<!doctype html>
<html lang="en" itemscope itemtype="https://schema.org/WebPage">
<head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
  <meta name="theme-color" content="#466BB0">
  <!-- Per-page metadata (title, description, keywords) -->
  <meta name="title" content="Traffic Routing">
  <meta name="description" content="Configuration affecting traffic routing.">
  <meta name="keywords" content="microservices,services,mesh">
  <!-- Open Graph and Twitter card metadata used for link previews -->
  <meta property="og:title" content="Traffic Routing">
  <meta property="og:type" content="website">
  <meta property="og:description" content="Configuration affecting traffic routing.">
  <meta property="og:url" content="/v1.0/docs/reference/config/istio.networking.v1alpha3/">
  <meta property="og:image" content="/v1.0/img/istio-logo-blue-background.svg">
  <meta property="og:image:alt" content="Istio Logo">
  <meta property="og:image:width" content="112">
  <meta property="og:image:height" content="150">
  <meta property="og:site_name" content="Istio">
  <meta name="twitter:card" content="summary">
  <meta name="twitter:site" content="@IstioMesh">
  <title>Istioldie 1.0 / Traffic Routing</title>
  <!-- Google Analytics (gtag.js). The inline bootstrap script that follows, together with
       the other inline scripts and on* handlers on this page, means a strict CSP
       (no 'unsafe-inline') would require nonces or hashes for them -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag() { dataLayer.push(arguments); }
    gtag('js', new Date());
    gtag('config', 'UA-98480406-2');
  </script>
  <!-- Page globals; presumably read by the site's own scripts (not visible here) -->
  <script>var branchName = "release-1.0"; var docTitle = "Traffic Routing";</script>
  <!-- Feed, icons and web-app manifest -->
  <link rel="alternate" type="application/rss+xml" title="Istio Blog" href="/v1.0/feed.xml">
  <link rel="shortcut icon" href="/v1.0/favicons/favicon.ico">
  <link rel="apple-touch-icon" href="/v1.0/favicons/apple-touch-icon-180x180.png" sizes="180x180">
  <link rel="icon" type="image/png" href="/v1.0/favicons/favicon-16x16.png" sizes="16x16">
  <link rel="icon" type="image/png" href="/v1.0/favicons/favicon-32x32.png" sizes="32x32">
  <link rel="icon" type="image/png" href="/v1.0/favicons/android-36x36.png" sizes="36x36">
  <link rel="icon" type="image/png" href="/v1.0/favicons/android-48x48.png" sizes="48x48">
  <link rel="icon" type="image/png" href="/v1.0/favicons/android-72x72.png" sizes="72x72">
  <link rel="icon" type="image/png" href="/v1.0/favicons/android-96x196.png" sizes="96x196">
  <link rel="icon" type="image/png" href="/v1.0/favicons/android-144x144.png" sizes="144x144">
  <link rel="icon" type="image/png" href="/v1.0/favicons/android-192x192.png" sizes="192x192">
  <link rel="manifest" href="/v1.0/manifest.json">
  <meta name="apple-mobile-web-app-title" content="Istio">
  <meta name="application-name" content="Istio">
  <!-- Web fonts (Google Fonts serves UA-specific CSS, so SRI is not applicable there) -->
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Chivo:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Work Sans:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic">
  <!-- Bootstrap is pinned with an integrity hash. NOTE(review): the Font Awesome
       stylesheet below is a versioned CDN asset as well but carries no integrity
       attribute, so a substituted file would load silently; add one once its hash
       is computed from the published file -->
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.6/css/all.css">
  <!-- Theme stylesheets, selected by title via setActiveStyleSheet() from the
       navbar's Light/Dark Theme menu items; "light" is the default sheet -->
  <link rel="stylesheet" href="/v1.0/css/light_theme_archive.css" title="light">
  <link rel="alternate stylesheet" href="/v1.0/css/dark_theme_archive.css" title="dark">
  <!-- Loaded synchronously in head, presumably so the chosen theme is applied before first paint -->
  <script src="/v1.0/js/styleSwitcher.min.js"></script>
</head>
<body
class=language-unknown><header><nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark justify-content-between"><a class=navbar-brand href=/v1.0/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="150" stroke-width="2" /><polygon points="65,240 225,240 125,270"/><polygon points="65,230 125,220 125,110"/><polygon points="135,220 225,230 135,30"/></svg></span><span class=brand-name>Istioldie 1.0</span></a>
<button class=navbar-toggler type=button data-toggle=collapse data-target=#navbarCollapse aria-controls=navbarCollapse aria-expanded=false aria-label="Toggle navigation">
<span class=navbar-toggler-icon></span></button><div class="collapse navbar-collapse justify-content-end" id=navbarCollapse><ul id=navbar-links class="navbar-nav active"><li class=nav-item><a class="nav-link active" title="Learn how to deploy, use, and operate Istio." href=/v1.0/docs/>Docs</a></li><li class=nav-item><a class=nav-link title="Posts about using Istio." href=/v1.0/blog/2019/announcing-1.0.6/>Blog</a></li><li class=nav-item><a class=nav-link title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.0/help/>Help</a></li><li class=nav-item><a class=nav-link title="Get a bit more in-depth info about the Istio project." href=/v1.0/about/>About</a></li><li class="nav-item dropdown" id=gearDropdown style=white-space:nowrap><a title="Options and Settings" href class=nav-link data-toggle=dropdown aria-label=Tools aria-haspopup=true aria-expanded=false><i style=width:1em class="fa fa-lg fa-cog"></i></a><div class="dropdown-menu dropdown-menu-right" aria-labelledby=gearDropdown><a class=dropdown-item id=light-theme-item href onclick="setActiveStyleSheet('light');return false;">Light Theme</a>
<a class=dropdown-item id=dark-theme-item href onclick="setActiveStyleSheet('dark');return false;">Dark Theme</a><div class=dropdown-divider></div><h6 class=dropdown-header>Other versions of this site</h6><a href=https://istio.io class=dropdown-item>Current Release</a>
<a href=https://preliminary.istio.io class=dropdown-item>Next Release</a>
<a href=https://archive.istio.io class=dropdown-item>Older Releases</a></div></li><li class=nav-item><a id=search_show class=nav-link href title="Search istio.io" aria-label=Search><i style=width:1em class="fa fa-lg fa-search"></i></a></li></ul><form name=cse id=search_form class="form-inline mr-sm-2" role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search_page_url value=/v1.0/search.html>
<input id=search_textbox class=form-control name=q type=text aria-label="Search this site">
<button id=search_close type=reset aria-label="Cancel Search"><i class="far fa-lg fa-times-circle"></i></button></form></div></nav></header><div class=container-fluid><div class="row row-offcanvas"><div class="col-0 col-md-3 col-xl-2 sidebar-offcanvas"><nav class="sidebar d-print-none"><div class=spacer></div><div class=directory role=tablist><div class=card><div class=card-header role=tab id=header10><a data-toggle=collapse href=#collapse10 title="Learn about the different parts of the Istio system and the abstractions it uses." role=button aria-controls=collapse10><div><img src=/v1.0/img/concepts.svg alt=Icon class=page_icon>
Concepts</div></a></div><div id=collapse10 class=collapse data-parent=#sidebar role=tabpanel aria-labelledby=header10><div class=card-body><ul class=tree><li><a title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.0/docs/concepts/what-is-istio/>What is Istio?</a></li><li><a title="Describes the various Istio features focused on traffic routing and control." href=/v1.0/docs/concepts/traffic-management/>Traffic Management</a></li><li><a title="Describes Istio's authorization and authentication functionality." href=/v1.0/docs/concepts/security/>Security</a></li><li><a title="Describes the policy enforcement and telemetry mechanisms." href=/v1.0/docs/concepts/policies-and-telemetry/>Policies and Telemetry</a></li><li><a title="Introduces Performance and Scalability methodology, results and best practices for Istio components." href=/v1.0/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li></ul></div></div></div><div class=card><div class=card-header role=tab id=header20><a data-toggle=collapse href=#collapse20 title="How to deploy Istio in various environments (e.g., Kubernetes, Consul)." role=button aria-controls=collapse20><div><img src=/v1.0/img/setup.svg alt=Icon class=page_icon>
Setup</div></a></div><div id=collapse20 class=collapse data-parent=#sidebar role=tabpanel aria-labelledby=header20><div class=card-body><ul class=tree><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." href=/v1.0/docs/setup/kubernetes/>Kubernetes</a></label><ul class="tree collapse"><li><a title="Instructions to download the Istio release." href=/v1.0/docs/setup/kubernetes/download-release/>Downloading the Release</a></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/>Platform Setup</a></label><ul class="tree collapse"><li><a title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/alicloud/>Alibaba Cloud</a></li><li><a title="Instructions to setup an AWS cluster with Kops cluster for Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/aws/>Amazon Web Services</a></li><li><a title="Instructions to setup an Azure cluster for Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/azure/>Azure</a></li><li><a title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/gke/>Google Kubernetes Engine</a></li><li><a title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/ibm/>IBM Cloud</a></li><li><a title="Instructions to setup Minikube for use with Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/minikube/>Minikube</a></li><li><a title="Instructions to setup an OpenShift cluster for Istio." href=/v1.0/docs/setup/kubernetes/platform-setup/openshift/>OpenShift</a></li><li><a title="Instructions to setup an OKE cluster for Istio." 
href=/v1.0/docs/setup/kubernetes/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li><a title="Instructions to setup the Istio service mesh in a Kubernetes cluster." href=/v1.0/docs/setup/kubernetes/quick-start/>Quick Start with Kubernetes</a></li><li><a title="How to quickly setup Istio using Alibaba Cloud Kubernetes Container Service." href=/v1.0/docs/setup/kubernetes/quick-start-alicloud-ack/>Quick Start with Alibaba Cloud Kubernetes Container Service</a></li><li><a title="How to quickly setup Istio using IBM Cloud Public or IBM Cloud Private." href=/v1.0/docs/setup/kubernetes/quick-start-ibm/>Quick Start with IBM Cloud</a></li><li><a title="Install Istio with the included Helm chart." href=/v1.0/docs/setup/kubernetes/helm-install/>Installation with Helm</a></li><li><a title="Instructions for installing the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.0/docs/setup/kubernetes/sidecar-injection/>Installing the sidecar</a></li><li><a title="Install minimal Istio using Helm." href=/v1.0/docs/setup/kubernetes/minimal-install/>Minimal Istio Installation</a></li><li><a title="Install Istio with the included Ansible playbook." href=/v1.0/docs/setup/kubernetes/ansible-install/>Installation with Ansible</a></li><li><a title="Instructions for integrating VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.0/docs/setup/kubernetes/mesh-expansion/>Mesh Expansion</a></li><li><a title="Install Istio with multicluster support." href=/v1.0/docs/setup/kubernetes/multicluster-install/>Istio Multicluster</a></li><li><a title="How to quickly setup Istio using Google Kubernetes Engine (GKE)." href=/v1.0/docs/setup/kubernetes/quick-start-gke/>Quick Start with Google Kubernetes Engine</a></li><li><a title="Demonstrates how to upgrade the Istio control plane and data plane independently." 
href=/v1.0/docs/setup/kubernetes/upgrading-istio/>Upgrading Istio</a></li><li><a title="Describes the requirements for Kubernetes pods and services to run Istio." href=/v1.0/docs/setup/kubernetes/spec-requirements/>Requirements for Pods and Services</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href=/v1.0/docs/setup/consul/>Nomad & Consul</a></label><ul class="tree collapse"><li><a title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href=/v1.0/docs/setup/consul/quick-start/>Quick Start on Docker</a></li><li><a title="Instructions for installing the Istio control plane in a Consul-based environment, with or without Nomad." href=/v1.0/docs/setup/consul/install/>Installation</a></li></ul></li></ul></div></div></div><div class=card><div class=card-header role=tab id=header33><a data-toggle=collapse href=#collapse33 title="How to do single specific targeted activities with the Istio system." role=button aria-controls=collapse33><div><img src=/v1.0/img/tasks.svg alt=Icon class=page_icon>
Tasks</div></a></div><div id=collapse33 class=collapse data-parent=#sidebar role=tabpanel aria-labelledby=header33><div class=card-body><ul class=tree><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.0/docs/tasks/traffic-management/>Traffic Management</a></label><ul class="tree collapse"><li><a title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.0/docs/tasks/traffic-management/request-routing/>Configuring Request Routing</a></li><li><a title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.0/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li><a title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.0/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li><a title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.0/docs/tasks/traffic-management/request-timeouts/>Setting Request Timeouts</a></li><li><a title="Describes how to configure Istio to expose a service outside of the service mesh." href=/v1.0/docs/tasks/traffic-management/ingress/>Control Ingress Traffic</a></li><li><a title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS, mutual TLS or JWT authentication." href=/v1.0/docs/tasks/traffic-management/secure-ingress/>Securing Gateways with HTTPS</a></li><li><a title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.0/docs/tasks/traffic-management/egress/>Control Egress Traffic</a></li><li><a title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." 
href=/v1.0/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li><a title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.0/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li><a title="Shows how to do health checking for Istio services." href=/v1.0/docs/tasks/traffic-management/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Demonstrates how to secure the mesh." href=/v1.0/docs/tasks/security/>Security</a></label><ul class="tree collapse"><li><a title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.0/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li><a title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.0/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li><a title="Shows how to set up role-based access control for services in the mesh." href=/v1.0/docs/tasks/security/role-based-access-control/>Authorization</a></li><li><a title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.0/docs/tasks/security/plugin-ca-cert/>Plugging in external CA key and certificate</a></li><li><a title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.0/docs/tasks/security/health-check/>Citadel health checking</a></li><li><a title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.0/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li><a title="Shows how to enable mutual TLS on HTTPS services." href=/v1.0/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Demonstrates policy enforcement features." 
href=/v1.0/docs/tasks/policy-enforcement/>Policies</a></label><ul class="tree collapse"><li><a title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.0/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li><a title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.0/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.0/docs/tasks/telemetry/>Telemetry</a></label><ul class="tree collapse"><li><a title="How to configure the proxies to send tracing requests to Zipkin or Jaeger." href=/v1.0/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a></li><li><a title="This task shows you how to configure Istio to collect metrics and logs." href=/v1.0/docs/tasks/telemetry/metrics-logs/>Collecting Metrics and Logs</a></li><li><a title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.0/docs/tasks/telemetry/tcp-metrics/>Collecting Metrics for TCP services</a></li><li><a title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.0/docs/tasks/telemetry/querying-metrics/>Querying Metrics from Prometheus</a></li><li><a title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.0/docs/tasks/telemetry/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li><li><a title="This task shows you how to visualize your services within an Istio mesh." href=/v1.0/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li><a title="This task shows you how to generate a graph of services within an Istio mesh." 
href=/v1.0/docs/tasks/telemetry/servicegraph/>Generating a Service Graph</a></li><li><a title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.0/docs/tasks/telemetry/fluentd/>Logging with Fluentd</a></li></ul></li></ul></div></div></div><div class=card><div class=card-header role=tab id=header46><a data-toggle=collapse href=#collapse46 title="A variety of fully working example uses for Istio that you can experiment with." role=button aria-controls=collapse46><div><img src=/v1.0/img/examples.svg alt=Icon class=page_icon>
Examples</div></a></div><div id=collapse46 class=collapse data-parent=#sidebar role=tabpanel aria-labelledby=header46><div class=card-body><ul class=tree><li><a title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.0/docs/examples/bookinfo/>Bookinfo Application</a></li><li><a title="Demonstrates how to use various traffic management capabilities of an Istio service mesh." href=/v1.0/docs/examples/intelligent-routing/>Intelligent Routing</a></li><li><a title="Demonstrates how to obtain uniform metrics, logs, traces across different services using Istio Mixer and Istio sidecar." href=/v1.0/docs/examples/telemetry/>In-Depth Telemetry</a></li><li><a title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.0/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li><a title="Illustrates how to use Istio to control a Kubernetes cluster and raw VMs as a single mesh." href=/v1.0/docs/examples/integrating-vms/>Integrating Virtual Machines</a></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="A variety of fully working examples for egress traffic control in Istio that you can experiment with." href=/v1.0/docs/examples/advanced-egress/>Advanced egress traffic control</a></label><ul class="tree collapse"><li><a title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.0/docs/examples/advanced-egress/egress-tls-origination/>TLS Origination for Egress Traffic</a></li><li><a title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." 
