istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.5/docs/reference/config/istio.mesh.v1alpha1/index.html

244 lines
110 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Global Mesh Options"><meta name=description content="Configuration affecting the service mesh as a whole."><meta name=keywords content="microservices,services,mesh"><meta property="og:title" content="Global Mesh Options"><meta property="og:type" content="website"><meta property="og:description" content="Configuration affecting the service mesh as a whole."><meta property="og:url" content="/v1.5/docs/reference/config/istio.mesh.v1alpha1/"><meta property="og:image" content="/v1.5/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.5 / Global Mesh Options</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.5/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.5/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.5/feed.xml><link rel="shortcut icon" href=/v1.5/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.5/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.5/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.5/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.5/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.5/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.5/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.5/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.5/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.5/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.5/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.5/css/all.css><script src=/v1.5/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.5";const docTitle="Global Mesh Options";const iconFile="\/v1.5/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.5/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.5/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.5</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#hamburger"/></svg></div><div id=header-links><a class=current title="Learn how to deploy, use, and operate Istio." href=/v1.5/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.5/blog/2020/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.5/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.5/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.5/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/reference\/config\/istio.mesh.v1alpha1\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/reference\/config\/istio.mesh.v1alpha1\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.5/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card24 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card24-body><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card24 role=region id=card24-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card24><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture, and its design goals." href=/v1.5/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.5/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.5/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.5/docs/concepts/observability/>Observability</a></li><li role=none><a role=treeitem title="Describes Istio's WebAssembly Plugin system." href=/v1.5/docs/concepts/wasm/>Extensibility</a></li></ul></div></div><div class=card><button class="header dynamic" id=card47 title="Instructions for installing the Istio control plane on Kubernetes." aria-controls=card47-body><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card47 role=region id=card47-body><ul role=tree aria-expanded=true aria-labelledby=card47><li role=none><a role=treeitem title="Try Istios features quickly and easily." href=/v1.5/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.5/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.5/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.5/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.5/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.5/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.5/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup kind for Istio." href=/v1.5/docs/setup/platform-setup/kind/>kind</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.5/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup a KubeSphere Container Platform for Istio." href=/v1.5/docs/setup/platform-setup/kubesphere/>KubeSphere Container Platform</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.5/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.5/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.5/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.5/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.5/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." href=/v1.5/docs/setup/install/istioctl/>Customizable Install with Istioctl</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation or production use." href=/v1.5/docs/setup/install/helm/>Customizable Install with Helm</a></li><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster using the Istio operator." href=/v1.5/docs/setup/install/standalone-operator/>Standalone Operator Install</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.5/docs/setup/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with replicated control plane instances." href=/v1.5/docs/setup/install/multicluster/gateways/>Replicated control planes</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane." href=/v1.5/docs/setup/install/multicluster/shared/>Shared control plane (single and multiple networks)</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Choose the upgrade guide that corresponds to the approach you previously used to install Istio." href=/v1.5/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade or downgrade Istio using the istioctl upgrade command." href=/v1.5/docs/setup/upgrade/istioctl-upgrade/>Upgrade Istio using istioctl</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane, and optionally, the CNI plug-in using Helm." href=/v1.5/docs/setup/upgrade/cni-helm-upgrade/>Upgrade using Helm</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.5/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.5/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.5/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.5/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card77 title="How to do single specific targeted activities with the Istio system." aria-controls=card77-body><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card77 role=region id=card77-body><ul role=tree aria-expanded=true aria-labelledby=card77><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.5/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.5/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.5/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.5/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.5/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.5/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.5/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.5/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.5/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.5/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates." href=/v1.5/docs/tasks/traffic-management/ingress/secure-ingress-mount/>Secure Gateways (File Mount)</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using the secret discovery service (SDS)." href=/v1.5/docs/tasks/traffic-management/ingress/secure-ingress-sds/>Secure Gateways (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.5/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.5/docs/tasks/traffic-management/ingress/ingress-certmgr/>Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.5/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.5/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.5/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.5/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.5/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.5/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.5/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>Monitoring and Policies for TLS Egress with Mixer (Deprecated)</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.5/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li><li role=none><a role=treeitem title="Shows how to configure Istio for Kubernetes External Services." href=/v1.5/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Services for Egress Traffic</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.5/docs/tasks/security/>Security</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Authentication><button aria-hidden=true></button><a title="Controlling mutual TLS and end-user authentication for mesh services." href=/v1.5/docs/tasks/security/authentication/>Authentication</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.5/docs/tasks/security/authentication/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.5/docs/tasks/security/authentication/mtls-migration/>Mutual TLS Migration</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Shows how to control access to Istio services." href=/v1.5/docs/tasks/security/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how to set up access control for HTTP traffic." href=/v1.5/docs/tasks/security/authorization/authz-http/>Authorization for HTTP traffic</a></li><li role=none><a