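<!doctype html>
<html lang="zh" itemscope itemtype="https://schema.org/WebPage">
<head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
  <meta name="theme-color" content="#466BB0">

  <!-- Page metadata and social-card (Open Graph / Twitter) description. -->
  <meta name="title" content="Global Mesh Options">
  <meta name="description" content="Configuration affecting the service mesh as a whole.">
  <meta name="keywords" content="microservices,services,mesh">
  <meta property="og:title" content="Global Mesh Options">
  <meta property="og:type" content="website">
  <meta property="og:description" content="Configuration affecting the service mesh as a whole.">
  <meta property="og:url" content="/v1.16/zh/docs/reference/config/istio.mesh.v1alpha1/">
  <meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg">
  <meta property="og:image:alt" content="Istio Logo">
  <meta property="og:image:width" content="1200">
  <meta property="og:image:height" content="600">
  <meta property="og:site_name" content="Istio">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:site" content="@IstioMesh">
  <title>Istioldie 1.16 / Global Mesh Options</title>

  <!--
    Third-party analytics loader. It executes with this page's full script
    privileges and carries no integrity attribute, so trust rests on the
    remote origin and TLS. If a Content-Security-Policy is applied to the
    site, this origin has to be allowlisted in script-src.
  -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
  <!--
    Inline bootstrap for the analytics loader above. Inline scripts require a
    nonce or hash under a strict CSP; moving this to an external file would
    avoid that.
  -->
  <script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script>

  <!-- Feeds for this archived release. -->
  <link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v1.16/blog/feed.xml">
  <link rel="alternate" type="application/rss+xml" title="Istio News" href="/v1.16/news/feed.xml">
  <link rel="alternate" type="application/rss+xml" title="Istio Blog and News" href="/v1.16/feed.xml">

  <!-- Favicons and platform icons. -->
  <link rel="shortcut icon" href="/v1.16/favicons/favicon.ico">
  <link rel="apple-touch-icon" href="/v1.16/favicons/apple-touch-icon-180x180.png" sizes="180x180">
  <link rel="icon" type="image/png" href="/v1.16/favicons/favicon-16x16.png" sizes="16x16">
  <link rel="icon" type="image/png" href="/v1.16/favicons/favicon-32x32.png" sizes="32x32">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-36x36.png" sizes="36x36">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-48x48.png" sizes="48x48">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-72x72.png" sizes="72x72">
  <!-- sizes must be WIDTHxHEIGHT; the value here previously read "96xW96", which is not a valid size token. -->
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-96x96.png" sizes="96x96">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-144x144.png" sizes="144x144">
  <link rel="icon" type="image/png" href="/v1.16/favicons/android-192x192.png" sizes="192x192">
  <link rel="icon" type="image/svg+xml" href="/v1.16/favicons/favicon.svg">
  <link rel="icon" type="image/png" href="/v1.16/favicons/favicon.png">
  <link rel="mask-icon" href="/v1.16/favicons/safari-pinned-tab.svg" color="#466bb0">
  <link rel="manifest" href="/v1.16/manifest.json">
  <meta name="apple-mobile-web-app-title" content="Istio">
  <meta name="application-name" content="Istio">
  <!-- NOTE(review): unlike the other asset paths, this one has no /v1.16 prefix; confirm that is intended. -->
  <meta name="msapplication-config" content="/browserconfig.xml">
  <meta name="msapplication-TileColor" content="#466BB0">

  <!-- Site stylesheet, then the web font. The font stylesheet is third-party and loaded without an integrity attribute. -->
  <link rel="stylesheet" href="/v1.16/css/all.css">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&amp;display=swap">

  <!-- Loaded without defer/async, so it runs before the body is parsed; presumably so the theme is set before first paint. -->
  <script src="/v1.16/js/themes_init.min.js"></script>
</head>
<body class="language-unknown archive-site">
  <!-- Page-level constants read by the site scripts. Inline, so a strict CSP needs a nonce or hash for it. -->
  <script>const branchName="release-1.16",docTitle="Global Mesh Options",iconFile="/v1.16/img/icons.svg",buttonCopy="复制到剪切板",buttonPrint="打印",buttonDownload="下载"</script>
  <!-- Third-party search branding script; same trust considerations as the analytics loader (remote origin, no integrity attribute). -->
  <script src="https://www.google.com/cse/brand?form=search-form" defer></script>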
<script src=/v1.16/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.16/zh/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.16/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>关于</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.16/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/service-mesh class=main-navigation-links-link>服务网格</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/solutions class=main-navigation-links-link>解决方案</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/case-studies class=main-navigation-links-link>案例学习</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/ecosystem class=main-navigation-links-link>生态系统</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/deployment class=main-navigation-links-link>部署</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.16/zh/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.16/zh/blog/ class=main-navigation-links-link><span>博客</span></a></li><li class=main-navigation-links-item><a href=/v1.16/zh/news/ class=main-navigation-links-link><span>新闻</span></a></li><li class=main-navigation-links-item><a href=/v1.16/zh/get-involved/ class=main-navigation-links-link><span>加入我们</span></a></li><li class=main-navigation-links-item><a href=/v1.16/zh/docs/ class=main-navigation-links-link><span>文档</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='搜索 istio.io' aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.16/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.16/zh/docs/setup/getting-started class="btn btn--primary" id=try-istio>试用 Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=zh>
<input type=hidden id=search-page-url value=/zh/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='搜索 istio.io' placeholder=搜索>
<button id=search-close title=取消搜索 type=reset aria-label=取消搜索><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><main class="primary container has-sidebar has-toc docs"><div id=sidebar-container class=sidebar-container><nav id=sidebar aria-label="Section Navigation"><button id=sidebar-close class="main-navigation-toggle sidebar-close" aria-label="Close sidebar"><svg class="icon menu-close"><use xlink:href="/v1.16/img/icons.svg#menu-close"/></svg></button><div class=sidebar-nav><div class=search><form id=search-docs-form name=cse role=search><input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-docs-url value=/v1.16/search>
<input id=search-docs-textbox class=form-control name=docs-search type=search aria-label='搜索 istio.io' placeholder=搜索>
<button id=search-show2 class=search-show title='搜索 istio.io' aria-label=搜索><svg class="icon magnifier"><use xlink:href="/v1.16/img/icons.svg#magnifier"/></svg></button></form></div><div class=card><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label=概念><a class=main title="一些概念,理解它们有助于您更好地了解 Istio 系统的不同部分及其使用的抽象。" href=/v1.16/zh/docs/concepts/>概念</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="描述 Istio 多样的流量路由和控制特性。" href=/v1.16/zh/docs/concepts/traffic-management/>流量管理</a></li><li role=none><a role=treeitem title="讲述 Istio 的 WebAssembly 插件系统。" href=/v1.16/zh/docs/concepts/wasm/>扩展性</a></li><li role=none><a role=treeitem title="描述 Istio 的授权与认证功能。" href=/v1.16/zh/docs/concepts/security/>安全</a></li><li role=none><a role=treeitem title="描述 Istio 提供的遥测和监控特性。" href=/v1.16/zh/docs/concepts/observability/>可观测性</a></li></ul></li><li role=treeitem aria-label=安装><a class=main title="关于如何在 Kubernetes 集群中安装 Istio 控制平面和添加虚拟机到 mesh 中的说明。" href=/v1.16/zh/docs/setup/>安装</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="快速、轻松地尝试 Istio 特性。" href=/v1.16/zh/docs/setup/getting-started/>入门</a></li><li role=treeitem aria-label=平台安装><button aria-hidden=true tabindex=-1></button><a title="在安装 Istio 之前如何准备各种 Kubernetes 平台。" href=/v1.16/zh/docs/setup/platform-setup/>平台安装</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="在各平台上安装 Istio 的前提条件。" href=/v1.16/zh/docs/setup/platform-setup/prerequisites/>平台前提条件</a></li><li role=none><a role=treeitem title="在阿里云 Kubernetes 集群进行配置以便安装运行 Istio。" href=/v1.16/zh/docs/setup/platform-setup/alicloud/>阿里云</a></li><li role=none><a role=treeitem title="为 Istio 设置一个 Azure 集群的操作说明。" href=/v1.16/zh/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="在 Docker Desktop 中运行 Istio 的设置说明。" 
href=/v1.16/zh/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="为 Istio 设置 kind 的说明。" href=/v1.16/zh/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="在 Google Kubernetes Engine (GKE) 上快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/gke/>使用 Google Kubernetes Engine 快速开始</a></li><li role=none><a role=treeitem title="在 Minikube 上配置 Istio。" href=/v1.16/zh/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="为 Istio 设置一个华为云 Kubernetes 集群的操作说明。" href=/v1.16/zh/docs/setup/platform-setup/huaweicloud/>华为云</a></li><li role=none><a role=treeitem title="在 IBM 公有云或私有云上快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/ibm/>IBM Cloud 快速开始</a></li><li role=none><a role=treeitem title="与Istio 一起使用的 Kops 设置说明。" href=/v1.16/zh/docs/setup/platform-setup/kops/>Kops</a></li><li role=none><a role=treeitem title="使用 Gardener 快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/gardener/>Kubernetes Gardener 快速开始</a></li><li role=none><a role=treeitem title="Istio 适配 KubeSphere 容器平台指南。" href=/v1.16/zh/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="配置 MicroK8s 以便使用 Istio。" href=/v1.16/zh/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="在 OpenShift 集群上快速搭建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="使用 Oracle Container 为 Istio 准备集群的说明。" href=/v1.16/zh/docs/setup/platform-setup/oci/>Oracle Cloud 基础架构</a></li><li role=none><a role=treeitem title="在腾讯云上快速创建 Istio 服务。" href=/v1.16/zh/docs/setup/platform-setup/tencent-cloud-mesh/>腾讯云</a></li></ul></li><li role=treeitem aria-label=安装><button aria-hidden=true tabindex=-1></button><a title=选择最适合你需求和平台的安装指南。 href=/v1.16/zh/docs/setup/install/>安装</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="安装、定制 Istio 
配置文件,用于深入评估及生产发布。" href=/v1.16/zh/docs/setup/install/istioctl/>使用 Istioctl 安装</a></li><li role=none><a role=treeitem title="安装、配置并深入评估 Istio。" href=/v1.16/zh/docs/setup/install/helm/>使用 Helm 安装</a></li><li role=treeitem aria-label=多集群安装><button aria-hidden=true tabindex=-1></button><a title="跨多 Kubernetes 集群,安装 Istio 服务网格。" href=/v1.16/zh/docs/setup/install/multicluster/>多集群安装</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="在多个集群上安装 Istio 之前的初始步骤。" href=/v1.16/zh/docs/setup/install/multicluster/before-you-begin/>准备工作</a></li><li role=none><a role=treeitem title="跨多个主集群,安装 Istio 网格。" href=/v1.16/zh/docs/setup/install/multicluster/multi-primary/>多主架构的安装</a></li><li role=none><a role=treeitem title="跨主-从集群,安装 Istio 网格。" href=/v1.16/zh/docs/setup/install/multicluster/primary-remote/>主-从架构的安装</a></li><li role=none><a role=treeitem title="跨网络、多主架构的 Istio 网格安装。" href=/v1.16/zh/docs/setup/install/multicluster/multi-primary_multi-network/>跨网络多主架构的安装</a></li><li role=none><a role=treeitem title="跨网络、主-从架构的 Istio 网格安装。" href=/v1.16/zh/docs/setup/install/multicluster/primary-remote_multi-network/>跨网络主-从架构的安装</a></li><li role=none><a role=treeitem title="验证 Istio 已成功安装到多集群环境中。" href=/v1.16/zh/docs/setup/install/multicluster/verify/>验证安装结果</a></li></ul></li><li role=none><a role=treeitem title="部署 Istio,接入虚拟机中运行的工作负载。" href=/v1.16/zh/docs/setup/install/virtual-machine/>虚拟机安装</a></li><li role=none><a role=treeitem title="使用修订和 discoverySelectors 在单集群中安装多个 Istio 控制面。" href=/v1.16/zh/docs/setup/install/multiple-controlplanes/>在单集群中安装多个 Istio 控制面</a></li><li role=none><a role=treeitem title=安装外部控制平面和远程集群。 href=/v1.16/zh/docs/setup/install/external-controlplane/>使用外部控制平面安装 Istio</a></li><li role=none><a role=treeitem title="使用 Istio Operator 在 Kubernetes 集群中安装 Istio 的说明。 (Beta)" href=/v1.16/zh/docs/setup/install/operator/>使用 Istio Operator 安装 *</a></li></ul></li><li role=treeitem aria-label=升级><button aria-hidden=true 
tabindex=-1></button><a title="跨多个控制平面升级、降级和管理 Istio。" href=/v1.16/zh/docs/setup/upgrade/>升级</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="通过先运行一个金丝雀部署的新控制平面升级 Istio。" href=/v1.16/zh/docs/setup/upgrade/canary/>金丝雀升级</a></li><li role=none><a role=treeitem title=原地升级和回退。 href=/v1.16/zh/docs/setup/upgrade/in-place/>原地升级</a></li><li role=none><a role=treeitem title="深度评估升级和配置 Istio。" href=/v1.16/zh/docs/setup/upgrade/helm/>Upgrade with Helm</a></li></ul></li><li role=treeitem aria-label=更多指南><button aria-hidden=true tabindex=-1></button><a title=有关其他设置任务的更多信息。 href=/v1.16/zh/docs/setup/additional-setup/>更多指南</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="描述 Istio 内置的安装配置文件。" href=/v1.16/zh/docs/setup/additional-setup/config-profiles/>安装配置文件</a></li><li role=none><a role=treeitem title="在应用程序 Pod 中使用 Sidecar Injector Webhook 自动安装或使用 Istioctl CLI 手动安装 Istio Sidecar。" href=/v1.16/zh/docs/setup/additional-setup/sidecar-injection/>安装 Sidecar</a></li><li role=none><a role=treeitem title=描述如何定制安装配置选项。 href=/v1.16/zh/docs/setup/additional-setup/customize-installation/>定制安装配置</a></li><li role=none><a role=treeitem title="描述使用 helm 安装时如何自定义安装配置选项。" href=/v1.16/zh/docs/setup/additional-setup/customize-installation-helm/>高级 Helm chart 自定义</a></li><li role=none><a role=treeitem title="安装并使用 Istio CNI 插件,可以让运维人员用更低的权限来部署服务。" href=/v1.16/zh/docs/setup/additional-setup/cni/>安装 Istio CNI 插件</a></li></ul></li></ul></li><li role=treeitem aria-label=任务><a class=main title="如何用 Istio 实现单个特定的目标行为。" href=/v1.16/zh/docs/tasks/>任务</a><ul role=group aria-expanded=true><li role=treeitem aria-label=流量管理><button aria-hidden=true tabindex=-1></button><a title="演示 Istio 的流量路由功能的任务。" href=/v1.16/zh/docs/tasks/traffic-management/>流量管理</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title=如何将请求动态路由到微服务的多个版本。 
href=/v1.16/zh/docs/tasks/traffic-management/request-routing/>配置请求路由</a></li><li role=none><a role=treeitem title=此任务说明如何注入故障并测试应用程序的弹性。 href=/v1.16/zh/docs/tasks/traffic-management/fault-injection/>故障注入</a></li><li role=none><a role=treeitem title=展示如何将流量从旧版本迁移到新版本的服务。 href=/v1.16/zh/docs/tasks/traffic-management/traffic-shifting/>流量转移</a></li><li role=none><a role=treeitem title="展示如何将一个服务的 TCP 流量从旧版本迁移到新版本。" href=/v1.16/zh/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP 流量转移</a></li><li role=none><a role=treeitem title="本任务用于示范如何使用 Istio 在 Envoy 中设置请求超时。" href=/v1.16/zh/docs/tasks/traffic-management/request-timeouts/>设置请求超时</a></li><li role=none><a role=treeitem title=本任务展示如何为连接、请求以及异常检测配置熔断。 href=/v1.16/zh/docs/tasks/traffic-management/circuit-breaking/>熔断</a></li><li role=none><a role=treeitem title="此任务演示了 Istio 的流量镜像/影子功能。" href=/v1.16/zh/docs/tasks/traffic-management/mirroring/>镜像</a></li><li role=treeitem aria-label=地域负载均衡><button aria-hidden=true tabindex=-1></button><a title="本系列任务演示如何在 Istio 中配置地域负载均衡。" href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/>地域负载均衡</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title=配置地域负载均衡前的初始化步骤。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/before-you-begin/>开始之前</a></li><li role=none><a role=treeitem title=本任务演示如何为网格配置地域故障转移。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/failover/>地域故障转移</a></li><li role=none><a role=treeitem title=本指南演示如何配置地域权重分配。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/distribute/>地域权重分布</a></li><li role=none><a role=treeitem title=地域负载均衡的清理步骤。 href=/v1.16/zh/docs/tasks/traffic-management/locality-load-balancing/cleanup/>清理</a></li></ul></li><li role=treeitem aria-label=Ingress><button aria-hidden=true tabindex=-1></button><a title="控制 Istio 服务网格的入口流量。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false 
class=leaf-section><li role=none><a role=treeitem title="描述如何配置 Istio Gateway 对象,以将服务暴露至服务网格之外。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/ingress-control/>入口网关</a></li><li role=none><a role=treeitem title="通过 TLS 或 mTLS 将服务暴露到服务网格外。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/secure-ingress/>安全网关</a></li><li role=none><a role=treeitem title="描述了如何在不使用 Ingress Gateway 的情况下,在一个 Sidecar 上终止 TLS 流量。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/ingress-sidecar-tls-termination/>Ingress Sidecar TLS 终止</a></li><li role=none><a role=treeitem title="如何为一个 Ingress Gateway 配置 SNI 透传。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>无 TLS 终止的 Ingress Gateway</a></li><li role=none><a role=treeitem title="展示如何配置 Kubernetes Ingress 对象,使得从服务网格外部可以访问网格内服务。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/kubernetes-ingress/>Kubernetes Ingress</a></li><li role=none><a role=treeitem title="描述在 Istio 中如何配置 Kubernetes Gateway API。" href=/v1.16/zh/docs/tasks/traffic-management/ingress/gateway-api/>Kubernetes Gateway API</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true tabindex=-1></button><a title="控制 Istio 服务网格的出口流量。" href=/v1.16/zh/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="描述如何配置 Istio 以将流量从网格中的服务路由到外部服务。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-control/>访问外部服务</a></li><li role=none><a role=treeitem title="描述如何配置 Istio 对来自外部服务的流量执行 TLS 发起。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="描述如何配置 Istio 通过专用网关服务将流量定向到外部服务。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-gateway/>出口网关</a></li><li role=none><a role=treeitem title="描述了如何配置 Egress 网关,使用 Secret Discovery Service 执行 TLS 链接外部服务。" 
href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/>Egress 网关 TLS 连接 发起的过程 (SDS)</a></li><li role=none><a role=treeitem title="描述如何配置一个 Egress 网关,来向外部服务发起 TLS 连接。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress 网关的 TLS 发起过程</a></li><li role=none><a role=treeitem title="描述如何开启通用域中一组主机的 egress,无需单独配置每一台主机。" href=/v1.16/zh/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Wildcard 主机的 egress</a></li><li role=none><a role=treeitem title="描述如何在 TLS Egress 上配置 SNI 监控和策略。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>TLS Egress 监控和策略配置</a></li><li role=none><a role=treeitem title="展示如何配置 Istio Kubernetes 外部服务。" href=/v1.16/zh/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Egress 流量服务</a></li><li role=none><a role=treeitem title="描述如何配置 Istio 以允许应用程序使用外部 HTTPS 代理。" href=/v1.16/zh/docs/tasks/traffic-management/egress/http-proxy/>使用外部 HTTPS 代理</a></li></ul></li></ul></li><li role=treeitem aria-label=安全><button aria-hidden=true tabindex=-1></button><a title=演示如何保护网格。 href=/v1.16/zh/docs/tasks/security/>安全</a><ul role=group aria-expanded=false><li role=treeitem aria-label=认证><button aria-hidden=true tabindex=-1></button><a title="管控网格服务间的双向 TLS 和终端用户的身份认证。" href=/v1.16/zh/docs/tasks/security/authentication/>认证</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="演示如何使用基于 JWT 声明路由请求的 Istio 身份验证策略。 (Experimental)" href=/v1.16/zh/docs/tasks/security/authentication/jwt-route/>基于 JWT 声明的路由 *</a></li><li role=none><a role=treeitem title="向您展示如何通过使用 Istio 认证策略来设置双向 TLS 和基本的终端用户认证。" href=/v1.16/zh/docs/tasks/security/authentication/authn-policy/>认证策略</a></li><li role=none><a role=treeitem title="阐述如何将 Istio 服务逐步迁移至双向 TLS 通信模式。" href=/v1.16/zh/docs/tasks/security/authentication/mtls-migration/>双向 TLS 迁移</a></li></ul></li><li role=treeitem aria-label=证书管理><button aria-hidden=true 
tabindex=-1></button><a title="管理 Istio 的证书。" href=/v1.16/zh/docs/tasks/security/cert-management/>证书管理</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="系统管理员如何通过根证书、签名证书和密钥来配置 Istio 的 CA。" href=/v1.16/zh/docs/tasks/security/cert-management/plugin-ca-cert/>插入 CA 证书</a></li><li role=none><a role=treeitem title="如何在 Istiod 中配置和管理 DNS 证书。" href=/v1.16/zh/docs/tasks/security/cert-management/dns-cert/>Istio 的 DNS 证书管理</a></li><li role=none><a role=treeitem title="演示如何使用自定义证书颁发机构(与 Kubernetes CSR API 集成)来提供 Istio 工作负载证书。 (Experimental)" href=/v1.16/zh/docs/tasks/security/cert-management/custom-ca-k8s/>使用 Kubernetes CSR 自定义 CA 集成 *</a></li></ul></li><li role=treeitem aria-label=授权><button aria-hidden=true tabindex=-1></button><a title="展示如何控制到 Istio 服务的访问。" href=/v1.16/zh/docs/tasks/security/authorization/>授权</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="展示如何设置 HTTP 流量访问控制。" href=/v1.16/zh/docs/tasks/security/authorization/authz-http/>HTTP 流量</a></li><li role=none><a role=treeitem title="展示如何设置 TCP 流量的访问控制。" href=/v1.16/zh/docs/tasks/security/authorization/authz-tcp/>TCP 流量</a></li><li role=none><a role=treeitem title="演示如何为 JWT 令牌设置访问控制。" href=/v1.16/zh/docs/tasks/security/authorization/authz-jwt/>JWT 令牌</a></li><li role=none><a role=treeitem title=如何集成访问控制并将其委托给外部授权系统。 href=/v1.16/zh/docs/tasks/security/authorization/authz-custom/>外部授权</a></li><li role=none><a role=treeitem title=如何设置访问控制以明确地拒绝流量。 href=/v1.16/zh/docs/tasks/security/authorization/authz-deny/>明确拒绝</a></li><li role=none><a role=treeitem title=展示如何在入口网关上设置访问控制。 href=/v1.16/zh/docs/tasks/security/authorization/authz-ingress/>入口网关</a></li><li role=none><a role=treeitem title=阐述如何在不更改授权策略的前提下从一个信任域迁移到另一个。 href=/v1.16/zh/docs/tasks/security/authorization/authz-td-migration/>信任域迁移</a></li></ul></li><li role=treeitem aria-label="TLS 配置"><button aria-hidden=true tabindex=-1></button><a title="在 Istio 中配置 TLS。" 
href=/v1.16/zh/docs/tasks/security/tls-configuration/>TLS 配置</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="演示如何为 Istio 工作负载配置最低版本的 TLS。" href=/v1.16/zh/docs/tasks/security/tls-configuration/workload-min-tls-version/>Istio 工作负载的最低 TLS 版本配置</a></li></ul></li></ul></li><li role=treeitem aria-label=策略执行><button aria-hidden=true tabindex=-1></button><a title=演示策略执行特性。 href=/v1.16/zh/docs/tasks/policy-enforcement/>策略执行</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="此任务将展示如何配置 Istio 来动态地限制服务的流量。" href=/v1.16/zh/docs/tasks/policy-enforcement/rate-limit/>使用 Envoy 启用速率限制</a></li></ul></li><li role=treeitem aria-label=可观察性><button aria-hidden=true tabindex=-1></button><a title=演示如何从网格收集遥测信息。 href=/v1.16/zh/docs/tasks/observability/>可观察性</a><ul role=group aria-expanded=false><li role=treeitem aria-label=指标><button aria-hidden=true tabindex=-1></button><a title="演示 Istio 中指标的收集和查询。" href=/v1.16/zh/docs/tasks/observability/metrics/>指标</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="本任务展示了如何配置 Istio 进行 TCP 服务的指标收集。" href=/v1.16/zh/docs/tasks/observability/metrics/tcp-metrics/>收集 TCP 服务指标</a></li><li role=none><a role=treeitem title="此任务向您展示如何自定义 Istio 指标。" href=/v1.16/zh/docs/tasks/observability/metrics/customize-metrics/>自定义 Istio 指标</a></li><li role=none><a role=treeitem title=此任务向您展示如何通过按类型对请求和响应进行分组来改进遥测。 href=/v1.16/zh/docs/tasks/observability/metrics/classify-metrics/>根据请求或响应对指标进行分类</a></li><li role=none><a role=treeitem title="本任务介绍如何通过 Prometheus 查询 Istio 度量指标。" href=/v1.16/zh/docs/tasks/observability/metrics/querying-metrics/>通过 Prometheus 查询度量指标</a></li><li role=none><a role=treeitem title="此任务展示了如何设置和使用 Istio Dashboard 监控网格流量。" href=/v1.16/zh/docs/tasks/observability/metrics/using-istio-dashboard/>使用 Grafana 可视化指标</a></li></ul></li><li role=treeitem aria-label=日志><button aria-hidden=true tabindex=-1></button><a title="演示 Istio 
网格日志的配置、收集和处理。" href=/v1.16/zh/docs/tasks/observability/logs/>日志</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="此任务向您展示如何配置 Envoy 代理将访问日志打印到其标准输出。" href=/v1.16/zh/docs/tasks/observability/logs/access-log/>获取 Envoy 访问日志</a></li></ul></li><li role=treeitem aria-label=分布式追踪><button aria-hidden=true tabindex=-1></button><a title="该任务展示了如何为启用了 Istio 支持的应用进行追踪。" href=/v1.16/zh/docs/tasks/observability/distributed-tracing/>分布式追踪</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio 分布式追踪的概述。" href=/v1.16/zh/docs/tasks/observability/distributed-tracing/overview/>概述</a></li><li role=none><a role=treeitem title="了解如何配置代理以向 Jaeger 发送追踪请求。" href=/v1.16/zh/docs/tasks/observability/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="了解如何通过配置代理以向 Zipkin 发送追踪请求。" href=/v1.16/zh/docs/tasks/observability/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="怎样配置代理才能把追踪请求发送到 LightStep。" href=/v1.16/zh/docs/tasks/observability/distributed-tracing/lightstep/>LightStep</a></li><li role=none><a role=treeitem title="如何使用 MeshConfig 和 Pod 注释配置跟踪选项。 (Beta/Experimental)" href=/v1.16/zh/docs/tasks/observability/distributed-tracing/mesh-and-proxy-config/>使用 MeshConfig 和 Pod 注释配置跟踪 *</a></li></ul></li><li role=none><a role=treeitem title="此任务向您展示如何在 Istio 网格中可视化服务。" href=/v1.16/zh/docs/tasks/observability/kiali/>网格可视化</a></li><li role=none><a role=treeitem title="此任务向您展示如何配置从外部访问 Istio 遥测插件。" href=/v1.16/zh/docs/tasks/observability/gateways/>远程访问遥测插件</a></li></ul></li><li role=treeitem aria-label=可扩展性><button aria-hidden=true tabindex=-1></button><a title=演示如何扩展网格行为。 href=/v1.16/zh/docs/tasks/extensibility/>可扩展性</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="描述如何在网格中使用远程 WebAssembly 模块。 (Alpha)" href=/v1.16/zh/docs/tasks/extensibility/wasm-module-distribution/>WebAssembly 模块分发 
*</a></li></ul></li></ul></li><li role=treeitem aria-label=示例><a class=main title="这里包括多个可供 Istio 使用的可完整工作的示例,你可以用来亲自部署和体验这些示例。" href=/v1.16/zh/docs/examples/>示例</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="部署一个用于演示多种 Istio 特性的应用,由四个单独的微服务构成。" href=/v1.16/zh/docs/examples/bookinfo/>Bookinfo 应用</a></li><li role=none><a role=treeitem title="使用在网格内的虚拟机上运行的 MySQL 服务运行 Bookinfo 应用程序。" href=/v1.16/zh/docs/examples/virtual-machines/>在虚拟机上部署 Bookinfo 应用程序</a></li><li role=treeitem aria-label="使用 Kubernetes 和 Istio 学习微服务"><button aria-hidden=true tabindex=-1></button><a title="该模块化教程为新用户提供了一步步将 Istio 应用于常见微服务场景的动手经验。" href=/v1.16/zh/docs/examples/microservices-istio/>使用 Kubernetes 和 Istio 学习微服务</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/prereq/>前提条件</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/setup-kubernetes-cluster/>设置 Kubernetes 集群</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/setup-local-computer/>设置本地计算机</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/single/>本地运行微服务</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/package-service/>在 Docker 中运行 ratings 服务</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/bookinfo-kubernetes/>使用 Kubernetes 运行 Bookinfo</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/production-testing/>生产测试</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/add-new-microservice-version/>添加一个新版本的 reviews</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/add-istio/>在 productpage 启用 Istio</a></li><li role=none><a role=treeitem title 
href=/v1.16/zh/docs/examples/microservices-istio/enable-istio-all-microservices/>在所有微服务中启用 Istio</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/istio-ingress-gateway/>配置 Istio Ingress Gateway</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/examples/microservices-istio/logs-istio/>监控 Istio</a></li></ul></li></ul></li><li role=treeitem aria-label=运维><a class=main title="关于部署和管理 Istio 网格的概念、工具和技术。" href=/v1.16/zh/docs/ops/>运维</a><ul role=group aria-expanded=true><li role=treeitem aria-label=部署><button aria-hidden=true tabindex=-1></button><a title="设置 Istio 部署的要求、概念和注意事项。" href=/v1.16/zh/docs/ops/deployment/>部署</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="描述 Istio 的整体架构与设计目标。" href=/v1.16/zh/docs/ops/deployment/architecture/>架构</a></li><li role=none><a role=treeitem title="描述 Istio 部署中的选择和建议。" href=/v1.16/zh/docs/ops/deployment/deployment-models/>部署模型</a></li><li role=none><a role=treeitem title="介绍 Istio 的性能和可扩展性。" href=/v1.16/zh/docs/ops/deployment/performance-and-scalability/>性能和可扩展性</a></li><li role=none><a role=treeitem title="部署在支持 Istio 的集群中的应用程序的要求。" href=/v1.16/zh/docs/ops/deployment/requirements/>应用程序要求</a></li></ul></li><li role=treeitem aria-label=配置><button aria-hidden=true tabindex=-1></button><a title="配置运行中的 Istio 网格的高级概念和功能。" href=/v1.16/zh/docs/ops/configuration/>配置</a><ul role=group aria-expanded=false><li role=treeitem aria-label=网格配置><button aria-hidden=true tabindex=-1></button><a title=帮助您管理全局网格配置。 href=/v1.16/zh/docs/ops/configuration/mesh/>网格配置</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="简要描述 Istio 对 Kubernetes webhook 的使用以及可能出现的相关问题。" href=/v1.16/zh/docs/ops/configuration/mesh/webhook/>动态准入 Webhook 概述</a></li><li role=none><a role=treeitem title=如何等待资源达到给定的就绪状态。 href=/v1.16/zh/docs/ops/configuration/mesh/config-resource-ready/>等待应用的配置资源状态就绪</a></li><li role=none><a role=treeitem 
title="为您展示如何对 Istio 服务做健康检查。" href=/v1.16/zh/docs/ops/configuration/mesh/app-health-check/>Istio 服务的健康检查</a></li></ul></li><li role=treeitem aria-label=流量管理><button aria-hidden=true tabindex=-1></button><a title=帮助您管理正在运行的网格的网络方面。 href=/v1.16/zh/docs/ops/configuration/traffic-management/>流量管理</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title=关于如何声明协议。 href=/v1.16/zh/docs/ops/configuration/traffic-management/protocol-selection/>协议选择</a></li><li role=none><a role=treeitem title=有关如何启用和理解地域负载平衡。 href=/v1.16/zh/docs/ops/configuration/traffic-management/locality-load-balancing/>地域负载均衡</a></li><li role=none><a role=treeitem title="如何使用 TLS 配置设置安全的网络流量。" href=/v1.16/zh/docs/ops/configuration/traffic-management/tls-configuration/>TLS 配置</a></li><li role=none><a role=treeitem title="理解 Istio 如何与 DNS 交互。" href=/v1.16/zh/docs/ops/configuration/traffic-management/dns/>DNS</a></li><li role=none><a role=treeitem title="如何配置 DNS 代理。" href=/v1.16/zh/docs/ops/configuration/traffic-management/dns-proxy/>DNS 代理</a></li><li role=none><a role=treeitem title="如何配置 Gateway 网络拓扑。 (Alpha)" href=/v1.16/zh/docs/ops/configuration/traffic-management/network-topologies/>配置 Gateway 网络拓扑 *</a></li><li role=none><a role=treeitem title=如何配置流量在网格集群之间如何分发的。 href=/v1.16/zh/docs/ops/configuration/traffic-management/multicluster/>多集群流量管理</a></li></ul></li><li role=treeitem aria-label=安全><button aria-hidden=true tabindex=-1></button><a title=帮助您管理正在运行的网格的安全性方面。 href=/v1.16/zh/docs/ops/configuration/security/>安全</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="展示使用 Istio 安全策略的通用示例。" href=/v1.16/zh/docs/ops/configuration/security/security-policy-examples/>安全策略示例</a></li><li role=none><a role=treeitem title="使用加固的容器镜像来减小 Istio 的攻击面。" href=/v1.16/zh/docs/ops/configuration/security/harden-docker-images/>加固 Docker 容器镜像</a></li></ul></li><li role=treeitem aria-label=可观测性><button aria-hidden=true tabindex=-1></button><a 
title=帮助您管理正在运行的网格中的遥测收集和可视化。 href=/v1.16/zh/docs/ops/configuration/telemetry/>可观测性</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="精细化控制 Envoy 的统计信息。" href=/v1.16/zh/docs/ops/configuration/telemetry/envoy-stats/>Envoy 的统计信息</a></li><li role=none><a role=treeitem title="配置 Prometheus 监控 Istio 多集群。" href=/v1.16/zh/docs/ops/configuration/telemetry/monitoring-multicluster-prometheus/>使用 Prometheus 监控 Istio 多集群</a></li></ul></li><li role=treeitem aria-label=可扩展性><button aria-hidden=true tabindex=-1></button><a title=帮助您管理服务网格的扩展。 href=/v1.16/zh/docs/ops/configuration/extensibility/>可扩展性</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="描述 Istio 如何决定是拉取 Wasm 模块还是使用缓存的版本。 (Alpha)" href=/v1.16/zh/docs/ops/configuration/extensibility/wasm-pull-policy/>WebAssembly 模块的拉取策略 *</a></li></ul></li></ul></li><li role=treeitem aria-label=最佳实践><button aria-hidden=true tabindex=-1></button><a title="设置和管理 Istio 服务网格的最佳实践。" href=/v1.16/zh/docs/ops/best-practices/>最佳实践</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="设置 Istio 服务网格时的最佳实践。" href=/v1.16/zh/docs/ops/best-practices/deployment/>Deployment 最佳实践</a></li><li role=none><a role=treeitem title=避免网络或流量管理问题的配置最佳实践。 href=/v1.16/zh/docs/ops/best-practices/traffic-management/>流量管理最佳实践</a></li><li role=none><a role=treeitem title="使用 Istio 保护应用的最佳实践。" href=/v1.16/zh/docs/ops/best-practices/security/>安全最佳实践</a></li><li role=none><a role=treeitem title="描述如何使用镜像签名来验证 Istio 镜像的出处。" href=/v1.16/zh/docs/ops/best-practices/image-signing-validation/>镜像签名和验证</a></li><li role=none><a role=treeitem title="使用 Istio 观测应用时的最佳实践。" href=/v1.16/zh/docs/ops/best-practices/observability/>可观察性最佳实践</a></li></ul></li><li role=treeitem aria-label=常见问题><button aria-hidden=true tabindex=-1></button><a title="描述如何辨认和解决 Istio 中的常见问题。" href=/v1.16/zh/docs/ops/common-problems/>常见问题</a><ul role=group aria-expanded=false 
class=leaf-section><li role=none><a role=treeitem title="定位常见的 Istio 流量管理和网络问题的技术。" href=/v1.16/zh/docs/ops/common-problems/network-issues/>流量管理问题</a></li><li role=none><a role=treeitem title="定位常见 Istio 认证、授权、安全相关问题的技巧。" href=/v1.16/zh/docs/ops/common-problems/security-issues/>安全问题</a></li><li role=none><a role=treeitem title="处理 Telemetry 收集问题。" href=/v1.16/zh/docs/ops/common-problems/observability-issues/>可观测性问题</a></li><li role=none><a role=treeitem title="解决 Istio 使用 Kubernetes Webhooks 进行 Sidecar 自动注入的常见问题。" href=/v1.16/zh/docs/ops/common-problems/injection/>Sidecar 自动注入问题</a></li><li role=none><a role=treeitem title=如何解决配置验证的问题。 href=/v1.16/zh/docs/ops/common-problems/validation/>配置验证的问题</a></li></ul></li><li role=treeitem aria-label=诊断工具><button aria-hidden=true tabindex=-1></button><a title="帮助解决 Istio 网格问题的工具和技术。" href=/v1.16/zh/docs/ops/diagnostic-tools/>诊断工具</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio 自带的一个可以为服务网格部署提供调试和诊断的补充工具。" href=/v1.16/zh/docs/ops/diagnostic-tools/istioctl/>使用 Istioctl 命令行工具</a></li><li role=none><a role=treeitem title="描述诊断与流量管理相关的 Envoy 配置问题的工具和技术。" href=/v1.16/zh/docs/ops/diagnostic-tools/proxy-cmd/>调试 Envoy 和 Istiod</a></li><li role=none><a role=treeitem title="向您展示如何使用 istioctl describe 来验证您的网格中的 pod 的配置。" href=/v1.16/zh/docs/ops/diagnostic-tools/istioctl-describe/>通过 Istioctl Describe 理解您的网格</a></li><li role=none><a role=treeitem title="演示如何使用 istioctl analyze 来识别配置中的潜在问题。" href=/v1.16/zh/docs/ops/diagnostic-tools/istioctl-analyze/>使用 Istioctl Analyze 诊断配置</a></li><li role=none><a role=treeitem title="介绍如何使用 ControlZ 深入了解正在运行的 istiod 组件。" href=/v1.16/zh/docs/ops/diagnostic-tools/controlz/>组件自检</a></li><li role=none><a role=treeitem title=如何使用组件级别日志来深入了解正在运行的组件的行为。 href=/v1.16/zh/docs/ops/diagnostic-tools/component-logging/>组件日志记录</a></li><li role=none><a role=treeitem title=介绍关于虚拟机调试的技术和工具。 href=/v1.16/zh/docs/ops/diagnostic-tools/virtual-machines/>虚拟机调试</a></li><li 
role=none><a role=treeitem title=介绍用来诊断多集群和多网络下安装问题的工具和技术。 href=/v1.16/zh/docs/ops/diagnostic-tools/multicluster/>多集群下的故障排除</a></li></ul></li><li role=treeitem aria-label=集成><button aria-hidden=true tabindex=-1></button><a title="能够与 Istio 集成以提供额外功能的其他软件。" href=/v1.16/zh/docs/ops/integrations/>集成</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="关于如何与 cert-manager 集成的相关说明。" href=/v1.16/zh/docs/ops/integrations/certmanager/>cert-manager</a></li><li role=none><a role=treeitem title="关于如何与 Grafana 集成构建 Istio 仪表盘的相关文档。" href=/v1.16/zh/docs/ops/integrations/grafana/>Grafana</a></li><li role=none><a role=treeitem title="如何与 Jaeger 集成。" href=/v1.16/zh/docs/ops/integrations/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="有关如何与 Kiali 集成的信息。" href=/v1.16/zh/docs/ops/integrations/kiali/>Kiali</a></li><li role=none><a role=treeitem title="如何集成 Prometheus。" href=/v1.16/zh/docs/ops/integrations/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="如何与 Zipkin 进行集成。" href=/v1.16/zh/docs/ops/integrations/zipkin/>Zipkin</a></li></ul></li></ul></li><li role=treeitem aria-label=发布><a class=main title="与 Istio 发布有关的信息。" href=/v1.16/zh/docs/releases/>发布</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title=特性及其发布阶段的列表。 href=/v1.16/zh/docs/releases/feature-stages/>功能状态</a></li><li role=none><a role=treeitem title=如果发现错误该怎么办。 href=/v1.16/zh/docs/releases/bugs/>报告错误</a></li><li role=none><a role=treeitem title=我们如何处理安全漏洞。 href=/v1.16/zh/docs/releases/security-vulnerabilities/>安全漏洞</a></li><li role=none><a role=treeitem title="当前支持的 Istio 版本。" href=/v1.16/zh/docs/releases/supported-releases/>版本支持</a></li><li role=treeitem aria-label=贡献文档><button aria-hidden=true tabindex=-1></button><a title="详细介绍了如何创建和维护 Istio 文档。" href=/v1.16/zh/docs/releases/contribute/>贡献文档</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="介绍如何为 Istio 贡献新文档。" 
href=/v1.16/zh/docs/releases/contribute/add-content/>添加新文档</a></li><li role=none><a role=treeitem title="详细说明如何将已停用的文档提交给 Istio。" href=/v1.16/zh/docs/releases/contribute/remove-content/>删除已停用的文档</a></li><li role=none><a role=treeitem title=介绍如何在本地进行本网站的构建,测试,运行和预览。 href=/v1.16/zh/docs/releases/contribute/build/>本地构建和运行本网站</a></li><li role=none><a role=treeitem title=介绍了文档中使用的文章头及其可用字段。 href=/v1.16/zh/docs/releases/contribute/front-matter/>文章头部</a></li><li role=none><a role=treeitem title="向您展示如何审阅和批准对 Istio 文档和网站的更改。" href=/v1.16/zh/docs/releases/contribute/review/>文档审阅流程</a></li><li role=none><a role=treeitem title=介绍如何在您的文档中添加代码。 href=/v1.16/zh/docs/releases/contribute/code-blocks/>添加代码块</a></li><li role=none><a role=treeitem title="介绍可用的 shortcode 及其用法。" href=/v1.16/zh/docs/releases/contribute/shortcodes/>使用 Shortcode</a></li><li role=none><a role=treeitem title="介绍 Istio 文档的格式标准。" href=/v1.16/zh/docs/releases/contribute/formatting/>格式标准</a></li><li role=none><a role=treeitem title="介绍 Istio 文档所使用的风格规则。" href=/v1.16/zh/docs/releases/contribute/style-guide/>风格指南</a></li><li role=none><a role=treeitem title="解释 Istio 文档中使用的术语标准。" href=/v1.16/zh/docs/releases/contribute/terminology/>术语标准</a></li><li role=none><a role=treeitem title="为 Istio 文档创建图表提供素材和说明。" href=/v1.16/zh/docs/releases/contribute/diagrams/>创建图表指南</a></li><li role=none><a role=treeitem title="向您展示如何使用 GitHub 参与贡献 Istio 文档。" href=/v1.16/zh/docs/releases/contribute/github/>使用 GitHub 参与社区活动</a></li></ul></li><li role=none><a role=treeitem title=该网站的最新更改列表。 href=/v1.16/zh/docs/releases/log/>网站内容更改</a></li></ul></li><li role=treeitem aria-label=参考><a class=main title="参考部分包含详细的权威参考资料,如命令行选项、配置选项和 API 调用参数。" href=/v1.16/zh/docs/reference/>参考</a><ul role=group aria-expanded=true><li role=treeitem aria-label=配置><button class=show aria-hidden=true tabindex=-1></button><a title=关于配置选项的详细信息。 href=/v1.16/zh/docs/reference/config/>配置</a><ul role=group aria-expanded=true><li role=none><a role=treeitem 
title="Telemetry configuration for workloads." href=/v1.16/zh/docs/reference/config/telemetry/>Telemetry</a></li><li role=none><a role=treeitem title="描述使用 Helm chart 安装 Istio 时的可选项。" href=/v1.16/zh/docs/reference/config/installation-options/>安装选项(Helm)</a></li><li role=none><a role=treeitem title="Describes the structure of messages generated by Istio analyzers." href=/v1.16/zh/docs/reference/config/istio.analysis.v1alpha1/>Analysis Messages</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.16/zh/docs/reference/config/istio.mesh.v1alpha1/>Global Mesh Options</a></li><li role=none><a role=treeitem title="Configuration affecting Istio control plane installation version and shape." href=/v1.16/zh/docs/reference/config/istio.operator.v1alpha1/>IstioOperator Options</a></li><li role=none><a role=treeitem title=描述“状态”字段在配置工作流程中的作用。 href=/v1.16/zh/docs/reference/config/config-status/>状态字段配置</a></li><li role=treeitem aria-label=流量管理><button aria-hidden=true tabindex=-1></button><a title="描述如何配置 HTTP/TCP 路由功能。" href=/v1.16/zh/docs/reference/config/networking/>流量管理</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.16/zh/docs/reference/config/networking/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.16/zh/docs/reference/config/networking/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.16/zh/docs/reference/config/networking/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Provides configuration for individual workloads." href=/v1.16/zh/docs/reference/config/networking/proxy-config/>ProxyConfig</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." 
href=/v1.16/zh/docs/reference/config/networking/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.16/zh/docs/reference/config/networking/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.16/zh/docs/reference/config/networking/virtual-service/>Virtual Service</a></li><li role=none><a role=treeitem title="Configuration affecting VMs onboarded into the mesh." href=/v1.16/zh/docs/reference/config/networking/workload-entry/>Workload Entry</a></li><li role=none><a role=treeitem title="Describes a collection of workload instances." href=/v1.16/zh/docs/reference/config/networking/workload-group/>Workload Group</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true tabindex=-1></button><a title="如何配置 Istio 的安全功能。" href=/v1.16/zh/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration to validate JWT." href=/v1.16/zh/docs/reference/config/security/jwt/>JWTRule</a></li><li role=none><a role=treeitem title="Peer authentication configuration for workloads." href=/v1.16/zh/docs/reference/config/security/peer_authentication/>PeerAuthentication</a></li><li role=none><a role=treeitem title="Request authentication configuration for workloads." href=/v1.16/zh/docs/reference/config/security/request_authentication/>RequestAuthentication</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." 
href=/v1.16/zh/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title=授权策略中支持的条件。 href=/v1.16/zh/docs/reference/config/security/conditions/>授权策略</a></li><li role=none><a role=treeitem title=受支持的约束条件和属性。 href=/v1.16/zh/docs/reference/config/security/constraints-and-properties/>RBAC 约束和属性(不建议使用)</a></li></ul></li><li role=none><a role=treeitem title="通过 Istio 遥测导出的 Istio 标准指标。" href=/v1.16/zh/docs/reference/config/metrics/>Istio 标准指标</a></li><li role=treeitem aria-label=常见类型><button aria-hidden=true tabindex=-1></button><a title="描述 Istio API 中的常见类型。" href=/v1.16/zh/docs/reference/config/type/>常见类型</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Definition of a workload selector." href=/v1.16/zh/docs/reference/config/type/workload-selector/>Workload Selector</a></li></ul></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.16/zh/docs/reference/config/annotations/>Resource Annotations</a></li><li role=none><a role=treeitem title="Resource labels used by Istio." 
href=/v1.16/zh/docs/reference/config/labels/>Resource Labels</a></li><li role=treeitem aria-label=配置分析消息><button aria-hidden=true tabindex=-1></button><a title=记录配置分析期间产生的各个错误和警告消息。 href=/v1.16/zh/docs/reference/config/analysis/>配置分析消息</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0136/>AlphaAnnotation</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0116/>DeploymentAssociatedToMultipleServices</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0137/>DeploymentConflictingPorts</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0117/>DeploymentRequiresServiceAssociated</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0135/>DeprecatedAnnotation</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0153/>EnvoyFilterUsesAddOperationIncorrectly</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0151/>EnvoyFilterUsesRelativeOperation</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0155/>EnvoyFilterUsesRelativeOperationWithProxyVersion</a></li><li role=none><a role=treeitem title 
href=/v1.16/zh/docs/reference/config/analysis/ist0154/>EnvoyFilterUsesRemoveOperationIncorrectly</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0152/>EnvoyFilterUsesReplaceOperationIncorrectly</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0150/>ExternalNameServiceTypeInvalidPortName</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0104/>GatewayPortNotOnWorkload</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0125/>InvalidAnnotation</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0144/>InvalidApplicationUID</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0122/>InvalidRegexp</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0105/>IstioProxyImageMismatch</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0119/>JwtFailureDueToInvalidServicePortPrefix</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0113/>MTLSPolicyConflict</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0123/>NamespaceMultipleInjectionLabels</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem title 
href=/v1.16/zh/docs/reference/config/analysis/ist0127/>NoMatchingWorkloadsFound</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0128/>NoServerCertificateVerificationDestinationLevel</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0129/>NoServerCertificateVerificationPortLevel</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0118/>PortNameIsNotUnderNamingConvention</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0132/>VirtualServiceHostNotFoundInGateway</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0131/>VirtualServiceIneffectiveMatch</a></li><li role=none><a role=treeitem title href=/v1.16/zh/docs/reference/config/analysis/ist0130/>VirtualServiceUnreachableRule</a></li></ul></li></ul></li><li role=treeitem aria-label=命令><button aria-hidden=true tabindex=-1></button><a title="描述 Istio 命令和工具的用法及选项。" href=/v1.16/zh/docs/reference/commands/>命令</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install and configure Istio CNI plugin on a node, detect and repair pod which is broken by race condition." 
href=/v1.16/zh/docs/reference/commands/install-cni/>install-cni</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.16/zh/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.16/zh/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.16/zh/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.16/zh/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li></ul></li><li role=none><a role=treeitem title="Istio 常用术语的词汇表。" href=/v1.16/zh/docs/reference/glossary/>术语表</a></li></ul></li></ul></div></div></div></nav></div><div class=article-container><button id=sidebar-toggle class=main-navigation-toggle aria-label="Open sidebar"><svg class="icon hamburger-sidebar"><use xlink:href="/v1.16/img/icons.svg#hamburger-sidebar"/></svg>
目录</button><article aria-labelledby=title><nav aria-label=Breadcrumb><ol><li><a href=/v1.16/zh/docs/ title="了解如何部署、使用和运维 Istio。">文档</a><svg class="icon breadcrumb-arrow"><use xlink:href="/v1.16/img/icons.svg#breadcrumb-arrow"/></svg></li><li><a href=/v1.16/zh/docs/reference/ title="参考部分包含详细的权威参考资料,如命令行选项、配置选项和 API 调用参数。">参考</a><svg class="icon breadcrumb-arrow"><use xlink:href="/v1.16/img/icons.svg#breadcrumb-arrow"/></svg></li><li><a href=/v1.16/zh/docs/reference/config/ title=关于配置选项的详细信息。>配置</a><svg class="icon breadcrumb-arrow"><use xlink:href="/v1.16/img/icons.svg#breadcrumb-arrow"/></svg></li><li>Global Mesh Options</li></ol></nav><div class=title-area><div style=width:100%><h1 id=title>Global Mesh Options</h1><p class=byline><span class=reading-time title="8904 字"><svg class="icon clock"><use xlink:href="/v1.16/img/icons.svg#clock"/></svg><span> </span>阅读大约需要 42 分钟</span>
<span> </span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=MeshConfig><a href=#MeshConfig>MeshConfig</a><li role=none aria-label=ConfigSource><a href=#ConfigSource>ConfigSource</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy><a href=#MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</a><li role=none aria-label=MeshConfig.CertificateData><a href=#MeshConfig-CertificateData>MeshConfig.CertificateData</a><li role=none aria-label=MeshConfig.ThriftConfig><a href=#MeshConfig-ThriftConfig>MeshConfig.ThriftConfig</a><li role=none aria-label=MeshConfig.CA><a href=#MeshConfig-CA>MeshConfig.CA</a><li role=none aria-label=MeshConfig.ExtensionProvider><a href=#MeshConfig-ExtensionProvider>MeshConfig.ExtensionProvider</a><li role=none aria-label=MeshConfig.DefaultProviders><a href=#MeshConfig-DefaultProviders>MeshConfig.DefaultProviders</a><li role=none aria-label=MeshConfig.ProxyPathNormalization><a href=#MeshConfig-ProxyPathNormalization>MeshConfig.ProxyPathNormalization</a><li role=none aria-label=MeshConfig.TLSConfig><a href=#MeshConfig-TLSConfig>MeshConfig.TLSConfig</a><li role=none aria-label=MeshConfig.ServiceSettings.Settings><a href=#MeshConfig-ServiceSettings-Settings>MeshConfig.ServiceSettings.Settings</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider><a 
href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.ZipkinTracingProvider><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider>MeshConfig.ExtensionProvider.ZipkinTracingProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.LightstepTracingProvider><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider>MeshConfig.ExtensionProvider.LightstepTracingProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.DatadogTracingProvider><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider>MeshConfig.ExtensionProvider.DatadogTracingProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.SkyWalkingTracingProvider><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>MeshConfig.ExtensionProvider.SkyWalkingTracingProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.StackdriverProvider><a href=#MeshConfig-ExtensionProvider-StackdriverProvider>MeshConfig.ExtensionProvider.StackdriverProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.PrometheusMetricsProvider><a href=#MeshConfig-ExtensionProvider-PrometheusMetricsProvider>MeshConfig.ExtensionProvider.PrometheusMetricsProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider</a><li role=none 
aria-label=MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider</a><li role=none aria-label=MeshConfig.ExtensionProvider.StackdriverProvider.Logging><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-Logging>MeshConfig.ExtensionProvider.StackdriverProvider.Logging</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat</a><li role=none aria-label=MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat</a><li role=none aria-label=k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector><a href=#k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector>k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector</a><li role=none aria-label=Tracing><a href=#Tracing>Tracing</a><li role=none aria-label=PrivateKeyProvider><a href=#PrivateKeyProvider>PrivateKeyProvider</a><li role=none aria-label=ProxyConfig><a href=#ProxyConfig>ProxyConfig</a><li role=none aria-label=RemoteService><a href=#RemoteService>RemoteService</a><li role=none aria-label=Tracing.Zipkin><a href=#Tracing-Zipkin>Tracing.Zipkin</a><li role=none aria-label=Tracing.Datadog><a href=#Tracing-Datadog>Tracing.Datadog</a><li role=none aria-label=Tracing.Stackdriver><a href=#Tracing-Stackdriver>Tracing.Stackdriver</a><li role=none aria-label=Tracing.OpenCensusAgent><a href=#Tracing-OpenCensusAgent>Tracing.OpenCensusAgent</a><li role=none 
aria-label=PrivateKeyProvider.CryptoMb><a href=#PrivateKeyProvider-CryptoMb>PrivateKeyProvider.CryptoMb</a><li role=none aria-label=ProxyConfig.ProxyStatsMatcher><a href=#ProxyConfig-ProxyStatsMatcher>ProxyConfig.ProxyStatsMatcher</a><li role=none aria-label=Network><a href=#Network>Network</a><li role=none aria-label=MeshNetworks><a href=#MeshNetworks>MeshNetworks</a><li role=none aria-label=Network.NetworkEndpoints><a href=#Network-NetworkEndpoints>Network.NetworkEndpoints</a><li role=none aria-label=Network.IstioNetworkGateway><a href=#Network-IstioNetworkGateway>Network.IstioNetworkGateway</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy.Mode><a href=#MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</a><li role=none aria-label=MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext</a><li role=none aria-label=MeshConfig.ProxyPathNormalization.NormalizationType><a href=#MeshConfig-ProxyPathNormalization-NormalizationType>MeshConfig.ProxyPathNormalization.NormalizationType</a><li role=none aria-label=MeshConfig.TLSConfig.TLSProtocol><a href=#MeshConfig-TLSConfig-TLSProtocol>MeshConfig.TLSConfig.TLSProtocol</a><li role=none aria-label=MeshConfig.IngressControllerMode><a href=#MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</a><li role=none aria-label=MeshConfig.AccessLogEncoding><a href=#MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</a><li role=none aria-label=MeshConfig.H2UpgradePolicy><a href=#MeshConfig-H2UpgradePolicy>MeshConfig.H2UpgradePolicy</a><li role=none aria-label=Resource><a href=#Resource>Resource</a><li role=none aria-label=Tracing.OpenCensusAgent.TraceContext><a href=#Tracing-OpenCensusAgent-TraceContext>Tracing.OpenCensusAgent.TraceContext</a><li role=none aria-label=ProxyConfig.TracingServiceName><a 
href=#ProxyConfig-TracingServiceName>ProxyConfig.TracingServiceName</a><li role=none aria-label=ProxyConfig.InboundInterceptionMode><a href=#ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</a><li role=none aria-label=AuthenticationPolicy><a href=#AuthenticationPolicy>AuthenticationPolicy</a></ol><hr></div></nav><p>Configuration affecting the service mesh as a whole.</p><h2 id=MeshConfig>MeshConfig</h2><section><p>MeshConfig defines mesh-wide settings for the Istio service mesh.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-proxy_listen_port><td><code>proxyListenPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for incoming connections from
|
||
other services. Default port is 15001.</p></td><td>No</td></tr><tr id=MeshConfig-proxy_http_port><td><code>proxyHttpPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for HTTP PROXY requests if set.</p></td><td>No</td></tr><tr id=MeshConfig-connect_timeout><td><code>connectTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Connection timeout used by Envoy. (MUST BE >=1ms)
|
||
Default timeout is 10s.</p></td><td>No</td></tr><tr id=MeshConfig-protocol_detection_timeout><td><code>protocolDetectionTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Automatic protocol detection uses a set of heuristics to
|
||
determine whether the connection is using TLS or not (on the
|
||
server side), as well as the application protocol being used
|
||
(e.g., http vs tcp). These heuristics rely on the client sending
|
||
the first bits of data. For server first protocols like MySQL,
|
||
MongoDB, etc. Envoy will timeout on the protocol detection after
|
||
the specified period, defaulting to non mTLS plain TCP
|
||
traffic. Set this field to tweak the period that Envoy will wait
|
||
for the client to send the first bits of data. (MUST BE >=1ms or
|
||
0s to disable). Default detection timeout is 0s (no timeout).</p></td><td>No</td></tr><tr id=MeshConfig-tcp_keepalive><td><code>tcpKeepalive</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></code></td><td><p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_class><td><code>ingressClass</code></td><td><code>string</code></td><td><p>Class of ingress resources to be processed by Istio ingress
|
||
controller. This corresponds to the value of
|
||
<code>kubernetes.io/ingress.class</code> annotation.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_service><td><code>ingressService</code></td><td><code>string</code></td><td><p>Name of the Kubernetes service used for the istio ingress controller.
|
||
If no ingress controller is specified, the default value <code>istio-ingressgateway</code> is used.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_controller_mode><td><code>ingressControllerMode</code></td><td><code><a href=#MeshConfig-IngressControllerMode>IngressControllerMode</a></code></td><td><p>Defines whether to use Istio ingress controller for annotated or all ingress resources.
|
||
Default mode is <code>STRICT</code>.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_selector><td><code>ingressSelector</code></td><td><code>string</code></td><td><p>Defines which gateway deployment to use as the Ingress controller. This field corresponds to
|
||
the Gateway.selector field, and will be set as <code>istio: INGRESS_SELECTOR</code>.
|
||
By default, <code>ingressgateway</code> is used, which will select the default IngressGateway as it has the
|
||
<code>istio: ingressgateway</code> labels.
|
||
It is recommended that this is the same value as ingress_service.</p></td><td>No</td></tr><tr id=MeshConfig-enable_tracing><td><code>enableTracing</code></td><td><code>bool</code></td><td><p>Flag to control generation of trace spans and request IDs.
|
||
Requires a trace span collector defined in the proxy configuration.</p></td><td>No</td></tr><tr id=MeshConfig-access_log_file><td><code>accessLogFile</code></td><td><code>string</code></td><td><p>File address for the proxy access log (e.g. /dev/stdout).
|
||
Empty value disables access logging.</p></td><td>No</td></tr><tr id=MeshConfig-access_log_format><td><code>accessLogFormat</code></td><td><code>string</code></td><td><p>Format for the proxy access log
|
||
Empty value results in proxy’s default access log format</p></td><td>No</td></tr><tr id=MeshConfig-access_log_encoding><td><code>accessLogEncoding</code></td><td><code><a href=#MeshConfig-AccessLogEncoding>AccessLogEncoding</a></code></td><td><p>Encoding for the proxy access log (<code>TEXT</code> or <code>JSON</code>).
|
||
Default value is <code>TEXT</code>.</p></td><td>No</td></tr><tr id=MeshConfig-enable_envoy_access_log_service><td><code>enableEnvoyAccessLogService</code></td><td><code>bool</code></td><td><p>This flag enables Envoy’s gRPC Access Log Service.
|
||
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto>Access Log Service</a>
|
||
for details about Envoy’s gRPC Access Log Service API.
|
||
Default value is <code>false</code>.</p></td><td>No</td></tr><tr id=MeshConfig-disable_envoy_listener_log><td><code>disableEnvoyListenerLog</code></td><td><code>bool</code></td><td><p>This flag disables Envoy Listener logs.
|
||
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log>Listener Access Log</a>
|
||
Istio enables Envoy’s listener access logs on the “NoRoute” response flag.
|
||
Default value is <code>false</code>.</p></td><td>No</td></tr><tr id=MeshConfig-default_config><td><code>defaultConfig</code></td><td><code><a href=#ProxyConfig>ProxyConfig</a></code></td><td><p>Default proxy config used by gateway and sidecars.
|
||
In case of Kubernetes, the proxy config is applied once during the injection process,
|
||
and remain constant for the duration of the pod. The rest of the mesh config can be changed
|
||
at runtime and config gets distributed dynamically.
|
||
On Kubernetes, this can be overridden on individual pods with the <code>proxy.istio.io/config</code> annotation.</p></td><td>No</td></tr><tr id=MeshConfig-outbound_traffic_policy><td><code>outboundTrafficPolicy</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy>OutboundTrafficPolicy</a></code></td><td><p>Set the default behavior of the sidecar for handling outbound
|
||
traffic from the application. If your application uses one or
|
||
more external services that are not known a priori, setting the
|
||
policy to <code>ALLOW_ANY</code> will cause the sidecars to route any unknown
|
||
traffic originating from the application to its requested
|
||
destination. Users are strongly encouraged to use ServiceEntries
|
||
to explicitly declare any external dependencies, instead of using
|
||
<code>ALLOW_ANY</code>, so that traffic to these services can be
|
||
monitored. Can be overridden at a Sidecar level by setting the
|
||
<code>OutboundTrafficPolicy</code> in the <a href=/v1.16/zh/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy>Sidecar
|
||
API</a>.
|
||
Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed. Setting the mode to <code>REGISTRY_ONLY</code> instead restricts outbound traffic to services defined in the service registry and through ServiceEntries.</p></td><td>No</td></tr><tr id=MeshConfig-config_sources><td><code>configSources</code></td><td><code><a href=#ConfigSource>ConfigSource[]</a></code></td><td><p>ConfigSource describes a source of configuration data for networking
|
||
rules, and other Istio configuration artifacts. Multiple data sources
|
||
can be configured for a single control plane.</p></td><td>No</td></tr><tr id=MeshConfig-enable_auto_mtls><td><code>enableAutoMtls</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>This flag is used to enable mutual <code>TLS</code> automatically for service to service communication
|
||
within the mesh, default true.
|
||
If set to true, and a given service does not have a corresponding <code>DestinationRule</code> configured,
|
||
or its <code>DestinationRule</code> does not have ClientTLSSettings specified, Istio configures client side
|
||
TLS configuration appropriately. More specifically,
|
||
If the upstream authentication policy is in <code>STRICT</code> mode, use Istio provisioned certificate
|
||
for mutual <code>TLS</code> to connect to upstream.
|
||
If upstream service is in plain text mode, use plain text.
|
||
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
|
||
mutual <code>TLS</code> when server sides are capable of accepting mutual <code>TLS</code> traffic.
|
||
If service <code>DestinationRule</code> exists and has <code>ClientTLSSettings</code> specified, that is always used instead.</p></td><td>No</td></tr><tr id=MeshConfig-trust_domain><td><code>trustDomain</code></td><td><code>string</code></td><td><p>The trust domain corresponds to the trust root of a system.
|
||
Refer to <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain>SPIFFE-ID</a></p></td><td>No</td></tr><tr id=MeshConfig-trust_domain_aliases><td><code>trustDomainAliases</code></td><td><code>string[]</code></td><td><p>The trust domain aliases represent the aliases of <code>trust_domain</code>.
|
||
For example, if we have</p><pre><code class=language-yaml>trustDomain: td1
trustDomainAliases: ["td2", "td3"]
</code></pre><p>Any service with the identity <code>td1/ns/foo/sa/a-service-account</code>, <code>td2/ns/foo/sa/a-service-account</code>,
|
||
or <code>td3/ns/foo/sa/a-service-account</code> will be treated the same in the Istio mesh.</p></td><td>No</td></tr><tr id=MeshConfig-ca_certificates><td><code>caCertificates</code></td><td><code><a href=#MeshConfig-CertificateData>CertificateData[]</a></code></td><td><p>The extra root certificates for workload-to-workload communication.
|
||
The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret)
|
||
are automatically added by Istiod.
|
||
The CA certificate that signs the workload certificates is automatically added by Istio Agent.</p></td><td>No</td></tr><tr id=MeshConfig-default_service_export_to><td><code>defaultServiceExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the ServiceEntry.export_to field and services
|
||
imported through container registry integrations, e.g. this applies to
|
||
Kubernetes Service resources. The value is a list of namespace names and
|
||
reserved namespace aliases. The allowed namespace aliases are:</p><pre><code>* - All Namespaces
. - Current Namespace
~ - No Namespace
</code></pre><p>If not set the system will use “*” as the default value which implies that
|
||
services are exported to all namespaces.</p><p><code>All namespaces</code> is a reasonable default for implementations that don’t
|
||
need to restrict access or visibility of services across namespace
|
||
boundaries. If that requirement is present it is generally good practice to
|
||
make the default <code>Current namespace</code> so that services are only visible
|
||
within their own namespaces by default. Operators can then expand the
|
||
visibility of services to other namespaces as needed. Use of <code>No Namespace</code>
|
||
is expected to be rare but can have utility for deployments where
|
||
dependency management needs to be precise even within the scope of a single
|
||
namespace.</p><p>For further discussion see the reference documentation for <code>ServiceEntry</code>,
|
||
<code>Sidecar</code>, and <code>Gateway</code>.</p></td><td>No</td></tr><tr id=MeshConfig-default_virtual_service_export_to><td><code>defaultVirtualServiceExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the VirtualService.export_to field. Has the same
|
||
syntax as <code>default_service_export_to</code>.</p><p>If not set the system will use “*” as the default value which implies that
|
||
virtual services are exported to all namespaces</p></td><td>No</td></tr><tr id=MeshConfig-default_destination_rule_export_to><td><code>defaultDestinationRuleExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the <code>DestinationRule.export_to</code> field. Has the same
|
||
syntax as <code>default_service_export_to</code>.</p><p>If not set the system will use “*” as the default value which implies that
|
||
destination rules are exported to all namespaces</p></td><td>No</td></tr><tr id=MeshConfig-root_namespace><td><code>rootNamespace</code></td><td><code>string</code></td><td><p>The namespace to treat as the administrative root namespace for
|
||
Istio configuration. When processing a leaf namespace Istio will search for
|
||
declarations in that namespace first and if none are found it will
|
||
search in the root namespace. Any matching declaration found in the root
|
||
namespace is processed as if it were declared in the leaf namespace.</p><p>The precise semantics of this processing are documented on each resource
|
||
type.</p></td><td>No</td></tr><tr id=MeshConfig-locality_lb_setting><td><code>localityLbSetting</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#LocalityLoadBalancerSetting>LocalityLoadBalancerSetting</a></code></td><td><p>Locality based load balancing distribution or failover settings.</p></td><td>No</td></tr><tr id=MeshConfig-dns_refresh_rate><td><code>dnsRefreshRate</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Configures DNS refresh rate for Envoy clusters of type <code>STRICT_DNS</code>
|
||
Default refresh rate is <code>5s</code>.</p></td><td>No</td></tr><tr id=MeshConfig-h2_upgrade_policy><td><code>h2UpgradePolicy</code></td><td><code><a href=#MeshConfig-H2UpgradePolicy>H2UpgradePolicy</a></code></td><td><p>Specify if http1.1 connections should be upgraded to http2 by default.
|
||
If a sidecar is installed on all pods in the mesh, then this should be set to <code>UPGRADE</code>.
|
||
If one or more services or namespaces do not have sidecar(s), then this should be set to <code>DO_NOT_UPGRADE</code>.
|
||
It can be enabled by destination using the <code>destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy</code> override.</p></td><td>No</td></tr><tr id=MeshConfig-inbound_cluster_stat_name><td><code>inboundClusterStatName</code></td><td><code>string</code></td><td><p>Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
|
||
network filters like TCP and Redis.
|
||
By default, Istio emits statistics with the pattern <code>inbound|&lt;port&gt;|&lt;port-name&gt;|&lt;service-FQDN&gt;</code>.
|
||
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td><td>No</td></tr><tr id=MeshConfig-outbound_cluster_stat_name><td><code>outboundClusterStatName</code></td><td><code>string</code></td><td><p>Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
|
||
network filters like TCP and Redis.
|
||
By default, Istio emits statistics with the pattern <code>outbound|&lt;port&gt;|&lt;subsetname&gt;|&lt;service-FQDN&gt;</code>.
|
||
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li><li><code>%SUBSET_NAME%</code> - Will be substituted with subset.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use <code>reviews.prod.svc.cluster.local_7443</code> as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td><td>No</td></tr><tr id=MeshConfig-thrift_config><td><code>thriftConfig</code></td><td><code><a href=#MeshConfig-ThriftConfig>ThriftConfig</a></code></td><td><p>Set configuration for Thrift protocol</p></td><td>No</td></tr><tr id=MeshConfig-enable_prometheus_merge><td><code>enablePrometheusMerge</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
|
||
and Istio agent. The sidecar injection will replace <code>prometheus.io</code> annotations present on the pod
|
||
and redirect them towards Istio agent, which will then merge metrics from the application with Istio metrics.
|
||
This relies on the annotations <code>prometheus.io/scrape</code>, <code>prometheus.io/port</code>, and
|
||
<code>prometheus.io/path</code>.
|
||
If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
|
||
In this case, it is recommended to disable aggregation on that deployment with the
|
||
<code>prometheus.istio.io/merge-metrics: "false"</code> annotation.
|
||
If not specified, this will be enabled by default.</p></td><td>No</td></tr><tr id=MeshConfig-extension_providers><td><code>extensionProviders</code></td><td><code><a href=#MeshConfig-ExtensionProvider>ExtensionProvider[]</a></code></td><td><p>Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy
|
||
can be used with an extension provider to delegate the authorization decision to a custom authorization system.</p></td><td>No</td></tr><tr id=MeshConfig-default_providers><td><code>defaultProviders</code></td><td><code><a href=#MeshConfig-DefaultProviders>DefaultProviders</a></code></td><td><p>Specifies extension providers to use by default in Istio configuration resources.</p></td><td>No</td></tr><tr id=MeshConfig-discovery_selectors><td><code>discoverySelectors</code></td><td><code><a href=#k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector>LabelSelector[]</a></code></td><td><p>A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
|
||
computing configuration updates for sidecars. This can be used to reduce Istio’s computational load
|
||
by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
|
||
If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
|
||
Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
|
||
The following example selects any namespace that matches either below:</p><ol><li>The namespace has both of these labels: <code>env: prod</code> and <code>region: us-east1</code></li><li>The namespace has label <code>app</code> equal to <code>cassandra</code> or <code>spark</code>.</li></ol><pre><code class=language-yaml>discoverySelectors:
  - matchLabels:
      env: prod
      region: us-east1
  - matchExpressions:
    - key: app
      operator: In
      values:
        - cassandra
        - spark
</code></pre><p>Refer to the <a href=https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors>kubernetes selector docs</a>
|
||
for additional detail on selector semantics.</p></td><td>No</td></tr><tr id=MeshConfig-path_normalization><td><code>pathNormalization</code></td><td><code><a href=#MeshConfig-ProxyPathNormalization>ProxyPathNormalization</a></code></td><td><p>ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
|
||
normalized by the sidecars and gateways.
|
||
The normalized paths will be used in all aspects through the requests’ lifetime on the
|
||
sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
|
||
authorization policy match and enforcement in inbound direction (server proxy), and the URL
|
||
path proxied to the upstream service.
|
||
If not set, the NormalizationType.DEFAULT configuration will be used.</p></td><td>No</td></tr><tr id=MeshConfig-default_http_retry_policy><td><code>defaultHttpRetryPolicy</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/virtual-service/#HTTPRetry>HTTPRetry</a></code></td><td><p>Configure the default HTTP retry policy.
|
||
The default number of retry attempts is set at 2 for these errors:
|
||
“connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”.
|
||
Setting the number of attempts to 0 disables retry policy globally.
|
||
This setting can be overridden on a per-host basis using the Virtual Service
|
||
API.
|
||
All settings in the retry policy except <code>perTryTimeout</code> can currently be
|
||
configured globally via this field.</p></td><td>No</td></tr><tr id=MeshConfig-mesh_mTLS><td><code>meshMTLS</code></td><td><code><a href=#MeshConfig-TLSConfig>TLSConfig</a></code></td><td><p>Configuration of mTLS for traffic between workloads within the mesh.</p></td><td>No</td></tr></tbody></table></section><h2 id=ConfigSource>ConfigSource</h2><section><p>ConfigSource describes information about a configuration store inside a
|
||
mesh. A single control plane instance can interact with one or more data
|
||
sources.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ConfigSource-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the server implementing the Istio Mesh Configuration
|
||
protocol (MCP). Can be IP address or a fully qualified DNS name.
|
||
Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
|
||
fs:/// to specify a file-based backend with absolute path to the directory.</p></td><td>No</td></tr><tr id=ConfigSource-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the tls_settings to specify the tls mode to use. If the MCP server
|
||
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
|
||
mode as <code>ISTIO_MUTUAL</code>.</p></td><td>No</td></tr><tr id=ConfigSource-subscribed_resources><td><code>subscribedResources</code></td><td><code><a href=#Resource>Resource[]</a></code></td><td><p>Describes the source of configuration, if nothing is specified default is MCP</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-mode><td><code>mode</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy-Mode>Mode</a></code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-CertificateData>MeshConfig.CertificateData</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-CertificateData-pem class="oneof oneof-start"><td><code>pem</code></td><td><code>string (oneof)</code></td><td><p>The PEM data of the certificate.</p></td><td>No</td></tr><tr id=MeshConfig-CertificateData-spiffe_bundle_url class=oneof><td><code>spiffeBundleUrl</code></td><td><code>string (oneof)</code></td><td><p>The SPIFFE bundle endpoint URL that complies to:
|
||
<a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle>https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle</a>
|
||
The endpoint should support authentication based on Web PKI:
|
||
<a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki>https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki</a>
|
||
The certificate is retrieved from the endpoint.</p></td><td>No</td></tr><tr id=MeshConfig-CertificateData-cert_signers><td><code>certSigners</code></td><td><code>string[]</code></td><td><p>Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
|
||
when Istiod is acting as RA (registration authority).
|
||
If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.</p></td><td>No</td></tr><tr id=MeshConfig-CertificateData-trust_domains><td><code>trustDomains</code></td><td><code>string[]</code></td><td><p>Optional. Specify the list of trust domains to which this trustAnchor data belongs.
|
||
If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
|
||
and its aliases.
|
||
Note that there can be multiple trustAnchor data for the same trust_domain.
|
||
In that case, trustAnchors with the same trust domain will be merged and used together to verify peer certificates.
|
||
If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
|
||
If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
|
||
If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
|
||
If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ThriftConfig>MeshConfig.ThriftConfig</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ThriftConfig-rate_limit_url><td><code>rateLimitUrl</code></td><td><code>string</code></td><td><p>Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
|
||
this will enable the rate limit service for destinations that have matching rate
|
||
limit configurations.</p></td><td>No</td></tr><tr id=MeshConfig-ThriftConfig-rate_limit_timeout><td><code>rateLimitTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Specify thrift rate limit service timeout, in milliseconds. Default is <code>50ms</code></p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-CA>MeshConfig.CA</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-CA-address><td><code>address</code></td><td><code>string</code></td><td><p>REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
|
||
Can be an IP address or a fully qualified DNS name with port.
|
||
Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000</p></td><td>No</td></tr><tr id=MeshConfig-CA-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the tls_settings to specify the tls mode to use.
|
||
Regarding tls_settings:</p><ul><li>DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
|
||
DISABLE MODE can also be used for testing, but the connection from Istiod to the CA server is then not protected by TLS.</li><li>TLS MUTUAL MODE is on by default. If the CA certificates
|
||
(cert bundle to verify the CA server’s certificate) is omitted, Istiod will
|
||
use the system root certs to verify the CA server’s certificate.</li></ul></td><td>No</td></tr><tr id=MeshConfig-CA-request_timeout><td><code>requestTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>timeout for forward CSR requests from Istiod to External CA
|
||
Default: 10s</p></td><td>No</td></tr><tr id=MeshConfig-CA-istiod_side><td><code>istiodSide</code></td><td><code>bool</code></td><td><p>Use istiod_side to specify CA Server integrate to Istiod side or Agent side
|
||
Default: true</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider>MeshConfig.ExtensionProvider</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-name><td><code>name</code></td><td><code>string</code></td><td><p>REQUIRED. A unique name identifying the extension provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_ext_authz_http class="oneof oneof-start"><td><code>envoyExtAuthzHttp</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>EnvoyExternalAuthorizationHttpProvider (oneof)</a></code></td><td><p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_ext_authz_grpc class=oneof><td><code>envoyExtAuthzGrpc</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>EnvoyExternalAuthorizationGrpcProvider (oneof)</a></code></td><td><p>Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-zipkin class=oneof><td><code>zipkin</code></td><td><code><a href=#MeshConfig-ExtensionProvider-ZipkinTracingProvider>ZipkinTracingProvider (oneof)</a></code></td><td><p>Configures a tracing provider that uses the Zipkin API.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-lightstep class=oneof><td><code>lightstep</code></td><td><code><a href=#MeshConfig-ExtensionProvider-LightstepTracingProvider>LightstepTracingProvider (oneof)</a></code></td><td><p>Configures a Lightstep tracing provider.
|
||
Note: For Istio 1.15+, configuring this provider will result in
|
||
using an OpenTelemetryTracingProvider configured specially for
Lightstep. This is part of the Lightstep transition to OpenTelemetry.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-datadog class=oneof><td><code>datadog</code></td><td><code><a href=#MeshConfig-ExtensionProvider-DatadogTracingProvider>DatadogTracingProvider (oneof)</a></code></td><td><p>Configures a Datadog tracing provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-stackdriver class=oneof><td><code>stackdriver</code></td><td><code><a href=#MeshConfig-ExtensionProvider-StackdriverProvider>StackdriverProvider (oneof)</a></code></td><td><p>Configures a Stackdriver provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-opencensus class=oneof><td><code>opencensus</code></td><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>OpenCensusAgentTracingProvider (oneof)</a></code></td><td><p>Configures an OpenCensusAgent tracing provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-skywalking class=oneof><td><code>skywalking</code></td><td><code><a href=#MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>SkyWalkingTracingProvider (oneof)</a></code></td><td><p>Configures a Apache SkyWalking provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-opentelemetry class=oneof><td><code>opentelemetry</code></td><td><code><a href=#MeshConfig-ExtensionProvider-OpenTelemetryTracingProvider>OpenTelemetryTracingProvider (oneof)</a></code></td><td><p>Configures an OpenTelemetry tracing provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-prometheus class=oneof><td><code>prometheus</code></td><td><code><a href=#MeshConfig-ExtensionProvider-PrometheusMetricsProvider>PrometheusMetricsProvider (oneof)</a></code></td><td><p>Configures a Prometheus metrics provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_file_access_log class=oneof><td><code>envoyFileAccessLog</code></td><td><code><a 
href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>EnvoyFileAccessLogProvider (oneof)</a></code></td><td><p>Configures an Envoy File Access Log provider.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_http_als class=oneof><td><code>envoyHttpAls</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>EnvoyHttpGrpcV3LogProvider (oneof)</a></code></td><td><p>Configures an Envoy Access Logging Service provider for HTTP traffic.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_tcp_als class=oneof><td><code>envoyTcpAls</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>EnvoyTcpGrpcV3LogProvider (oneof)</a></code></td><td><p>Configures an Envoy Access Logging Service provider for TCP traffic.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-envoy_otel_als class=oneof><td><code>envoyOtelAls</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>EnvoyOpenTelemetryLogProvider (oneof)</a></code></td><td><p>Configures an Envoy Open Telemetry Access Logging Service provider.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-DefaultProviders>MeshConfig.DefaultProviders</h2><section><p>Holds the name references to the providers that will be used by default
in other Istio configuration resources if the provider is not specified.</p><p>These names must match a provider defined in <code>extension_providers</code> that is
one of the supported tracing providers.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-DefaultProviders-tracing><td><code>tracing</code></td><td><code>string[]</code></td><td><p>Name of the default provider(s) for tracing.</p></td><td>No</td></tr><tr id=MeshConfig-DefaultProviders-metrics><td><code>metrics</code></td><td><code>string[]</code></td><td><p>Name of the default provider(s) for metrics.</p></td><td>No</td></tr><tr id=MeshConfig-DefaultProviders-access_logging><td><code>accessLogging</code></td><td><code>string[]</code></td><td><p>Name of the default provider(s) for access logging.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ProxyPathNormalization>MeshConfig.ProxyPathNormalization</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ProxyPathNormalization-normalization><td><code>normalization</code></td><td><code><a href=#MeshConfig-ProxyPathNormalization-NormalizationType>NormalizationType</a></code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-TLSConfig>MeshConfig.TLSConfig</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-TLSConfig-min_protocol_version><td><code>minProtocolVersion</code></td><td><code><a href=#MeshConfig-TLSConfig-TLSProtocol>TLSProtocol</a></code></td><td><p>Optional: the minimum TLS protocol version. The default minimum
TLS version will be TLS 1.2. As servers may not be Envoy and be
set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
minimum TLS version for clients may also be TLS 1.2.
In the current Istio implementation, the maximum TLS protocol version
is TLS 1.3.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ServiceSettings-Settings>MeshConfig.ServiceSettings.Settings</h2><section><p>Settings for the selected services.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ServiceSettings-Settings-cluster_local><td><code>clusterLocal</code></td><td><code>bool</code></td><td><p>If true, specifies that the client and service endpoints must reside in the same cluster.
By default, in multi-cluster deployments, the Istio control plane assumes all service
endpoints to be reachable from any client in any of the clusters which are part of the
mesh. This configuration option limits the set of service endpoints visible to a client
to be cluster scoped.</p><p>There are some common scenarios when this can be useful:</p><ul><li>A service (or group of services) is inherently local to the cluster and has local storage
for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).</li><li>A mesh administrator wants to slowly migrate services to Istio. They might start by first
having services cluster-local and then slowly transition them to mesh-wide. They could do
this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
(e.g. *.myns.svc.cluster.local).</li></ul><p>By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
services in the kube-system namespace to be cluster-local, unless explicitly overridden here.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-max_request_bytes><td><code>maxRequestBytes</code></td><td><code>uint32</code></td><td><p>Sets the maximum size of a message body that the ext-authz filter will hold in memory.
If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
Otherwise the request will be sent to the provider with a partial message.
Note that this setting takes precedence over the fail_open field: the 413 will be returned even when the
fail_open is set to true.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-allow_partial_message><td><code>allowPartialMessage</code></td><td><code>bool</code></td><td><p>When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
An “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message
indicating if the body data is partial.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody-pack_as_bytes><td><code>packAsBytes</code></td><td><code>bool</code></td><td><p>If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
in the raw_body field (<a href=https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153>https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153</a>).
Otherwise, it will be filled with a UTF-8 string in the body field (<a href=https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147>https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147</a>).
This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-timeout><td><code>timeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
In this situation, the response sent back to the client will depend on the configured <code>fail_open</code> field.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-path_prefix><td><code>pathPrefix</code></td><td><code>string</code></td><td><p>Sets a prefix to the value of authorization request header <em>Path</em>.
For example, setting this to “/check” for an original user request at path “/admin” will cause the
authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-fail_open><td><code>failOpen</code></td><td><code>bool</code></td><td><p>If true, the user request will be allowed even if the communication with the authorization service has failed,
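or if the authorization service has returned an HTTP 5xx error. Setting this to true trades enforcement for availability: while the authorization service is unreachable or returning 5xx errors, requests pass without an authorization decision.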
Default is false and the request will be rejected with “Forbidden” response.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-status_on_error><td><code>statusOnError</code></td><td><code>string</code></td><td><p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
The default status is “403” (HTTP Forbidden).</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_headers_in_check><td><code>includeHeadersInCheck</code></td><td><code>string[]</code></td><td><p>DEPRECATED. Use include_request_headers_in_check instead.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_headers_in_check><td><code>includeRequestHeadersInCheck</code></td><td><code>string[]</code></td><td><p>List of client request headers that should be included in the authorization request sent to the authorization service.
Note that in addition to the headers specified here, the following headers are included by default:</p><ol><li><em>Host</em>, <em>Method</em>, <em>Path</em> and <em>Content-Length</em> are automatically sent.</li><li><em>Content-Length</em> will be set to 0 and the request will not have a message body. However, the authorization
request can include the buffered client request body (controlled by include_request_body_in_check setting),
consequently the value of Content-Length of the authorization request reflects the size of its payload.</li></ol><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_additional_headers_in_check><td><code>includeAdditionalHeadersInCheck</code></td><td><code>map<string, string></code></td><td><p>Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
Key is the header name and value is the header value.
Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-include_request_body_in_check><td><code>includeRequestBodyInCheck</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a></code></td><td><p>If set, the client request body will be included in the authorization request sent to the authorization service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_upstream_on_allow><td><code>headersToUpstreamOnAllow</code></td><td><code>string[]</code></td><td><p>List of headers from the authorization service that should be added or overridden in the original request and
forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
If not specified, the original request will not be modified and forwarded to backend as-is.
Note, any existing headers will be overridden.</p><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_deny><td><code>headersToDownstreamOnDeny</code></td><td><code>string[]</code></td><td><p>List of headers from the authorization service that should be forwarded to downstream when the authorization
check result is not allowed (HTTP code other than 200).
If not specified, all the authorization response headers, except <em>Authority (Host)</em>, will be included in the response to
the downstream.
When a header is included in this list, <em>Path</em>, <em>Status</em>, <em>Content-Length</em>, <em>WWWAuthenticate</em> and <em>Location</em> are
automatically added.
Note, the body from the authorization service is always included in the response to downstream.</p><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider-headers_to_downstream_on_allow><td><code>headersToDownstreamOnAllow</code></td><td><code>string[]</code></td><td><p>List of headers from the authorization service that should be forwarded to downstream when the authorization
check result is allowed (HTTP code 200).
If not specified, the original response will not be modified and forwarded to downstream as-is.
Note, any existing headers will be overridden.</p><p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
<a href=/v1.16/latest/docs/reference/config/security/authorization-policy/#Rule)>https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p><ul><li>Exact match: “abc” will match on value “abc”.</li><li>Prefix match: “abc*” will match on value “abc” and “abcd”.</li><li>Suffix match: “*abc” will match on value “abc” and “xabc”.</li></ul></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider>MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-timeout><td><code>timeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
In this situation, the response sent back to the client will depend on the configured <code>fail_open</code> field.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-fail_open><td><code>failOpen</code></td><td><code>bool</code></td><td><p>If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
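or if the authorization service has returned an HTTP 5xx error. Setting this to true trades enforcement for availability: while the authorization service is unreachable or returning 5xx errors, HTTP requests and TCP connections pass without an authorization decision.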
Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-status_on_error><td><code>statusOnError</code></td><td><code>string</code></td><td><p>Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
The default status is “403” (HTTP Forbidden).</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationGrpcProvider-include_request_body_in_check><td><code>includeRequestBodyInCheck</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody>EnvoyExternalAuthorizationRequestBody</a></code></td><td><p>If set, the client request body will be included in the authorization request sent to the authorization service.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-ZipkinTracingProvider>MeshConfig.ExtensionProvider.ZipkinTracingProvider</h2><section><p>Defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that the Zipkin API.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-ZipkinTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-LightstepTracingProvider>MeshConfig.ExtensionProvider.LightstepTracingProvider</h2><section><p>Defines configuration for a Lightstep tracer.
Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
will generate OpenTelemetry-compatible configuration when using this option.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the Lightstep collector.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-access_token><td><code>accessToken</code></td><td><code>string</code></td><td><p>The Lightstep access token.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-LightstepTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-DatadogTracingProvider>MeshConfig.ExtensionProvider.DatadogTracingProvider</h2><section><p>Defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the Datadog agent.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-DatadogTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider>MeshConfig.ExtensionProvider.SkyWalkingTracingProvider</h2><section><p>Defines configuration for a SkyWalking tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the SkyWalking receiver.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-SkyWalkingTracingProvider-access_token><td><code>accessToken</code></td><td><code>string</code></td><td><p>Optional. The SkyWalking OAP access token.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-StackdriverProvider>MeshConfig.ExtensionProvider.StackdriverProvider</h2><section><p>Defines configuration for Stackdriver.</p><p>WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
driver in Envoy.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-logging><td><code>logging</code></td><td><code><a href=#MeshConfig-ExtensionProvider-StackdriverProvider-Logging>Logging</a></code></td><td><p>Optional. Controls Stackdriver logging behavior.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider>MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider</h2><section><p>Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.</p><p>WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation
in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
configuration MUST be accompanied by a restart of all proxies that will use that configuration.</p><p>NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
alongside OpenCensus provider configuration.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service for the OpenCensusAgent.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-context><td><code>context</code></td><td><code><a href=#MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>TraceContext[]</a></code></td><td><p>Specifies the set of context propagation headers used for distributed
tracing. Default is <code>["W3C_TRACE_CONTEXT"]</code>. If multiple values are specified,
the proxy will attempt to read each header for each request and will
write all headers.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-max_tag_length><td><code>maxTagLength</code></td><td><code>uint32</code></td><td><p>Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-PrometheusMetricsProvider>MeshConfig.ExtensionProvider.PrometheusMetricsProvider</h2><section></section><h2 id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider>MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider</h2><section><p>Defines configuration for Envoy-based access logging that writes to
local files (and/or standard streams).</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-path><td><code>path</code></td><td><code>string</code></td><td><p>Path to a local file to write the access log entries.
This may be used to write to streams, via <code>/dev/stderr</code> and <code>/dev/stdout</code>
If unspecified, defaults to <code>/dev/stdout</code>.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-log_format><td><code>logFormat</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>LogFormat</a></code></td><td><p>Optional. Allows overriding of the default access log format.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider>MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider</h2><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als>Access Logging Service</a>
integration for HTTP traffic.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy gRPC Access Log Service (ALS).
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-log_name><td><code>logName</code></td><td><code>string</code></td><td><p>Optional. The friendly name of the access log.
Defaults:</p><ul><li>“http_envoy_accesslog”</li><li>“listener_envoy_accesslog”</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-filter_state_objects_to_log><td><code>filterStateObjectsToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional filter state objects to log.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_request_headers_to_log><td><code>additionalRequestHeadersToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional request headers to log. Header values are sent to the log service as-is, so avoid listing credential-bearing headers such as <code>Authorization</code> or <code>Cookie</code> unless the log sink is protected accordingly.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_headers_to_log><td><code>additionalResponseHeadersToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional response headers to log.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyHttpGrpcV3LogProvider-additional_response_trailers_to_log><td><code>additionalResponseTrailersToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional response trailers to log.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider>MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider</h2><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als>Access Logging Service</a>
integration for TCP traffic.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy gRPC Access Log Service (ALS).
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-log_name><td><code>logName</code></td><td><code>string</code></td><td><p>Optional. The friendly name of the access log.
Defaults:</p><ul><li>“tcp_envoy_accesslog”</li><li>“listener_envoy_accesslog”</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyTcpGrpcV3LogProvider-filter_state_objects_to_log><td><code>filterStateObjectsToLog</code></td><td><code>string[]</code></td><td><p>Optional. Additional filter state objects to log.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider>MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider</h2><section><p>Defines configuration for an Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>OpenTelemetry (gRPC) Access Log</a></p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-service><td><code>service</code></td><td><code>string</code></td><td><p>REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
The format is <code>[<Namespace>/]<Hostname></code>. The specification of <code><Namespace></code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code><Hostname></code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p><p>Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-port><td><code>port</code></td><td><code>uint32</code></td><td><p>REQUIRED. Specifies the port of the service.</p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_name><td><code>logName</code></td><td><code>string</code></td><td><p>Optional. The friendly name of the access log.
Defaults:</p><ul><li>“otel_envoy_accesslog”</li></ul></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-log_format><td><code>logFormat</code></td><td><code><a href=#MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>LogFormat</a></code></td><td><p>Optional. Format for the proxy access log
Empty value results in proxy’s default access log format, following Envoy access logging formatting.</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-StackdriverProvider-Logging>MeshConfig.ExtensionProvider.StackdriverProvider.Logging</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-StackdriverProvider-Logging-labels><td><code>labels</code></td><td><code>map<string, string></code></td><td><p>Collection of tag names and tag expressions to include in the log
entry. Conflicts are resolved by the tag name by overriding previously
supplied values.</p><p>Example:
labels:
path: request.url_path
foo: request.headers[‘x-foo’]</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat>MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider.LogFormat</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-text class="oneof oneof-start"><td><code>text</code></td><td><code>string (oneof)</code></td><td><p>Textual format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a> may be
used in the format. The <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings>format string documentation</a>
provides more information.</p><p>NOTE: Istio will insert a newline (’\n’) on all formats (if missing).</p><p>Example: <code>text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"</code></p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyFileAccessLogProvider-LogFormat-labels class=oneof><td><code>labels</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>Struct (oneof)</a></code></td><td><p>JSON structured format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries>format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. <code>FILTER_STATE</code> or <code>DYNAMIC_METADATA</code>).
Use <code>labels: {}</code> for default envoy JSON log format.</p><p>Example:</p><pre><code>labels:
  status: "%RESPONSE_CODE%"
  message: "%LOCAL_REPLY_BODY%"
</code></pre></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat>MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider.LogFormat</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-text><td><code>text</code></td><td><code>string</code></td><td><p>Textual format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a> may be
used in the format. The <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings>format string documentation</a>
provides more information.
Alias to <code>body</code> field in <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>Open Telemetry</a>.
Example: <code>text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"</code></p></td><td>No</td></tr><tr id=MeshConfig-ExtensionProvider-EnvoyOpenTelemetryLogProvider-LogFormat-labels><td><code>labels</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>Struct</a></code></td><td><p>Optional. Additional attributes that describe the specific event occurrence.
Structured format for the envoy access logs. Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators>command operators</a>
can be used as values for fields within the Struct. Values are rendered
as strings, numbers, or boolean values, as appropriate
(see: <a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries>format dictionaries</a>). Nested JSON is
supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
Alias to <code>attributes</code> field in <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto>Open Telemetry</a>.</p><p>Example:</p><pre><code>labels:
  status: "%RESPONSE_CODE%"
  message: "%LOCAL_REPLY_BODY%"
</code></pre></td><td>No</td></tr></tbody></table></section><h2 id=k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector>k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector</h2><section><p>A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
+structType=atomic</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector-matchLabels><td><code>matchLabels</code></td><td><code>map<string, string></code></td><td><p>matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is “key”, the
operator is “In”, and the values array contains only “value”. The requirements are ANDed.
+optional</p></td><td>No</td></tr><tr id=k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelector-matchExpressions><td><code>matchExpressions</code></td><td><code><a href=#k8s-io-apimachinery-pkg-apis-meta-v1-LabelSelectorRequirement>LabelSelectorRequirement[]</a></code></td><td><p>matchExpressions is a list of label selector requirements. The requirements are ANDed.
+optional</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing>Tracing</h2><section><p>Tracing defines configuration for the tracing performed by Envoy instances.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-zipkin class="oneof oneof-start"><td><code>zipkin</code></td><td><code><a href=#Tracing-Zipkin>Zipkin (oneof)</a></code></td><td><p>Use a Zipkin tracer.</p></td><td>No</td></tr><tr id=Tracing-lightstep class=oneof><td><code>lightstep</code></td><td><code><a href=#Tracing-Lightstep>Lightstep (oneof)</a></code></td><td><p>Use a Lightstep tracer.
NOTE: For Istio 1.15+, this configuration option will result
in using OpenTelemetry-based Lightstep integration.</p></td><td>No</td></tr><tr id=Tracing-datadog class=oneof><td><code>datadog</code></td><td><code><a href=#Tracing-Datadog>Datadog (oneof)</a></code></td><td><p>Use a Datadog tracer.</p></td><td>No</td></tr><tr id=Tracing-stackdriver class=oneof><td><code>stackdriver</code></td><td><code><a href=#Tracing-Stackdriver>Stackdriver (oneof)</a></code></td><td><p>Use a Stackdriver tracer.</p></td><td>No</td></tr><tr id=Tracing-open_census_agent class=oneof><td><code>openCensusAgent</code></td><td><code><a href=#Tracing-OpenCensusAgent>OpenCensusAgent (oneof)</a></code></td><td><p>Use an OpenCensus tracer exporting to an OpenCensus agent.</p></td><td>No</td></tr><tr id=Tracing-sampling><td><code>sampling</code></td><td><code>double</code></td><td><p>The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
if not requested by the client or not forced. Default is 1.0.</p></td><td>No</td></tr><tr id=Tracing-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the tls_settings to specify the tls mode to use. If the remote tracing service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p></td><td>No</td></tr></tbody></table></section><h2 id=PrivateKeyProvider>PrivateKeyProvider</h2><section><p>PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
mesh-wide or on an individual per-workload basis.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=PrivateKeyProvider-cryptomb class="oneof oneof-start"><td><code>cryptomb</code></td><td><code><a href=#PrivateKeyProvider-CryptoMb>CryptoMb (oneof)</a></code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=ProxyConfig>ProxyConfig</h2><section><p>ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
as well as by the mesh-wide defaults.
To set the mesh wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p><pre><code>meshConfig:
  defaultConfig:
    discoveryAddress: istiod:15012
</code></pre><p>This can also be configured on a per-workload basis by configuring the <code>proxy.istio.io/config</code> annotation on the pod. For example:</p><pre><code>annotations:
  proxy.istio.io/config: |
    discoveryAddress: istiod:15012
</code></pre><p>If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
This is different from a deep merge provided by protobuf.
For example, <code>"tracing": { "sampling": 5 }</code> would completely override a setting configuring a tracing provider
such as <code>"tracing": { "zipkin": { "address": "..." } }</code>.</p><p>Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ProxyConfig-config_path><td><code>configPath</code></td><td><code>string</code></td><td><p>Path to the generated configuration file directory.
Proxy agent generates the actual configuration and stores it in this directory.</p></td><td>No</td></tr><tr id=ProxyConfig-binary_path><td><code>binaryPath</code></td><td><code>string</code></td><td><p>Path to the proxy binary</p></td><td>No</td></tr><tr id=ProxyConfig-service_cluster class="oneof oneof-start"><td><code>serviceCluster</code></td><td><code>string (oneof)</code></td><td><p>Service cluster defines the name for the <code>service_cluster</code> that is
shared by all Envoy instances. This setting corresponds to
<code>--service-cluster</code> flag in Envoy. In a typical Envoy deployment, the
<code>service-cluster</code> flag is used to identify the caller, for
source-based routing scenarios.</p><p>Since Istio does not assign a local <code>service/service</code> version to each
Envoy instance, the name is same for all of them. However, the
source/caller’s identity (e.g., IP address) is encoded in the
<code>--service-node</code> flag when launching Envoy. When the RDS service
receives API calls from Envoy, it uses the value of the <code>service-node</code>
flag to compute routes that are relative to the service instances
located at that IP address.</p></td><td>No</td></tr><tr id=ProxyConfig-tracing_service_name class=oneof><td><code>tracingServiceName</code></td><td><code><a href=#ProxyConfig-TracingServiceName>TracingServiceName (oneof)</a></code></td><td><p>Used by Envoy proxies to assign the values for the service names in trace
spans.</p></td><td>No</td></tr><tr id=ProxyConfig-drain_duration><td><code>drainDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The time in seconds that Envoy will drain connections during a hot
restart. MUST be >=1s (e.g., <em>1s/1m/1h</em>)
Default drain duration is <code>45s</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-parent_shutdown_duration><td><code>parentShutdownDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The time in seconds that Envoy will wait before shutting down the
parent process during a hot restart. MUST be >=1s (e.g., <code>1s/1m/1h</code>).
MUST BE greater than <code>drain_duration</code> parameter.
Default shutdown duration is <code>60s</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-discovery_address><td><code>discoveryAddress</code></td><td><code>string</code></td><td><p>Address of the discovery service exposing xDS with mTLS connection.
The inject configuration may override this value.</p></td><td>No</td></tr><tr id=ProxyConfig-statsd_udp_address><td><code>statsdUdpAddress</code></td><td><code>string</code></td><td><p>IP Address and Port of a statsd UDP listener (e.g. <code>10.75.241.127:9125</code>).</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_admin_port><td><code>proxyAdminPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for administrative commands.
Default port is <code>15000</code>. Envoy’s admin interface has no built-in authentication, so this port should not be reachable from outside the pod.</p></td><td>No</td></tr><tr id=ProxyConfig-control_plane_auth_policy><td><code>controlPlaneAuthPolicy</code></td><td><code><a href=#AuthenticationPolicy>AuthenticationPolicy</a></code></td><td><p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
Default is set to <code>MUTUAL_TLS</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-custom_config_file><td><code>customConfigFile</code></td><td><code>string</code></td><td><p>File path of custom proxy configuration, currently used by proxies
in front of Mixer and Pilot.</p></td><td>No</td></tr><tr id=ProxyConfig-stat_name_length><td><code>statNameLength</code></td><td><code>int32</code></td><td><p>Maximum length of name field in Envoy’s metrics. The length of the name field
is determined by the length of a name field in a service and the set of labels that
comprise a particular version of the service. The default value is set to 189 characters.
Envoy’s internal metrics take up 67 characters, for a total name length of 256 characters per metric.
Increase the value of this field if you find that the metrics from Envoys are truncated.</p></td><td>No</td></tr><tr id=ProxyConfig-concurrency><td><code>concurrency</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value>Int32Value</a></code></td><td><p>The number of worker threads to run.
If unset, this will be automatically determined based on CPU requests/limits.
If set to 0, all cores on the machine will be used.
Default is 2 worker threads.</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_bootstrap_template_path><td><code>proxyBootstrapTemplatePath</code></td><td><code>string</code></td><td><p>Path to the proxy bootstrap template file</p></td><td>No</td></tr><tr id=ProxyConfig-interception_mode><td><code>interceptionMode</code></td><td><code><a href=#ProxyConfig-InboundInterceptionMode>InboundInterceptionMode</a></code></td><td><p>The mode used to redirect inbound traffic to Envoy.</p></td><td>No</td></tr><tr id=ProxyConfig-tracing><td><code>tracing</code></td><td><code><a href=#Tracing>Tracing</a></code></td><td><p>Tracing configuration to be used by the proxy.</p></td><td>No</td></tr><tr id=ProxyConfig-envoy_access_log_service><td><code>envoyAccessLogService</code></td><td><code><a href=#RemoteService>RemoteService</a></code></td><td><p>Address of the service to which access logs from Envoys should be
sent. (e.g. <code>accesslog-service:15000</code>). See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto>Access Log
Service</a>
for details about Envoy’s gRPC Access Log Service API.</p></td><td>No</td></tr><tr id=ProxyConfig-envoy_metrics_service><td><code>envoyMetricsService</code></td><td><code><a href=#RemoteService>RemoteService</a></code></td><td><p>Address of the Envoy Metrics Service implementation (e.g. <code>metrics-service:15000</code>).
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto>Metric Service</a>
for details about Envoy’s Metrics Service API.</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_metadata><td><code>proxyMetadata</code></td><td><code>map<string, string></code></td><td><p>Additional environment variables for the proxy.
Names starting with <code>ISTIO_META_</code> will be included in the generated bootstrap and sent to the XDS server.</p></td><td>No</td></tr><tr id=ProxyConfig-runtime_values><td><code>runtimeValues</code></td><td><code>map<string, string></code></td><td><p>Envoy <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime>runtime configuration</a> to set during bootstrapping.
This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.</p></td><td>No</td></tr><tr id=ProxyConfig-status_port><td><code>statusPort</code></td><td><code>int32</code></td><td><p>Port on which the agent should listen for administrative commands such as readiness probe.
Default is set to port <code>15020</code>.</p></td><td>No</td></tr><tr id=ProxyConfig-extra_stat_tags><td><code>extraStatTags</code></td><td><code>string[]</code></td><td><p>An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
added by configuring the telemetry extension. Each additional tag needs to be present in this list.
Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
and exposed as Prometheus metrics.</p></td><td>No</td></tr><tr id=ProxyConfig-termination_drain_duration><td><code>terminationDrainDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The amount of time allowed for connections to complete on proxy shutdown.
On receiving <code>SIGTERM</code> or <code>SIGINT</code>, <code>istio-agent</code> tells the active Envoy to start draining,
preventing any new connections and allowing existing connections to complete. It then
sleeps for the <code>termination_drain_duration</code> and then kills any remaining active Envoy processes.
If not set, a default of <code>5s</code> will be applied.</p></td><td>No</td></tr><tr id=ProxyConfig-mesh_id><td><code>meshId</code></td><td><code>string</code></td><td><p>The unique identifier for the <a href=/v1.16/zh/docs/reference/glossary/#service-mesh>service mesh</a>
All control planes running in the same service mesh should specify the same mesh ID.
Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.</p></td><td>No</td></tr><tr id=ProxyConfig-readiness_probe><td><code>readinessProbe</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/workload-group/#ReadinessProbe>ReadinessProbe</a></code></td><td><p>VM Health Checking readiness probe. This health check config exactly mirrors the
kubernetes readiness probe configuration both in schema and logic.
Only one health check method of 3 can be set at a time.</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_stats_matcher><td><code>proxyStatsMatcher</code></td><td><code><a href=#ProxyConfig-ProxyStatsMatcher>ProxyStatsMatcher</a></code></td><td><p>Proxy stats matcher defines configuration for reporting custom Envoy stats.
To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
default create and expose only a subset of Envoy stats. This option is to
control creation of additional Envoy stats with prefix, suffix, and regex
expressions match on the name of the stats. This replaces the stats
inclusion annotations
(<code>sidecar.istio.io/statsInclusionPrefixes</code>,
<code>sidecar.istio.io/statsInclusionRegexps</code>, and
<code>sidecar.istio.io/statsInclusionSuffixes</code>). For example, to enable stats
for circuit breakers, request retries, upstream connections, and request timeouts,
you can specify stats matcher as follows:</p><pre><code class=language-yaml>proxyStatsMatcher:
  inclusionRegexps:
    - .*outlier_detection.*
    - .*upstream_rq_retry.*
    - .*upstream_cx_.*
  inclusionSuffixes:
    - upstream_rq_timeout
</code></pre><p>Note: including more Envoy stats might increase the number of time series
collected by Prometheus significantly. Care needs to be taken with Prometheus
resource provision and configuration to reduce cardinality.</p></td><td>No</td></tr><tr id=ProxyConfig-hold_application_until_proxy_starts><td><code>holdApplicationUntilProxyStarts</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
This feature adds hooks to delay application startup until the pod proxy
is ready to accept traffic, mitigating some startup race conditions.
Default value is ‘false’.</p></td><td>No</td></tr><tr id=ProxyConfig-ca_certificates_pem><td><code>caCertificatesPem</code></td><td><code>string[]</code></td><td><p>The PEM data of the extra root certificates for workload-to-workload communication.
This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret)
are added automatically by Istiod.</p></td><td>No</td></tr><tr id=ProxyConfig-image><td><code>image</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/proxy-config/#ProxyImage>ProxyImage</a></code></td><td><p>Specifies the details of the proxy image.</p></td><td>No</td></tr><tr id=ProxyConfig-private_key_provider><td><code>privateKeyProvider</code></td><td><code><a href=#PrivateKeyProvider>PrivateKeyProvider</a></code></td><td><p>Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.</p></td><td>No</td></tr><tr id=ProxyConfig-zipkin_address class=deprecated><td><code>zipkinAddress</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).
DEPRECATED: Use <a href=#ProxyConfig-tracing>tracing</a> instead.</p></td><td>No</td></tr></tbody></table></section><h2 id=RemoteService>RemoteService</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=RemoteService-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of a remote service used for various purposes (access log
receiver, metrics receiver, etc.). Can be IP address or a fully
qualified DNS name.</p></td><td>No</td></tr><tr id=RemoteService-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings>ClientTLSSettings</a></code></td><td><p>Use the <code>tls_settings</code> to specify the tls mode to use. If the remote service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p></td><td>No</td></tr><tr id=RemoteService-tcp_keepalive><td><code>tcpKeepalive</code></td><td><code><a href=/v1.16/zh/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></code></td><td><p>If set then set <code>SO_KEEPALIVE</code> on the socket to enable TCP Keepalives.</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Zipkin>Tracing.Zipkin</h2><section><p>Zipkin defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-Zipkin-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Datadog>Tracing.Datadog</h2><section><p>Datadog defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-Datadog-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Datadog Agent.</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Stackdriver>Tracing.Stackdriver</h2><section><p>Stackdriver defines configuration for a Stackdriver tracer.
|
||
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto>Envoy’s OpenCensus trace configuration</a>
|
||
and
|
||
<a href=https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto>OpenCensus trace config</a> for details.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody></tbody></table></section><h2 id=Tracing-OpenCensusAgent>Tracing.OpenCensusAgent</h2><section><p>OpenCensusAgent defines configuration for an OpenCensus tracer writing to
|
||
an OpenCensus agent backend. See
|
||
<a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto>Envoy’s OpenCensus trace configuration</a>
|
||
and
|
||
<a href=https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto>OpenCensus trace config</a>
|
||
for details.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-OpenCensusAgent-address><td><code>address</code></td><td><code>string</code></td><td><p>gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
|
||
unix:path). See <a href=https://github.com/grpc/grpc/blob/master/doc/naming.md>gRPC naming
|
||
docs</a> for
|
||
details.</p></td><td>No</td></tr><tr id=Tracing-OpenCensusAgent-context><td><code>context</code></td><td><code><a href=#Tracing-OpenCensusAgent-TraceContext>TraceContext[]</a></code></td><td><p>Specifies the set of context propagation headers used for distributed
|
||
tracing. Default is <code>["W3C_TRACE_CONTEXT"]</code>. If multiple values are specified,
|
||
the proxy will attempt to read each header for each request and will
|
||
write all headers.</p></td><td>No</td></tr></tbody></table></section><h2 id=PrivateKeyProvider-CryptoMb>PrivateKeyProvider.CryptoMb</h2><section><p>CryptoMb PrivateKeyProvider configuration</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=PrivateKeyProvider-CryptoMb-poll_delay><td><code>pollDelay</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>How long to wait until the per-thread processing queue should be processed. If the processing queue
|
||
gets full (eight sign or decrypt requests are received) it is processed immediately.
|
||
However, if the queue is not filled before the delay has expired, the requests already in the queue
|
||
are processed, even if the queue is not full.
|
||
In effect, this value controls the balance between latency and throughput.
|
||
The duration needs to be set to a non-zero value.</p></td><td>No</td></tr></tbody></table></section><h2 id=ProxyConfig-ProxyStatsMatcher>ProxyConfig.ProxyStatsMatcher</h2><section><p>Proxy stats name matchers for stats creation. Note this is in addition to
|
||
the minimum Envoy stats that Istio generates by default.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_prefixes><td><code>inclusionPrefixes</code></td><td><code>string[]</code></td><td><p>Proxy stats name prefix matcher for inclusion.</p></td><td>No</td></tr><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_suffixes><td><code>inclusionSuffixes</code></td><td><code>string[]</code></td><td><p>Proxy stats name suffix matcher for inclusion.</p></td><td>No</td></tr><tr id=ProxyConfig-ProxyStatsMatcher-inclusion_regexps><td><code>inclusionRegexps</code></td><td><code>string[]</code></td><td><p>Proxy stats name regexps matcher for inclusion.</p></td><td>No</td></tr></tbody></table></section><h2 id=Network>Network</h2><section><p>Network provides information about the endpoints in a routable L3
|
||
network. A single routable L3 network can have one or more service
|
||
registries. Note that the network has no relation to the locality of the
|
||
endpoint. The endpoint locality will be obtained from the service
|
||
registry.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-endpoints><td><code>endpoints</code></td><td><code><a href=#Network-NetworkEndpoints>NetworkEndpoints[]</a></code></td><td><p>The list of endpoints in the network (obtained through the
|
||
constituent service registries or from CIDR ranges). All endpoints in
|
||
the network are directly accessible to one another.</p></td><td>Yes</td></tr><tr id=Network-gateways><td><code>gateways</code></td><td><code><a href=#Network-IstioNetworkGateway>IstioNetworkGateway[]</a></code></td><td><p>Set of gateways associated with the network.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=MeshNetworks>MeshNetworks</h2><section><p>MeshNetworks (config map) provides information about the set of networks
|
||
inside a mesh and how to route to endpoints in each network. For example</p><p>MeshNetworks(file/config map):</p><pre><code class=language-yaml>networks:
  network1:
    endpoints:
    - fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
    - fromCidr: 192.168.100.0/22 #a VM network for example
    gateways:
    - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
      port: 15443
      locality: us-east-1a
    - address: 192.168.100.1
      port: 15443
      locality: us-east-1a
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshNetworks-networks><td><code>networks</code></td><td><code>map<string, <a href=#Network>Network</a>></code></td><td><p>The set of networks inside this mesh. Each network should
|
||
have a unique name and information about how to infer the endpoints in
|
||
the network as well as the gateways associated with the network.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=Network-NetworkEndpoints>Network.NetworkEndpoints</h2><section><p>NetworkEndpoints describes how the network associated with an endpoint
|
||
should be inferred. An endpoint will be assigned to a network based on
|
||
the following rules:</p><ol><li><p>Implicitly: If the registry explicitly provides information about
|
||
the network to which the endpoint belongs. In some cases, it's
|
||
possible to indicate the network associated with the endpoint by
|
||
adding the <code>ISTIO_META_NETWORK</code> environment variable to the sidecar.</p></li><li><p>Explicitly:</p><p>a. By matching the registry name with one of the “fromRegistry”
|
||
in the mesh config. A “from_registry” can only be assigned to a
|
||
single network.</p><p>b. By matching the IP against one of the CIDR ranges in a mesh
|
||
config network. The CIDR ranges must not overlap, and each must be assigned to
|
||
a single network.</p></li></ol><p>(2) will override (1) if both are present.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-NetworkEndpoints-from_cidr class="oneof oneof-start"><td><code>fromCidr</code></td><td><code>string (oneof)</code></td><td><p>A CIDR range for the set of endpoints in this network. The CIDR
|
||
ranges for endpoints from different networks must not overlap.</p></td><td>No</td></tr><tr id=Network-NetworkEndpoints-from_registry class=oneof><td><code>fromRegistry</code></td><td><code>string (oneof)</code></td><td><p>Add all endpoints from the specified registry into this network.
|
||
The names of the registries should correspond to the kubeconfig file name
|
||
inside the secret that was used to configure the registry (Kubernetes
|
||
multicluster) or supplied by MCP server.</p></td><td>No</td></tr></tbody></table></section><h2 id=Network-IstioNetworkGateway>Network.IstioNetworkGateway</h2><section><p>The gateway associated with this network. Traffic from remote networks
|
||
will arrive at the specified gateway:port. All incoming traffic must
|
||
use mTLS.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-IstioNetworkGateway-registry_service_name class="oneof oneof-start"><td><code>registryServiceName</code></td><td><code>string (oneof)</code></td><td><p>A fully qualified domain name of the gateway service. Pilot will
|
||
look up the service from the service registries in the network and
|
||
obtain the endpoint IPs of the gateway from the service
|
||
registry. Note that while the service name is a fully qualified
|
||
domain name, it need not be resolvable outside the orchestration
|
||
platform for the registry. e.g., this could be
|
||
istio-ingressgateway.istio-system.svc.cluster.local.</p></td><td>No</td></tr><tr id=Network-IstioNetworkGateway-address class=oneof><td><code>address</code></td><td><code>string (oneof)</code></td><td><p>IP address or externally resolvable DNS address associated with the gateway.</p></td><td>No</td></tr><tr id=Network-IstioNetworkGateway-port><td><code>port</code></td><td><code>uint32</code></td><td><p>The port associated with the gateway.</p></td><td>Yes</td></tr><tr id=Network-IstioNetworkGateway-locality><td><code>locality</code></td><td><code>string</code></td><td><p>The locality associated with an explicitly specified gateway (i.e. ip)</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY><td><code>REGISTRY_ONLY</code></td><td><p>outbound traffic will be restricted to services defined in the
|
||
service registry as well as those defined through ServiceEntries</p></td></tr><tr id=MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY><td><code>ALLOW_ANY</code></td><td><p>outbound traffic to unknown destinations will be allowed, in case
|
||
there are no services or ServiceEntries for the destination port</p></td></tr></tbody></table></section><h2 id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext>MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext</h2><section><p>TraceContext selects the context propagation headers used for
|
||
distributed tracing.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-W3C_TRACE_CONTEXT><td><code>W3C_TRACE_CONTEXT</code></td><td><p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
|
||
See the
|
||
<a href=https://www.w3.org/TR/trace-context/>Trace Context documentation</a> for details.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-GRPC_BIN><td><code>GRPC_BIN</code></td><td><p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-CLOUD_TRACE_CONTEXT><td><code>CLOUD_TRACE_CONTEXT</code></td><td><p>Use Cloud Trace context propagation using the
|
||
<code>X-Cloud-Trace-Context</code> http header.</p></td></tr><tr id=MeshConfig-ExtensionProvider-OpenCensusAgentTracingProvider-TraceContext-B3><td><code>B3</code></td><td><p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
|
||
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
|
||
<a href=https://github.com/openzipkin/b3-propagation>B3 header propagation README</a>
|
||
for details.</p></td></tr></tbody></table></section><h2 id=MeshConfig-ProxyPathNormalization-NormalizationType>MeshConfig.ProxyPathNormalization.NormalizationType</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-DEFAULT><td><code>DEFAULT</code></td><td><p>Apply default normalizations. Currently, this is BASE.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-NONE><td><code>NONE</code></td><td><p>No normalization, paths are used as is. Path-based policies are then matched against the raw request path, which may differ from the path the backend application resolves.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-BASE><td><code>BASE</code></td><td><p>Normalize according to <a href=https://tools.ietf.org/html/rfc3986>RFC 3986</a>.
|
||
For Envoy proxies, this is the <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html><code>normalize_path</code></a> option.
|
||
For example, <code>/a/../b</code> normalizes to <code>/b</code>.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-MERGE_SLASHES><td><code>MERGE_SLASHES</code></td><td><p>In addition to the <code>BASE</code> normalization, consecutive slashes are also merged.
|
||
For example, <code>/a//b</code> normalizes to <code>/a/b</code>.</p></td></tr><tr id=MeshConfig-ProxyPathNormalization-NormalizationType-DECODE_AND_MERGE_SLASHES><td><code>DECODE_AND_MERGE_SLASHES</code></td><td><p>In addition to normalization in <code>MERGE_SLASHES</code>, slash characters are percent-decoded (case insensitive) prior to merging.
|
||
This means <code>%2F</code>, <code>%2f</code>, <code>%5C</code>, and <code>%5c</code> sequences in the request path will be rewritten to <code>/</code> or <code>\</code>.
|
||
For example, <code>/a%2f/b</code> normalizes to <code>/a/b</code>.</p></td></tr></tbody></table></section><h2 id=MeshConfig-TLSConfig-TLSProtocol>MeshConfig.TLSConfig.TLSProtocol</h2><section><p>TLS protocol versions.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-TLSConfig-TLSProtocol-TLS_AUTO><td><code>TLS_AUTO</code></td><td><p>Automatically choose the optimal TLS version.</p></td></tr><tr id=MeshConfig-TLSConfig-TLSProtocol-TLSV1_2><td><code>TLSV1_2</code></td><td><p>TLS version 1.2</p></td></tr><tr id=MeshConfig-TLSConfig-TLSProtocol-TLSV1_3><td><code>TLSV1_3</code></td><td><p>TLS version 1.3</p></td></tr></tbody></table></section><h2 id=MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-IngressControllerMode-UNSPECIFIED><td><code>UNSPECIFIED</code></td><td><p>Unspecified Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-OFF><td><code>OFF</code></td><td><p>Disables Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-DEFAULT><td><code>DEFAULT</code></td><td><p>Istio ingress controller will act on ingress resources that do not
|
||
contain any annotation or whose annotations match the value
|
||
specified in the ingress_class parameter described earlier. Use this
|
||
mode if Istio ingress controller will be the default ingress
|
||
controller for the entire Kubernetes cluster.</p></td></tr><tr id=MeshConfig-IngressControllerMode-STRICT><td><code>STRICT</code></td><td><p>Istio ingress controller will only act on ingress resources whose
|
||
annotations match the value specified in the ingress_class parameter
|
||
described earlier. Use this mode if Istio ingress controller will be
|
||
a secondary ingress controller (e.g., in addition to a
|
||
cloud-provided ingress controller).</p></td></tr></tbody></table></section><h2 id=MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-AccessLogEncoding-TEXT><td><code>TEXT</code></td><td><p>text encoding for the proxy access log</p></td></tr><tr id=MeshConfig-AccessLogEncoding-JSON><td><code>JSON</code></td><td><p>json encoding for the proxy access log</p></td></tr></tbody></table></section><h2 id=MeshConfig-H2UpgradePolicy>MeshConfig.H2UpgradePolicy</h2><section><p>Default Policy for upgrading http1.1 connections to http2.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-H2UpgradePolicy-DO_NOT_UPGRADE><td><code>DO_NOT_UPGRADE</code></td><td><p>Do not upgrade connections to http2.</p></td></tr><tr id=MeshConfig-H2UpgradePolicy-UPGRADE><td><code>UPGRADE</code></td><td><p>Upgrade the connections to http2.</p></td></tr></tbody></table></section><h2 id=Resource>Resource</h2><section><p>Resource describes the source of configuration</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Resource-SERVICE_REGISTRY><td><code>SERVICE_REGISTRY</code></td><td><p>Set to only receive service entries that are generated by the platform.
|
||
These auto-generated service entries are a combination of services and endpoints
|
||
that are generated by a specific platform e.g. k8</p></td></tr></tbody></table></section><h2 id=Tracing-OpenCensusAgent-TraceContext>Tracing.OpenCensusAgent.TraceContext</h2><section><p>TraceContext selects the context propagation headers used for
|
||
distributed tracing.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Tracing-OpenCensusAgent-TraceContext-W3C_TRACE_CONTEXT><td><code>W3C_TRACE_CONTEXT</code></td><td><p>Use W3C Trace Context propagation using the <code>traceparent</code> HTTP header.
|
||
See the
|
||
<a href=https://www.w3.org/TR/trace-context/>Trace Context documentation</a> for details.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-GRPC_BIN><td><code>GRPC_BIN</code></td><td><p>Use gRPC binary context propagation using the <code>grpc-trace-bin</code> http header.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-CLOUD_TRACE_CONTEXT><td><code>CLOUD_TRACE_CONTEXT</code></td><td><p>Use Cloud Trace context propagation using the
|
||
<code>X-Cloud-Trace-Context</code> http header.</p></td></tr><tr id=Tracing-OpenCensusAgent-TraceContext-B3><td><code>B3</code></td><td><p>Use multi-header B3 context propagation using the <code>X-B3-TraceId</code>,
|
||
<code>X-B3-SpanId</code>, and <code>X-B3-Sampled</code> HTTP headers. See
|
||
<a href=https://github.com/openzipkin/b3-propagation>B3 header propagation README</a>
|
||
for details.</p></td></tr></tbody></table></section><h2 id=ProxyConfig-TracingServiceName>ProxyConfig.TracingServiceName</h2><section><p>Allows specification of various Istio-supported naming schemes for the
|
||
Envoy <code>service_cluster</code> value. The <code>service_cluster</code> value is primarily used
|
||
by Envoys to provide service names for tracing spans.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-TracingServiceName-APP_LABEL_AND_NAMESPACE><td><code>APP_LABEL_AND_NAMESPACE</code></td><td><p>Default scheme. Uses the <code>app</code> label and workload namespace to construct
|
||
a cluster name. If the <code>app</code> label does not exist <code>istio-proxy</code> is used.</p></td></tr><tr id=ProxyConfig-TracingServiceName-CANONICAL_NAME_ONLY><td><code>CANONICAL_NAME_ONLY</code></td><td><p>Uses the canonical name for a workload (<em>excluding namespace</em>).</p></td></tr><tr id=ProxyConfig-TracingServiceName-CANONICAL_NAME_AND_NAMESPACE><td><code>CANONICAL_NAME_AND_NAMESPACE</code></td><td><p>Uses the canonical name and namespace for a workload.</p></td></tr></tbody></table></section><h2 id=ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</h2><section><p>The mode used to redirect inbound traffic to Envoy.
|
||
This setting has no effect on outbound traffic: iptables <code>REDIRECT</code> is always used for
|
||
outbound connections.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-InboundInterceptionMode-REDIRECT><td><code>REDIRECT</code></td><td><p>The <code>REDIRECT</code> mode uses iptables <code>REDIRECT</code> to <code>NAT</code> and redirect to Envoy. This mode loses
|
||
source IP addresses during redirection.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-TPROXY><td><code>TPROXY</code></td><td><p>The <code>TPROXY</code> mode uses iptables <code>TPROXY</code> to redirect to Envoy. This mode preserves both the
|
||
source and destination IP addresses and ports, so that they can be used for advanced
|
||
filtering and manipulation. This mode also configures the sidecar to run with the
|
||
<code>CAP_NET_ADMIN</code> capability, which is required to use <code>TPROXY</code>.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-NONE><td><code>NONE</code></td><td><p>The <code>NONE</code> mode does not configure redirect to Envoy at all. This is an advanced
|
||
configuration that typically requires changes to user applications.</p></td></tr></tbody></table></section><h2 id=AuthenticationPolicy>AuthenticationPolicy</h2><section><p>AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
|
||
It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
|
||
Mesh policy cannot be INHERIT.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=AuthenticationPolicy-NONE><td><code>NONE</code></td><td><p>Do not encrypt proxy to control plane traffic.</p></td></tr><tr id=AuthenticationPolicy-MUTUAL_TLS><td><code>MUTUAL_TLS</code></td><td><p>Proxy to control plane traffic is wrapped into mutual TLS connections.</p></td></tr><tr id=AuthenticationPolicy-INHERIT><td><code>INHERIT</code></td><td><p>Use the policy defined by the parent scope. Should not be used for mesh
|
||
policy.</p></td></tr></tbody></table></section></article><nav class=pagenav><div class=left><a title="Configuration for Attribute Generation plugin." href=/v1.16/zh/docs/reference/config/proxy_extensions/attributegen/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.16/img/icons.svg#left-arrow"/></svg>AttributeGen Config</a></div><div class=right><a title="Configuration affecting Istio control plane installation version and shape." href=/v1.16/zh/docs/reference/config/istio.operator.v1alpha1/ class=next-link>IstioOperator Options<svg class="icon right-arrow"><use xlink:href="/v1.16/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>这些信息有用吗?<br><button class="btn feedback" onclick='sendFeedback("zh",1)'>是的</button>
<a tabindex=-1 lang=zh id=switch-lang-zh class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.16/img/icons.svg#tick"/></svg>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>条款</a> |
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>隐私政策</a> |
<a class=disabled title="这是一个自动生成的文件,要修改其中的内容,请修改 https://github.com/istio/api 仓库中的源码。">在 GitHub 上编辑此页</a></li></ul><div class=footer-base><span class=footer-base-copyright>© 2023 the Istio Authors.</span>
<span class=footer-base-version>部分内容可能滞后于英文版本,同步工作正在进行中<br>Version
Istio 归档
1.16.2</span><!--
  Release switcher for this archived page: links to the current, next and older documentation versions.
  The first two anchors have no href; they navigate only through an inline onclick that calls
  navigateToUrlOrRoot() (not defined in this part of the file) and then returns false.
  NOTE(review): inline on* handlers only run under a Content-Security-Policy whose script-src permits
  inline script ('unsafe-inline', or 'unsafe-hashes' with a matching hash). A strict CSP for this site
  would need these handlers bound with addEventListener from an external script instead.
  All three anchors carry tabindex=-1, which keeps them out of the sequential tab order; only the
  third has a real href.
--><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/docs/reference/config/istio.mesh.v1alpha1/"),!1'>当前版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/docs/reference/config/istio.mesh.v1alpha1/"),!1'>下个版本</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>旧版本</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title=回到顶部 tabindex=-1><svg class="icon top"><use xlink:href="/v1.16/img/icons.svg#top"/></svg></button></div></body></html> |