href=/v1.0/docs/examples/advanced-egress/egress-gateway/>Configure an Egress Gateway</a></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="A variety of fully working multicluster examples for Istio that you can experiment with." href=/v1.0/docs/examples/multicluster/>Enabling multiclusters</a></label><ul class="tree collapse"><li><a title="Example multicluster GKE install of Istio." href=/v1.0/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li><a title="Example multicluster IBM Cloud Private install of Istio." href=/v1.0/docs/examples/multicluster/icp/>IBM Cloud Private</a></li><li><a title="Example multicluster between IBM Cloud Kubernetes Service & IBM Cloud Private." href=/v1.0/docs/examples/multicluster/iks-icp/>IBM Cloud Kubernetes Service & IBM Cloud Private</a></li></ul></li></ul></div></div></div><div class=card><div class=card-header role=tab id=header78><a data-toggle=collapse href=#collapse78 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." role=button aria-controls=collapse78><div><img src=/v1.0/img/reference.svg alt=Icon class=page_icon>
Reference</div></a></div><div id=collapse78 class="collapse show" data-parent=#sidebar role=tabpanel aria-labelledby=header78><div class=card-body><ul class=tree><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-down"></i><a title="Detailed information on configuration options." href=/v1.0/docs/reference/config/>Configuration</a></label><ul class=tree><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Describes how to configure Istio's authorization features." href=/v1.0/docs/reference/config/authorization/>Authorization</a></label><ul class="tree collapse"><li><a title="Describes the supported constraints and properties." href=/v1.0/docs/reference/config/authorization/constraints-and-properties/>Constraints and Properties</a></li><li><a title="Configuration for Role Based Access Control." href=/v1.0/docs/reference/config/authorization/istio.rbac.v1alpha1/>RBAC</a></li></ul></li><li><a title="Describes the options available when installing Istio using the included Helm chart." href=/v1.0/docs/reference/config/installation-options/>Installation Options</a></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.0/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a></label><ul class="tree collapse"><li><a title="Describes the base attribute vocabulary used for policy and control." href=/v1.0/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li><a title="Mixer configuration expression language reference." href=/v1.0/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." 
href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a></label><ul class="tree collapse"><li><a title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li><a title="Adapter for circonus.com's monitoring solution." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li><a title="Adapter for cloudwatch metrics." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li><a title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li><a title="Adapter that always returns a precondition denial." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li><a title="Adapter that delivers logs to a fluentd daemon." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li><a title="Adapter that extracts information from a Kubernetes environment." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li><a title="Adapter that performs whitelist or blacklist checks." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li><a title="Adapter for a simple in-memory quota management system." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li><a title="Adapter that implements an Open Policy Agent engine." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li><a title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li><li><a title="Adapter that exposes Istio's Role-Based Access Control model." 
href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/rbac/>RBAC</a></li><li><a title="Adapter for a Redis-based quota management system." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li><a title="Adapter that delivers logs and metrics to Google Service Control." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/servicecontrol/>Service Control</a></li><li><a title="Adapter that sends Istio metrics to SignalFx." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/signalfx/>SignalFx</a></li><li><a title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li><a title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li><a title="Adapter to deliver metrics to a StatsD backend." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li><a title="Adapter for outputting logs and metrics locally." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li><a title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.0/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li></ul></li><li><a title="Default Metrics exported from Istio through Mixer." href=/v1.0/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Mixer templates are used to send data to individual adapters." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/>Templates</a></label><ul class="tree collapse"><li><a title="The Analytics template is used to dispatch runtime telemetry to Apigee." 
href=/v1.0/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li><a title="A template that represents a single API key." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li><a title="A template used to represent an access control query." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li><a title="A template that carries no data, useful for testing." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li><a title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li><a title="A template designed to let you perform list checking operations." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li><a title="A template that represents a single runtime log entry." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li><a title="A template that represents a single runtime metric." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li><a title="A template that represents a quota allocation request." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li><a title="A template that carries no data, useful for testing." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li><a title="A template used by the Google Service Control adapter." href=/v1.0/docs/reference/config/policy-and-telemetry/templates/servicecontrolreport/>Service Control Report</a></li><li><a title="A template that represents an individual span within a distributed trace." 
href=/v1.0/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li></ul></li><li><a title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.0/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li></ul></li><li><a title="Authentication policy for Istio services." href=/v1.0/docs/reference/config/istio.authentication.v1alpha1/>Authentication Policy</a></li><li><span class=current title="Configuration affecting traffic routing.">Traffic Routing</span></li></ul></li><li class=sublist><label class=tree-toggle><i class="fa fa-lg fa-caret-right"></i><a title="Describes usage and options of the Istio commands and utilities." href=/v1.0/docs/reference/commands/>Commands</a></label><ul class="tree collapse"><li><a title="Galley provides configuration management services for Istio." href=/v1.0/docs/reference/commands/galley/>galley</a></li><li><a title="Istio Certificate Authority (CA)." href=/v1.0/docs/reference/commands/istio_ca/>istio_ca</a></li><li><a title="Istio control interface." href=/v1.0/docs/reference/commands/istioctl/>istioctl</a></li><li><a title="Utility to trigger direct calls to Mixer's API." href=/v1.0/docs/reference/commands/mixc/>mixc</a></li><li><a title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.0/docs/reference/commands/mixs/>mixs</a></li><li><a title="Istio security per-node agent." href=/v1.0/docs/reference/commands/node_agent/>node_agent</a></li><li><a title="Istio Pilot agent." href=/v1.0/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li><a title="Istio Pilot." href=/v1.0/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li><a title="Kubernetes webhook for automatic Istio sidecar injection." 
href=/v1.0/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li></ul></div></div></div></div></nav></div><div class="col-12 col-md-9 col-xl-8"><p class=d-md-none><label class=sidebar-toggler data-toggle=offcanvas><i class="fa fa-sign-out-alt"></i></label></p><main aria-labelledby=title><div class=pagenav><p><a href=/v1.0/docs/reference/config/ title="Detailed information on configuration options."><i style=transform:scaleX(-1) class="fa fa-level-up-alt"></i> Configuration</a></p></div><h1 id=title>Traffic Routing</h1><nav class="toc-inlined d-xl-none d-print-none"><hr><div class=directory role=directory><nav id=InlinedTableOfContents><ul><li><a href=#ConnectionPoolSettings>ConnectionPoolSettings</a></li><li><a href=#ConnectionPoolSettings-HTTPSettings>ConnectionPoolSettings.HTTPSettings</a></li><li><a href=#ConnectionPoolSettings-TCPSettings>ConnectionPoolSettings.TCPSettings</a></li><li><a href=#CorsPolicy>CorsPolicy</a></li><li><a href=#Destination>Destination</a></li><li><a href=#DestinationRule>DestinationRule</a></li><li><a href=#DestinationWeight>DestinationWeight</a></li><li><a href=#EnvoyFilter>EnvoyFilter</a></li><li><a href=#EnvoyFilter-Filter>EnvoyFilter.Filter</a></li><li><a href=#EnvoyFilter-Filter-FilterType>EnvoyFilter.Filter.FilterType</a></li><li><a href=#EnvoyFilter-InsertPosition>EnvoyFilter.InsertPosition</a></li><li><a href=#EnvoyFilter-InsertPosition-Index>EnvoyFilter.InsertPosition.Index</a></li><li><a href=#EnvoyFilter-ListenerMatch>EnvoyFilter.ListenerMatch</a></li><li><a href=#EnvoyFilter-ListenerMatch-ListenerProtocol>EnvoyFilter.ListenerMatch.ListenerProtocol</a></li><li><a href=#EnvoyFilter-ListenerMatch-ListenerType>EnvoyFilter.ListenerMatch.ListenerType</a></li><li><a href=#Gateway>Gateway</a></li><li><a href=#HTTPFaultInjection>HTTPFaultInjection</a></li><li><a href=#HTTPFaultInjection-Abort>HTTPFaultInjection.Abort</a></li><li><a href=#HTTPFaultInjection-Delay>HTTPFaultInjection.Delay</a></li><li><a 
href=#HTTPMatchRequest>HTTPMatchRequest</a></li><li><a href=#HTTPRedirect>HTTPRedirect</a></li><li><a href=#HTTPRetry>HTTPRetry</a></li><li><a href=#HTTPRewrite>HTTPRewrite</a></li><li><a href=#HTTPRoute>HTTPRoute</a></li><li><a href=#L4MatchAttributes>L4MatchAttributes</a></li><li><a href=#LoadBalancerSettings>LoadBalancerSettings</a></li><li><a href=#LoadBalancerSettings-ConsistentHashLB>LoadBalancerSettings.ConsistentHashLB</a></li><li><a href=#LoadBalancerSettings-ConsistentHashLB-HTTPCookie>LoadBalancerSettings.ConsistentHashLB.HTTPCookie</a></li><li><a href=#LoadBalancerSettings-SimpleLB>LoadBalancerSettings.SimpleLB</a></li><li><a href=#OutlierDetection>OutlierDetection</a></li><li><a href=#Port>Port</a></li><li><a href=#PortSelector>PortSelector</a></li><li><a href=#Server>Server</a></li><li><a href=#Server-TLSOptions>Server.TLSOptions</a></li><li><a href=#Server-TLSOptions-TLSmode>Server.TLSOptions.TLSmode</a></li><li><a href=#ServiceEntry>ServiceEntry</a></li><li><a href=#ServiceEntry-Endpoint>ServiceEntry.Endpoint</a></li><li><a href=#ServiceEntry-Location>ServiceEntry.Location</a></li><li><a href=#ServiceEntry-Resolution>ServiceEntry.Resolution</a></li><li><a href=#StringMatch>StringMatch</a></li><li><a href=#Subset>Subset</a></li><li><a href=#TCPRoute>TCPRoute</a></li><li><a href=#TLSMatchAttributes>TLSMatchAttributes</a></li><li><a href=#TLSRoute>TLSRoute</a></li><li><a href=#TLSSettings>TLSSettings</a></li><li><a href=#TLSSettings-TLSmode>TLSSettings.TLSmode</a></li><li><a href=#TrafficPolicy>TrafficPolicy</a></li><li><a href=#TrafficPolicy-PortTrafficPolicy>TrafficPolicy.PortTrafficPolicy</a></li><li><a href=#VirtualService>VirtualService</a></li></ul></nav></div><hr></nav><p>Configuration affecting traffic routing. Here are a few terms useful to define
|
|
in the context of traffic routing.</p><p><code>Service</code> a unit of application behavior bound to a unique name in a
|
|
service registry. Services consist of multiple network <em>endpoints</em>
|
|
implemented by workload instances running on pods, containers, VMs etc.</p><p><code>Service versions (a.k.a. subsets)</code> - In a continuous deployment
|
|
scenario, for a given service, there can be distinct subsets of
|
|
instances running different variants of the application binary. These
|
|
variants are not necessarily different API versions. They could be
|
|
iterative changes to the same service, deployed in different
|
|
environments (prod, staging, dev, etc.). Common scenarios where this
|
|
occurs include A/B testing, canary rollouts, etc. The choice of a
|
|
particular version can be decided based on various criteria (headers,
|
|
url, etc.) and/or by weights assigned to each version. Each service has
|
|
a default version consisting of all its instances.</p><p><code>Source</code> - A downstream client calling a service.</p><p><code>Host</code> - The address used by a client when attempting to connect to a
|
|
service.</p><p><code>Access model</code> - Applications address only the destination service
|
|
(Host) without knowledge of individual service versions (subsets). The
|
|
actual choice of the version is determined by the proxy/sidecar, enabling the
|
|
application code to decouple itself from the evolution of dependent
|
|
services.</p><h2 id=ConnectionPoolSettings>ConnectionPoolSettings</h2><section><p>Connection pool settings for an upstream host. The settings apply to
|
|
each individual host in the upstream service. See Envoy’s <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/circuit_breaking>circuit
|
|
breaker</a>
|
|
for more details. Connection pool settings can be applied at the TCP
|
|
level as well as at HTTP level.</p><p>For example, the following rule sets a limit of 100 connections to redis
|
|
service called myredissrv with a connect timeout of 30ms</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: bookinfo-redis
|
|
spec:
|
|
host: myredissrv.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
connectionPool:
|
|
tcp:
|
|
maxConnections: 100
|
|
connectTimeout: 30ms
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=ConnectionPoolSettings-tcp><td><code>tcp</code></td><td><code><a href=#ConnectionPoolSettings-TCPSettings>ConnectionPoolSettings.TCPSettings</a></code></td><td><p>Settings common to both HTTP and TCP upstream connections.</p></td></tr><tr id=ConnectionPoolSettings-http><td><code>http</code></td><td><code><a href=#ConnectionPoolSettings-HTTPSettings>ConnectionPoolSettings.HTTPSettings</a></code></td><td><p>HTTP connection pool settings.</p></td></tr></tbody></table></section><h2 id=ConnectionPoolSettings-HTTPSettings>ConnectionPoolSettings.HTTPSettings</h2><section><p>Settings applicable to HTTP1.1/HTTP2/GRPC connections.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=ConnectionPoolSettings-HTTPSettings-http1_max_pending_requests><td><code>http1MaxPendingRequests</code></td><td><code>int32</code></td><td><p>Maximum number of pending HTTP requests to a destination. Default 1024.</p></td></tr><tr id=ConnectionPoolSettings-HTTPSettings-http2_max_requests><td><code>http2MaxRequests</code></td><td><code>int32</code></td><td><p>Maximum number of requests to a backend. Default 1024.</p></td></tr><tr id=ConnectionPoolSettings-HTTPSettings-max_requests_per_connection><td><code>maxRequestsPerConnection</code></td><td><code>int32</code></td><td><p>Maximum number of requests per connection to a backend. Setting this
|
|
parameter to 1 disables keep alive.</p></td></tr><tr id=ConnectionPoolSettings-HTTPSettings-max_retries><td><code>maxRetries</code></td><td><code>int32</code></td><td><p>Maximum number of retries that can be outstanding to all hosts in a
|
|
cluster at a given time. Defaults to 3.</p></td></tr></tbody></table></section><h2 id=ConnectionPoolSettings-TCPSettings>ConnectionPoolSettings.TCPSettings</h2><section><p>Settings common to both HTTP and TCP upstream connections.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=ConnectionPoolSettings-TCPSettings-max_connections><td><code>maxConnections</code></td><td><code>int32</code></td><td><p>Maximum number of HTTP1 /TCP connections to a destination host.</p></td></tr><tr id=ConnectionPoolSettings-TCPSettings-connect_timeout><td><code>connectTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>TCP connection timeout.</p></td></tr></tbody></table></section><h2 id=CorsPolicy>CorsPolicy</h2><section><p>Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