role=treeitem title="How to set up access control for TCP traffic." href=/v1.5/docs/tasks/security/authorization/authz-tcp/>Authorization for TCP traffic</a></li><li role=none><a role=treeitem title="How to set up access control with JWT in Istio." href=/v1.5/docs/tasks/security/authorization/authz-jwt/>Authorization with JWT</a></li><li role=none><a role=treeitem title="Shows how to set up access control to deny traffic explicitly." href=/v1.5/docs/tasks/security/authorization/authz-deny/>Authorization policies with a deny action</a></li><li role=none><a role=treeitem title="How to set up access control on an ingress gateway." href=/v1.5/docs/tasks/security/authorization/authz-ingress/>Authorization on Ingress Gateway</a></li><li role=none><a role=treeitem title="Shows how to migrate from one trust domain to another without changing authorization policy." href=/v1.5/docs/tasks/security/authorization/authz-td-migration/>Authorization Policy Trust Domain Migration</a></li></ul></li><li role=none><a role=treeitem title="Shows how system administrators can configure Istio's CA with an existing root certificate, signing certificate and key." href=/v1.5/docs/tasks/security/plugin-ca-cert/>Plugging in existing CA Certificates</a></li><li role=none><a role=treeitem title="Shows how to provision and manage DNS certificates in Istio." href=/v1.5/docs/tasks/security/dns-cert/>Istio DNS Certificate Management</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.5/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.5/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement (Deprecated)</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.5/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits (Deprecated)</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.5/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing (Deprecated)</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.5/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing (Deprecated)</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.5/docs/tasks/observability/>Observability</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the collection and querying of metrics within Istio." href=/v1.5/docs/tasks/observability/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.5/docs/tasks/observability/metrics/tcp-metrics/>Collecting Metrics for TCP Services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.5/docs/tasks/observability/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.5/docs/tasks/observability/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the collection of logs within Istio." href=/v1.5/docs/tasks/observability/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access logs to their standard output." href=/v1.5/docs/tasks/observability/logs/access-log/>Getting Envoy's Access Logs</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.5/docs/tasks/observability/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.5/docs/tasks/observability/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.5/docs/tasks/observability/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.5/docs/tasks/observability/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.5/docs/tasks/observability/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.5/docs/tasks/observability/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.5/docs/tasks/observability/gateways/>Remotely Accessing Telemetry Addons</a></li><li role=treeitem aria-label="Using Mixer for Telemetry (deprecated)"><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh using Mixer." href=/v1.5/docs/tasks/observability/mixer/>Using Mixer for Telemetry (deprecated)</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics using Mixer." href=/v1.5/docs/tasks/observability/mixer/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio's Mixer to collect and customize metrics." href=/v1.5/docs/tasks/observability/mixer/metrics/collecting-metrics/>Collecting Metrics With Mixer</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio's Mixer to collect metrics for TCP services." href=/v1.5/docs/tasks/observability/mixer/metrics/tcp-metrics/>Collecting Metrics for TCP services with Mixer</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.5/docs/tasks/observability/mixer/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio's Mixer to collect and customize logs." href=/v1.5/docs/tasks/observability/mixer/logs/collecting-logs/>Collecting Logs with Mixer</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio's Mixer to log to a Fluentd daemon." href=/v1.5/docs/tasks/observability/mixer/logs/fluentd/>Logging with Mixer and Fluentd</a></li></ul></li></ul></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card92 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card92-body><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card92 role=region id=card92-body><ul role=tree aria-expanded=true aria-labelledby=card92><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.5/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=treeitem aria-label="Virtual Machines"><button aria-hidden=true></button><a title="Examples that add workloads running on virtual machines to an Istio mesh." href=/v1.5/docs/examples/virtual-machines/>Virtual Machines</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your single network Istio mesh." href=/v1.5/docs/examples/virtual-machines/single-network/>Virtual Machines in Single-Network Meshes</a></li><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your multi-network Istio mesh." href=/v1.5/docs/examples/virtual-machines/multi-network/>Virtual Machines in Multi-Network Meshes</a></li><li role=none><a role=treeitem title="Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh." href=/v1.5/docs/examples/virtual-machines/bookinfo/>Bookinfo with a Virtual Machine</a></li></ul></li><li role=treeitem aria-label="Learn Microservices using Kubernetes and Istio"><button aria-hidden=true></button><a title="This modular tutorial provides new users with hands-on experience using Istio for common microservices scenarios, one step at a time." href=/v1.5/docs/examples/microservices-istio/>Learn Microservices using Kubernetes and Istio</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/prereq/>Prerequisites</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/setup-kubernetes-cluster/>Setup a Kubernetes Cluster</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/setup-local-computer/>Setup a Local Computer</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/single/>Run a Microservice Locally</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/package-service/>Run ratings in Docker</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/bookinfo-kubernetes/>Run Bookinfo with Kubernetes</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/production-testing/>Test in production</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/add-new-microservice-version/>Add a new version of reviews</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/add-istio/>Enable Istio on productpage</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/enable-istio-all-microservices/>Enable Istio on all the microservices</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/istio-ingress-gateway/>Configure Istio Ingress Gateway</a></li><li role=none><a role=treeitem href=/v1.5/docs/examples/microservices-istio/logs-istio/>Monitoring with Istio</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card113 title="Concepts, tools, and techniques to deploy and manage an Istio mesh." aria-controls=card113-body><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card113 role=region id=card113-body><ul role=tree aria-expanded=true aria-labelledby=card113><li role=treeitem aria-label=Deployment><button aria-hidden=true></button><a title="Requirements, concepts, and considerations for setting up an Istio deployment." href=/v1.5/docs/ops/deployment/>Deployment</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes Istio's high-level architecture and design goals." href=/v1.5/docs/ops/deployment/architecture/>Architecture</a></li><li role=none><a role=treeitem title="Describes the options and considerations when configuring your Istio deployment." href=/v1.5/docs/ops/deployment/deployment-models/>Deployment Models</a></li><li role=none><a role=treeitem title="Istio performance and scalability summary." href=/v1.5/docs/ops/deployment/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.5/docs/ops/deployment/requirements/>Pods and Services</a></li></ul></li><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Advanced concepts and features for configuring a running Istio mesh." href=/v1.5/docs/ops/configuration/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Mesh Configuration"><button aria-hidden=true></button><a title="Helps you manage the global mesh configuration." href=/v1.5/docs/ops/configuration/mesh/>Mesh Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.5/docs/ops/configuration/mesh/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.5/docs/ops/configuration/mesh/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Describes how Citadel determines whether to create service account secrets." href=/v1.5/docs/ops/configuration/mesh/secret-creation/>Service Account Secret