</code></pre><p>Any service with the identity <code>td1/ns/foo/sa/a-service-account</code>, <code>td2/ns/foo/sa/a-service-account</code>,
or <code>td3/ns/foo/sa/a-service-account</code> will be treated the same in the Istio mesh.</p></td><td>No</td></tr><tr id=MeshConfig-ca_certificates><td><code>caCertificates</code></td><td><code><a href=#MeshConfig-CertificateData>CertificateData[]</a></code></td><td><p>The extra root certificates for workload-to-workload communication.
The plugin certificates (the &lsquo;cacerts&rsquo; secret) or self-signed certificates (the &lsquo;istio-ca-secret&rsquo; secret)
are automatically added by Istiod.
The CA certificate that signs the workload certificates is automatically added by Istio Agent.</p></td><td>No</td></tr><tr id=MeshConfig-default_service_export_to><td><code>defaultServiceExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the ServiceEntry.export_to field and services
imported through container registry integrations, e.g. this applies to
Kubernetes Service resources. The value is a list of namespace names and
reserved namespace aliases. The allowed namespace aliases are:</p><pre><code>* - All Namespaces
. - Current Namespace
~ - No Namespace
</code></pre><p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
services are exported to all namespaces.</p><p><code>All namespaces</code> is a reasonable default for implementations that don&rsquo;t
need to restrict access or visibility of services across namespace
boundaries. If that requirement is present it is generally good practice to
make the default <code>Current namespace</code> so that services are only visible
within their own namespaces by default. Operators can then expand the
visibility of services to other namespaces as needed. Use of <code>No Namespace</code>
is expected to be rare but can have utility for deployments where
dependency management needs to be precise even within the scope of a single
namespace.</p><p>For further discussion see the reference documentation for <code>ServiceEntry</code>,
<code>Sidecar</code>, and <code>Gateway</code>.</p></td><td>No</td></tr><tr id=MeshConfig-default_virtual_service_export_to><td><code>defaultVirtualServiceExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the VirtualService.export_to field. Has the same
syntax as <code>default_service_export_to</code>.</p><p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
virtual services are exported to all namespaces</p></td><td>No</td></tr><tr id=MeshConfig-default_destination_rule_export_to><td><code>defaultDestinationRuleExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the <code>DestinationRule.export_to</code> field. Has the same
syntax as <code>default_service_export_to</code>.</p><p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
destination rules are exported to all namespaces</p></td><td>No</td></tr><tr id=MeshConfig-root_namespace><td><code>rootNamespace</code></td><td><code>string</code></td><td><p>The namespace to treat as the administrative root namespace for
Istio configuration. When processing a leaf namespace Istio will search for
declarations in that namespace first and if none are found it will
search in the root namespace. Any matching declaration found in the root
namespace is processed as if it were declared in the leaf namespace.</p><p>The precise semantics of this processing are documented on each resource
type.</p></td><td>No</td></tr><tr id=MeshConfig-locality_lb_setting><td><code>localityLbSetting</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#LocalityLoadBalancerSetting>LocalityLoadBalancerSetting</a></code></td><td><p>Locality based load balancing distribution or failover settings.</p></td><td>No</td></tr><tr id=MeshConfig-dns_refresh_rate><td><code>dnsRefreshRate</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Configures DNS refresh rate for Envoy clusters of type <code>STRICT_DNS</code>
Default refresh rate is <code>5s</code>.</p></td><td>No</td></tr><tr id=MeshConfig-h2_upgrade_policy><td><code>h2UpgradePolicy</code></td><td><code><a href=#MeshConfig-H2UpgradePolicy>H2UpgradePolicy</a></code></td><td><p>Specify if http1.1 connections should be upgraded to http2 by default.
If a sidecar is installed on all pods in the mesh, then this should be set to <code>UPGRADE</code>.
If one or more services or namespaces do not have sidecar(s), then this should be set to <code>DO_NOT_UPGRADE</code>.
It can be enabled by destination using the <code>destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy</code> override.</p></td><td>No</td></tr><tr id=MeshConfig-inbound_cluster_stat_name><td><code>inboundClusterStatName</code></td><td><code>string</code></td><td><p>Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
network filters like TCP and Redis.
By default, Istio emits statistics with the pattern <code>inbound|&lt;port>|&lt;port-name>|&lt;service-FQDN></code>.
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td><td>No</td></tr><tr id=MeshConfig-outbound_cluster_stat_name><td><code>outboundClusterStatName</code></td><td><code>string</code></td><td><p>Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
network filters like TCP and Redis.
By default, Istio emits statistics with the pattern <code>outbound|&lt;port>|&lt;subsetname>|&lt;service-FQDN></code>.
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li><li><code>%SUBSET_NAME%</code> - Will be substituted with subset.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use <code>reviews.prod.svc.cluster.local_7443</code> as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td><td>No</td></tr><tr id=MeshConfig-thrift_config><td><code>thriftConfig</code></td><td><code><a href=#MeshConfig-ThriftConfig>ThriftConfig</a></code></td><td><p>Set configuration for Thrift protocol</p></td><td>No</td></tr><tr id=MeshConfig-enable_prometheus_merge><td><code>enablePrometheusMerge</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
and Istio agent. The sidecar injection will replace <code>prometheus.io</code> annotations present on the pod
and redirect them towards Istio agent, which will then merge metrics from the application with Istio metrics.
This relies on the <code>prometheus.io/scrape</code>, <code>prometheus.io/port</code>, and
<code>prometheus.io/path</code> annotations.
If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
In this case, it is recommended to disable aggregation on that deployment with the
<code>prometheus.istio.io/merge-metrics: "false"</code> annotation.
If not specified, this will be enabled by default.</p></td><td>No</td></tr><tr id=MeshConfig-extension_providers><td><code>extensionProviders</code></td><td><code><a href=#MeshConfig-ExtensionProvider>ExtensionProvider[]</a></code></td><td><p>Defines a list of extension providers that extend Istio&rsquo;s functionality. For example, the AuthorizationPolicy
can be used with an extension provider to delegate the authorization decision to a custom authorization system.</p></td><td>No</td></tr><tr id=MeshConfig-default_providers><td><code>defaultProviders</code></td><td><code><a href=#MeshConfig-DefaultProviders>DefaultProviders</a></code></td><td><p>Specifies extension providers to use by default in Istio configuration resources.</p></td><td>No</td></tr><tr id=MeshConfig-discovery_selectors><td><code>discoverySelectors</code></td><td><code><a href=#k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector>LabelSelector[]</a></code></td><td><p>A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
computing configuration updates for sidecars. This can be used to reduce Istio&rsquo;s computational load
by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
The following example selects any namespace that matches either below:</p><ol><li>The namespace has both of these labels: <code>env: prod</code> and <code>region: us-east1</code></li><li>The namespace has label <code>app</code> equal to <code>cassandra</code> or <code>spark</code>.</li></ol><pre><code class=language-yaml>discoverySelectors:
  - matchLabels:
      env: prod
      region: us-east1
  - matchExpressions:
    - key: app
      operator: In
      values:
        - cassandra
        - spark
</code></pre><p>Refer to the <a href=https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors>kubernetes selector docs</a>
for additional detail on selector semantics.</p></td><td>No</td></tr><tr id=MeshConfig-path_normalization><td><code>pathNormalization</code></td><td><code><a href=#MeshConfig-ProxyPathNormalization>ProxyPathNormalization</a></code></td><td><p>ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
normalized by the sidecars and gateways.
The normalized paths will be used in all aspects through the requests&rsquo; lifetime on the
sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
authorization policy match and enforcement in inbound direction (server proxy), and the URL
path proxied to the upstream service.
If not set, the NormalizationType.DEFAULT configuration will be used.</p></td><td>No</td></tr><tr id=MeshConfig-default_http_retry_policy><td><code>defaultHttpRetryPolicy</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/virtual-service/#HTTPRetry>HTTPRetry</a></code></td><td><p>Configure the default HTTP retry policy.
The default number of retry attempts is set at 2 for these errors:
&ldquo;connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes&rdquo;.
Setting the number of attempts to 0 disables retry policy globally.
This setting can be overridden on a per-host basis using the Virtual Service
API.
All settings in the retry policy except <code>perTryTimeout</code> can currently be
configured globally via this field.</p></td><td>No</td></tr><tr id=MeshConfig-mesh_mTLS><td><code>meshMTLS</code></td><td><code><a href=#MeshConfig-TLSConfig>TLSConfig</a></code></td><td><p>Configuration of mTLS for traffic between workloads within the mesh.</p></td><td>No</td></tr></tbody></table></section><h2 id=ConfigSource>ConfigSource</h2><section><p>ConfigSource describes information about a configuration store inside a
mesh. A single control plane instance can interact with one or more data
sources.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ConfigSource-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the server implementing the Istio Mesh Configuration
protocol (MCP). Can be IP address or a fully qualified DNS name.
Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
fs:/// to specify a file-based backend with absolute path to the directory.</p></td><td>No</td></tr><tr id=ConfigSource-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the tls_settings to specify the tls mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p></td><td>No</td></tr><tr id=ConfigSource-subscribed_resources><td><code>subscribedResources</code></td><td><code><a href=#Resource>Resource[]</a></code></td><td><p>Describes the source of configuration, if nothing is specified default is MCP</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-mode><td><code>mode</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy-Mode>Mode</a></code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-CertificateData>MeshConfig.CertificateData</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-CertificateData-pem class="oneof oneof-start"><td><code>pem</code></td><td><code>string (oneof)</code></td><td><p>The PEM data of the certificate.</p></td><td>No</td></tr><tr id=MeshConfig-CertificateData-spiffe_bundle_url class=oneof><td><code>spiffeBundleUrl</code></td><td><code>string (oneof)</code></td><td><p>The SPIFFE bundle endpoint URL that complies to:
<a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle>https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle</a>
The endpoint should support authentication based on Web PKI:
<a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki>https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki</a>
The certificate is retrieved from the endpoint.</p></td><td>No</td></tr><tr id=MeshConfig-CertificateData-cert_signers><td><code>certSigners</code></td><td><code>string[]</code></td><td><p>Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
when Istiod is acting as RA (registration authority).
If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.</p></td><td>No</td></tr><tr id=MeshConfig-CertificateData-trust_domains><td><code>trustDomains</code></td><td><code>string[]</code></td><td><p>Optional. Specify the list of trust domains to which this trustAnchor data belongs.
If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
and its aliases.
Note that we can have multiple trustAnchor data for the same trust_domain.
In that case, trustAnchors with the same trust domain will be merged and used together to verify peer certificates.
If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ThriftConfig>MeshConfig.ThriftConfig</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ThriftConfig-rate_limit_url><td><code>rateLimitUrl</code></td><td><code>string</code></td><td><p>Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
this will enable the rate limit service for destinations that have matching rate
limit configurations.</p></td><td>No</td></tr><tr id=MeshConfig-ThriftConfig-rate_limit_timeout><td><code>rateLimitTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Specify thrift rate limit service timeout, in milliseconds. Default is <code>50ms</code></p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-CA>MeshConfig.CA</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-CA-address><td><code>address</code></td><td><code>string</code></td><td><p>REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
Can be an IP address or a fully qualified DNS name with port.
Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000</p></td><td>No</td></tr><tr id=MeshConfig-CA-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the tls_settings to specify the tls mode to use.
Regarding tls_settings:</p><ul><li>DISABLE MODE is legitimate when Istiod is making the request via an Envoy sidecar.
DISABLE MODE can also be used for testing; in this mode Istiod itself sets up no TLS on the connection to the CA server.</li><li>TLS MUTUAL MODE be on by default. If the CA certificates
(cert bundle to verify the CA server&rsquo;s certificate) is omitted, Istiod will
use the system root certs to verify the CA server&rsquo;s certificate.</li></ul></td><td>No</td></tr><tr id=MeshConfig-CA-request_timeout><td><code>requestTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>timeout for forward CSR requests from Istiod to External CA
Default: 10s</p></td><td>No</td></tr><tr id=MeshConfig-CA-istiod_side><td><code>istiodSide</code></td><td><code>bool</code></td><td><p>Use istiod_side to specify CA Server integrate to Istiod side or Agent side
Default: true</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider>MeshConfig.ExtensionProvider</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-name><td><code>name</code></td><td><code>string</code></td><td><p>REQUIRED. A unique name identifying the extension provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_ext_authz_http class="oneof oneof-start"><td><code>envoyExtAuthzHttp</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>EnvoyExternalAuthorizationHttpProvider (oneof)</a></code></td><td><p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_ext_authz_grpc class=oneof><td><code>envoyExtAuthzGrpc</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>EnvoyExternalAuthorizationGrpcProvider (oneof)</a></code></td><td><p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-zipkin class=oneof><td><code>zipkin</code></td><td><code><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider>ZipkinTracingProvider (oneof)</a></code></td><td><p>Configures a tracing provider that uses the Zipkin API.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-lightstep class=oneof><td><code>lightstep</code></td><td><code><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider>LightstepTracingProvider (oneof)</a></code></td><td><p>Configures a Lightstep tracing provider.
Note: For Istio 1.15+, configuring this provider will result in
using an OpenTelemetryTracingProvider configured specially for
Lightstep. This is part of the Lightstep transition to OpenTelemetry.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-datadog class=oneof><td><code>datadog</code></td><td><code><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider>DatadogTracingProvider (oneof)</a></code></td><td><p>Configures a Datadog tracing provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-stackdriver class=oneof><td><code>stackdriver</code></td><td><code><a href=#MeshConfig-ExtensionProvider-StackdriverProvider>StackdriverProvider (oneof)</a></code></td><td><p>Configures a Stackdriver provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-opencensus class=oneof><td><code>opencensus</code></td><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>OpenCensusAgentTracingProvider (oneof)</a></code></td><td><p>Configures an OpenCensusAgent tracing provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-skywalking class=oneof><td><code>skywalking</code></td><td><code><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>SkyWalkingTracingProvider (oneof)</a></code></td><td><p>Configures a Apache SkyWalking provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-opentelemetry class=oneof><td><code>opentelemetry</code></td><td><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider>OpenTelemetryTracingProvider (oneof)</a></code></td><td><p>Configures an OpenTelemetry tracing provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-prometheus class=oneof><td><code>prometheus</code></td><td><code><a href=#MeshConfig-ExtensionProvider-PrometheusMetricsProvider>PrometheusMetricsProvider (oneof)</a></code></td><td><p>Configures a Prometheus metrics provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_file_access_log class=oneof><td><code>envoyFileAccessLog</code></td><td><code><a 
href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>EnvoyFileAccessLogProvider (oneof)</a></code></td><td><p>Configures an Envoy File Access Log provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_http_als class=oneof><td><code>envoyHttpAls</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>EnvoyHttpGrpcV3LogProvider (oneof)</a></code></td><td><p>Configures an Envoy Access Logging Service provider for HTTP traffic.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_tcp_als class=oneof><td><code>envoyTcpAls</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>EnvoyTcpGrpcV3LogProvider (oneof)</a></code></td><td><p>Configures an Envoy Access Logging Service provider for TCP traffic.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_otel_als class=oneof><td><code>envoyOtelAls</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>EnvoyOpenTelemetryLogProvider (oneof)</a></code></td><td><p>Configures an Envoy Open Telemetry Access Logging Service provider.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-DefaultProviders>MeshConfig.DefaultProviders</h2><section><p>Holds the name references to the providers that will be used by default
in other Istio configuration resources if the provider is not specified.</p><p>These names must match a provider defined in <code>extension_providers</code> that is
one of the supported tracing providers.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-DefaultProviders-tracing><td><code>tracing</code></td><td><code>string[]</code></td><td><p>Name of the default provider(s) for tracing.</p></td><td>No</td></tr><tr id=MeshConfig-DefaultProviders-metrics><td><code>metrics</code></td><td><code>string[]</code></td><td><p>Name of the default provider(s) for metrics.</p></td><td>No</td></tr><tr id=MeshConfig-DefaultProviders-access_logging><td><code>accessLogging</code></td><td><code>string[]</code></td><td><p>Name of the default provider(s) for access logging.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ProxyPathNormalization>MeshConfig.ProxyPathNormalization</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ProxyPathNormalization-normalization><td><code>normalization</code></td><td><code><a href=#MeshConfig-ProxyPathNormalization-NormalizationType>NormalizationType</a></code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-TLSConfig>MeshConfig.TLSConfig</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-TLSConfig-min_protocol_version><td><code>minProtocolVersion</code></td><td><code><a href=#MeshConfig-TLSConfig-TLSProtocol>TLSProtocol</a></code></td><td><p>Optional: the minimum TLS protocol version. The default minimum
TLS version will be TLS 1.2. As servers may not be Envoy and be
set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
minimum TLS version for clients may also be TLS 1.2.
In the current Istio implementation, the maximum TLS protocol version
is TLS 1.3.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ServiceSettings-Settings>MeshConfig.ServiceSettings.Settings</h2><section><p>Settings for the selected services.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ServiceSettings-Settings-cluster_local><td><code>clusterLocal</code></td><td><code>bool</code></td><td><p>If true, specifies that the client and service endpoints must reside in the same cluster.
By default, in multi-cluster deployments, the Istio control plane assumes all service
endpoints to be reachable from any client in any of the clusters which are part of the
mesh. This configuration option limits the set of service endpoints visible to a client
to be cluster scoped.</p><p>There are some common scenarios when this can be useful:</p><ul><li>A service (or group of services) is inherently local to the cluster and has local storage
for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).</li><li>A mesh administrator wants to slowly migrate services to Istio. They might start by first
having services cluster-local and then slowly transition them to mesh-wide. They could do
this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
(e.g. *.myns.svc.cluster.local).</li></ul><p>By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
services in the kube-system namespace to be cluster-local, unless explicitly overridden here.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-max_request_bytes><td><code>maxRequestBytes</code></td><td><code>uint32</code></td><td><p>Sets the maximum size of a message body that the ext-authz filter will hold in memory.
If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
Otherwise the request will be sent to the provider with a partial message.
Note that this setting takes precedence over the fail_open field: the 413 will be returned even when
fail_open is set to true.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-allow_partial_message><td><code>allowPartialMessage</code></td><td><code>bool</code></td><td><p>When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
The authorization request will be dispatched with the body buffered so far, and no 413 HTTP error will be returned by the filter.
An &ldquo;x-envoy-auth-partial-body: false|true&rdquo; metadata header will be added to the authorization request message
indicating if the body data is partial.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-pack_as_bytes><td><code>packAsBytes</code></td><td><code>bool</code></td><td><p>If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
in the raw_body field (<a href=https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153>https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153</a>).
Otherwise, it will be filled with a UTF-8 string in the body field (<a href=https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147>https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147</a>).
This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;my-ext-authz.foo.svc.cluster.local&rdquo; or &ldquo;bar/my-ext-authz.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-timeout><td><code>timeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
When this timeout condition is met, the proxy marks the communication to the authorization service as a failure.
In this situation, the response sent back to the client will depend on the configured <code>fail_open</code> field.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-path_prefix><td><code>pathPrefix</code></td><td><code>string</code></td><td><p>Sets a prefix to the value of authorization request header <em>Path</em>.
For example, setting this to &ldquo;/check&rdquo; for an original user request at path &ldquo;/admin&rdquo; will cause the
authorization check request to be sent to the authorization service at the path &ldquo;/check/admin&rdquo; instead of &ldquo;/admin&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-fail_open><td><code>failOpen</code></td><td><code>bool</code></td><td><p>If true, the user request will be allowed even if the communication with the authorization service has failed,
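or if the authorization service has returned an HTTP 5xx error.
In that mode an unreachable or failing authorization service no longer blocks traffic, so requests proceed without an authorization decision.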
Default is false and the request will be rejected with &ldquo;Forbidden&rdquo; response.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-status_on_error><td><code>statusOnError</code></td><td><code>string</code></td><td><p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
The default status is &ldquo;403&rdquo; (HTTP Forbidden).</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_headers_in_check><td><code>includeHeadersInCheck</code></td><td><code>string[]</code></td><td><p>DEPRECATED. Use include_request_headers_in_check instead.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_headers_in_check><td><code>includeRequestHeadersInCheck</code></td><td><code>string[]</code></td><td><p>List of client request headers that should be included in the authorization request sent to the authorization service.
Note that in addition to the headers specified here, the following headers are included by default:</p><ol><li><em>Host</em>, <em>Method</em>, <em>Path</em> and <em>Content-Length</em> are automatically sent.</li><li><em>Content-Length</em> will be set to 0 and the request will not have a message body. However, the authorization
request can include the buffered client request body (controlled by include_request_body_in_check setting),
consequently the value of Content-Length of the authorization request reflects the size of its payload.</li></ol><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li><li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li><li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_additional_headers_in_check><td><code>includeAdditionalHeadersInCheck</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
Key is the header name and value is the header value.
Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_body_in_check><td><code>includeRequestBodyInCheck</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a></code></td><td><p>If set, the client request body will be included in the authorization request sent to the authorization service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_upstream_on_allow><td><code>headersToUpstreamOnAllow</code></td><td><code>string[]</code></td><td><p>List of headers from the authorization service that should be added or overridden in the original request and
forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
If not specified, the original request will not be modified and will be forwarded to the backend as-is.
Note, any existing headers will be overridden.</p><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li><li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li><li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_deny><td><code>headersToDownstreamOnDeny</code></td><td><code>string[]</code></td><td><p>List of headers from the authorization service that should be forwarded to downstream when the authorization
check result is not allowed (HTTP code other than 200).
If not specified, all the authorization response headers, except <em>Authority (Host)</em> will be in the response to
the downstream.
When a header is included in this list, <em>Path</em>, <em>Status</em>, <em>Content-Length</em>, <em>WWWAuthenticate</em> and <em>Location</em> are
automatically added.
Note, the body from the authorization service is always included in the response to downstream.</p><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li><li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li><li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_allow><td><code>headersToDownstreamOnAllow</code></td><td><code>string[]</code></td><td><p>List of headers from the authorization service that should be forwarded to downstream when the authorization
check result is allowed (HTTP code 200).
If not specified, the original response will not be modified and will be forwarded to downstream as-is.
Note, any existing headers will be overridden.</p><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li><li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li><li>Suffix match: &ldquo;*abc&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;xabc&rdquo;.</li></ul></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;my-ext-authz.foo.svc.cluster.local&rdquo; or &ldquo;bar/my-ext-authz.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-timeout><td><code>timeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
When this timeout condition is met, the proxy marks the communication to the authorization service as a failure.
In this situation, the response sent back to the client will depend on the configured <code>fail_open</code> field.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-fail_open><td><code>failOpen</code></td><td><code>bool</code></td><td><p>If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
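or if the authorization service has returned an HTTP 5xx error.
With this enabled, a failing or unreachable authorization service means the request or connection is admitted without an authorization decision.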
Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-status_on_error><td><code>statusOnError</code></td><td><code>string</code></td><td><p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
The default status is &ldquo;403&rdquo; (HTTP Forbidden).</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-include_request_body_in_check><td><code>includeRequestBodyInCheck</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a></code></td><td><p>If set, the client request body will be included in the authorization request sent to the authorization service.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-ZipkinTracingProvider>MeshConfig.ExtensionProvider.ZipkinTracingProvider</h2><section><p>Defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Zipkin API.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;zipkin.default.svc.cluster.local&rdquo; or &ldquo;bar/zipkin.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-LightstepTracingProvider>MeshConfig.ExtensionProvider.LightstepTracingProvider</h2><section><p>Defines configuration for a Lightstep tracer.
Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
will generate OpenTelemetry-compatible configuration when using this option.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the Lightstep collector.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;lightstep.default.svc.cluster.local&rdquo; or &ldquo;bar/lightstep.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-access_token><td><code>accessToken</code></td><td><code>string</code></td><td><p>The Lightstep access token.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-DatadogTracingProvider>MeshConfig.ExtensionProvider.DatadogTracingProvider</h2><section><p>Defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the Datadog agent.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;datadog.default.svc.cluster.local&rdquo; or &ldquo;bar/datadog.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>MeshConfig.ExtensionProvider.SkyWalkingTracingProvider</h2><section><p>Defines configuration for a SkyWalking tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the SkyWalking receiver.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;skywalking.default.svc.cluster.local&rdquo; or &ldquo;bar/skywalking.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-access_token><td><code>accessToken</code></td><td><code>string</code></td><td><p>Optional. The SkyWalking OAP access token.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-StackdriverProvider>MeshConfig.ExtensionProvider.StackdriverProvider</h2><section><p>Defines configuration for Stackdriver.</p><p>WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
driver in Envoy.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-logging><td><code>logging</code></td><td><code><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-Logging>Logging</a></code></td><td><p>Optional. Controls Stackdriver logging behavior.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider</h2><section><p>Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.</p><p>WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
OpenCensus providers CANNOT be changed during the course of proxy&rsquo;s lifetime due to a limitation
in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
configuration MUST be accompanied by a restart of all proxies that will use that configuration.</p><p>NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
alongside OpenCensus provider configuration.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the OpenCensusAgent.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;ocagent.default.svc.cluster.local&rdquo; or &ldquo;bar/ocagent.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-context><td><code>context</code></td><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>TraceContext[]</a></code></td><td><p>Specifies the set of context propagation headers used for distributed
tracing. Default is <code>["W3C_TRACE_CONTEXT"]</code>. If multiple values are specified,
the proxy will attempt to read each header for each request and will
write all headers.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-PrometheusMetricsProvider>MeshConfig.ExtensionProvider.PrometheusMetricsProvider</h2><section></section><h2 id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider</h2><section><p>Defines configuration for Envoy-based access logging that writes to
local files (and/or standard streams).</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-path><td><code>path</code></td><td><code>string</code></td><td><p>Path to a local file to write the access log entries.
This may be used to write to streams, via <code>/dev/stderr</code> and <code>/dev/stdout</code>.
If unspecified, defaults to <code>/dev/stdout</code>.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-log_format><td><code>logFormat</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>LogFormat</a></code></td><td><p>Optional. Allows overriding of the default access log format.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider</h2><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als>Access Logging Service</a>
integration for HTTP traffic.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy gRPC Access Log Service (ALS).
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;envoy-als.foo.svc.cluster.local&rdquo; or &ldquo;bar/envoy-als.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-log_name><td><code>logName</code></td><td><code>string</code></td><td><p>Optional. The friendly name of the access log.
Defaults:</p><ul><li>&ldquo;http_envoy_accesslog&rdquo;</li><li>&ldquo;listener_envoy_accesslog&rdquo;</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-filter_state_objects_to_log><td><code>filterStateObjectsToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional filter state objects to log.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_request_headers_to_log><td><code>additionalRequestHeadersToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional request headers to log. Headers such as <code>Authorization</code> or <code>Cookie</code> carry credentials; listing them here sends their values to the log receiver.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_headers_to_log><td><code>additionalResponseHeadersToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional response headers to log. The same care applies to <code>Set-Cookie</code>, which carries session tokens.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_trailers_to_log><td><code>additionalResponseTrailersToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional response trailers to log.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider</h2><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als>Access Logging Service</a>
integration for TCP traffic.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy gRPC Access Log Service (ALS).
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;envoy-als.foo.svc.cluster.local&rdquo; or &ldquo;bar/envoy-als.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-log_name><td><code>logName</code></td><td><code>string</code></td><td><p>Optional. The friendly name of the access log.
Defaults:</p><ul><li>&ldquo;tcp_envoy_accesslog&rdquo;</li><li>&ldquo;listener_envoy_accesslog&rdquo;</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-filter_state_objects_to_log><td><code>filterStateObjectsToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional filter state objects to log.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider</h2><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>OpenTelemetry (gRPC) Access Log</a></p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
The format is <code>[&lt;Namespace>/]&lt;Hostname></code>. The specification of <code>&lt;Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: &ldquo;envoy-als.foo.svc.cluster.local&rdquo; or &ldquo;bar/envoy-als.example.com&rdquo;.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_name><td><code>logName</code></td><td><code>string</code></td><td><p>Optional. The friendly name of the access log.
Defaults:</p><ul><li>&ldquo;otel_envoy_accesslog&rdquo;</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_format><td><code>logFormat</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>LogFormat</a></code></td><td><p>Optional. Format for the proxy access log
Empty value results in proxy&rsquo;s default access log format, following Envoy access logging formatting.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-StackdriverProvider-Logging>MeshConfig.ExtensionProvider.StackdriverProvider.Logging</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-Logging-labels><td><code>labels</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>Collection of tag names and tag expressions to include in the log
entry. Conflicts are resolved by the tag name by overriding previously
supplied values.</p><p>Example:
labels:
path: request.url_path
foo: request.headers[&lsquo;x-foo&rsquo;]</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-text class="oneof oneof-start"><td><code>text</code></td><td><code>string (oneof)</code></td><td><p>Textual format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a> may be
used in the format. The <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings>format string documentation</a>
provides more information.</p><p>NOTE: Istio will insert a newline (&rsquo;\n&rsquo;) on all formats (if missing).</p><p>Example: <code>text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"</code></p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-labels class=oneof><td><code>labels</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>Struct (oneof)</a></code></td><td><p>JSON structured format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries>format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. <code>FILTER_STATE</code> or <code>DYNAMIC_METADATA</code>).
Use <code>labels: {}</code> for default envoy JSON log format.</p><p>Example:</p><pre><code>labels:
  status: &quot;%RESPONSE_CODE%&quot;
  message: &quot;%LOCAL_REPLY_BODY%&quot;
</code></pre></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-text><td><code>text</code></td><td><code>string</code></td><td><p>Textual format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a> may be
used in the format. The <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings>format string documentation</a>
provides more information.
Alias to <code>body</code> field in <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>Open Telemetry</a>.
Example: <code>text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"</code></p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-labels><td><code>labels</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>Struct</a></code></td><td><p>Optional. Additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries>format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
Alias to <code>attributes</code> field in <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>Open Telemetry</a>.</p><p>Example:</p><pre><code>labels:
  status: &quot;%RESPONSE_CODE%&quot;
  message: &quot;%LOCAL_REPLY_BODY%&quot;
</code></pre></td><td>No</td></tr></tbody></table></section><h2 id=k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector>k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector</h2><section><p>A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
+structType=atomic</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector-matchLabels><td><code>matchLabels</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is &ldquo;key&rdquo;, the
operator is &ldquo;In&rdquo;, and the values array contains only &ldquo;value&rdquo;. The requirements are ANDed.
+optional</p></td><td>No</td></tr><tr id=k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector-matchExpressions><td><code>matchExpressions</code></td><td><code><a href=#k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelectorRequirement>LabelSelectorRequirement[]</a></code></td><td><p>matchExpressions is a list of label selector requirements. The requirements are ANDed.
+optional</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing>Tracing</h2><section><p>Tracing defines configuration for the tracing performed by Envoy instances.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-zipkin class="oneof oneof-start"><td><code>zipkin</code></td><td><code><a href=#Tracing-Zipkin>Zipkin (oneof)</a></code></td><td><p>Use a Zipkin tracer.</p></td><td>No</td></tr><tr id=Tracing-lightstep class=oneof><td><code>lightstep</code></td><td><code><a href=#Tracing-Lightstep>Lightstep (oneof)</a></code></td><td><p>Use a Lightstep tracer.
NOTE: For Istio 1.15+, this configuration option will result
in using OpenTelemetry-based Lightstep integration.</p></td><td>No</td></tr><tr id=Tracing-datadog class=oneof><td><code>datadog</code></td><td><code><a href=#Tracing-Datadog>Datadog (oneof)</a></code></td><td><p>Use a Datadog tracer.</p></td><td>No</td></tr><tr id=Tracing-stackdriver class=oneof><td><code>stackdriver</code></td><td><code><a href=#Tracing-Stackdriver>Stackdriver (oneof)</a></code></td><td><p>Use a Stackdriver tracer.</p></td><td>No</td></tr><tr id=Tracing-open_census_agent class=oneof><td><code>openCensusAgent</code></td><td><code><a href=#Tracing-OpenCensusAgent>OpenCensusAgent (oneof)</a></code></td><td><p>Use an OpenCensus tracer exporting to an OpenCensus agent.</p></td><td>No</td></tr><tr id=Tracing-sampling><td><code>sampling</code></td><td><code>double</code></td><td><p>The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
if not requested by the client or not forced. Default is 1.0.</p></td><td>No</td></tr><tr id=Tracing-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the tls_settings to specify the tls mode to use. If the remote tracing service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p></td><td>No</td></tr></tbody></table></section><h2 id=PrivateKeyProvider>PrivateKeyProvider</h2><section><p>PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
mesh-wide or on an individual per-workload basis.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=PrivateKeyProvider-cryptomb class="oneof oneof-start"><td><code>cryptomb</code></td><td><code><a href=#PrivateKeyProvider-CryptoMb>CryptoMb (oneof)</a></code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=ProxyConfig>ProxyConfig</h2><section><p>ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
as well as by the mesh-wide defaults.
To set the mesh wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p><pre><code>meshConfig:
  defaultConfig:
    discoveryAddress: istiod:15012
</code></pre><p>This can also be configured on a per-workload basis by configuring the <code>proxy.istio.io/config</code> annotation on the pod. For example:</p><pre><code>annotations:
  proxy.istio.io/config: |
    discoveryAddress: istiod:15012
</code></pre><p>If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
This is different than a deep merge provided by protobuf.
For example, <code>"tracing": { "sampling": 5 }</code> would completely override a setting configuring a tracing provider
such as <code>"tracing": { "zipkin": { "address": "..." } }</code>.</p><p>Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ProxyConfig-config_path><td><code>configPath</code></td><td><code>string</code></td><td><p>Path to the generated configuration file directory.
Proxy agent generates the actual configuration and stores it in this directory.</p></td><td>No</td></tr><tr id=ProxyConfig-binary_path><td><code>binaryPath</code></td><td><code>string</code></td><td><p>Path to the proxy binary</p></td><td>No</td></tr><tr id=ProxyConfig-service_cluster class="oneof oneof-start"><td><code>serviceCluster</code></td><td><code>string (oneof)</code></td><td><p>Service cluster defines the name for the <code>service_cluster</code> that is
shared by all Envoy instances. This setting corresponds to
<code>--service-cluster</code> flag in Envoy. In a typical Envoy deployment, the
<code>service-cluster</code> flag is used to identify the caller, for
source-based routing scenarios.</p><p>Since Istio does not assign a local <code>service/service</code> version to each
Envoy instance, the name is same for all of them. However, the
source/caller&rsquo;s identity (e.g., IP address) is encoded in the
<code>--service-node</code> flag when launching Envoy. When the RDS service
receives API calls from Envoy, it uses the value of the <code>service-node</code>
flag to compute routes that are relative to the service instances
located at that IP address.</p></td><td>No</td></tr><tr id=ProxyConfig-tracing_service_name class=oneof><td><code>tracingServiceName</code></td><td><code><a href=#ProxyConfig-TracingServiceName>TracingServiceName (oneof)</a></code></td><td><p>Used by Envoy proxies to assign the values for the service names in trace
spans.</p></td><td>No</td></tr><tr id=ProxyConfig-drain_duration><td><code>drainDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The time in seconds that Envoy will drain connections during a hot
restart. MUST be >=1s (e.g., <em>1s/1m/1h</em>)
Default drain duration is <code>45s</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-parent_shutdown_duration><td><code>parentShutdownDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The time in seconds that Envoy will wait before shutting down the
parent process during a hot restart. MUST be >=1s (e.g., <code>1s/1m/1h</code>).
MUST BE greater than <code>drain_duration</code> parameter.
Default shutdown duration is <code>60s</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-discovery_address><td><code>discoveryAddress</code></td><td><code>string</code></td><td><p>Address of the discovery service exposing xDS with mTLS connection.
The inject configuration may override this value.</p></td><td>No</td></tr><tr id=ProxyConfig-statsd_udp_address><td><code>statsdUdpAddress</code></td><td><code>string</code></td><td><p>IP Address and Port of a statsd UDP listener (e.g. <code>10.75.241.127:9125</code>).</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_admin_port><td><code>proxyAdminPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for administrative commands.
Default port is <code>15000</code>. The Envoy admin interface has no authentication of its own and can alter or stop the proxy, so keep this port reachable only from inside the workload.</p></td><td>No</td></tr><tr id=ProxyConfig-control_plane_auth_policy><td><code>controlPlaneAuthPolicy</code></td><td><code><a href=#AuthenticationPolicy>AuthenticationPolicy</a></code></td><td><p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
Default is set to <code>MUTUAL_TLS</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-custom_config_file><td><code>customConfigFile</code></td><td><code>string</code></td><td><p>File path of custom proxy configuration, currently used by proxies
in front of Mixer and Pilot.</p></td><td>No</td></tr><tr id=ProxyConfig-stat_name_length><td><code>statNameLength</code></td><td><code>int32</code></td><td><p>Maximum length of name field in Envoy&rsquo;s metrics. The length of the name field
is determined by the length of a name field in a service and the set of labels that
comprise a particular version of the service. The default value is set to 189 characters.
Envoy&rsquo;s internal metrics take up 67 characters, for a total of 256 character name per metric.
Increase the value of this field if you find that the metrics from Envoys are truncated.</p></td><td>No</td></tr><tr id=ProxyConfig-concurrency><td><code>concurrency</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value>Int32Value</a></code></td><td><p>The number of worker threads to run.
If unset, this will be automatically determined based on CPU requests/limits.
If set to 0, all cores on the machine will be used.
Default is 2 worker threads.</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_bootstrap_template_path><td><code>proxyBootstrapTemplatePath</code></td><td><code>string</code></td><td><p>Path to the proxy bootstrap template file</p></td><td>No</td></tr><tr id=ProxyConfig-interception_mode><td><code>interceptionMode</code></td><td><code><a href=#ProxyConfig-InboundInterceptionMode>InboundInterceptionMode</a></code></td><td><p>The mode used to redirect inbound traffic to Envoy.</p></td><td>No</td></tr><tr id=ProxyConfig-tracing><td><code>tracing</code></td><td><code><a href=#Tracing>Tracing</a></code></td><td><p>Tracing configuration to be used by the proxy.</p></td><td>No</td></tr><tr id=ProxyConfig-envoy_access_log_service><td><code>envoyAccessLogService</code></td><td><code><a href=#RemoteService>RemoteService</a></code></td><td><p>Address of the service to which access logs from Envoys should be
sent. (e.g. <code>accesslog-service:15000</code>). See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto>Access Log
Service</a>
for details about Envoy&rsquo;s gRPC Access Log Service API.</p></td><td>No</td></tr><tr id=ProxyConfig-envoy_metrics_service><td><code>envoyMetricsService</code></td><td><code><a href=#RemoteService>RemoteService</a></code></td><td><p>Address of the Envoy Metrics Service implementation (e.g. <code>metrics-service:15000</code>).
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto>Metric Service</a>
for details about Envoy&rsquo;s Metrics Service API.</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_metadata><td><code>proxyMetadata</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>Additional environment variables for the proxy.
Names starting with <code>ISTIO_META_</code> will be included in the generated bootstrap and sent to the XDS server. Do not store secrets in these values: they are set through mesh config or pod annotations and, for <code>ISTIO_META_</code> names, leave the pod.</p></td><td>No</td></tr><tr id=ProxyConfig-runtime_values><td><code>runtimeValues</code></td><td><code>map&lt;string,&nbsp;string></code></td><td><p>Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime>runtime configuration</a> to set during bootstrapping.
This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.</p></td><td>No</td></tr><tr id=ProxyConfig-status_port><td><code>statusPort</code></td><td><code>int32</code></td><td><p>Port on which the agent should listen for administrative commands such as readiness probe.
Default is set to port <code>15020</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-extra_stat_tags><td><code>extraStatTags</code></td><td><code>string[]</code></td><td><p>An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
added by configuring the telemetry extension. Each additional tag needs to be present in this list.
Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
and exposed as Prometheus metrics.</p></td><td>No</td></tr><tr id=ProxyConfig-termination_drain_duration><td><code>terminationDrainDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The amount of time allowed for connections to complete on proxy shutdown.
On receiving <code>SIGTERM</code> or <code>SIGINT</code>, <code>istio-agent</code> tells the active Envoy to start draining,
preventing any new connections and allowing existing connections to complete. It then
sleeps for the <code>termination_drain_duration</code> and then kills any remaining active Envoy processes.
If not set, a default of <code>5s</code> will be applied.</p></td><td>No</td></tr><tr id=ProxyConfig-mesh_id><td><code>meshId</code></td><td><code>string</code></td><td><p>The unique identifier for the <a href=/v1.16/zh/docs/reference/glossary/#service-mesh>service mesh</a>
All control planes running in the same service mesh should specify the same mesh ID.
Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.</p></td><td>No</td></tr><tr id=ProxyConfig-readiness_probe><td><code>readinessProbe</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/workload-group/#ReadinessProbe>ReadinessProbe</a></code></td><td><p>VM Health Checking readiness probe. This health check config exactly mirrors the
kubernetes readiness probe configuration both in schema and logic.
Only one health check method of 3 can be set at a time.</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_stats_matcher><td><code>proxyStatsMatcher</code></td><td><code><a href=#ProxyConfig-ProxyStatsMatcher>ProxyStatsMatcher</a></code></td><td><p>Proxy stats matcher defines configuration for reporting custom Envoy stats.
To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
default create and expose only a subset of Envoy stats. This option is to
control creation of additional Envoy stats with prefix, suffix, and regex
expressions match on the name of the stats. This replaces the stats
inclusion annotations
(<code>sidecar.istio.io/statsInclusionPrefixes</code>,
<code>sidecar.istio.io/statsInclusionRegexps</code>, and
<code>sidecar.istio.io/statsInclusionSuffixes</code>). For example, to enable stats
for circuit breakers, request retries, upstream connections, and request timeouts,
you can specify stats matcher as follows:</p><pre><code class=language-yaml>proxyStatsMatcher:
  inclusionRegexps:
    - .*outlier_detection.*
    - .*upstream_rq_retry.*
    - .*upstream_cx_.*
  inclusionSuffixes:
    - upstream_rq_timeout
</code></pre><p>Note: including more Envoy stats might significantly increase the number of time series
collected by Prometheus. Care needs to be taken on Prometheus
resource provision and configuration to reduce cardinality.</p></td><td>No</td></tr><tr id=ProxyConfig-hold_application_until_proxy_starts><td><code>holdApplicationUntilProxyStarts</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
This feature adds hooks to delay application startup until the pod proxy
is ready to accept traffic, mitigating some startup race conditions.
Default value is &lsquo;false&rsquo;.</p></td><td>No</td></tr><tr id=ProxyConfig-ca_certificates_pem><td><code>caCertificatesPem</code></td><td><code>string[]</code></td><td><p>The PEM data of the extra root certificates for workload-to-workload communication.
This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
The plugin certificates (the &lsquo;cacerts&rsquo; secret), self-signed certificates (the &lsquo;istio-ca-secret&rsquo; secret)
are added automatically by Istiod.</p></td><td>No</td></tr><tr id=ProxyConfig-image><td><code>image</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/proxy-config/#ProxyImage>ProxyImage</a></code></td><td><p>Specifies the details of the proxy image.</p></td><td>No</td></tr><tr id=ProxyConfig-private_key_provider><td><code>privateKeyProvider</code></td><td><code><a href=#PrivateKeyProvider>PrivateKeyProvider</a></code></td><td><p>Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.</p></td><td>No</td></tr><tr id=ProxyConfig-zipkin_address class=deprecated><td><code>zipkinAddress</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).
DEPRECATED: Use <a href=#ProxyConfig-tracing>tracing</a> instead.</p></td><td>No</td></tr></tbody></table></section><h2 id=RemoteService>RemoteService</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=RemoteService-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of a remote service used for various purposes (access log
receiver, metrics receiver, etc.). Can be IP address or a fully
qualified DNS name.</p></td><td>No</td></tr><tr id=RemoteService-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the <code>tls_settings</code> to specify the tls mode to use. If the remote service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p></td><td>No</td></tr><tr id=RemoteService-tcp_keepalive><td><code>tcpKeepalive</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></code></td><td><p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Zipkin>Tracing.Zipkin</h2><section><p>Zipkin defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-Zipkin-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Datadog>Tracing.Datadog</h2><section><p>Datadog defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-Datadog-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Datadog Agent.</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Stackdriver>Tracing.Stackdriver</h2><section><p>Stackdriver defines configuration for a Stackdriver tracer.
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto>Envoy&rsquo;s OpenCensus trace configuration</a>
and
<a href=https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto>OpenCensus trace config</a> for details.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody></tbody></table></section><h2 id=Tracing-OpenCensusAgent>Tracing.OpenCensusAgent</h2><section><p>OpenCensusAgent defines configuration for an OpenCensus tracer writing to
an OpenCensus agent backend. See
<a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto>Envoy&rsquo;s OpenCensus trace configuration</a>
and
<a href=https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto>OpenCensus trace config</a>
for details.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-OpenCensusAgent-address><td><code>address</code></td><td><code>string</code></td><td><p>gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
unix:path). See <a href=https://github.com/grpc/grpc/blob/master/doc/naming.md>gRPC naming
docs</a> for
details.</p></td><td>No</td></tr><tr id=Tracing-OpenCensusAgent-context><td><code>context</code></td><td><code><a href=#Tracing-OpenCensusAgent-TraceContext>TraceContext[]</a></code></td><td><p>Specifies the set of context propagation headers used for distributed
tracing. Default is <code>["W3C_TRACE_CONTEXT"]</code>. If multiple values are specified,
the proxy will attempt to read each header for each request and will
write all headers.</p></td><td>No</td></tr></tbody></table></section><h2 id=PrivateKeyProvider-CryptoMb>PrivateKeyProvider.CryptoMb</h2><section><p>CryptoMb PrivateKeyProvider configuration</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=PrivateKeyProvider-CryptoMb-poll_delay><td><code>pollDelay</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>How long to wait until the per-thread processing queue should be processed. If the processing queue
gets full (eight sign or decrypt requests are received) it is processed immediately.
However, if the queue is not filled before the delay has expired, the requests already in the queue
are processed, even if the queue is not full.
In effect, this value controls the balance between latency and throughput.
The duration needs to be set to a non-zero value.</p></td><td>No</td></tr></tbody></table></section><h2 id=ProxyConfig-ProxyStatsMatcher>ProxyConfig.ProxyStatsMatcher</h2><section><p>Proxy stats name matchers for stats creation. Note this is in addition to
the minimum Envoy stats that Istio generates by default.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_prefixes><td><code>inclusionPrefixes</code></td><td><code>string[]</code></td><td><p>Proxy stats name prefix matcher for inclusion.</p></td><td>No</td></tr><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_suffixes><td><code>inclusionSuffixes</code></td><td><code>string[]</code></td><td><p>Proxy stats name suffix matcher for inclusion.</p></td><td>No</td></tr><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_regexps><td><code>inclusionRegexps</code></td><td><code>string[]</code></td><td><p>Proxy stats name regexps matcher for inclusion.</p></td><td>No</td></tr></tbody></table></section><h2 id=Network>Network</h2><section><p>Network provides information about the endpoints in a routable L3
network. A single routable L3 network can have one or more service
registries. Note that the network has no relation to the locality of the
endpoint. The endpoint locality will be obtained from the service
registry.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-endpoints><td><code>endpoints</code></td><td><code><a href=#Network-NetworkEndpoints>NetworkEndpoints[]</a></code></td><td><p>The list of endpoints in the network (obtained through the
constituent service registries or from CIDR ranges). All endpoints in
the network are directly accessible to one another.</p></td><td>Yes</td></tr><tr id=Network-gateways><td><code>gateways</code></td><td><code><a href=#Network-IstioNetworkGateway>IstioNetworkGateway[]</a></code></td><td><p>Set of gateways associated with the network.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=MeshNetworks>MeshNetworks</h2><section><p>MeshNetworks (config map) provides information about the set of networks
inside a mesh and how to route to endpoints in each network. For example</p><p>MeshNetworks(file/config map):</p><pre><code class=language-yaml>networks:
  network1:
    endpoints:
    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    - fromCidr: 192.168.100.0/22 #a VM network for example
    gateways:
    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
      port: 15443
      locality: us-east-1a
    - address: 192.168.100.1
      port: 15443
      locality: us-east-1a
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshNetworks-networks><td><code>networks</code></td><td><code>map&lt;string,&nbsp;<a href=#Network>Network</a>></code></td><td><p>The set of networks inside this mesh. Each network should
have a unique name and information about how to infer the endpoints in
the network as well as the gateways associated with the network.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=Network-NetworkEndpoints>Network.NetworkEndpoints</h2><section><p>NetworkEndpoints describes how the network associated with an endpoint
should be inferred. An endpoint will be assigned to a network based on
the following rules:</p><ol><li><p>Implicitly: If the registry explicitly provides information about
the network to which the endpoint belongs. In some cases, it's
possible to indicate the network associated with the endpoint by
adding the <code>ISTIO_META_NETWORK</code> environment variable to the sidecar.</p></li><li><p>Explicitly:</p><p>a. By matching the registry name with one of the &ldquo;fromRegistry&rdquo;
in the mesh config. A &ldquo;from_registry&rdquo; can only be assigned to a
single network.</p><p>b. By matching the IP against one of the CIDR ranges in a mesh
config network. The CIDR ranges must not overlap, and each must be assigned to
a single network.</p></li></ol><p>(2) will override (1) if both are present.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-NetworkEndpoints-from_cidr class="oneof oneof-start"><td><code>fromCidr</code></td><td><code>string (oneof)</code></td><td><p>A CIDR range for the set of endpoints in this network. The CIDR
ranges for endpoints from different networks must not overlap.</p></td><td>No</td></tr><tr id=Network-NetworkEndpoints-from_registry class=oneof><td><code>fromRegistry</code></td><td><code>string (oneof)</code></td><td><p>Add all endpoints from the specified registry into this network.
The names of the registries should correspond to the kubeconfig file name
inside the secret that was used to configure the registry (Kubernetes
multicluster) or supplied by MCP server.</p></td><td>No</td></tr></tbody></table></section><h2 id=Network-IstioNetworkGateway>Network.IstioNetworkGateway</h2><section><p>The gateway associated with this network. Traffic from remote networks
will arrive at the specified gateway:port. All incoming traffic must
use mTLS.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-IstioNetworkGateway-registry_service_name class="oneof oneof-start"><td><code>registryServiceName</code></td><td><code>string (oneof)</code></td><td><p>A fully qualified domain name of the gateway service. Pilot will
look up the service from the service registries in the network and
obtain the endpoint IPs of the gateway from the service
registry. Note that while the service name is a fully qualified
domain name, it need not be resolvable outside the orchestration
platform for the registry. e.g., this could be
istio-ingressgateway.istio-system.svc.cluster.local.</p></td><td>No</td></tr><tr id=Network-IstioNetworkGateway-address class=oneof><td><code>address</code></td><td><code>string (oneof)</code></td><td><p>IP address or externally resolvable DNS address associated with the gateway.</p></td><td>No</td></tr><tr id=Network-IstioNetworkGateway-port><td><code>port</code></td><td><code>uint32</code></td><td><p>The port associated with the gateway.</p></td><td>Yes</td></tr><tr id=Network-IstioNetworkGateway-locality><td><code>locality</code></td><td><code>string</code></td><td><p>The locality associated with an explicitly specified gateway (i.e. ip)</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY><td><code>REGISTRY_ONLY</code></td><td><p>outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries</p></td></tr><tr id=MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY><td><code>ALLOW_ANY</code></td><td><p>outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port</p></td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext</h2><section><p>TraceContext selects the context propagation headers used for
distributed tracing.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-W3C_TRACE_CONTEXT><td><code>W3C_TRACE_CONTEXT</code></td><td><p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
See the
<a href=https://www.w3.org/TR/trace-context/>Trace Context documentation</a> for details.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-GRPC_BIN><td><code>GRPC_BIN</code></td><td><p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-CLOUD_TRACE_CONTEXT><td><code>CLOUD_TRACE_CONTEXT</code></td><td><p>Use Cloud Trace context propagation using the
<code>X-Cloud-Trace-Context</code> http header.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-B3><td><code>B3</code></td><td><p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
<a href=https://github.com/openzipkin/b3-propagation>B3 header propagation README</a>
for details.</p></td></tr></tbody></table></section><h2 id=MeshConfig-ProxyPathNormalization-NormalizationType>MeshConfig.ProxyPathNormalization.NormalizationType</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-DEFAULT><td><code>DEFAULT</code></td><td><p>Apply default normalizations. Currently, this is BASE.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-NONE><td><code>NONE</code></td><td><p>No normalization; paths are used as is. Path-based authorization rules then match the raw request path, which may differ from the path a backend derives after its own normalization.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-BASE><td><code>BASE</code></td><td><p>Normalize according to <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a>.
For Envoy proxies, this is the <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html><code>normalize_path</code></a> option.
For example, <code>/a/../b</code> normalizes to <code>/b</code>.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-MERGE_SLASHES><td><code>MERGE_SLASHES</code></td><td><p>In addition to the <code>BASE</code> normalization, consecutive slashes are also merged.
For example, <code>/a//b</code> normalizes to <code>/a/b</code>.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-DECODE_AND_MERGE_SLASHES><td><code>DECODE_AND_MERGE_SLASHES</code></td><td><p>In addition to normalization in <code>MERGE_SLASHES</code>, slash characters are percent-decoded (case insensitive) prior to merging.
This means <code>%2F</code>, <code>%2f</code>, <code>%5C</code>, and <code>%5c</code> sequences in the request path will be rewritten to <code>/</code> or <code>\</code>.
For example, <code>/a%2f/b</code> normalizes to <code>/a/b</code>.</p></td></tr></tbody></table></section><h2 id=MeshConfig-TLSConfig-TLSProtocol>MeshConfig.TLSConfig.TLSProtocol</h2><section><p>TLS protocol versions.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-TLSConfig-TLSProtocol-TLS_AUTO><td><code>TLS_AUTO</code></td><td><p>Automatically choose the optimal TLS version.</p></td></tr><tr id=MeshConfig-TLSConfig-TLSProtocol-TLSV1_2><td><code>TLSV1_2</code></td><td><p>TLS version 1.2</p></td></tr><tr id=MeshConfig-TLSConfig-TLSProtocol-TLSV1_3><td><code>TLSV1_3</code></td><td><p>TLS version 1.3</p></td></tr></tbody></table></section><h2 id=MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-IngressControllerMode-UNSPECIFIED><td><code>UNSPECIFIED</code></td><td><p>Unspecified Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-OFF><td><code>OFF</code></td><td><p>Disables Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-DEFAULT><td><code>DEFAULT</code></td><td><p>Istio ingress controller will act on ingress resources that do not
contain any annotation or whose annotations match the value
specified in the ingress_class parameter described earlier. Use this
mode if Istio ingress controller will be the default ingress
controller for the entire Kubernetes cluster.</p></td></tr><tr id=MeshConfig-IngressControllerMode-STRICT><td><code>STRICT</code></td><td><p>Istio ingress controller will only act on ingress resources whose
annotations match the value specified in the ingress_class parameter
described earlier. Use this mode if Istio ingress controller will be
a secondary ingress controller (e.g., in addition to a
cloud-provided ingress controller).</p></td></tr></tbody></table></section><h2 id=MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-AccessLogEncoding-TEXT><td><code>TEXT</code></td><td><p>text encoding for the proxy access log</p></td></tr><tr id=MeshConfig-AccessLogEncoding-JSON><td><code>JSON</code></td><td><p>json encoding for the proxy access log</p></td></tr></tbody></table></section><h2 id=MeshConfig-H2UpgradePolicy>MeshConfig.H2UpgradePolicy</h2><section><p>Default Policy for upgrading http1.1 connections to http2.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-H2UpgradePolicy-DO_NOT_UPGRADE><td><code>DO_NOT_UPGRADE</code></td><td><p>Do not upgrade connections to http2.</p></td></tr><tr id=MeshConfig-H2UpgradePolicy-UPGRADE><td><code>UPGRADE</code></td><td><p>Upgrade the connections to http2.</p></td></tr></tbody></table></section><h2 id=Resource>Resource</h2><section><p>Resource describes the source of configuration</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Resource-SERVICE_REGISTRY><td><code>SERVICE_REGISTRY</code></td><td><p>Set to only receive service entries that are generated by the platform.
These auto-generated service entries are a combination of services and endpoints
that are generated by a specific platform, e.g. k8s.</p></td></tr></tbody></table></section><h2 id=Tracing-OpenCensusAgent-TraceContext>Tracing.OpenCensusAgent.TraceContext</h2><section><p>TraceContext selects the context propagation headers used for
distributed tracing.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Tracing-OpenCensusAgent-TraceContext-W3C_TRACE_CONTEXT><td><code>W3C_TRACE_CONTEXT</code></td><td><p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
See the
<a href=https://www.w3.org/TR/trace-context/>Trace Context documentation</a> for details.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-GRPC_BIN><td><code>GRPC_BIN</code></td><td><p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-CLOUD_TRACE_CONTEXT><td><code>CLOUD_TRACE_CONTEXT</code></td><td><p>Use Cloud Trace context propagation using the
<code>X-Cloud-Trace-Context</code> http header.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-B3><td><code>B3</code></td><td><p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
<a href=https://github.com/openzipkin/b3-propagation>B3 header propagation README</a>
for details.</p></td></tr></tbody></table></section><h2 id=ProxyConfig-TracingServiceName>ProxyConfig.TracingServiceName</h2><section><p>Allows specification of various Istio-supported naming schemes for the
Envoy <code>service_cluster</code> value. The <code>service_cluster</code> value is primarily used
by Envoys to provide service names for tracing spans.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-TracingServiceName-APP_LABEL_AND_NAMESPACE><td><code>APP_LABEL_AND_NAMESPACE</code></td><td><p>Default scheme. Uses the <code>app</code> label and workload namespace to construct
a cluster name. If the <code>app</code> label does not exist <code>istio-proxy</code> is used.</p></td></tr><tr id=ProxyConfig-TracingServiceName-CANONICAL_NAME_ONLY><td><code>CANONICAL_NAME_ONLY</code></td><td><p>Uses the canonical name for a workload (<em>excluding namespace</em>).</p></td></tr><tr id=ProxyConfig-TracingServiceName-CANONICAL_NAME_AND_NAMESPACE><td><code>CANONICAL_NAME_AND_NAMESPACE</code></td><td><p>Uses the canonical name and namespace for a workload.</p></td></tr></tbody></table></section><h2 id=ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</h2><section><p>The mode used to redirect inbound traffic to Envoy.
This setting has no effect on outbound traffic: iptables <code>REDIRECT</code> is always used for
outbound connections.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-InboundInterceptionMode-REDIRECT><td><code>REDIRECT</code></td><td><p>The <code>REDIRECT</code> mode uses iptables <code>REDIRECT</code> to <code>NAT</code> and redirect to Envoy. This mode loses
source IP addresses during redirection.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-TPROXY><td><code>TPROXY</code></td><td><p>The <code>TPROXY</code> mode uses iptables <code>TPROXY</code> to redirect to Envoy. This mode preserves both the
source and destination IP addresses and ports, so that they can be used for advanced
filtering and manipulation. This mode also configures the sidecar to run with the
<code>CAP_NET_ADMIN</code> capability, which is required to use <code>TPROXY</code>.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-NONE><td><code>NONE</code></td><td><p>The <code>NONE</code> mode does not configure redirect to Envoy at all. This is an advanced
configuration that typically requires changes to user applications.</p></td></tr></tbody></table></section><h2 id=AuthenticationPolicy>AuthenticationPolicy</h2><section><p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
Mesh policy cannot be INHERIT.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=AuthenticationPolicy-NONE><td><code>NONE</code></td><td><p>Do not encrypt proxy to control plane traffic.</p></td></tr><tr id=AuthenticationPolicy-MUTUAL_TLS><td><code>MUTUAL_TLS</code></td><td><p>Proxy to control plane traffic is wrapped into mutual TLS connections.</p></td></tr><tr id=AuthenticationPolicy-INHERIT><td><code>INHERIT</code></td><td><p>Use the policy defined by the parent scope. Should not be used for mesh
policy.</p></td></tr></tbody></table></section></article><nav class=pagenav><div class=left><a title="Configuration for Attribute Generation plugin." href=/v1.16/zh/docs/reference/config/proxy_extensions/attributegen/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.16/img/icons.svg#left-arrow"/></svg>AttributeGen Config</a></div><div class=right><a title="Configuration affecting Istio control plane installation version and shape." href=/v1.16/zh/docs/reference/config/istio.operator.v1alpha1/ class=next-link>IstioOperator Options<svg class="icon right-arrow"><use xlink:href="/v1.16/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>这些信息有用吗?<br><button class="btn feedback" onclick='sendFeedback("zh",1)'>是的</button>
<!-- Language switcher entry for Chinese; class "active" plus the tick icon mark it as the current language. It has no href and tabindex=-1, so on its own it is neither a navigable link nor in the tab order. NOTE(review): presumably a script binds to id switch-lang-zh; that code is not in this part of the file. -->
<a tabindex=-1 lang=zh id=switch-lang-zh class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.16/img/icons.svg#tick"/></svg>中文</a></div></div><!-- Policy links: terms and privacy policy point at linuxfoundation.org over https and carry no target attribute, so they open in the same browsing context. --><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>条款</a> |
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>隐私政策</a> |
<!-- "Edit this page on GitHub" is rendered as a disabled entry: it has no href, and its title says the file is generated and must be changed in the https://github.com/istio/api repository instead. -->
<a class=disabled title="这是一个自动生成的文件,要修改其中的内容,请修改 https://github.com/istio/api 仓库中的源码。">在 GitHub 上编辑此页</a></li></ul><!-- Footer base: copyright line; the version banner and release switcher follow it. --><div class=footer-base><span class=footer-base-copyright>&copy; 2023 the Istio Authors.</span>
<!-- Version banner: a notice that parts of the translation may lag behind the English text, followed by the archived release label (Istio archive 1.16.2). -->
<span class=footer-base-version>部分内容可能滞后于英文版本,同步工作正在进行中<br>Version
Istio 归档
1.16.2</span><!-- Release switcher. The "current release" and "next release" entries have no href: they navigate only through an inline onclick that calls navigateToUrlOrRoot (defined outside this part of the file) and then evaluates to false, which cancels the default action. Inline handler attributes run only when the page's Content-Security-Policy permits them ('unsafe-inline', or 'unsafe-hashes' with a matching hash), so a stricter policy needs these moved to addEventListener first. The "older releases" entry is an ordinary https link. --><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/docs/reference/config/istio.mesh.v1alpha1/"),!1'>当前版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/docs/reference/config/istio.mesh.v1alpha1/"),!1'>下个版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>旧版本</a></li></ul></div></div></footer><!-- Scroll-to-top control: the container is aria-hidden and the button has tabindex=-1, so it is hidden from assistive technology and kept out of the tab order. NOTE(review): the click handler is not visible here; presumably a script binds to id scroll-to-top. --><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title=回到顶部 tabindex=-1><svg class="icon top"><use xlink:href="/v1.16/img/icons.svg#top"/></svg></button></div></body></html>