|
|
service. Refer to
|
|
<a href=https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS>https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS</a>
|
|
for further details about cross origin resource sharing. For example,
|
|
the following rule restricts cross origin requests to those originating
|
|
from example.com domain using HTTP POST/GET, and sets the
|
|
Access-Control-Allow-Credentials header to false. In addition, it only
|
|
allows the X-Foo-Bar request header (Access-Control-Allow-Headers) and lets browsers cache the preflight result for 1 day (Access-Control-Max-Age).</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: ratings-route
|
|
spec:
|
|
hosts:
|
|
- ratings.prod.svc.cluster.local
|
|
http:
|
|
- route:
|
|
- destination:
|
|
host: ratings.prod.svc.cluster.local
|
|
subset: v1
|
|
corsPolicy:
|
|
allowOrigin:
|
|
- example.com
|
|
allowMethods:
|
|
- POST
|
|
- GET
|
|
allowCredentials: false
|
|
allowHeaders:
|
|
- X-Foo-Bar
|
|
maxAge: "1d"
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=CorsPolicy-allow_origin><td><code>allowOrigin</code></td><td><code>string[]</code></td><td><p>The list of origins that are allowed to perform CORS requests. The
|
|
content will be serialized into the Access-Control-Allow-Origin
|
|
header. Wildcard * will allow all origins. Note that browsers reject credentialed responses whose Access-Control-Allow-Origin is the wildcard, so do not combine * with allowCredentials set to true; prefer an explicit list of trusted origins.</p></td></tr><tr id=CorsPolicy-allow_methods><td><code>allowMethods</code></td><td><code>string[]</code></td><td><p>List of HTTP methods allowed to access the resource. The content will
|
|
be serialized into the Access-Control-Allow-Methods header.</p></td></tr><tr id=CorsPolicy-allow_headers><td><code>allowHeaders</code></td><td><code>string[]</code></td><td><p>List of HTTP headers that can be used when requesting the
|
|
resource. Serialized to Access-Control-Allow-Headers header.</p></td></tr><tr id=CorsPolicy-expose_headers><td><code>exposeHeaders</code></td><td><code>string[]</code></td><td><p>A white list of HTTP headers that the browsers are allowed to
|
|
access. Serialized into Access-Control-Expose-Headers header.</p></td></tr><tr id=CorsPolicy-max_age><td><code>maxAge</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Specifies how long the results of a preflight request can be
|
|
cached. Translates to the Access-Control-Max-Age header.</p></td></tr><tr id=CorsPolicy-allow_credentials><td><code>allowCredentials</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>google.protobuf.BoolValue</a></code></td><td><p>Indicates whether the caller is allowed to send the actual request
|
|
(not the preflight) using credentials. Translates to
|
|
Access-Control-Allow-Credentials header.</p></td></tr></tbody></table></section><h2 id=Destination>Destination</h2><section><p>Destination indicates the network addressable service to which the
|
|
request/connection will be sent after processing a routing rule. The
|
|
destination.host should unambiguously refer to a service in the service
|
|
registry. Istio’s service registry is composed of all the services found
|
|
in the platform’s service registry (e.g., Kubernetes services, Consul
|
|
services), as well as services declared through the
|
|
<a href=#ServiceEntry>ServiceEntry</a> resource.</p><p><em>Note for Kubernetes users</em>: When short names are used (e.g. “reviews”
|
|
instead of “reviews.default.svc.cluster.local”), Istio will interpret
|
|
the short name based on the namespace of the rule, not the service. A
|
|
rule in the “default” namespace containing a host “reviews” will be
|
|
interpreted as “reviews.default.svc.cluster.local”, irrespective of the
|
|
actual namespace associated with the reviews service. <em>To avoid potential
|
|
misconfigurations, it is recommended to always use fully qualified
|
|
domain names over short names.</em></p><p>The following Kubernetes example routes all traffic by default to pods
|
|
of the reviews service with label “version: v1” (i.e., subset v1), and
|
|
some to subset v2, in a kubernetes environment.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: reviews-route
|
|
namespace: foo
|
|
spec:
|
|
hosts:
|
|
- reviews # interpreted as reviews.foo.svc.cluster.local
|
|
http:
|
|
- match:
|
|
- uri:
|
|
prefix: "/wpcatalog"
|
|
- uri:
|
|
prefix: "/consumercatalog"
|
|
rewrite:
|
|
uri: "/newcatalog"
|
|
route:
|
|
- destination:
|
|
host: reviews # interpreted as reviews.foo.svc.cluster.local
|
|
subset: v2
|
|
- route:
|
|
- destination:
|
|
host: reviews # interpreted as reviews.foo.svc.cluster.local
|
|
subset: v1
|
|
</code></pre><p>And the associated DestinationRule</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: reviews-destination
|
|
namespace: foo
|
|
spec:
|
|
host: reviews # interpreted as reviews.foo.svc.cluster.local
|
|
subsets:
|
|
- name: v1
|
|
labels:
|
|
version: v1
|
|
- name: v2
|
|
labels:
|
|
version: v2
|
|
</code></pre><p>The following VirtualService sets a timeout of 5s for all calls to
|
|
productpage.prod.svc.cluster.local service in Kubernetes. Notice that
|
|
there are no subsets defined in this rule. Istio will fetch all
|
|
instances of productpage.prod.svc.cluster.local service from the service
|
|
registry and populate the sidecar’s load balancing pool. Also, notice
|
|
that this rule is set in the istio-system namespace but uses the fully
|
|
qualified domain name of the productpage service,
|
|
productpage.prod.svc.cluster.local. Therefore the rule’s namespace does
|
|
not have an impact in resolving the name of the productpage service.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: my-productpage-rule
|
|
namespace: istio-system
|
|
spec:
|
|
hosts:
|
|
- productpage.prod.svc.cluster.local # ignores rule namespace
|
|
http:
|
|
- timeout: 5s
|
|
route:
|
|
- destination:
|
|
host: productpage.prod.svc.cluster.local
|
|
</code></pre><p>To control routing for traffic bound to services outside the mesh, external
|
|
services must first be added to Istio’s internal service registry using the
|
|
ServiceEntry resource. VirtualServices can then be defined to control traffic
|
|
bound to these external services. For example, the following rules define a
|
|
Service for wikipedia.org and set a timeout of 5s for http requests.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: external-svc-wikipedia
|
|
spec:
|
|
hosts:
|
|
- wikipedia.org
|
|
location: MESH_EXTERNAL
|
|
ports:
|
|
- number: 80
|
|
name: example-http
|
|
protocol: HTTP
|
|
resolution: DNS
|
|
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: my-wiki-rule
|
|
spec:
|
|
hosts:
|
|
- wikipedia.org
|
|
http:
|
|
- timeout: 5s
|
|
route:
|
|
- destination:
|
|
host: wikipedia.org
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Destination-host><td><code>host</code></td><td><code>string</code></td><td><p>REQUIRED. The name of a service from the service registry. Service
|
|
names are looked up from the platform’s service registry (e.g.,
|
|
Kubernetes services, Consul services, etc.) and from the hosts
|
|
declared by <a href=#ServiceEntry>ServiceEntry</a>. Traffic forwarded to
|
|
destinations that are not found in either of the two will be dropped.</p><p><em>Note for Kubernetes users</em>: When short names are used (e.g. “reviews”
|
|
instead of “reviews.default.svc.cluster.local”), Istio will interpret
|
|
the short name based on the namespace of the rule, not the service. A
|
|
rule in the “default” namespace containing a host “reviews” will be
|
|
interpreted as “reviews.default.svc.cluster.local”, irrespective of
|
|
the actual namespace associated with the reviews service. <em>To avoid
|
|
potential misconfigurations, it is recommended to always use fully
|
|
qualified domain names over short names.</em></p></td></tr><tr id=Destination-subset><td><code>subset</code></td><td><code>string</code></td><td><p>The name of a subset within the service. Applicable only to services
|
|
within the mesh. The subset must be defined in a corresponding
|
|
DestinationRule.</p></td></tr><tr id=Destination-port><td><code>port</code></td><td><code><a href=#PortSelector>PortSelector</a></code></td><td><p>Specifies the port on the host that is being addressed. If a service
|
|
exposes only a single port it is not required to explicitly select the
|
|
port.</p></td></tr></tbody></table></section><h2 id=DestinationRule>DestinationRule</h2><section><p><code>DestinationRule</code> defines policies that apply to traffic intended for a
|
|
service after routing has occurred. These rules specify configuration
|
|
for load balancing, connection pool size from the sidecar, and outlier
|
|
detection settings to detect and evict unhealthy hosts from the load
|
|
balancing pool. For example, a simple load balancing policy for the
|
|
ratings service would look as follows:</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: bookinfo-ratings
|
|
spec:
|
|
host: ratings.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
loadBalancer:
|
|
simple: LEAST_CONN
|
|
</code></pre><p>Version specific policies can be specified by defining a named
|
|
<code>subset</code> and overriding the settings specified at the service level. The
|
|
following rule uses a round robin load balancing policy for all traffic
|
|
going to a subset named testversion that is composed of endpoints (e.g.,
|
|
pods) with labels (version:v3).</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: bookinfo-ratings
|
|
spec:
|
|
host: ratings.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
loadBalancer:
|
|
simple: LEAST_CONN
|
|
subsets:
|
|
- name: testversion
|
|
labels:
|
|
version: v3
|
|
trafficPolicy:
|
|
loadBalancer:
|
|
simple: ROUND_ROBIN
|
|
</code></pre><p><strong>Note:</strong> Policies specified for subsets will not take effect until
|
|
a route rule explicitly sends traffic to this subset.</p><p>Traffic policies can be customized to specific ports as well. The
|
|
following rule uses the least connection load balancing policy for all
|
|
traffic to port 80, while uses a round robin load balancing setting for
|
|
traffic to the port 9080.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: bookinfo-ratings-port
|
|
spec:
|
|
host: ratings.prod.svc.cluster.local
|
|
trafficPolicy: # Apply to all ports
|
|
portLevelSettings:
|
|
- port:
|
|
number: 80
|
|
loadBalancer:
|
|
simple: LEAST_CONN
|
|
- port:
|
|
number: 9080
|
|
loadBalancer:
|
|
simple: ROUND_ROBIN
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=DestinationRule-host><td><code>host</code></td><td><code>string</code></td><td><p>REQUIRED. The name of a service from the service registry. Service
|
|
names are looked up from the platform’s service registry (e.g.,
|
|
Kubernetes services, Consul services, etc.) and from the hosts
|
|
declared by <a href=#ServiceEntry>ServiceEntries</a>. Rules defined for
|
|
services that do not exist in the service registry will be ignored.</p><p><em>Note for Kubernetes users</em>: When short names are used (e.g. “reviews”
|
|
instead of “reviews.default.svc.cluster.local”), Istio will interpret
|
|
the short name based on the namespace of the rule, not the service. A
|
|
rule in the “default” namespace containing a host “reviews” will be
|
|
interpreted as “reviews.default.svc.cluster.local”, irrespective of
|
|
the actual namespace associated with the reviews service. <em>To avoid
|
|
potential misconfigurations, it is recommended to always use fully
|
|
qualified domain names over short names.</em></p><p>Note that the host field applies to both HTTP and TCP services.</p></td></tr><tr id=DestinationRule-traffic_policy><td><code>trafficPolicy</code></td><td><code><a href=#TrafficPolicy>TrafficPolicy</a></code></td><td><p>Traffic policies to apply (load balancing policy, connection pool
|
|
sizes, outlier detection).</p></td></tr><tr id=DestinationRule-subsets><td><code>subsets</code></td><td><code><a href=#Subset>Subset[]</a></code></td><td><p>One or more named sets that represent individual versions of a
|
|
service. Traffic policies can be overridden at subset level.</p></td></tr></tbody></table></section><h2 id=DestinationWeight>DestinationWeight</h2><section><p>Each routing rule is associated with one or more service versions (see
|
|
glossary in beginning of document). Weights associated with the version
|
|
determine the proportion of traffic it receives. For example, the
|
|
following rule will route 25% of traffic for the “reviews” service to
|
|
instances with the “v2” tag and the remaining traffic (i.e., 75%) to
|
|
“v1”.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: reviews-route
|
|
spec:
|
|
hosts:
|
|
- reviews.prod.svc.cluster.local
|
|
http:
|
|
- route:
|
|
- destination:
|
|
host: reviews.prod.svc.cluster.local
|
|
subset: v2
|
|
weight: 25
|
|
- destination:
|
|
host: reviews.prod.svc.cluster.local
|
|
subset: v1
|
|
weight: 75
|
|
</code></pre><p>And the associated DestinationRule</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: reviews-destination
|
|
spec:
|
|
host: reviews.prod.svc.cluster.local
|
|
subsets:
|
|
- name: v1
|
|
labels:
|
|
version: v1
|
|
- name: v2
|
|
labels:
|
|
version: v2
|
|
</code></pre><p>Traffic can also be split across two entirely different services without
|
|
having to define new subsets. For example, the following rule forwards 25% of
|
|
traffic to reviews.com to dev.reviews.com</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: reviews-route-two-domains
|
|
spec:
|
|
hosts:
|
|
- reviews.com
|
|
http:
|
|
- route:
|
|
- destination:
|
|
host: dev.reviews.com
|
|
weight: 25
|
|
- destination:
|
|
host: reviews.com
|
|
weight: 75
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=DestinationWeight-destination><td><code>destination</code></td><td><code><a href=#Destination>Destination</a></code></td><td><p>REQUIRED. Destination uniquely identifies the instances of a service
|
|
to which the request/connection should be forwarded to.</p></td></tr><tr id=DestinationWeight-weight><td><code>weight</code></td><td><code>int32</code></td><td><p>REQUIRED. The proportion of traffic to be forwarded to the service
|
|
version. (0-100). Sum of weights across destinations SHOULD BE == 100.
|
|
If there is only one destination in a rule, the weight value is assumed to
|
|
be 100.</p></td></tr></tbody></table></section><h2 id=EnvoyFilter>EnvoyFilter</h2><section><p><code>EnvoyFilter</code> describes Envoy proxy-specific filters that can be used to
|
|
customize the Envoy proxy configuration generated by Istio networking
|
|
subsystem (Pilot). This feature must be used with care, as incorrect
|
|
configurations could potentially destabilize the entire mesh. Because an EnvoyFilter injects filter configuration, including executable code such as the Lua script in the example below, into every selected proxy (and into all proxies in the mesh when workloadLabels is omitted), permission to create or modify this resource should be restricted to mesh operators.</p><p>NOTE 1: Since this is break glass configuration, there will not be any
|
|
backward compatibility across different Istio releases. In other words,
|
|
this configuration is subject to change based on internal implementation
|
|
of Istio networking subsystem.</p><p>NOTE 2: When multiple EnvoyFilters are bound to the same workload, all filter
|
|
configurations will be processed sequentially in order of creation time.
|
|
The behavior is undefined if multiple EnvoyFilter configurations conflict
|
|
with each other.</p><p>The following example for Kubernetes enables Envoy’s Lua filter for all
|
|
inbound calls arriving at service port 8080 of the reviews service pod with
|
|
labels “app: reviews”.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: EnvoyFilter
|
|
metadata:
|
|
name: reviews-lua
|
|
spec:
|
|
workloadLabels:
|
|
app: reviews
|
|
filters:
|
|
- listenerMatch:
|
|
portNumber: 8080
|
|
listenerType: SIDECAR_INBOUND #will match with the inbound listener for reviews:8080
|
|
filterName: envoy.lua
|
|
filterType: HTTP
|
|
filterConfig:
|
|
inlineCode: |
|
|
... lua code ...