Creation</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.5/docs/ops/configuration/mesh/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.5/docs/ops/configuration/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.5/docs/ops/configuration/traffic-management/protocol-selection/>Protocol Selection</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.5/docs/ops/configuration/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.5/docs/ops/configuration/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.5/docs/ops/configuration/security/harden-docker-images/>Harden Docker Container Images</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.5/docs/ops/configuration/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.5/docs/ops/configuration/telemetry/>Observability</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.5/docs/ops/configuration/telemetry/envoy-stats/>Envoy Statistics</a></li></ul></li></ul></li><li role=treeitem aria-label="Best Practices"><button aria-hidden=true></button><a title="Best practices for setting up and managing an Istio service mesh." href=/v1.5/docs/ops/best-practices/>Best Practices</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General best practices when setting up an Istio service mesh." href=/v1.5/docs/ops/best-practices/deployment/>Deployment Best Practices</a></li><li role=none><a role=treeitem title="Configuration best practices to avoid networking or traffic management issues." href=/v1.5/docs/ops/best-practices/traffic-management/>Traffic Management Best Practices</a></li><li role=none><a role=treeitem title="Best practices for securing applications using Istio." href=/v1.5/docs/ops/best-practices/security/>Security Best Practices</a></li><li role=none><a role=treeitem title="Best practices for observing applications using Istio." href=/v1.5/docs/ops/best-practices/observability/>Observability Best Practices</a></li></ul></li><li role=treeitem aria-label="Common Problems"><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.5/docs/ops/common-problems/>Common Problems</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Techniques to address common Istio traffic management and network problems." href=/v1.5/docs/ops/common-problems/network-issues/>Traffic Management Problems</a></li><li role=none><a role=treeitem title="Techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.5/docs/ops/common-problems/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Dealing with telemetry collection issues." href=/v1.5/docs/ops/common-problems/observability-issues/>Observability Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.5/docs/ops/common-problems/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="Describes how to resolve configuration validation problems." href=/v1.5/docs/ops/common-problems/validation/>Configuration Validation Problems</a></li></ul></li><li role=treeitem aria-label="Diagnostic Tools"><button aria-hidden=true></button><a title="Tools and techniques to help troubleshoot an Istio mesh." href=/v1.5/docs/ops/diagnostic-tools/>Diagnostic Tools</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.5/docs/ops/diagnostic-tools/istioctl/>Using the Istioctl Command-line Tool</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.5/docs/ops/diagnostic-tools/proxy-cmd/>Debugging Envoy and Istiod</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.5/docs/ops/diagnostic-tools/istioctl-describe/>Understand your Mesh with Istioctl Describe</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl analyze to identify potential issues with your configuration." href=/v1.5/docs/ops/diagnostic-tools/istioctl-analyze/>Diagnose your Configuration with Istioctl Analyze</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.5/docs/ops/diagnostic-tools/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.5/docs/ops/diagnostic-tools/component-logging/>Component Logging</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card161 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card161-body><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#reference"/></svg>Reference</button><div class="body default" aria-labelledby=card161 role=region id=card161-body><ul role=tree aria-expanded=true aria-labelledby=card161><li role=treeitem aria-label=Configuration><button class=show aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.5/docs/reference/config/>Configuration</a><ul role=group aria-expanded=true><li role=none><a role=treeitem title="Describes the options available when installing Istio using Helm charts." href=/v1.5/docs/reference/config/installation-options/>Installation Options (Helm)</a></li><li role=none><span role=treeitem class=current title="Configuration affecting the service mesh as a whole.">Global Mesh Options</span></li><li role=none><a role=treeitem title="Configuration affecting Istio control plane installation version and shape." href=/v1.5/docs/reference/config/istio.operator.v1alpha1/>IstioOperator Options</a></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.5/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.5/docs/reference/config/networking/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.5/docs/reference/config/networking/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.5/docs/reference/config/networking/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.5/docs/reference/config/networking/virtual-service/>Virtual Service</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.5/docs/reference/config/networking/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.5/docs/reference/config/networking/service-entry/>Service Entry</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Describes how to configure Istio's security features." href=/v1.5/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration to validate JWT." href=/v1.5/docs/reference/config/security/jwt/>JWTRule</a></li><li role=none><a role=treeitem title="Request authentication configuration for workloads." href=/v1.5/docs/reference/config/security/request_authentication/>RequestAuthentication</a></li><li role=none><a role=treeitem title="Peer authentication configuration for workloads." href=/v1.5/docs/reference/config/security/peer_authentication/>PeerAuthentication</a></li><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.5/docs/reference/config/security/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." href=/v1.5/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title="Describes the supported conditions in authorization policies." href=/v1.5/docs/reference/config/security/conditions/>Authorization Policy Conditions</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.5/docs/reference/config/security/istio.rbac.v1alpha1/>RBAC (deprecated)</a></li><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.5/docs/reference/config/security/constraints-and-properties/>RBAC Constraints and Properties (deprecated)</a></li></ul></li><li role=treeitem aria-label="Telemetry V2"><button aria-hidden=true></button><a title="Describes how to configure Istio telemetry V2." href=/v1.5/docs/reference/config/telemetry/>Telemetry V2</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio standard metrics exported by Istio telemetry." href=/v1.5/docs/reference/config/telemetry/metrics/>Istio Standard Metrics</a></li><li role=none><a role=treeitem title="How to configure v2 metrics (experimental)." href=/v1.5/docs/reference/config/telemetry/configurable_metrics/>Configurable Metrics (Experimental)</a></li><li role=none><a role=treeitem title="How to enable Telemetry V2 with Wasm runtime (experimental)." href=/v1.5/docs/reference/config/telemetry/telemetry_v2_with_wasm/>Telemetry V2 with Wasm runtime (Experimental)</a></li></ul></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.5/docs/reference/config/annotations/>Resource Annotations</a></li><li role=treeitem aria-label="Configuration Analysis Messages"><button aria-hidden=true></button><a title="Documents the individual error and warning messages produced during configurarion analysis." href=/v1.5/docs/reference/config/analysis/>Configuration Analysis Messages</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0104/>GatewayPortNotOnWorkload</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0105/>IstioProxyImageMismatch</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0119/>JwtFailureDueToInvalidServicePortPrefix</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0113/>MTLSPolicyConflict</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0118/>PortNameIsNotUnderNamingConvention</a></li><li role=none><a role=treeitem href=/v1.5/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li></ul></li><li role=treeitem aria-label="Mixer Policies and Telemetry (Deprecated)"><button aria-hidden=true></button><a title="Describes how to configure Mixer's policy and telemetry features." href=/v1.5/docs/reference/config/policy-and-telemetry/>Mixer Policies and Telemetry (Deprecated)</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.5/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.5/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li><li role=none><a role=treeitem title="Describes the configuration model for Istio's policy enforcement and telemetry mechanisms." href=/v1.5/docs/reference/config/policy-and-telemetry/mixer-overview/>Mixer Configuration Model (Deprecated)</a></li><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.5/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary (Deprecated)</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.5/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label="Mixer Adapters (Deprecated)"><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/>Mixer Adapters (Deprecated)</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter to enforce authentication and authorization policies for web apps and APIs." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/app-identity-access-adapter/>App Identity and Access</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="An Istio Mixer adapter to send telemetry data to New Relic." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/newrelic/>New Relic</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Layer5." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/layer5/>Layer5</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.5/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.5/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.5/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li></ul></li></ul></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.5/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.5/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.5/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.5/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.5/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.5/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.5/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.5/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.5/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.5/docs/reference/commands/node_agent/>node_agent</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.5/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.5/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.5/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.5/docs/reference/ title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters.">Reference</a></li><li><a href=/v1.5/docs/reference/config/ title="Detailed information on configuration options.">Configuration</a></li><li>Global Mesh Options</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Global Mesh Options</h1><p class=byline><span title="3676 words"><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#clock"/></svg><span>&nbsp;</span>18 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=AuthenticationPolicy><a href=#AuthenticationPolicy>AuthenticationPolicy</a><li role=none aria-label=Certificate><a href=#Certificate>Certificate</a><li role=none aria-label=ConfigSource><a href=#ConfigSource>ConfigSource</a><li role=none aria-label=MeshConfig><a href=#MeshConfig>MeshConfig</a><li role=none aria-label=MeshConfig.AccessLogEncoding><a href=#MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</a><li role=none aria-label=MeshConfig.H2UpgradePolicy><a href=#MeshConfig-H2UpgradePolicy>MeshConfig.H2UpgradePolicy</a><li role=none aria-label=MeshConfig.IngressControllerMode><a href=#MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy><a href=#MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy.Mode><a href=#MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</a><li role=none aria-label=MeshConfig.ThriftConfig><a href=#MeshConfig-ThriftConfig>MeshConfig.ThriftConfig</a><li role=none aria-label=MeshNetworks><a href=#MeshNetworks>MeshNetworks</a><li role=none aria-label=Network><a href=#Network>Network</a><li role=none aria-label=Network.IstioNetworkGateway><a href=#Network-IstioNetworkGateway>Network.IstioNetworkGateway</a><li role=none aria-label=Network.NetworkEndpoints><a href=#Network-NetworkEndpoints>Network.NetworkEndpoints</a><li role=none aria-label=ProxyConfig><a href=#ProxyConfig>ProxyConfig</a><li role=none aria-label=ProxyConfig.InboundInterceptionMode><a href=#ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</a><li role=none aria-label=RemoteService><a href=#RemoteService>RemoteService</a><li role=none aria-label=Resource><a href=#Resource>Resource</a><li role=none aria-label=SDS><a href=#SDS>SDS</a><li role=none aria-label=Tracing><a href=#Tracing>Tracing</a><li role=none aria-label=Tracing.Datadog><a href=#Tracing-Datadog>Tracing.Datadog</a><li role=none aria-label=Tracing.Lightstep><a href=#Tracing-Lightstep>Tracing.Lightstep</a><li role=none aria-label=Tracing.Stackdriver><a href=#Tracing-Stackdriver>Tracing.Stackdriver</a><li role=none aria-label=Tracing.Zipkin><a href=#Tracing-Zipkin>Tracing.Zipkin</a></ol><hr></div></nav><p>Configuration affecting the service mesh as a whole.</p><h2 id=AuthenticationPolicy>AuthenticationPolicy</h2><section><p>AuthenticationPolicy defines authentication policy. It can be set for
different scopes (mesh, service …), and the most narrow scope with
non-INHERIT value will be used.
Mesh policy cannot be INHERIT.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=AuthenticationPolicy-NONE><td><code>NONE</code></td><td><p>Do not encrypt Envoy to Envoy traffic.</p></td></tr><tr id=AuthenticationPolicy-MUTUAL_TLS><td><code>MUTUAL_TLS</code></td><td><p>Envoy to Envoy traffic is wrapped into mutual TLS connections.</p></td></tr><tr id=AuthenticationPolicy-INHERIT><td><code>INHERIT</code></td><td><p>Use the policy defined by the parent scope. Should not be used for mesh
policy.</p></td></tr></tbody></table></section><h2 id=Certificate>Certificate</h2><section><p>Certificate configures the provision of a certificate and its key.
Example 1: key and cert stored in a secret
{ secretName: galley-cert
secretNamespace: istio-system
dnsNames:
- galley.istio-system.svc
- galley.mydomain.com
}
Example 2: key and cert stored in a directory
{ dnsNames:
- pilot.istio-system
- pilot.istio-system.svc
- pilot.mydomain.com
}</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Certificate-secret_name><td><code>secretName</code></td><td><code>string</code></td><td><p>Name of the secret the certificate and its key will be stored into.
If it is empty, it will not be stored into a secret.
Instead, the certificate and its key will be stored into a hard-coded directory.</p></td><td>No</td></tr><tr id=Certificate-dns_names><td><code>dnsNames</code></td><td><code>string[]</code></td><td><p>The DNS names for the certificate. A certificate may contain
multiple DNS names.</p></td><td>No</td></tr></tbody></table></section><h2 id=ConfigSource>ConfigSource</h2><section><p>ConfigSource describes information about a configuration store inside a
mesh. A single control plane instance can interact with one or more data
sources.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ConfigSource-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the server implementing the Istio Mesh Configuration
protocol (MCP). Can be IP address or a fully qualified DNS name.
Use fs:/// to specify a file-based backend with absolute path to the directory.</p></td><td>No</td></tr><tr id=ConfigSource-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.5/docs/reference/config/networking/destination-rule.html#TLSSettings>TLSSettings</a></code></td><td><p>Use the tls<em>settings to specify the tls mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as ISTIO</em>MUTUAL.</p></td><td>No</td></tr><tr id=ConfigSource-subscribed_resources><td><code>subscribedResources</code></td><td><code><a href=#Resource>Resource[]</a></code></td><td><p>Describes the source of configuration, if nothing is specified default is MCP</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig>MeshConfig</h2><section><p>MeshConfig defines mesh-wide variables shared by all Envoy instances in the
Istio service mesh.</p><p>NOTE: This configuration type should be used for the low-level global
configuration, such as component addresses and port numbers. It should not
be used for the features of the mesh that can be scoped by service or by
namespace. Some of the fields in the mesh config are going to be deprecated
and replaced with several individual configuration types (for example,
tracing configuration).</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-mixer_check_server><td><code>mixerCheckServer</code></td><td><code>string</code></td><td><p>Address of the server that will be used by the proxies for policy
check calls. By using different names for mixerCheckServer and
mixerReportServer, it is possible to have one set of Mixer servers handle
policy check calls while another set of Mixer servers handle telemetry
calls.</p><p>NOTE: Omitting mixerCheckServer while specifying mixerReportServer is
equivalent to setting disablePolicyChecks to true.</p></td><td>No</td></tr><tr id=MeshConfig-mixer_report_server><td><code>mixerReportServer</code></td><td><code>string</code></td><td><p>Address of the server that will be used by the proxies for policy report
calls.</p></td><td>No</td></tr><tr id=MeshConfig-disable_policy_checks><td><code>disablePolicyChecks</code></td><td><code>bool</code></td><td><p>Disable policy checks by the Mixer service. Default
is false, i.e. Mixer policy check is enabled by default.</p></td><td>No</td></tr><tr id=MeshConfig-policy_check_fail_open><td><code>policyCheckFailOpen</code></td><td><code>bool</code></td><td><p>Allow all traffic in cases when the Mixer policy service cannot be reached.