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-workload_labels><td><code>workloadLabels</code></td><td><code>map<string, string></code></td><td><p>One or more labels that indicate a specific set of pods/VMs whose
|
|
proxies should be configured to use these additional filters. The
|
|
scope of label search is platform dependent. On Kubernetes, for
|
|
example, the scope includes pods running in all reachable
|
|
namespaces. Omitting the selector applies the filter to all proxies in
|
|
the mesh.
|
|
NOTE: There can be only one EnvoyFilter bound to a specific workload.
|
|
The behavior is undefined if multiple EnvoyFilter configurations are
|
|
specified for the same workload.</p></td></tr><tr id=EnvoyFilter-filters><td><code>filters</code></td><td><code><a href=#EnvoyFilter-Filter>EnvoyFilter.Filter[]</a></code></td><td><p>REQUIRED: Envoy network filters/http filters to be added to matching
|
|
listeners. When adding network filters to http connections, care
|
|
should be taken to ensure that the filter is added before
|
|
<code>envoy.http_connection_manager</code>.</p></td></tr></tbody></table></section><h2 id=EnvoyFilter-Filter>EnvoyFilter.Filter</h2><section><p>Envoy filters to be added to a network or http filter chain.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-Filter-listener_match><td><code>listenerMatch</code></td><td><code><a href=#EnvoyFilter-ListenerMatch>EnvoyFilter.ListenerMatch</a></code></td><td><p>Filter will be added to the listener only if the match conditions are true.
|
|
If not specified, the filters will be applied to all listeners.</p></td></tr><tr id=EnvoyFilter-Filter-insert_position><td><code>insertPosition</code></td><td><code><a href=#EnvoyFilter-InsertPosition>EnvoyFilter.InsertPosition</a></code></td><td><p>Insert position in the filter chain. Defaults to FIRST</p></td></tr><tr id=EnvoyFilter-Filter-filter_type><td><code>filterType</code></td><td><code><a href=#EnvoyFilter-Filter-FilterType>EnvoyFilter.Filter.FilterType</a></code></td><td><p>REQUIRED: The type of filter to instantiate.</p></td></tr><tr id=EnvoyFilter-Filter-filter_name><td><code>filterName</code></td><td><code>string</code></td><td><p>REQUIRED: The name of the filter to instantiate. The name must match a supported
|
|
filter <em>compiled into</em> Envoy.</p></td></tr><tr id=EnvoyFilter-Filter-filter_config><td><code>filterConfig</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct>google.protobuf.Struct</a></code></td><td><p>REQUIRED: Filter specific configuration which depends on the filter being
|
|
instantiated.</p></td></tr></tbody></table></section><h2 id=EnvoyFilter-Filter-FilterType>EnvoyFilter.Filter.FilterType</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-Filter-FilterType-INVALID><td><code>INVALID</code></td><td><p>placeholder</p></td></tr><tr id=EnvoyFilter-Filter-FilterType-HTTP><td><code>HTTP</code></td><td><p>Http filter</p></td></tr><tr id=EnvoyFilter-Filter-FilterType-NETWORK><td><code>NETWORK</code></td><td><p>Network filter</p></td></tr></tbody></table></section><h2 id=EnvoyFilter-InsertPosition>EnvoyFilter.InsertPosition</h2><section><p>Indicates the relative index in the filter chain where the filter should be inserted.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-InsertPosition-index><td><code>index</code></td><td><code><a href=#EnvoyFilter-InsertPosition-Index>EnvoyFilter.InsertPosition.Index</a></code></td><td><p>Position of this filter in the filter chain.</p></td></tr><tr id=EnvoyFilter-InsertPosition-relative_to><td><code>relativeTo</code></td><td><code>string</code></td><td><p>If BEFORE or AFTER position is specified, specify the name of the
|
|
filter relative to which this filter should be inserted.</p></td></tr></tbody></table></section><h2 id=EnvoyFilter-InsertPosition-Index>EnvoyFilter.InsertPosition.Index</h2><section><p>Index/position in the filter chain.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-InsertPosition-Index-FIRST><td><code>FIRST</code></td><td><p>Insert first</p></td></tr><tr id=EnvoyFilter-InsertPosition-Index-LAST><td><code>LAST</code></td><td><p>Insert last</p></td></tr><tr id=EnvoyFilter-InsertPosition-Index-BEFORE><td><code>BEFORE</code></td><td><p>Insert before the named filter.</p></td></tr><tr id=EnvoyFilter-InsertPosition-Index-AFTER><td><code>AFTER</code></td><td><p>Insert after the named filter.</p></td></tr></tbody></table></section><h2 id=EnvoyFilter-ListenerMatch>EnvoyFilter.ListenerMatch</h2><section><p>Select a listener to add the filter to based on the match conditions.
|
|
All conditions specified in the ListenerMatch must be met for the filter
|
|
to be applied to a listener.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-ListenerMatch-port_number><td><code>portNumber</code></td><td><code>uint32</code></td><td><p>The service port/gateway port to which traffic is being
|
|
sent/received. If not specified, matches all listeners. Even though
|
|
inbound listeners are generated for the instance/pod ports, only
|
|
service ports should be used to match listeners.</p></td></tr><tr id=EnvoyFilter-ListenerMatch-port_name_prefix><td><code>portNamePrefix</code></td><td><code>string</code></td><td><p>Instead of using specific port numbers, a set of ports matching a
|
|
given port name prefix can be selected. E.g., “mongo” selects ports
|
|
named mongo-port, mongo, mongoDB, MONGO, etc. Matching is case
|
|
insensitive.</p></td></tr><tr id=EnvoyFilter-ListenerMatch-listener_type><td><code>listenerType</code></td><td><code><a href=#EnvoyFilter-ListenerMatch-ListenerType>EnvoyFilter.ListenerMatch.ListenerType</a></code></td><td><p>Inbound vs outbound sidecar listener or gateway listener. If not specified,
|
|
matches all listeners.</p></td></tr><tr id=EnvoyFilter-ListenerMatch-listener_protocol><td><code>listenerProtocol</code></td><td><code><a href=#EnvoyFilter-ListenerMatch-ListenerProtocol>EnvoyFilter.ListenerMatch.ListenerProtocol</a></code></td><td><p>Selects a class of listeners for the same protocol. If not
|
|
specified, applies to listeners on all protocols. Use the protocol
|
|
selection to select all HTTP listeners (includes HTTP2/gRPC/HTTPS
|
|
where Envoy terminates TLS) or all TCP listeners (includes HTTPS
|
|
passthrough using SNI).</p></td></tr><tr id=EnvoyFilter-ListenerMatch-address><td><code>address</code></td><td><code>string[]</code></td><td><p>One or more IP addresses to which the listener is bound. If
|
|
specified, should match at least one address in the list.</p></td></tr></tbody></table></section><h2 id=EnvoyFilter-ListenerMatch-ListenerProtocol>EnvoyFilter.ListenerMatch.ListenerProtocol</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-ListenerMatch-ListenerProtocol-ALL><td><code>ALL</code></td><td><p>All protocols</p></td></tr><tr id=EnvoyFilter-ListenerMatch-ListenerProtocol-HTTP><td><code>HTTP</code></td><td><p>HTTP or HTTPS (with termination) / HTTP2/gRPC</p></td></tr><tr id=EnvoyFilter-ListenerMatch-ListenerProtocol-TCP><td><code>TCP</code></td><td><p>Any non-HTTP listener</p></td></tr></tbody></table></section><h2 id=EnvoyFilter-ListenerMatch-ListenerType>EnvoyFilter.ListenerMatch.ListenerType</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=EnvoyFilter-ListenerMatch-ListenerType-ANY><td><code>ANY</code></td><td><p>All listeners</p></td></tr><tr id=EnvoyFilter-ListenerMatch-ListenerType-SIDECAR_INBOUND><td><code>SIDECAR_INBOUND</code></td><td><p>Inbound listener in sidecar</p></td></tr><tr id=EnvoyFilter-ListenerMatch-ListenerType-SIDECAR_OUTBOUND><td><code>SIDECAR_OUTBOUND</code></td><td><p>Outbound listener in sidecar</p></td></tr><tr id=EnvoyFilter-ListenerMatch-ListenerType-GATEWAY><td><code>GATEWAY</code></td><td><p>Gateway listener</p></td></tr></tbody></table></section><h2 id=Gateway>Gateway</h2><section><p><code>Gateway</code> describes a load balancer operating at the edge of the mesh
receiving incoming or outgoing HTTP/TCP connections. The specification
describes a set of ports that should be exposed, the type of protocol to
use, SNI configuration for the load balancer, etc.</p><p>For example, the following Gateway configuration sets up a proxy to act
|
|
as a load balancer exposing port 80 and 9080 (http), 443 (https), and
|
|
port 2379 (TCP) for ingress. The gateway will be applied to the proxy
|
|
running on a pod with labels <code>app: my-gateway-controller</code>. While Istio
|
|
will configure the proxy to listen on these ports, it is the
|
|
responsibility of the user to ensure that external traffic to these
|
|
ports is allowed into the mesh.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: Gateway
|
|
metadata:
|
|
name: my-gateway
|
|
spec:
|
|
selector:
|
|
app: my-gateway-controller
|
|
servers:
|
|
- port:
|
|
number: 80
|
|
name: http
|
|
protocol: HTTP
|
|
hosts:
|
|
- uk.bookinfo.com
|
|
- eu.bookinfo.com
|
|
tls:
|
|
httpsRedirect: true # sends 301 redirect for http requests
|
|
- port:
|
|
number: 443
|
|
name: https
|
|
protocol: HTTPS
|
|
hosts:
|
|
- uk.bookinfo.com
|
|
- eu.bookinfo.com
|
|
tls:
|
|
mode: SIMPLE #enables HTTPS on this port
|
|
serverCertificate: /etc/certs/servercert.pem
|
|
privateKey: /etc/certs/privatekey.pem
|
|
- port:
|
|
number: 9080
|
|
name: http-wildcard
|
|
protocol: HTTP
|
|
hosts:
|
|
- "*"
|
|
- port:
|
|
number: 2379 # to expose internal service via external port 2379
|
|
name: mongo
|
|
protocol: MONGO
|
|
hosts:
|
|
- "*"
|
|
</code></pre><p>The Gateway specification above describes the L4-L6 properties of a load
|
|
balancer. A <code>VirtualService</code> can then be bound to a gateway to control
|
|
the forwarding of traffic arriving at a particular host or gateway port.</p><p>For example, the following VirtualService splits traffic for
|
|
“https://uk.bookinfo.com/reviews”, “https://eu.bookinfo.com/reviews”,
|
|
“http://uk.bookinfo.com:9080/reviews”,
|
|
“http://eu.bookinfo.com:9080/reviews” into two versions (prod and qa) of
|
|
an internal reviews service on port 9080. In addition, requests
|
|
containing the cookie “user: dev-123” will be sent to special port 7777
|
|
in the qa version. The same rule is also applicable inside the mesh for
|
|
requests to the “reviews.prod.svc.cluster.local” service. This rule is
|
|
applicable across ports 443, 9080. Note that “http://uk.bookinfo.com”
|
|
gets redirected to “https://uk.bookinfo.com” (i.e. 80 redirects to 443).</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: bookinfo-rule
|
|
spec:
|
|
hosts:
|
|
- reviews.prod.svc.cluster.local
|
|
- uk.bookinfo.com
|
|
- eu.bookinfo.com
|
|
gateways:
|
|
- my-gateway
|
|
- mesh # applies to all the sidecars in the mesh
|
|
http:
|
|
- match:
|
|
- headers:
|
|
cookie:
|
|
user: dev-123
|
|
route:
|
|
- destination:
|
|
port:
|
|
number: 7777
|
|
host: reviews.qa.svc.cluster.local
|
|
- match:
|
|
uri:
|
|
prefix: /reviews/
|
|
route:
|
|
- destination:
|
|
port:
|
|
number: 9080 # can be omitted if it's the only port for reviews
|
|
host: reviews.prod.svc.cluster.local
|
|
weight: 80
|
|
- destination:
|
|
host: reviews.qa.svc.cluster.local
|
|
weight: 20
|
|
</code></pre><p>The following VirtualService forwards traffic arriving at (external)
|
|
port 27017 to internal Mongo server on port 5555. This rule is not
|
|
applicable internally in the mesh as the gateway list omits the
|
|
reserved name <code>mesh</code>.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: bookinfo-Mongo
|
|
spec:
|
|
hosts:
|
|
- mongosvr.prod.svc.cluster.local #name of internal Mongo service
|
|
gateways:
|
|
- my-gateway
|
|
tcp:
|
|
- match:
|
|
- port: 27017
|
|
route:
|
|
- destination:
|
|
host: mongo.prod.svc.cluster.local
|
|
port:
|
|
number: 5555
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Gateway-servers><td><code>servers</code></td><td><code><a href=#Server>Server[]</a></code></td><td><p>REQUIRED: A list of server specifications.</p></td></tr><tr id=Gateway-selector><td><code>selector</code></td><td><code>map<string, string></code></td><td><p>REQUIRED: One or more labels that indicate a specific set of pods/VMs
|
|
on which this gateway configuration should be applied.
|
|
The scope of label search is platform dependent.
|
|
On Kubernetes, for example, the scope includes pods running in
|
|
all reachable namespaces.</p></td></tr></tbody></table></section><h2 id=HTTPFaultInjection>HTTPFaultInjection</h2><section><p>HTTPFaultInjection can be used to specify one or more faults to inject
|
|
while forwarding http requests to the destination specified in a route.