Default is false which means the traffic is denied when the client is unable
to connect to Mixer.</p></td><td>No</td></tr><tr id=MeshConfig-sidecar_to_telemetry_session_affinity><td><code>sidecarToTelemetrySessionAffinity</code></td><td><code>bool</code></td><td><p>Enable session affinity for Envoy Mixer reports so that calls from a proxy will
always target the same Mixer instance.</p></td><td>No</td></tr><tr id=MeshConfig-proxy_listen_port><td><code>proxyListenPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for incoming connections from
other services.</p></td><td>No</td></tr><tr id=MeshConfig-proxy_http_port><td><code>proxyHttpPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for HTTP PROXY requests if set.</p></td><td>No</td></tr><tr id=MeshConfig-connect_timeout><td><code>connectTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Connection timeout used by Envoy. (MUST BE >=1ms)</p></td><td>No</td></tr><tr id=MeshConfig-protocol_detection_timeout><td><code>protocolDetectionTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Automatic protocol detection uses a set of heuristics to
determine whether the connection is using TLS or not (on the
server side), as well as the application protocol being used
(e.g., http vs tcp). These heuristics rely on the client sending
the first bits of data. For server first protocols like MySQL,
MongoDB, etc., Envoy will timeout on the protocol detection after
the specified period, defaulting to non mTLS plain TCP
traffic. Set this field to tweak the period that Envoy will wait
for the client to send the first bits of data. (MUST BE >=1ms or
0s to disable)</p></td><td>No</td></tr><tr id=MeshConfig-tcp_keepalive><td><code>tcpKeepalive</code></td><td><code><a href=/v1.5/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></code></td><td><p>If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_class><td><code>ingressClass</code></td><td><code>string</code></td><td><p>Class of ingress resources to be processed by Istio ingress
controller. This corresponds to the value of
&ldquo;kubernetes.io/ingress.class&rdquo; annotation.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_service><td><code>ingressService</code></td><td><code>string</code></td><td><p>Name of theKubernetes service used for the istio ingress controller.</p></td><td>No</td></tr><tr id=MeshConfig-ingress_controller_mode><td><code>ingressControllerMode</code></td><td><code><a href=#MeshConfig-IngressControllerMode>IngressControllerMode</a></code></td><td><p>Defines whether to use Istio ingress controller for annotated or all ingress resources.</p></td><td>No</td></tr><tr id=MeshConfig-enable_tracing><td><code>enableTracing</code></td><td><code>bool</code></td><td><p>Flag to control generation of trace spans and request IDs.
Requires a trace span collector defined in the proxy configuration.</p></td><td>No</td></tr><tr id=MeshConfig-access_log_file><td><code>accessLogFile</code></td><td><code>string</code></td><td><p>File address for the proxy access log (e.g. /dev/stdout).
Empty value disables access logging.</p></td><td>No</td></tr><tr id=MeshConfig-access_log_format><td><code>accessLogFormat</code></td><td><code>string</code></td><td><p>Format for the proxy access log
Empty value results in proxy&rsquo;s default access log format</p></td><td>No</td></tr><tr id=MeshConfig-access_log_encoding><td><code>accessLogEncoding</code></td><td><code><a href=#MeshConfig-AccessLogEncoding>AccessLogEncoding</a></code></td><td><p>Encoding for the proxy access log (text or json).
Default value is text.</p></td><td>No</td></tr><tr id=MeshConfig-enable_envoy_access_log_service><td><code>enableEnvoyAccessLogService</code></td><td><code>bool</code></td><td><p>This flag enables Envoy&rsquo;s gRPC Access Log Service.
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto>Access Log Service</a>
for details about Envoy&rsquo;s gRPC Access Log Service API.</p></td><td>No</td></tr><tr id=MeshConfig-default_config><td><code>defaultConfig</code></td><td><code><a href=#ProxyConfig>ProxyConfig</a></code></td><td><p>Default proxy config used by the proxy injection mechanism operating in the mesh
(e.g. Kubernetes admission controller)
In case of Kubernetes, the proxy config is applied once during the injection process,
and remain constant for the duration of the pod. The rest of the mesh config can be changed
at runtime and config gets distributed dynamically.</p></td><td>No</td></tr><tr id=MeshConfig-outbound_traffic_policy><td><code>outboundTrafficPolicy</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy>OutboundTrafficPolicy</a></code></td><td><p>Set the default behavior of the sidecar for handling outbound traffic
from the application. If your application uses one or more external
services that are not known apriori, setting the policy to ALLOW<em>ANY
will cause the sidecars to route any unknown traffic originating from
the application to its requested destination. Users are strongly
encouraged to use ServiceEntries to explicitly declare any external
dependencies, instead of using allow</em>any, so that traffic to these
services can be monitored.</p></td><td>No</td></tr><tr id=MeshConfig-enable_client_side_policy_check><td><code>enableClientSidePolicyCheck</code></td><td><code>bool</code></td><td><p>Enables client side policy checks.</p></td><td>No</td></tr><tr id=MeshConfig-config_sources><td><code>configSources</code></td><td><code><a href=#ConfigSource>ConfigSource[]</a></code></td><td><p>ConfigSource describes a source of configuration data for networking
rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.</p></td><td>No</td></tr><tr id=MeshConfig-enable_auto_mtls><td><code>enableAutoMtls</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue>BoolValue</a></code></td><td><p>This flag is used to enable mutual TLS automatically for service to service communication
within the mesh, default false.
If set to true, and a given service does not have a corresponding DestinationRule configured,
or its DestinationRule does not have TLSSettings specified, Istio configures client side
TLS configuration appropriately. More specifically,
If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
for mutual TLS to connect to upstream.
If upstream service is in plain text mode, use plain text.
If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
mutual TLS when server sides are capable of accepting mutual TLS traffic.
If service DestinationRule exists and has TLSSettings specified, that is always used instead.</p></td><td>No</td></tr><tr id=MeshConfig-trust_domain><td><code>trustDomain</code></td><td><code>string</code></td><td><p>The trust domain corresponds to the trust root of a system.
Refer to <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain>SPIFFE-ID</a></p></td><td>No</td></tr><tr id=MeshConfig-trust_domain_aliases><td><code>trustDomainAliases</code></td><td><code>string[]</code></td><td><p>The trust domain aliases represent the aliases of <code>trust_domain</code>.
For example, if we have</p><pre><code class=language-yaml>trustDomain: td1
trustDomainAliases: [&quot;td2&quot;, &quot;td3&quot;]
</code></pre><p>Any service with the identity <code>td1/ns/foo/sa/a-service-account</code>, <code>td2/ns/foo/sa/a-service-account</code>,
or <code>td3/ns/foo/sa/a-service-account</code> will be treated the same in the Istio mesh.</p></td><td>No</td></tr><tr id=MeshConfig-default_service_export_to><td><code>defaultServiceExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the ServiceEntry.export_to field and services
imported through container registry integrations, e.g. this applies to
Kubernetes Service resources. The value is a list of namespace names and
reserved namespace aliases. The allowed namespace aliases are:</p><ul><li>- All Namespaces
. - Current Namespace
~ - No Namespace</li></ul><p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
services are exported to all namespaces.</p><p>&lsquo;All namespaces&rsquo; is a reasonable default for implementations that don&rsquo;t
need to restrict access or visibility of services across namespace
boundaries. If that requirement is present it is generally good practice to
make the default &lsquo;Current namespace&rsquo; so that services are only visible
within their own namespaces by default. Operators can then expand the
visibility of services to other namespaces as needed. Use of &lsquo;No Namespace&rsquo;
is expected to be rare but can have utility for deployments where
dependency management needs to be precise even within the scope of a single
namespace.</p><p>For further discussion see the reference documentation for ServiceEntry,
Sidecar, and Gateway.</p></td><td>No</td></tr><tr id=MeshConfig-default_virtual_service_export_to><td><code>defaultVirtualServiceExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the VirtualService.export<em>to field. Has the same
syntax as &lsquo;default</em>service<em>export</em>to&rsquo;.</p><p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
virtual services are exported to all namespaces</p></td><td>No</td></tr><tr id=MeshConfig-default_destination_rule_export_to><td><code>defaultDestinationRuleExportTo</code></td><td><code>string[]</code></td><td><p>The default value for the DestinationRule.export<em>to field. Has the same
syntax as &lsquo;default</em>service<em>export</em>to&rsquo;.</p><p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
destination rules are exported to all namespaces</p></td><td>No</td></tr><tr id=MeshConfig-root_namespace><td><code>rootNamespace</code></td><td><code>string</code></td><td><p>The namespace to treat as the administrative root namespace for
Istio configuration. When processing a leaf namespace Istio will search for
declarations in that namespace first and if none are found it will
search in the root namespace. Any matching declaration found in the root
namespace is processed as if it were declared in the leaf namespace.</p><p>The precise semantics of this processing are documented on each resource
type.</p></td><td>No</td></tr><tr id=MeshConfig-locality_lb_setting><td><code>localityLbSetting</code></td><td><code><a href=/v1.5/docs/reference/config/networking/destination-rule.html#LocalityLoadBalancerSetting>LocalityLoadBalancerSetting</a></code></td><td><p>Locality based load balancing distribution or failover settings.</p></td><td>No</td></tr><tr id=MeshConfig-dns_refresh_rate><td><code>dnsRefreshRate</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Configures DNS refresh rate for Envoy clusters of type STRICT_DNS</p></td><td>No</td></tr><tr id=MeshConfig-disable_report_batch><td><code>disableReportBatch</code></td><td><code>bool</code></td><td><p>The flag to disable report batch.</p></td><td>No</td></tr><tr id=MeshConfig-report_batch_max_entries><td><code>reportBatchMaxEntries</code></td><td><code>uint32</code></td><td><p>When disable<em>report</em>batch is false, this value specifies the maximum number
of requests that are batched in report. If left unspecified, the default value
of report<em>batch</em>max_entries == 0 will use the hardcoded defaults of
istio::mixerclient::ReportOptions.</p></td><td>No</td></tr><tr id=MeshConfig-report_batch_max_time><td><code>reportBatchMaxTime</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>When disable<em>report</em>batch is false, this value specifies the maximum elapsed
time a batched report will be sent after a user request is processed. If left
unspecified, the default report<em>batch</em>max_time == 0 will use the hardcoded
defaults of istio::mixerclient::ReportOptions.</p></td><td>No</td></tr><tr id=MeshConfig-h2_upgrade_policy><td><code>h2UpgradePolicy</code></td><td><code><a href=#MeshConfig-H2UpgradePolicy>H2UpgradePolicy</a></code></td><td><p>Specify if http1.1 connections should be upgraded to http2 by default.
if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
If one or more services or namespaces do not have sidecar(s), then this should be set to DO<em>NOT</em>UPGRADE.
It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.</p></td><td>No</td></tr><tr id=MeshConfig-inbound_cluster_stat_name><td><code>inboundClusterStatName</code></td><td><code>string</code></td><td><p>Name to be used while emitting statistics for inbound clusters.
By default, Istio emits statistics with the pattern <code>inbound|&lt;port>|&lt;port-name>|&lt;service-FQDN></code>.
For example <code>inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td><td>No</td></tr><tr id=MeshConfig-outbound_cluster_stat_name><td><code>outboundClusterStatName</code></td><td><code>string</code></td><td><p>Name to be used while emitting statistics for outbound clusters.
By default, Istio emits statistics with the pattern <code>outbound|&lt;port>|&lt;subsetname>|&lt;service-FQDN></code>.