|
|
Fault specification is part of a VirtualService rule. Faults include
|
|
aborting the Http request from downstream service, and/or delaying
|
|
proxying of requests. A fault rule MUST HAVE delay or abort or both.</p><p><em>Note:</em> Delay and abort faults are independent of one another, even if
|
|
both are specified simultaneously.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPFaultInjection-delay><td><code>delay</code></td><td><code><a href=#HTTPFaultInjection-Delay>HTTPFaultInjection.Delay</a></code></td><td><p>Delay requests before forwarding, emulating various failures such as
|
|
network issues, overloaded upstream service, etc.</p></td></tr><tr id=HTTPFaultInjection-abort><td><code>abort</code></td><td><code><a href=#HTTPFaultInjection-Abort>HTTPFaultInjection.Abort</a></code></td><td><p>Abort Http request attempts and return error codes back to downstream
|
|
service, giving the impression that the upstream service is faulty.</p></td></tr></tbody></table></section><h2 id=HTTPFaultInjection-Abort>HTTPFaultInjection.Abort</h2><section><p>Abort specification is used to prematurely abort a request with a
|
|
pre-specified error code. The following example will return an HTTP
|
|
400 error code for 10% of the requests to the “ratings” service “v1”.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: ratings-route
|
|
spec:
|
|
hosts:
|
|
- ratings.prod.svc.cluster.local
|
|
http:
|
|
- route:
|
|
- destination:
|
|
host: ratings.prod.svc.cluster.local
|
|
subset: v1
|
|
fault:
|
|
abort:
|
|
percent: 10
|
|
httpStatus: 400
|
|
</code></pre><p>The <em>httpStatus</em> field is used to indicate the HTTP status code to
|
|
return to the caller. The optional <em>percent</em> field, a value between 0
|
|
and 100, is used to only abort a certain percentage of requests. If
|
|
not specified, all requests are aborted.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPFaultInjection-Abort-percent><td><code>percent</code></td><td><code>int32</code></td><td><p>Percentage of requests to be aborted with the error code provided (0-100).</p></td></tr><tr id=HTTPFaultInjection-Abort-http_status class="oneof oneof-start"><td><code>httpStatus</code></td><td><code>int32 (oneof)</code></td><td><p>REQUIRED. HTTP status code to use to abort the Http request.</p></td></tr></tbody></table></section><h2 id=HTTPFaultInjection-Delay>HTTPFaultInjection.Delay</h2><section><p>Delay specification is used to inject latency into the request
|
|
forwarding path. The following example will introduce a 5 second delay
|
|
in 10% of the requests to the “v1” version of the “reviews”
|
|
service from all pods with label env: prod</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: reviews-route
|
|
spec:
|
|
hosts:
|
|
- reviews.prod.svc.cluster.local
|
|
http:
|
|
- match:
|
|
- sourceLabels:
|
|
env: prod
|
|
route:
|
|
- destination:
|
|
host: reviews.prod.svc.cluster.local
|
|
subset: v1
|
|
fault:
|
|
delay:
|
|
percent: 10
|
|
fixedDelay: 5s
|
|
</code></pre><p>The <em>fixedDelay</em> field is used to indicate the amount of delay in
|
|
seconds. An optional <em>percent</em> field, a value between 0 and 100, can
|
|
be used to only delay a certain percentage of requests. If left
|
|
unspecified, all requests will be delayed.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPFaultInjection-Delay-percent><td><code>percent</code></td><td><code>int32</code></td><td><p>Percentage of requests on which the delay will be injected (0-100).</p></td></tr><tr id=HTTPFaultInjection-Delay-fixed_delay class="oneof oneof-start"><td><code>fixedDelay</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration (oneof)</a></code></td><td><p>REQUIRED. Add a fixed delay before forwarding the request. Format:
|
|
1h/1m/1s/1ms. MUST be >=1ms.</p></td></tr></tbody></table></section><h2 id=HTTPMatchRequest>HTTPMatchRequest</h2><section><p>HTTPMatchRequest specifies a set of criteria to be met in order for the
|
|
rule to be applied to the HTTP request. For example, the following
|
|
restricts the rule to match only requests where the URL path
|
|
starts with /ratings/v2/ and the request contains a custom <code>end-user</code> header
|
|
with value <code>jason</code>.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: ratings-route
|
|
spec:
|
|
hosts:
|
|
- ratings.prod.svc.cluster.local
|
|
http:
|
|
- match:
|
|
- headers:
|
|
end-user:
|
|
exact: jason
|
|
uri:
|
|
prefix: "/ratings/v2/"
|
|
route:
|
|
- destination:
|
|
host: ratings.prod.svc.cluster.local
|
|
</code></pre><p>HTTPMatchRequest CANNOT be empty.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPMatchRequest-uri><td><code>uri</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>URI to match
|
|
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul></td></tr><tr id=HTTPMatchRequest-scheme><td><code>scheme</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>URI Scheme
|
|
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul></td></tr><tr id=HTTPMatchRequest-method><td><code>method</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>HTTP Method
|
|
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul></td></tr><tr id=HTTPMatchRequest-authority><td><code>authority</code></td><td><code><a href=#StringMatch>StringMatch</a></code></td><td><p>HTTP Authority
|
|
values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul></td></tr><tr id=HTTPMatchRequest-headers><td><code>headers</code></td><td><code>map<string, <a href=#StringMatch>StringMatch</a>></code></td><td><p>The header keys must be lowercase and use hyphen as the separator,
|
|
e.g. <em>x-request-id</em>.</p><p>Header values are case-sensitive and formatted as follows:</p><ul><li><p><code>exact: "value"</code> for exact string match</p></li><li><p><code>prefix: "value"</code> for prefix-based match</p></li><li><p><code>regex: "value"</code> for ECMAscript style regex-based match</p></li></ul><p><strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p></td></tr><tr id=HTTPMatchRequest-port><td><code>port</code></td><td><code>uint32</code></td><td><p>Specifies the ports on the host that is being addressed. Many services
|
|
only expose a single port or label ports with the protocols they support,
|
|
in these cases it is not required to explicitly select the port.</p></td></tr><tr id=HTTPMatchRequest-source_labels><td><code>sourceLabels</code></td><td><code>map<string, string></code></td><td><p>One or more labels that constrain the applicability of a rule to
|
|
workloads with the given labels. If the VirtualService has a list of
|
|
gateways specified at the top, it should include the reserved gateway
|
|
<code>mesh</code> in order for this field to be applicable.</p></td></tr><tr id=HTTPMatchRequest-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>Names of gateways where the rule should be applied to. Gateway names
|
|
at the top of the VirtualService (if any) are overridden. The gateway match is
|
|
independent of sourceLabels.</p></td></tr></tbody></table></section><h2 id=HTTPRedirect>HTTPRedirect</h2><section><p>HTTPRedirect can be used to send a 301 redirect response to the caller,
|
|
where the Authority/Host and the URI in the response can be swapped with
|
|
the specified values. For example, the following rule redirects
|
|
requests for /v1/getProductRatings API on the ratings service to
|
|
/v1/bookRatings provided by the bookratings service.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: ratings-route
|
|
spec:
|
|
hosts:
|
|
- ratings.prod.svc.cluster.local
|
|
http:
|
|
- match:
|
|
- uri:
|
|
exact: /v1/getProductRatings
|
|
redirect:
|
|
uri: /v1/bookRatings
|
|
authority: newratings.default.svc.cluster.local
|
|
...
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPRedirect-uri><td><code>uri</code></td><td><code>string</code></td><td><p>On a redirect, overwrite the Path portion of the URL with this
|
|
value. Note that the entire path will be replaced, irrespective of the
|
|
request URI being matched as an exact path or prefix.</p></td></tr><tr id=HTTPRedirect-authority><td><code>authority</code></td><td><code>string</code></td><td><p>On a redirect, overwrite the Authority/Host portion of the URL with
|
|
this value.</p></td></tr></tbody></table></section><h2 id=HTTPRetry>HTTPRetry</h2><section><p>Describes the retry policy to use when a HTTP request fails. For
|
|
example, the following rule sets the maximum number of retries to 3 when
|
|
calling ratings:v1 service, with a 2s timeout per retry attempt.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: ratings-route
|
|
spec:
|
|
hosts:
|
|
- ratings.prod.svc.cluster.local
|
|
http:
|
|
- route:
|
|
- destination:
|
|
host: ratings.prod.svc.cluster.local
|
|
subset: v1
|
|
retries:
|
|
attempts: 3
|
|
perTryTimeout: 2s
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPRetry-attempts><td><code>attempts</code></td><td><code>int32</code></td><td><p>REQUIRED. Number of retries for a given request. The interval
|
|
between retries will be determined automatically (25ms+). Actual
|
|
number of retries attempted depends on the httpReqTimeout.</p></td></tr><tr id=HTTPRetry-per_try_timeout><td><code>perTryTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.</p></td></tr></tbody></table></section><h2 id=HTTPRewrite>HTTPRewrite</h2><section><p>HTTPRewrite can be used to rewrite specific parts of a HTTP request
|
|
before forwarding the request to the destination. Rewrite primitive can
|
|
be used only with the DestinationWeights. The following example
|
|
demonstrates how to rewrite the URL prefix for api call (/ratings) to
|
|
ratings service before making the actual API call.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: ratings-route
|
|
spec:
|
|
hosts:
|
|
- ratings.prod.svc.cluster.local
|
|
http:
|
|
- match:
|
|
- uri:
|
|
prefix: /ratings
|
|
rewrite:
|
|
uri: /v1/bookRatings
|
|
route:
|
|
- destination:
|
|
host: ratings.prod.svc.cluster.local
|
|
subset: v1
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPRewrite-uri><td><code>uri</code></td><td><code>string</code></td><td><p>rewrite the path (or the prefix) portion of the URI with this
|
|
value. If the original URI was matched based on prefix, the value
|
|
provided in this field will replace the corresponding matched prefix.</p></td></tr><tr id=HTTPRewrite-authority><td><code>authority</code></td><td><code>string</code></td><td><p>rewrite the Authority/Host header with this value.</p></td></tr></tbody></table></section><h2 id=HTTPRoute>HTTPRoute</h2><section><p>Describes match conditions and actions for routing HTTP/1.1, HTTP2, and
|
|
gRPC traffic. See VirtualService for usage examples.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=HTTPRoute-match><td><code>match</code></td><td><code><a href=#HTTPMatchRequest>HTTPMatchRequest[]</a></code></td><td><p>Match conditions to be satisfied for the rule to be
|
|
activated. All conditions inside a single match block have AND
|
|
semantics, while the list of match blocks have OR semantics. The rule
|
|
is matched if any one of the match blocks succeeds.</p></td></tr><tr id=HTTPRoute-route><td><code>route</code></td><td><code><a href=#DestinationWeight>DestinationWeight[]</a></code></td><td><p>An HTTP rule can either redirect or forward (default) traffic. The
|
|
forwarding target can be one of several versions of a service (see
|
|
glossary in beginning of document). Weights associated with the
|
|
service version determine the proportion of traffic it receives.</p></td></tr><tr id=HTTPRoute-redirect><td><code>redirect</code></td><td><code><a href=#HTTPRedirect>HTTPRedirect</a></code></td><td><p>An HTTP rule can either redirect or forward (default) traffic. If
|
|
traffic passthrough option is specified in the rule,
|
|
route/redirect will be ignored. The redirect primitive can be used to
|
|
send a HTTP 301 redirect to a different URI or Authority.</p></td></tr><tr id=HTTPRoute-rewrite><td><code>rewrite</code></td><td><code><a href=#HTTPRewrite>HTTPRewrite</a></code></td><td><p>Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with
|
|
Redirect primitive. Rewrite will be performed before forwarding.</p></td></tr><tr id=HTTPRoute-timeout><td><code>timeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Timeout for HTTP requests.</p></td></tr><tr id=HTTPRoute-retries><td><code>retries</code></td><td><code><a href=#HTTPRetry>HTTPRetry</a></code></td><td><p>Retry policy for HTTP requests.</p></td></tr><tr id=HTTPRoute-fault><td><code>fault</code></td><td><code><a href=#HTTPFaultInjection>HTTPFaultInjection</a></code></td><td><p>Fault injection policy to apply on HTTP traffic at the client side.
|
|
Note that timeouts or retries will not be enabled when faults are
|
|
enabled on the client side.</p></td></tr><tr id=HTTPRoute-mirror><td><code>mirror</code></td><td><code><a href=#Destination>Destination</a></code></td><td><p>Mirror HTTP traffic to another destination in addition to forwarding
|
|
the requests to the intended destination. Mirrored traffic is on a
|
|
best effort basis where the sidecar/gateway will not wait for the
|
|
mirrored cluster to respond before returning the response from the
|
|
original destination. Statistics will be generated for the mirrored
|
|
destination.</p></td></tr><tr id=HTTPRoute-cors_policy><td><code>corsPolicy</code></td><td><code><a href=#CorsPolicy>CorsPolicy</a></code></td><td><p>Cross-Origin Resource Sharing policy (CORS). Refer to
|
|
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
|
|
for further details about cross origin resource sharing.</p></td></tr><tr id=HTTPRoute-append_headers><td><code>appendHeaders</code></td><td><code>map<string, string></code></td><td><p>Additional HTTP headers to add before forwarding a request to the
|
|
destination service.</p></td></tr></tbody></table></section><h2 id=L4MatchAttributes>L4MatchAttributes</h2><section><p>L4 connection match attributes. Note that L4 connection matching support
|
|
is incomplete.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=L4MatchAttributes-destination_subnets><td><code>destinationSubnets</code></td><td><code>string[]</code></td><td><p>IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
|
|
a.b.c.d/xx form or just a.b.c.d.</p></td></tr><tr id=L4MatchAttributes-port><td><code>port</code></td><td><code>uint32</code></td><td><p>Specifies the port on the host that is being addressed. Many services
|
|
only expose a single port or label ports with the protocols they support,
|
|
in these cases it is not required to explicitly select the port.</p></td></tr><tr id=L4MatchAttributes-source_labels><td><code>sourceLabels</code></td><td><code>map<string, string></code></td><td><p>One or more labels that constrain the applicability of a rule to
|
|
workloads with the given labels. If the VirtualService has a list of
|
|
gateways specified at the top, it should include the reserved gateway
|
|
<code>mesh</code> in order for this field to be applicable.</p></td></tr><tr id=L4MatchAttributes-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>Names of gateways where the rule should be applied to. Gateway names
|
|
at the top of the VirtualService (if any) are overridden. The gateway
|
|
match is independent of sourceLabels.</p></td></tr></tbody></table></section><h2 id=LoadBalancerSettings>LoadBalancerSettings</h2><section><p>Load balancing policies to apply for a specific destination. See Envoy’s
|
|
load balancing
|
|
<a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing.html>documentation</a>
|
|
for more details.</p><p>For example, the following rule uses a round robin load balancing policy
|
|
for all traffic going to the ratings service.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: bookinfo-ratings
|
|
spec:
|
|
host: ratings.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
loadBalancer:
|
|
simple: ROUND_ROBIN
|
|
</code></pre><p>The following example sets up sticky sessions for the ratings service
|
|
using a consistent hashing-based load balancer with
|
|
the User cookie as the hash key.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: bookinfo-ratings
|
|
spec:
|
|
host: ratings.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
loadBalancer:
|
|
consistentHash:
|
|
httpCookie:
|
|
name: user
|
|
ttl: 0s
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=LoadBalancerSettings-simple class="oneof oneof-start"><td><code>simple</code></td><td><code><a href=#LoadBalancerSettings-SimpleLB>LoadBalancerSettings.SimpleLB (oneof)</a></code></td><td></td></tr><tr id=LoadBalancerSettings-consistent_hash class=oneof><td><code>consistentHash</code></td><td><code><a href=#LoadBalancerSettings-ConsistentHashLB>LoadBalancerSettings.ConsistentHashLB (oneof)</a></code></td><td></td></tr></tbody></table></section><h2 id=LoadBalancerSettings-ConsistentHashLB>LoadBalancerSettings.ConsistentHashLB</h2><section><p>Consistent Hash-based load balancing can be used to provide soft
|
|
session affinity based on HTTP headers, cookies or other
|
|
properties. This load balancing policy is applicable only for HTTP
|
|
connections. The affinity to a particular destination host will be
|
|
lost when one or more hosts are added/removed from the destination
|
|
service.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=LoadBalancerSettings-ConsistentHashLB-http_header_name class="oneof oneof-start"><td><code>httpHeaderName</code></td><td><code>string (oneof)</code></td><td><p>Hash based on a specific HTTP header.</p></td></tr><tr id=LoadBalancerSettings-ConsistentHashLB-http_cookie class=oneof><td><code>httpCookie</code></td><td><code><a href=#LoadBalancerSettings-ConsistentHashLB-HTTPCookie>LoadBalancerSettings.ConsistentHashLB.HTTPCookie (oneof)</a></code></td><td><p>Hash based on HTTP cookie.</p></td></tr><tr id=LoadBalancerSettings-ConsistentHashLB-use_source_ip class=oneof><td><code>useSourceIp</code></td><td><code>bool (oneof)</code></td><td><p>Hash based on the source IP address.</p></td></tr><tr id=LoadBalancerSettings-ConsistentHashLB-minimum_ring_size><td><code>minimumRingSize</code></td><td><code>uint64</code></td><td><p>The minimum number of virtual nodes to use for the hash
|
|
ring. Defaults to 1024. Larger ring sizes result in more granular
|
|
load distributions. If the number of hosts in the load balancing
|
|
pool is larger than the ring size, each host will be assigned a
|
|
single virtual node.</p></td></tr></tbody></table></section><h2 id=LoadBalancerSettings-ConsistentHashLB-HTTPCookie>LoadBalancerSettings.ConsistentHashLB.HTTPCookie</h2><section><p>Describes a HTTP cookie that will be used as the hash key for the
|
|
Consistent Hash load balancer. If the cookie is not present, it will
|
|
be generated.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=LoadBalancerSettings-ConsistentHashLB-HTTPCookie-name><td><code>name</code></td><td><code>string</code></td><td><p>REQUIRED. Name of the cookie.</p></td></tr><tr id=LoadBalancerSettings-ConsistentHashLB-HTTPCookie-path><td><code>path</code></td><td><code>string</code></td><td><p>Path to set for the cookie.</p></td></tr><tr id=LoadBalancerSettings-ConsistentHashLB-HTTPCookie-ttl><td><code>ttl</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>REQUIRED. Lifetime of the cookie.</p></td></tr></tbody></table></section><h2 id=LoadBalancerSettings-SimpleLB>LoadBalancerSettings.SimpleLB</h2><section><p>Standard load balancing algorithms that require no tuning.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=LoadBalancerSettings-SimpleLB-ROUND_ROBIN><td><code>ROUND_ROBIN</code></td><td><p>Round Robin policy. Default</p></td></tr><tr id=LoadBalancerSettings-SimpleLB-LEAST_CONN><td><code>LEAST_CONN</code></td><td><p>The least request load balancer uses an O(1) algorithm which selects
|
|
two random healthy hosts and picks the host which has fewer active
|
|
requests.</p></td></tr><tr id=LoadBalancerSettings-SimpleLB-RANDOM><td><code>RANDOM</code></td><td><p>The random load balancer selects a random healthy host. The random
|
|
load balancer generally performs better than round robin if no health
|
|
checking policy is configured.</p></td></tr><tr id=LoadBalancerSettings-SimpleLB-PASSTHROUGH><td><code>PASSTHROUGH</code></td><td><p>This option will forward the connection to the original IP address
|
|
requested by the caller without doing any form of load
|
|
balancing. This option must be used with care. It is meant for
|
|
advanced use cases. Refer to Original Destination load balancer in
|
|
Envoy for further details.</p></td></tr></tbody></table></section><h2 id=OutlierDetection>OutlierDetection</h2><section><p>A Circuit breaker implementation that tracks the status of each
|
|
individual host in the upstream service. Applicable to both HTTP and
|
|
TCP services. For HTTP services, hosts that continually return 5xx
|
|
errors for API calls are ejected from the pool for a pre-defined period
|
|
of time. For TCP services, connection timeouts or connection
|
|
failures to a given host count as an error when measuring the
|
|
consecutive errors metric. See Envoy’s <a href=https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/outlier>outlier
|
|
detection</a>
|
|
for more details.</p><p>The following rule sets a connection pool size of 100 connections and
|
|
1000 concurrent HTTP2 requests, with no more than 10 req/connection to
|
|
“reviews” service. In addition, it configures upstream hosts to be
|
|
scanned every 5 mins, such that any host that fails 7 consecutive times
|
|
with 5XX error code will be ejected for 15 minutes.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: reviews-cb-policy
|
|
spec:
|
|
host: reviews.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
connectionPool:
|
|
tcp:
|
|
maxConnections: 100
|
|
http:
|
|
http2MaxRequests: 1000
|
|
maxRequestsPerConnection: 10
|
|
outlierDetection:
|
|
consecutiveErrors: 7
|
|
interval: 5m
|
|
baseEjectionTime: 15m
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=OutlierDetection-consecutive_errors><td><code>consecutiveErrors</code></td><td><code>int32</code></td><td><p>Number of errors before a host is ejected from the connection
|
|
pool. Defaults to 5. When the upstream host is accessed over HTTP, a
|
|
5xx return code qualifies as an error. When the upstream host is
|
|
accessed over an opaque TCP connection, connect timeouts and
|
|
connection error/failure events qualify as an error.</p></td></tr><tr id=OutlierDetection-interval><td><code>interval</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Time interval between ejection sweep analysis. format:
|
|
1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.</p></td></tr><tr id=OutlierDetection-base_ejection_time><td><code>baseEjectionTime</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>google.protobuf.Duration</a></code></td><td><p>Minimum ejection duration. A host will remain ejected for a period
|
|
equal to the product of minimum ejection duration and the number of
|
|
times the host has been ejected. This technique allows the system to
|
|
automatically increase the ejection period for unhealthy upstream
|
|
servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.</p></td></tr><tr id=OutlierDetection-max_ejection_percent><td><code>maxEjectionPercent</code></td><td><code>int32</code></td><td><p>Maximum % of hosts in the load balancing pool for the upstream
|
|
service that can be ejected. Defaults to 10%.</p></td></tr></tbody></table></section><h2 id=Port>Port</h2><section><p>Port describes the properties of a specific port of a service.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Port-number><td><code>number</code></td><td><code>uint32</code></td><td><p>REQUIRED: A valid non-negative integer port number.</p></td></tr><tr id=Port-protocol><td><code>protocol</code></td><td><code>string</code></td><td><p>REQUIRED: The protocol exposed on the port.
|
|
MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
|
|
TLS is used to indicate secure connections to non HTTP services.</p></td></tr><tr id=Port-name><td><code>name</code></td><td><code>string</code></td><td><p>Label assigned to the port.</p></td></tr></tbody></table></section><h2 id=PortSelector>PortSelector</h2><section><p>PortSelector specifies the number of a port to be used for
|
|
matching or selection for final routing.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=PortSelector-number class="oneof oneof-start"><td><code>number</code></td><td><code>uint32 (oneof)</code></td><td><p>Valid port number</p></td></tr></tbody></table></section><h2 id=Server>Server</h2><section><p><code>Server</code> describes the properties of the proxy on a given load balancer
|
|
port. For example,</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: Gateway
|
|
metadata:
|
|
name: my-ingress
|
|
spec:
|
|
selector:
|
|
app: my-ingress-gateway
|
|
servers:
|
|
- port:
|
|
number: 80
|
|
name: http2
|
|
protocol: HTTP2
|
|
hosts:
|
|
- "*"
|
|
</code></pre><p>Another example</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: Gateway
|
|
metadata:
|
|
name: my-tcp-ingress
|
|
spec:
|
|
selector:
|
|
app: my-tcp-ingress-gateway
|
|
servers:
|
|
- port:
|
|
number: 27018
|
|
name: mongo
|
|
protocol: MONGO
|
|
hosts:
|
|
- "*"
|
|
</code></pre><p>The following is an example of TLS configuration for port 443</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: Gateway
|
|
metadata:
|
|
name: my-tls-ingress
|
|
spec:
|
|
selector:
|
|
app: my-tls-ingress-gateway
|
|
servers:
|
|
- port:
|
|
number: 443
|
|
name: https
|
|
protocol: HTTPS
|
|
hosts:
|
|
- "*"
|
|
tls:
|
|
mode: SIMPLE
|
|
serverCertificate: /etc/certs/server.pem
|
|
privateKey: /etc/certs/privatekey.pem
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Server-port><td><code>port</code></td><td><code><a href=#Port>Port</a></code></td><td><p>REQUIRED: The Port on which the proxy should listen for incoming
|
|
connections</p></td></tr><tr id=Server-hosts><td><code>hosts</code></td><td><code>string[]</code></td><td><p>REQUIRED. A list of hosts exposed by this gateway. At least one
|
|
host is required. While typically applicable to
|
|
HTTP services, it can also be used for TCP services using TLS with
|
|
SNI. May contain a wildcard prefix for the bottom-level component of
|
|
a domain name. For example <code>*.foo.com</code> matches <code>bar.foo.com</code>
|
|
and <code>*.com</code> matches <code>bar.foo.com</code>, <code>example.com</code>, and so on.</p><p><strong>Note</strong>: A <code>VirtualService</code> that is bound to a gateway must have one
|
|
or more hosts that match the hosts specified in a server. The match
|
|
could be an exact match or a suffix match with the server’s hosts. For
|
|
example, if the server’s hosts specifies “*.example.com”,
|
|
VirtualServices with hosts dev.example.com, prod.example.com will
|
|
match. However, VirtualServices with hosts example.com or
|
|
newexample.com will not match.</p></td></tr><tr id=Server-tls><td><code>tls</code></td><td><code><a href=#Server-TLSOptions>Server.TLSOptions</a></code></td><td><p>Set of TLS related options that govern the server’s behavior. Use
|
|
these options to control if all http requests should be redirected to
|
|
https, and the TLS modes to use.</p></td></tr></tbody></table></section><h2 id=Server-TLSOptions>Server.TLSOptions</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Server-TLSOptions-https_redirect><td><code>httpsRedirect</code></td><td><code>bool</code></td><td><p>If set to true, the load balancer will send a 301 redirect for all
|
|
http connections, asking the clients to use HTTPS.</p></td></tr><tr id=Server-TLSOptions-mode><td><code>mode</code></td><td><code><a href=#Server-TLSOptions-TLSmode>Server.TLSOptions.TLSmode</a></code></td><td><p>Optional: Indicates whether connections to this port should be
|
|
secured using TLS. The value of this field determines how TLS is
|
|
enforced.</p></td></tr><tr id=Server-TLSOptions-server_certificate><td><code>serverCertificate</code></td><td><code>string</code></td><td><p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
|
|
holding the server-side TLS certificate to use.</p></td></tr><tr id=Server-TLSOptions-private_key><td><code>privateKey</code></td><td><code>string</code></td><td><p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
|
|
holding the server’s private key.</p></td></tr><tr id=Server-TLSOptions-ca_certificates><td><code>caCertificates</code></td><td><code>string</code></td><td><p>REQUIRED if mode is <code>MUTUAL</code>. The path to a file containing
|
|
certificate authority certificates to use in verifying a presented
|
|
client side certificate.</p></td></tr><tr id=Server-TLSOptions-subject_alt_names><td><code>subjectAltNames</code></td><td><code>string[]</code></td><td><p>A list of alternate names to verify the subject identity in the
|
|
certificate presented by the client.</p></td></tr></tbody></table></section><h2 id=Server-TLSOptions-TLSmode>Server.TLSOptions.TLSmode</h2><section><p>TLS modes enforced by the proxy</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Server-TLSOptions-TLSmode-PASSTHROUGH><td><code>PASSTHROUGH</code></td><td><p>Forward the connection to the upstream server selected based on
|
|
the SNI string presented by the client.</p></td></tr><tr id=Server-TLSOptions-TLSmode-SIMPLE><td><code>SIMPLE</code></td><td><p>Secure connections with standard TLS semantics.</p></td></tr><tr id=Server-TLSOptions-TLSmode-MUTUAL><td><code>MUTUAL</code></td><td><p>Secure connections to the upstream using mutual TLS by presenting
|
|
client certificates for authentication.</p></td></tr></tbody></table></section><h2 id=ServiceEntry>ServiceEntry</h2><section><p><code>ServiceEntry</code> enables adding additional entries into Istio’s internal
|
|
service registry, so that auto-discovered services in the mesh can
|
|
access/route to these manually specified services. A service entry
|
|
describes the properties of a service (DNS name, VIPs, ports, protocols,
|
|
endpoints). These services could be external to the mesh (e.g., web
|
|
APIs) or mesh-internal services that are not part of the platform’s
|
|
service registry (e.g., a set of VMs talking to services in Kubernetes).</p><p>The following configuration adds a set of MongoDB instances running on
|
|
unmanaged VMs to Istio’s registry, so that these services can be treated
|
|
as any other service in the mesh. The associated DestinationRule is used
|
|
to initiate mTLS connections to the database instances.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: external-svc-mongocluster
|
|
spec:
|
|
hosts:
|
|
- mymongodb.somedomain # not used
|
|
addresses:
|
|
- 192.192.192.192/24 # VIPs
|
|
ports:
|
|
- number: 27018
|
|
name: mongodb
|
|
protocol: MONGO
|
|
location: MESH_INTERNAL
|
|
resolution: STATIC
|
|
endpoints:
|
|
- address: 2.2.2.2
|
|
- address: 3.3.3.3
|
|
</code></pre><p>and the associated DestinationRule</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: mtls-mongocluster
|
|
spec:
|
|
host: mymongodb.somedomain
|
|
trafficPolicy:
|
|
tls:
|
|
mode: MUTUAL
|
|
clientCertificate: /etc/certs/myclientcert.pem
|
|
privateKey: /etc/certs/client_private_key.pem
|
|
caCertificates: /etc/certs/rootcacerts.pem
|
|
</code></pre><p>The following example uses a combination of service entry and TLS
|
|
routing in virtual service to demonstrate the use of SNI routing to
|
|
forward unterminated TLS traffic from the application to external
|
|
services via the sidecar. The sidecar inspects the SNI value in the
|
|
ClientHello message to route to the appropriate external service.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: external-svc-https
|
|
spec:
|
|
hosts:
|
|
- api.dropboxapi.com
|
|
- www.googleapis.com
|
|
- api.facebook.com
|
|
location: MESH_EXTERNAL
|
|
ports:
|
|
- number: 443
|
|
name: https
|
|
protocol: HTTPS
|
|
resolution: DNS
|
|
</code></pre><p>And the associated VirtualService to route based on the SNI value.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: tls-routing
|
|
spec:
|
|
hosts:
|
|
- api.dropboxapi.com
|
|
- www.googleapis.com
|
|
- api.facebook.com
|
|
tls:
|
|
- match:
|
|
- port: 443
|
|
sniHosts:
|
|
- api.dropboxapi.com
|
|
route:
|
|
- destination:
|
|
host: api.dropboxapi.com
|
|
- match:
|
|
- port: 443
|
|
sniHosts:
|
|
- www.googleapis.com
|
|
route:
|
|
- destination:
|
|
host: www.googleapis.com
|
|
- match:
|
|
- port: 443
|
|
sniHosts:
|
|
- api.facebook.com
|
|
route:
|
|
- destination:
|
|
host: api.facebook.com
|
|
|
|
</code></pre><p>The following example demonstrates the use of a dedicated egress gateway
|
|
through which all external service traffic is forwarded.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: external-svc-httpbin
|
|
spec:
|
|
hosts:
|
|
- httpbin.com
|
|
location: MESH_EXTERNAL
|
|
ports:
|
|
- number: 80
|
|
name: http
|
|
protocol: HTTP
|
|
resolution: DNS
|
|
</code></pre><p>Define a gateway to handle all egress traffic.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: Gateway
|
|
metadata:
|
|
name: istio-egressgateway
|
|
spec:
|
|
selector:
|
|
istio: egressgateway
|
|
servers:
|
|
- port:
|
|
number: 80
|
|
name: http
|
|
protocol: HTTP
|
|
hosts:
|
|
- "*"
|
|
</code></pre><p>And the associated VirtualService to route from the sidecar to the
|
|
gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
|
|
well as route from the gateway to the external service.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: gateway-routing
|
|
spec:
|
|
hosts:
|
|
- httpbin.com
|
|
gateways:
|
|
- mesh
|
|
- istio-egressgateway
|
|
http:
|
|
- match:
|
|
- port: 80
|
|
gateways:
|
|
- mesh
|
|
route:
|
|
- destination:
|
|
host: istio-egressgateway.istio-system.svc.cluster.local
|
|
- match:
|
|
- port: 80
|
|
gateways:
|
|
- istio-egressgateway
|
|
route:
|
|
- destination:
|
|
host: httpbin.com
|
|
</code></pre><p>The following example demonstrates the use of wildcards in the hosts for
|
|
external services. If the connection has to be routed to the IP address
|
|
requested by the application (i.e. application resolves DNS and attempts
|
|
to connect to a specific IP), the discovery mode must be set to <code>NONE</code>.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: external-svc-wildcard-example
|
|
spec:
|
|
hosts:
|
|
- "*.bar.com"
|
|
location: MESH_EXTERNAL
|
|
ports:
|
|
- number: 80
|
|
name: http
|
|
protocol: HTTP
|
|
resolution: NONE
|
|
</code></pre><p>The following example demonstrates a service that is available via a
|
|
Unix Domain Socket on the host of the client. The resolution must be
|
|
set to STATIC to use unix address endpoints.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: unix-domain-socket-example
|
|
spec:
|
|
hosts:
|
|
- "example.unix.local"
|
|
location: MESH_EXTERNAL
|
|
ports:
|
|
- number: 80
|
|
name: http
|
|
protocol: HTTP
|
|
resolution: STATIC
|
|
endpoints:
|
|
- address: unix:///var/run/example/socket
|
|
</code></pre><p>For HTTP based services, it is possible to create a VirtualService
|
|
backed by multiple DNS addressable endpoints. In such a scenario, the
|
|
application can use the HTTP_PROXY environment variable to transparently
|
|
reroute API calls for the VirtualService to a chosen backend. For
|
|
example, the following configuration creates a non-existent external
|
|
service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
|
|
uk.foo.bar.com:9080, and in.foo.bar.com:7080.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: ServiceEntry
|
|
metadata:
|
|
name: external-svc-dns
|
|
spec:
|
|
hosts:
|
|
- foo.bar.com
|
|
location: MESH_EXTERNAL
|
|
ports:
|
|
- number: 80
|
|
name: https
|
|
protocol: HTTP
|
|
resolution: DNS
|
|
endpoints:
|
|
- address: us.foo.bar.com
|
|
ports:
|
|
https: 8080
|
|
- address: uk.foo.bar.com
|
|
ports:
|
|
https: 9080
|
|
- address: in.foo.bar.com
|
|
ports:
|
|
https: 7080
|
|
</code></pre><p>With HTTP_PROXY=http://localhost/, calls from the application to
|
|
http://foo.bar.com will be load balanced across the three domains
|
|
specified above. For example, a call to http://foo.bar.com/baz could
|
|
be translated to http://uk.foo.bar.com/baz.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=ServiceEntry-hosts><td><code>hosts</code></td><td><code>string[]</code></td><td><p>REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
|
|
name with wildcard prefix (external services only). DNS names in hosts
|
|
will be ignored if the application accesses the service over non-HTTP
|
|
protocols such as mongo/opaque TCP/even HTTPS. In such scenarios, the
|
|
IP addresses specified in the Addresses field or the port will be used
|
|
to uniquely identify the destination.</p></td></tr><tr id=ServiceEntry-addresses><td><code>addresses</code></td><td><code>string[]</code></td><td><p>The virtual IP addresses associated with the service. Could be a CIDR
|
|
prefix. For HTTP services, the addresses field will be ignored and
|
|
the destination will be identified based on the HTTP Host/Authority
|
|
header. For non-HTTP protocols such as mongo/opaque TCP/even HTTPS,