For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This can be used to override that pattern.</p><p>A Pattern can be composed of various pre-defined variables. The following variables are supported.</p><ul><li><code>%SERVICE%</code> - Will be substituted with name of the service.</li><li><code>%SERVICE_FQDN%</code> - Will be substituted with FQDN of the service.</li><li><code>%SERVICE_PORT%</code> - Will be substituted with port of the service.</li><li><code>%SERVICE_PORT_NAME%</code> - Will be substituted with port name of the service.</li><li><code>%SUBSET_NAME%</code> - Will be substituted with subset.</li></ul><p>Following are some examples of supported patterns for reviews:</p><ul><li><code>%SERVICE_FQDN%_%SERVICE_PORT%</code> will use reviews.prod.svc.cluster.local_7443 as the stats name.</li><li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li></ul></td><td>No</td></tr><tr id=MeshConfig-certificates><td><code>certificates</code></td><td><code><a href=#Certificate>Certificate[]</a></code></td><td><p>Configure the provision of certificates.</p></td><td>No</td></tr><tr id=MeshConfig-thrift_config><td><code>thriftConfig</code></td><td><code><a href=#MeshConfig-ThriftConfig>ThriftConfig</a></code></td><td><p>Set configuration for Thrift protocol</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-AccessLogEncoding-TEXT><td><code>TEXT</code></td><td></td></tr><tr id=MeshConfig-AccessLogEncoding-JSON><td><code>JSON</code></td><td></td></tr></tbody></table></section><h2 id=MeshConfig-H2UpgradePolicy>MeshConfig.H2UpgradePolicy</h2><section><p>Default Policy for upgrading http1.1 connections to http2.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-H2UpgradePolicy-DO_NOT_UPGRADE><td><code>DO_NOT_UPGRADE</code></td><td><p>Do not upgrade connections to http2.</p></td></tr><tr id=MeshConfig-H2UpgradePolicy-UPGRADE><td><code>UPGRADE</code></td><td><p>Upgrade the connections to http2.</p></td></tr></tbody></table></section><h2 id=MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-IngressControllerMode-OFF><td><code>OFF</code></td><td><p>Disables Istio ingress controller.</p></td></tr><tr id=MeshConfig-IngressControllerMode-DEFAULT><td><code>DEFAULT</code></td><td><p>Istio ingress controller will act on ingress resources that do not
contain any annotation or whose annotations match the value
specified in the ingress_class parameter described earlier. Use this
mode if Istio ingress controller will be the default ingress
controller for the entireKubernetes cluster.</p></td></tr><tr id=MeshConfig-IngressControllerMode-STRICT><td><code>STRICT</code></td><td><p>Istio ingress controller will only act on ingress resources whose
annotations match the value specified in the ingress_class parameter
described earlier. Use this mode if Istio ingress controller will be
a secondary ingress controller (e.g., in addition to a
cloud-provided ingress controller).</p></td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-mode><td><code>mode</code></td><td><code><a href=#MeshConfig-OutboundTrafficPolicy-Mode>Mode</a></code></td><td></td><td>No</td></tr></tbody></table></section><h2 id=MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</h2><section><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=MeshConfig-OutboundTrafficPolicy-Mode-REGISTRY_ONLY><td><code>REGISTRY_ONLY</code></td><td><p>outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries</p></td></tr><tr id=MeshConfig-OutboundTrafficPolicy-Mode-ALLOW_ANY><td><code>ALLOW_ANY</code></td><td><p>outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port</p></td></tr></tbody></table></section><h2 id=MeshConfig-ThriftConfig>MeshConfig.ThriftConfig</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshConfig-ThriftConfig-rate_limit_url><td><code>rateLimitUrl</code></td><td><code>string</code></td><td><p>Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
this will enable the rate limit service for destinations that have matching rate
limit configurations.</p></td><td>No</td></tr><tr id=MeshConfig-ThriftConfig-rate_limit_timeout><td><code>rateLimitTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Specify thrift rate limit service timeout, in milliseconds. Default is 50ms</p></td><td>No</td></tr></tbody></table></section><h2 id=MeshNetworks>MeshNetworks</h2><section><p>MeshNetworks (config map) provides information about the set of networks
inside a mesh and how to route to endpoints in each network. For example</p><p>MeshNetworks(file/config map):</p><pre><code class=language-yaml>networks:
network1:
- endpoints:
- fromRegistry: registry1 #must match kubeconfig name in Kubernetes secret
- fromCidr: 192.168.100.0/22 #a VM network for example
gateways:
- registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
port: 15443
locality: us-east-1a
- address: 192.168.100.1
port: 15443
locality: us-east-1a
</code></pre><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=MeshNetworks-networks><td><code>networks</code></td><td><code>map&lt;string,&nbsp;<a href=#Network>Network</a>></code></td><td><p>The set of networks inside this mesh. Each network should
have a unique name and information about how to infer the endpoints in
the network as well as the gateways associated with the network.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=Network>Network</h2><section><p>Network provides information about the endpoints in a routable L3
network. A single routable L3 network can have one or more service
registries. Note that the network has no relation to the locality of the
endpoint. The endpoint locality will be obtained from the service
registry.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-endpoints><td><code>endpoints</code></td><td><code><a href=#Network-NetworkEndpoints>NetworkEndpoints[]</a></code></td><td><p>The list of endpoints in the network (obtained through the
constituent service registries or from CIDR ranges). All endpoints in
the network are directly accessible to one another.</p></td><td>Yes</td></tr><tr id=Network-gateways><td><code>gateways</code></td><td><code><a href=#Network-IstioNetworkGateway>IstioNetworkGateway[]</a></code></td><td><p>Set of gateways associated with the network.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=Network-IstioNetworkGateway>Network.IstioNetworkGateway</h2><section><p>The gateway associated with this network. Traffic from remote networks
will arrive at the specified gateway:port. All incoming traffic must
use mTLS.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-IstioNetworkGateway-registry_service_name class="oneof oneof-start"><td><code>registryServiceName</code></td><td><code>string (oneof)</code></td><td><p>A fully qualified domain name of the gateway service. Pilot will
lookup the service from the service registries in the network and
obtain the endpoint IPs of the gateway from the service
registry. Note that while the service name is a fully qualified
domain name, it need not be resolvable outside the orchestration
platform for the registry. e.g., this could be
istio-ingressgateway.istio-system.svc.cluster.local.</p></td><td>Yes</td></tr><tr id=Network-IstioNetworkGateway-address class=oneof><td><code>address</code></td><td><code>string (oneof)</code></td><td><p>IP address or externally resolvable DNS address associated with the gateway.</p></td><td>Yes</td></tr><tr id=Network-IstioNetworkGateway-port><td><code>port</code></td><td><code>uint32</code></td><td><p>The port associated with the gateway.</p></td><td>Yes</td></tr><tr id=Network-IstioNetworkGateway-locality><td><code>locality</code></td><td><code>string</code></td><td><p>The locality associated with an explicitly specified gateway (i.e. ip)</p></td><td>No</td></tr></tbody></table></section><h2 id=Network-NetworkEndpoints>Network.NetworkEndpoints</h2><section><p>NetworkEndpoints describes how the network associated with an endpoint
should be inferred. An endpoint will be assigned to a network based on
the following rules:</p><ol><li><p>Implicitly: If the registry explicitly provides information about
the network to which the endpoint belongs to. In some cases, its
possible to indicate the network associated with the endpoint by
adding the <code>ISTIO_META_NETWORK</code> environment variable to the sidecar.</p></li><li><p>Explicitly:</p></li></ol><p>a. By matching the registry name with one of the &ldquo;fromRegistry&rdquo;
in the mesh config. A &ldquo;from_registry&rdquo; can only be assigned to a
single network.</p><p>b. By matching the IP against one of the CIDR ranges in a mesh
config network. The CIDR ranges must not overlap and be assigned to
a single network.</p><p>(2) will override (1) if both are present.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Network-NetworkEndpoints-from_cidr class="oneof oneof-start"><td><code>fromCidr</code></td><td><code>string (oneof)</code></td><td><p>A CIDR range for the set of endpoints in this network. The CIDR
ranges for endpoints from different networks must not overlap.</p></td><td>Yes</td></tr><tr id=Network-NetworkEndpoints-from_registry class=oneof><td><code>fromRegistry</code></td><td><code>string (oneof)</code></td><td><p>Add all endpoints from the specified registry into this network.