|
|
the hosts will be ignored. If one or more IP addresses are specified,
|
|
the incoming traffic will be identified as belonging to this service
|
|
if the destination IP matches the IP/CIDRs specified in the addresses
|
|
field. If the Addresses field is empty, traffic will be identified
|
|
solely based on the destination port. In such scenarios, the port on
|
|
which the service is being accessed must not be shared by any other
|
|
service in the mesh. In other words, the sidecar will behave as a
|
|
simple TCP proxy, forwarding incoming traffic on a specified port to
|
|
the specified destination endpoint IP/host. Unix domain socket
|
|
addresses are not supported in this field.</p></td></tr><tr id=ServiceEntry-ports><td><code>ports</code></td><td><code><a href=#Port>Port[]</a></code></td><td><p>REQUIRED. The ports associated with the external service. If the
|
|
Endpoints are unix domain socket addresses, there must be exactly one
|
|
port.</p></td></tr><tr id=ServiceEntry-location><td><code>location</code></td><td><code><a href=#ServiceEntry-Location>ServiceEntry.Location</a></code></td><td><p>Specify whether the service should be considered external to the mesh
|
|
or part of the mesh.</p></td></tr><tr id=ServiceEntry-resolution><td><code>resolution</code></td><td><code><a href=#ServiceEntry-Resolution>ServiceEntry.Resolution</a></code></td><td><p>REQUIRED: Service discovery mode for the hosts. Care must be taken
|
|
when setting the resolution mode to NONE for a TCP port without
|
|
accompanying IP addresses. In such cases, traffic to any IP on
|
|
said port will be allowed (i.e. 0.0.0.0:<port>), so such an entry effectively opens that port to every destination IP.</p></td></tr><tr id=ServiceEntry-endpoints><td><code>endpoints</code></td><td><code><a href=#ServiceEntry-Endpoint>ServiceEntry.Endpoint[]</a></code></td><td><p>One or more endpoints associated with the service.</p></td></tr></tbody></table></section><h2 id=ServiceEntry-Endpoint>ServiceEntry.Endpoint</h2><section><p>Endpoint defines a network address (IP or hostname) associated with
|
|
the mesh service.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=ServiceEntry-Endpoint-address><td><code>address</code></td><td><code>string</code></td><td><p>REQUIRED: Address associated with the network endpoint without the
|
|
port. Domain names can be used if and only if the resolution is set
|
|
to DNS, and must be fully-qualified without wildcards. Use the form
|
|
unix:///absolute/path/to/socket for unix domain socket endpoints.</p></td></tr><tr id=ServiceEntry-Endpoint-ports><td><code>ports</code></td><td><code>map<string, uint32></code></td><td><p>Set of ports associated with the endpoint. The ports must be
|
|
associated with a port name that was declared as part of the
|
|
service. Do not use for unix:// addresses.</p></td></tr><tr id=ServiceEntry-Endpoint-labels><td><code>labels</code></td><td><code>map<string, string></code></td><td><p>One or more labels associated with the endpoint.</p></td></tr></tbody></table></section><h2 id=ServiceEntry-Location>ServiceEntry.Location</h2><section><p>Location specifies whether the service is part of Istio mesh or
|
|
outside the mesh. Location determines the behavior of several
|
|
features, such as service-to-service mTLS authentication, policy
|
|
enforcement, etc. When communicating with services outside the mesh,
|
|
Istio’s mTLS authentication is disabled, and policy enforcement is
|
|
performed on the client-side as opposed to server-side.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ServiceEntry-Location-MESH_EXTERNAL><td><code>MESH_EXTERNAL</code></td><td><p>Signifies that the service is external to the mesh. Typically used
|
|
to indicate external services consumed through APIs.</p></td></tr><tr id=ServiceEntry-Location-MESH_INTERNAL><td><code>MESH_INTERNAL</code></td><td><p>Signifies that the service is part of the mesh. Typically used to
|
|
indicate services added explicitly as part of expanding the service
|
|
mesh to include unmanaged infrastructure (e.g., VMs added to a
|
|
Kubernetes based service mesh).</p></td></tr></tbody></table></section><h2 id=ServiceEntry-Resolution>ServiceEntry.Resolution</h2><section><p>Resolution determines how the proxy will resolve the IP addresses of
|
|
the network endpoints associated with the service, so that it can
|
|
route to one of them. The resolution mode specified here has no impact
|
|
on how the application resolves the IP address associated with the
|
|
service. The application may still have to use DNS to resolve the
|
|
service to an IP so that the outbound traffic can be captured by the
|
|
Proxy. Alternatively, for HTTP services, the application could
|
|
directly communicate with the proxy (e.g., by setting HTTP_PROXY) to
|
|
talk to these services.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ServiceEntry-Resolution-NONE><td><code>NONE</code></td><td><p>Assume that incoming connections have already been resolved (to a
|
|
specific destination IP address). Such connections are typically
|
|
routed via the proxy using mechanisms such as iptables REDIRECT/
|
|
eBPF. After performing any routing related transformations, the
|
|
proxy will forward the connection to the IP address to which the
|
|
connection was bound.</p></td></tr><tr id=ServiceEntry-Resolution-STATIC><td><code>STATIC</code></td><td><p>Use the static IP addresses specified in endpoints (see below) as the
|
|
backing instances associated with the service.</p></td></tr><tr id=ServiceEntry-Resolution-DNS><td><code>DNS</code></td><td><p>Attempt to resolve the IP address by querying the ambient DNS
|
|
during request processing. If no endpoints are specified, the proxy
|
|
will resolve the DNS address specified in the hosts field, if
|
|
wildcards are not used. If endpoints are specified, the DNS
|
|
addresses specified in the endpoints will be resolved to determine
|
|
the destination IP address. DNS resolution cannot be used with unix
|
|
domain socket endpoints.</p></td></tr></tbody></table></section><h2 id=StringMatch>StringMatch</h2><section><p>Describes how to match a given string in HTTP headers. Match is
|
|
case-sensitive.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=StringMatch-exact class="oneof oneof-start"><td><code>exact</code></td><td><code>string (oneof)</code></td><td><p>exact string match</p></td></tr><tr id=StringMatch-prefix class=oneof><td><code>prefix</code></td><td><code>string (oneof)</code></td><td><p>prefix-based match</p></td></tr><tr id=StringMatch-regex class=oneof><td><code>regex</code></td><td><code>string (oneof)</code></td><td><p>ECMAScript style regex-based match</p></td></tr></tbody></table></section><h2 id=Subset>Subset</h2><section><p>A subset of endpoints of a service. Subsets can be used for scenarios
|
|
like A/B testing, or routing to a specific version of a service. Refer
|
|
to <a href=#VirtualService>VirtualService</a> documentation for examples of using
|
|
subsets in these scenarios. In addition, traffic policies defined at the
|
|
service-level can be overridden at a subset-level. The following rule
|
|
uses a round robin load balancing policy for all traffic going to a
|
|
subset named testversion that is composed of endpoints (e.g., pods) with
|
|
labels (version:v3).</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: bookinfo-ratings
|
|
spec:
|
|
host: ratings.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
loadBalancer:
|
|
simple: LEAST_CONN
|
|
subsets:
|
|
- name: testversion
|
|
labels:
|
|
version: v3
|
|
trafficPolicy:
|
|
loadBalancer:
|
|
simple: ROUND_ROBIN
|
|
</code></pre><p><strong>Note:</strong> Policies specified for subsets will not take effect until
|
|
a route rule explicitly sends traffic to this subset.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=Subset-name><td><code>name</code></td><td><code>string</code></td><td><p>REQUIRED. Name of the subset. The service name and the subset name can
|
|
be used for traffic splitting in a route rule.</p></td></tr><tr id=Subset-labels><td><code>labels</code></td><td><code>map<string, string></code></td><td><p>REQUIRED. Labels apply a filter over the endpoints of a service in the
|
|
service registry. See route rules for examples of usage.</p></td></tr><tr id=Subset-traffic_policy><td><code>trafficPolicy</code></td><td><code><a href=#TrafficPolicy>TrafficPolicy</a></code></td><td><p>Traffic policies that apply to this subset. Subsets inherit the
|
|
traffic policies specified at the DestinationRule level. Settings
|
|
specified at the subset level will override the corresponding settings
|
|
specified at the DestinationRule level.</p></td></tr></tbody></table></section><h2 id=TCPRoute>TCPRoute</h2><section><p>Describes match conditions and actions for routing TCP traffic. The
|
|
following routing rule forwards traffic arriving at port 27017 for
|
|
mongo.prod.svc.cluster.local to another Mongo server on port 5555.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: bookinfo-Mongo
|
|
spec:
|
|
hosts:
|
|
- mongo.prod.svc.cluster.local
|
|
tcp:
|
|
- match:
|
|
- port: 27017
|
|
route:
|
|
- destination:
|
|
host: mongo.backup.svc.cluster.local
|
|
port:
|
|
number: 5555
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=TCPRoute-match><td><code>match</code></td><td><code><a href=#L4MatchAttributes>L4MatchAttributes[]</a></code></td><td><p>Match conditions to be satisfied for the rule to be
|
|
activated. All conditions inside a single match block have AND
|
|
semantics, while the list of match blocks have OR semantics. The rule
|
|
is matched if any one of the match blocks succeeds.</p></td></tr><tr id=TCPRoute-route><td><code>route</code></td><td><code><a href=#DestinationWeight>DestinationWeight[]</a></code></td><td><p>The destination to which the connection should be forwarded.
|
|
Currently, only one destination is allowed for TCP services. When TCP
|
|
weighted routing support is introduced in Envoy, multiple destinations
|
|
with weights can be specified.</p></td></tr></tbody></table></section><h2 id=TLSMatchAttributes>TLSMatchAttributes</h2><section><p>TLS connection match attributes.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=TLSMatchAttributes-sni_hosts><td><code>sniHosts</code></td><td><code>string[]</code></td><td><p>REQUIRED. SNI (Server Name Indication) to match on. Wildcard prefixes
|
|
can be used in the SNI value. E.g., *.com will match foo.example.com
|
|
as well as example.com.</p></td></tr><tr id=TLSMatchAttributes-destination_subnets><td><code>destinationSubnets</code></td><td><code>string[]</code></td><td><p>IPv4 or IPv6 IP addresses of the destination with an optional subnet prefix. E.g.,
|
|
a.b.c.d/xx form or just a.b.c.d.</p></td></tr><tr id=TLSMatchAttributes-port><td><code>port</code></td><td><code>uint32</code></td><td><p>Specifies the port on the host that is being addressed. Many services
|
|
only expose a single port or label ports with the protocols they
|
|
support; in these cases it is not required to explicitly select the
|
|
port.</p></td></tr><tr id=TLSMatchAttributes-source_labels><td><code>sourceLabels</code></td><td><code>map<string, string></code></td><td><p>One or more labels that constrain the applicability of a rule to
|
|
workloads with the given labels. If the VirtualService has a list of
|
|
gateways specified at the top, it should include the reserved gateway
|
|
<code>mesh</code> in order for this field to be applicable.</p></td></tr><tr id=TLSMatchAttributes-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>Names of gateways where the rule should be applied to. Gateway names
|
|
at the top of the VirtualService (if any) are overridden. The gateway
|
|
match is independent of sourceLabels.</p></td></tr></tbody></table></section><h2 id=TLSRoute>TLSRoute</h2><section><p>Describes match conditions and actions for routing unterminated TLS
|
|
traffic (TLS/HTTPS). The following routing rule forwards unterminated TLS
|
|
traffic arriving at port 443 of gateway called “mygateway” to internal
|
|
services in the mesh based on the SNI value.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: bookinfo-sni
|
|
spec:
|
|
hosts:
|
|
- "*.bookinfo.com"
|
|
gateways:
|
|
- mygateway
|
|
tls:
|
|
- match:
|
|
- port: 443
|
|
sniHosts:
|
|
- login.bookinfo.com
|
|
route:
|
|
- destination:
|
|
host: login.prod.svc.cluster.local
|
|
- match:
|
|
- port: 443
|
|
sniHosts:
|
|
- reviews.bookinfo.com
|
|
route:
|
|
- destination:
|
|
host: reviews.prod.svc.cluster.local
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=TLSRoute-match><td><code>match</code></td><td><code><a href=#TLSMatchAttributes>TLSMatchAttributes[]</a></code></td><td><p>REQUIRED. Match conditions to be satisfied for the rule to be
|
|
activated. All conditions inside a single match block have AND
|
|
semantics, while the list of match blocks have OR semantics. The rule
|
|
is matched if any one of the match blocks succeeds.</p></td></tr><tr id=TLSRoute-route><td><code>route</code></td><td><code><a href=#DestinationWeight>DestinationWeight[]</a></code></td><td><p>The destination to which the connection should be forwarded.
|
|
Currently, only one destination is allowed for TLS services. When TCP
|
|
weighted routing support is introduced in Envoy, multiple destinations
|
|
with weights can be specified.</p></td></tr></tbody></table></section><h2 id=TLSSettings>TLSSettings</h2><section><p>SSL/TLS related settings for upstream connections. See Envoy’s <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v1/cluster_manager/cluster_ssl.html#config-cluster-manager-cluster-ssl>TLS
|
|
context</a>
|
|
for more details. These settings are common to both HTTP and TCP upstreams.</p><p>For example, the following rule configures a client to use mutual TLS
|
|
for connections to an upstream database cluster.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: db-mtls
|
|
spec:
|
|
host: mydbserver.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
tls:
|
|
mode: MUTUAL
|
|
clientCertificate: /etc/certs/myclientcert.pem
|
|
privateKey: /etc/certs/client_private_key.pem
|
|
caCertificates: /etc/certs/rootcacerts.pem
|
|
</code></pre><p>The following rule configures a client to use TLS when talking to a
|
|
foreign service whose domain matches *.foo.com.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: tls-foo
|
|
spec:
|
|
host: "*.foo.com"
|
|
trafficPolicy:
|
|
tls:
|
|
mode: SIMPLE
|
|
</code></pre><p>The following rule configures a client to use Istio mutual TLS when talking
|
|
to rating services.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: ratings-istio-mtls
|
|
spec:
|
|
host: ratings.prod.svc.cluster.local
|
|
trafficPolicy:
|
|
tls:
|
|
mode: ISTIO_MUTUAL
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=TLSSettings-mode><td><code>mode</code></td><td><code><a href=#TLSSettings-TLSmode>TLSSettings.TLSmode</a></code></td><td><p>REQUIRED: Indicates whether connections to this port should be secured
|
|
using TLS. The value of this field determines how TLS is enforced.</p></td></tr><tr id=TLSSettings-client_certificate><td><code>clientCertificate</code></td><td><code>string</code></td><td><p>REQUIRED if mode is <code>MUTUAL</code>. The path to the file holding the
|
|
client-side TLS certificate to use.
|
|
Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p></td></tr><tr id=TLSSettings-private_key><td><code>privateKey</code></td><td><code>string</code></td><td><p>REQUIRED if mode is <code>MUTUAL</code>. The path to the file holding the
|
|
client’s private key. Because the proxy, not the application, performs the
TLS handshake, this file must be readable by the proxy (presumably via a
mounted secret); keep its filesystem permissions restricted accordingly.
|
|
Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p></td></tr><tr id=TLSSettings-ca_certificates><td><code>caCertificates</code></td><td><code>string</code></td><td><p>OPTIONAL: The path to the file containing certificate authority
|
|
certificates to use in verifying a presented server certificate. If
omitted, the proxy will not verify the server’s certificate, which means
any server that completes the handshake is accepted. For <code>SIMPLE</code>
and <code>MUTUAL</code> mode in production, set this field, and consider also
setting <code>subjectAltNames</code> so the certificate is checked against the
expected identity rather than only against a trusted CA.
Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p></td></tr><tr id=TLSSettings-subject_alt_names><td><code>subjectAltNames</code></td><td><code>string[]</code></td><td><p>A list of alternate names to verify the subject identity in the
|
|
certificate. If specified, the proxy will verify that the server
|
|
certificate’s subject alt name matches one of the specified values.
|
|
Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p></td></tr><tr id=TLSSettings-sni><td><code>sni</code></td><td><code>string</code></td><td><p>SNI string to present to the server during TLS handshake.
|
|
Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p></td></tr></tbody></table></section><h2 id=TLSSettings-TLSmode>TLSSettings.TLSmode</h2><section><p>TLS connection mode</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=TLSSettings-TLSmode-DISABLE><td><code>DISABLE</code></td><td><p>Do not setup a TLS connection to the upstream endpoint.</p></td></tr><tr id=TLSSettings-TLSmode-SIMPLE><td><code>SIMPLE</code></td><td><p>Originate a TLS connection to the upstream endpoint.</p></td></tr><tr id=TLSSettings-TLSmode-MUTUAL><td><code>MUTUAL</code></td><td><p>Secure connections to the upstream using mutual TLS by presenting
|
|
client certificates for authentication.</p></td></tr><tr id=TLSSettings-TLSmode-ISTIO_MUTUAL><td><code>ISTIO_MUTUAL</code></td><td><p>Secure connections to the upstream using mutual TLS by presenting
|
|
client certificates for authentication.
|
|
Compared to Mutual mode, this mode uses certificates generated
|
|
automatically by Istio for mTLS authentication. When this mode is
|
|
used, all other fields in <code>TLSSettings</code> should be empty.</p></td></tr></tbody></table></section><h2 id=TrafficPolicy>TrafficPolicy</h2><section><p>Traffic policies to apply for a specific destination, across all
|
|
destination ports. See DestinationRule for examples.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=TrafficPolicy-load_balancer><td><code>loadBalancer</code></td><td><code><a href=#LoadBalancerSettings>LoadBalancerSettings</a></code></td><td><p>Settings controlling the load balancer algorithms.</p></td></tr><tr id=TrafficPolicy-connection_pool><td><code>connectionPool</code></td><td><code><a href=#ConnectionPoolSettings>ConnectionPoolSettings</a></code></td><td><p>Settings controlling the volume of connections to an upstream service</p></td></tr><tr id=TrafficPolicy-outlier_detection><td><code>outlierDetection</code></td><td><code><a href=#OutlierDetection>OutlierDetection</a></code></td><td><p>Settings controlling eviction of unhealthy hosts from the load balancing pool</p></td></tr><tr id=TrafficPolicy-tls><td><code>tls</code></td><td><code><a href=#TLSSettings>TLSSettings</a></code></td><td><p>TLS related settings for connections to the upstream service.</p></td></tr><tr id=TrafficPolicy-port_level_settings><td><code>portLevelSettings</code></td><td><code><a href=#TrafficPolicy-PortTrafficPolicy>TrafficPolicy.PortTrafficPolicy[]</a></code></td><td><p>Traffic policies specific to individual ports. Note that port level
|
|
settings will override the destination-level settings. Traffic
|
|
settings specified at the destination-level will not be inherited when
|
|
overridden by port-level settings, i.e. default values will be applied
to fields omitted in port-level traffic policies. In particular, a
port-level policy that omits <code>tls</code> does not inherit the
destination-level <code>tls</code> settings, so restate them at the port level
if TLS must apply to that port.</p></td></tr></tbody></table></section><h2 id=TrafficPolicy-PortTrafficPolicy>TrafficPolicy.PortTrafficPolicy</h2><section><p>Traffic policies that apply to specific ports of the service</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=TrafficPolicy-PortTrafficPolicy-port><td><code>port</code></td><td><code><a href=#PortSelector>PortSelector</a></code></td><td><p>Specifies the port name or number of a port on the destination service
|
|
on which this policy is being applied.</p><p>Names must comply with DNS label syntax (rfc1035) and therefore cannot
|
|
collide with numbers. If there are multiple ports on a service with
|
|
the same protocol the names should be of the form <protocol-name>-<dns label>.</p></td></tr><tr id=TrafficPolicy-PortTrafficPolicy-load_balancer><td><code>loadBalancer</code></td><td><code><a href=#LoadBalancerSettings>LoadBalancerSettings</a></code></td><td><p>Settings controlling the load balancer algorithms.</p></td></tr><tr id=TrafficPolicy-PortTrafficPolicy-connection_pool><td><code>connectionPool</code></td><td><code><a href=#ConnectionPoolSettings>ConnectionPoolSettings</a></code></td><td><p>Settings controlling the volume of connections to an upstream service</p></td></tr><tr id=TrafficPolicy-PortTrafficPolicy-outlier_detection><td><code>outlierDetection</code></td><td><code><a href=#OutlierDetection>OutlierDetection</a></code></td><td><p>Settings controlling eviction of unhealthy hosts from the load balancing pool</p></td></tr><tr id=TrafficPolicy-PortTrafficPolicy-tls><td><code>tls</code></td><td><code><a href=#TLSSettings>TLSSettings</a></code></td><td><p>TLS related settings for connections to the upstream service.</p></td></tr></tbody></table></section><h2 id=VirtualService>VirtualService</h2><section><p>A <code>VirtualService</code> defines a set of traffic routing rules to apply when a host is
|
|
addressed. Each routing rule defines matching criteria for traffic of a specific
|
|
protocol. If the traffic is matched, then it is sent to a named destination service
|
|
(or subset/version of it) defined in the registry.</p><p>The source of traffic can also be matched in a routing rule. This allows routing
|
|
to be customized for specific client contexts.</p><p>The following example on Kubernetes, routes all HTTP traffic by default to
|
|
pods of the reviews service with label “version: v1”. In addition,
|
|
HTTP requests containing /wpcatalog/, /consumercatalog/ url prefixes will
|
|
be rewritten to /newcatalog and sent to pods with label “version: v2”.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: reviews-route
|
|
spec:
|
|
hosts:
|
|
- reviews.prod.svc.cluster.local
|
|
http:
|
|
- match:
|
|
- uri:
|
|
prefix: "/wpcatalog"
|
|
- uri:
|
|
prefix: "/consumercatalog"
|
|
rewrite:
|
|
uri: "/newcatalog"
|
|
route:
|
|
- destination:
|
|
host: reviews.prod.svc.cluster.local
|
|
subset: v2
|
|
- route:
|
|
- destination:
|
|
host: reviews.prod.svc.cluster.local
|
|
subset: v1
|
|
</code></pre><p>A subset/version of a route destination is identified with a reference
|
|
to a named service subset which must be declared in a corresponding
|
|
<code>DestinationRule</code>.</p><pre><code class=language-yaml>apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: reviews-destination
|
|
spec:
|
|
host: reviews.prod.svc.cluster.local
|
|
subsets:
|
|
- name: v1
|
|
labels:
|
|
version: v1
|
|
- name: v2
|
|
labels:
|
|
version: v2
|
|
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th></tr></thead><tbody><tr id=VirtualService-hosts><td><code>hosts</code></td><td><code>string[]</code></td><td><p>REQUIRED. The destination hosts to which traffic is being sent. Could
|
|
be a DNS name with wildcard prefix or an IP address. Depending on the
|
|
platform, short-names can also be used instead of a FQDN (i.e. has no
|
|
dots in the name). In such a scenario, the FQDN of the host would be
|
|
derived based on the underlying platform.</p><p>A single VirtualService can be used to describe all the traffic
|
|
properties of the corresponding hosts, including those for multiple
|
|
HTTP and TCP ports. Alternatively, the traffic properties of a host
|
|
can be defined using more than one VirtualService, with certain
|
|
caveats. Refer to the
|
|
<a href=/v1.0/help/ops/traffic-management/deploy-guidelines/#multiple-virtual-services-and-destination-rules-for-the-same-host>Operations Guide</a>
|
|
for details.</p><p><em>Note for Kubernetes users</em>: When short names are used (e.g. “reviews”
|
|
instead of “reviews.default.svc.cluster.local”), Istio will interpret
|
|
the short name based on the namespace of the rule, not the service. A
|
|
rule in the “default” namespace containing a host “reviews” will be
|
|
interpreted as “reviews.default.svc.cluster.local”, irrespective of
|
|
the actual namespace associated with the reviews service. <em>To avoid
|
|
potential misconfigurations, it is recommended to always use fully
|
|
qualified domain names over short names.</em></p><p>The hosts field applies to both HTTP and TCP services. Service inside
|
|
the mesh, i.e., those found in the service registry, must always be
|
|
referred to using their alphanumeric names. IP addresses are allowed
|
|
only for services defined via the Gateway.</p></td></tr><tr id=VirtualService-gateways><td><code>gateways</code></td><td><code>string[]</code></td><td><p>The names of gateways and sidecars that should apply these routes. A
|
|
single VirtualService is used for sidecars inside the mesh as well as
|
|
for one or more gateways. The selection condition imposed by this
|
|
field can be overridden using the source field in the match conditions
|
|
of protocol-specific routes. The reserved word <code>mesh</code> is used to imply
|
|
all the sidecars in the mesh. When this field is omitted, the default
|
|
gateway (<code>mesh</code>) will be used, which would apply the rule to all
|
|
sidecars in the mesh. If a list of gateway names is provided, the
|
|
rules will apply only to the gateways. To apply the rules to both
|
|
gateways and sidecars, specify <code>mesh</code> as one of the gateway names.</p></td></tr><tr id=VirtualService-http><td><code>http</code></td><td><code><a href=#HTTPRoute>HTTPRoute[]</a></code></td><td><p>An ordered list of route rules for HTTP traffic. HTTP routes will be
|
|
applied to platform service ports named ‘http-*’/‘http2-*’/‘grpc-*’, gateway
|
|
ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
|
|
entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching
|
|
an incoming request is used.</p></td></tr><tr id=VirtualService-tls><td><code>tls</code></td><td><code><a href=#TLSRoute>TLSRoute[]</a></code></td><td><p>An ordered list of route rule for non-terminated TLS & HTTPS
|
|
traffic. Routing is typically performed using the SNI value presented
by the ClientHello message. Note that the proxy does not terminate these
connections, so the SNI is a client-supplied routing key that the proxy
cannot verify against the server’s certificate. TLS routes will be applied to platform
|
|
service ports named ‘https-*’, ‘tls-*’, unterminated gateway ports using
|
|
HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service
|
|
entry ports using HTTPS/TLS protocols. The first rule matching an
|
|
incoming request is used. NOTE: Traffic on ‘https-*’ or ‘tls-*’ ports
|
|
without associated virtual service will be treated as opaque TCP
|
|
traffic.</p></td></tr><tr id=VirtualService-tcp><td><code>tcp</code></td><td><code><a href=#TCPRoute>TCPRoute[]</a></code></td><td><p>An ordered list of route rules for opaque TCP traffic. TCP routes will
|
|
be applied to any port that is not a HTTP or TLS port. The first rule
|
|
matching an incoming request is used.</p></td></tr></tbody></table></section></main><div class="container-fluid d-print-none"><br><div class=row><div class="col-6 pagenav"><p><a title="Authentication policy for Istio services." href=/v1.0/docs/reference/config/istio.authentication.v1alpha1/><i class="fa fa-long-arrow-alt-left"></i>Authentication Policy</a></p></div><div class="col-6 pagenav" style=text-align:right></div></div></div><div class="d-none d-print-block" aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class="col-12 col-md-2 d-none d-xl-block d-print-none"><nav class=toc><div class=spacer></div><div id=toc class=directory role=directory><nav id=TableOfContents><ul><li><a href=#ConnectionPoolSettings>ConnectionPoolSettings</a></li><li><a href=#ConnectionPoolSettings-HTTPSettings>ConnectionPoolSettings.HTTPSettings</a></li><li><a href=#ConnectionPoolSettings-TCPSettings>ConnectionPoolSettings.TCPSettings</a></li><li><a href=#CorsPolicy>CorsPolicy</a></li><li><a href=#Destination>Destination</a></li><li><a href=#DestinationRule>DestinationRule</a></li><li><a href=#DestinationWeight>DestinationWeight</a></li><li><a href=#EnvoyFilter>EnvoyFilter</a></li><li><a href=#EnvoyFilter-Filter>EnvoyFilter.Filter</a></li><li><a href=#EnvoyFilter-Filter-FilterType>EnvoyFilter.Filter.FilterType</a></li><li><a href=#EnvoyFilter-InsertPosition>EnvoyFilter.InsertPosition</a></li><li><a href=#EnvoyFilter-InsertPosition-Index>EnvoyFilter.InsertPosition.Index</a></li><li><a href=#EnvoyFilter-ListenerMatch>EnvoyFilter.ListenerMatch</a></li><li><a href=#EnvoyFilter-ListenerMatch-ListenerProtocol>EnvoyFilter.ListenerMatch.ListenerProtocol</a></li><li><a href=#EnvoyFilter-ListenerMatch-ListenerType>EnvoyFilter.ListenerMatch.ListenerType</a></li><li><a href=#Gateway>Gateway</a></li><li><a href=#HTTPFaultInjection>HTTPFaultInjection</a></li><li><a href=#HTTPFaultInjection-Abort>HTTPFaultInjection.Abort</a></li><li><a 