The names of the registries should correspond to the kubeconfig file name
inside the secret that was used to configure the registry (Kubernetes
multicluster) or supplied by MCP server.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=ProxyConfig>ProxyConfig</h2><section><p>ProxyConfig defines variables for individual Envoy instances.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=ProxyConfig-config_path><td><code>configPath</code></td><td><code>string</code></td><td><p>Path to the generated configuration file directory.
Proxy agent generates the actual configuration and stores it in this directory.</p></td><td>No</td></tr><tr id=ProxyConfig-binary_path><td><code>binaryPath</code></td><td><code>string</code></td><td><p>Path to the proxy binary</p></td><td>No</td></tr><tr id=ProxyConfig-service_cluster><td><code>serviceCluster</code></td><td><code>string</code></td><td><p>Service cluster defines the name for the service_cluster that is
shared by all Envoy instances. This setting corresponds to
<em>&ndash;service-cluster</em> flag in Envoy. In a typical Envoy deployment, the
<em>service-cluster</em> flag is used to identify the caller, for
source-based routing scenarios.</p><p>Since Istio does not assign a local service/service version to each
Envoy instance, the name is same for all of them. However, the
source/caller&rsquo;s identity (e.g., IP address) is encoded in the
<em>&ndash;service-node</em> flag when launching Envoy. When the RDS service
receives API calls from Envoy, it uses the value of the <em>service-node</em>
flag to compute routes that are relative to the service instances
located at that IP address.</p></td><td>No</td></tr><tr id=ProxyConfig-drain_duration><td><code>drainDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The time in seconds that Envoy will drain connections during a hot
restart. MUST be >=1s (e.g., <em>1s/1m/1h</em>)</p></td><td>No</td></tr><tr id=ProxyConfig-parent_shutdown_duration><td><code>parentShutdownDuration</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>The time in seconds that Envoy will wait before shutting down the
parent process during a hot restart. MUST be >=1s (e.g., <em>1s/1m/1h</em>).
MUST BE greater than <em>drain</em>duration_ parameter.</p></td><td>No</td></tr><tr id=ProxyConfig-discovery_address><td><code>discoveryAddress</code></td><td><code>string</code></td><td><p>Address of the discovery service exposing xDS with mTLS connection.
The inject configuration may override this value.</p></td><td>No</td></tr><tr id=ProxyConfig-connect_timeout><td><code>connectTimeout</code></td><td><code><a href=https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration>Duration</a></code></td><td><p>Connection timeout used by Envoy for supporting services. (MUST BE >=1ms)</p></td><td>No</td></tr><tr id=ProxyConfig-statsd_udp_address><td><code>statsdUdpAddress</code></td><td><code>string</code></td><td><p>IP Address and Port of a statsd UDP listener (e.g. <em>10.75.241.127:9125</em>).</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_admin_port><td><code>proxyAdminPort</code></td><td><code>int32</code></td><td><p>Port on which Envoy should listen for administrative commands.</p></td><td>No</td></tr><tr id=ProxyConfig-control_plane_auth_policy><td><code>controlPlaneAuthPolicy</code></td><td><code><a href=#AuthenticationPolicy>AuthenticationPolicy</a></code></td><td><p>Authentication policy defines the global switch to control authentication
for Envoy-to-Envoy communication for istio components Mixer and Pilot.</p></td><td>No</td></tr><tr id=ProxyConfig-custom_config_file><td><code>customConfigFile</code></td><td><code>string</code></td><td><p>File path of custom proxy configuration, currently used by proxies
in front of Mixer and Pilot.</p></td><td>No</td></tr><tr id=ProxyConfig-stat_name_length><td><code>statNameLength</code></td><td><code>int32</code></td><td><p>Maximum length of name field in Envoy&rsquo;s metrics. The length of the name field
is determined by the length of a name field in a service and the set of labels that
comprise a particular version of the service. The default value is set to 189 characters.
Envoy&rsquo;s internal metrics take up 67 characters, for a total of 256 character name per metric.
Increase the value of this field if you find that the metrics from Envoys are truncated.</p></td><td>No</td></tr><tr id=ProxyConfig-concurrency><td><code>concurrency</code></td><td><code>int32</code></td><td><p>The number of worker threads to run. Default value is number of cores on the machine.</p></td><td>No</td></tr><tr id=ProxyConfig-proxy_bootstrap_template_path><td><code>proxyBootstrapTemplatePath</code></td><td><code>string</code></td><td><p>Path to the proxy bootstrap template file</p></td><td>No</td></tr><tr id=ProxyConfig-interception_mode><td><code>interceptionMode</code></td><td><code><a href=#ProxyConfig-InboundInterceptionMode>InboundInterceptionMode</a></code></td><td><p>The mode used to redirect inbound traffic to Envoy.</p></td><td>No</td></tr><tr id=ProxyConfig-tracing><td><code>tracing</code></td><td><code><a href=#Tracing>Tracing</a></code></td><td><p>Tracing configuration to be used by the proxy.</p></td><td>No</td></tr><tr id=ProxyConfig-sds><td><code>sds</code></td><td><code><a href=#SDS>SDS</a></code></td><td><p>secret discovery service(SDS) configuration to be used by the proxy.</p></td><td>No</td></tr><tr id=ProxyConfig-envoy_access_log_service><td><code>envoyAccessLogService</code></td><td><code><a href=#RemoteService>RemoteService</a></code></td><td><p>Address of the service to which access logs from Envoys should be
sent. (e.g. accesslog-service:15000). See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto>Access Log
Service</a>
for details about Envoy&rsquo;s gRPC Access Log Service API.</p></td><td>No</td></tr><tr id=ProxyConfig-envoy_metrics_service><td><code>envoyMetricsService</code></td><td><code><a href=#RemoteService>RemoteService</a></code></td><td><p>Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
See <a href=https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto>Metric Service</a>
for details about Envoy&rsquo;s Metrics Service API.</p></td><td>No</td></tr><tr id=ProxyConfig-zipkin_address class=deprecated><td><code>zipkinAddress</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).
DEPRECATED: Use <a href=#ProxyConfig-tracing>tracing</a> instead.</p></td><td>No</td></tr></tbody></table></section><h2 id=ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</h2><section><p>The mode used to redirect inbound traffic to Envoy.
This setting has no effect on outbound traffic: iptables REDIRECT is always used for
outbound connections.</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=ProxyConfig-InboundInterceptionMode-REDIRECT><td><code>REDIRECT</code></td><td><p>The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
source IP addresses during redirection.</p></td></tr><tr id=ProxyConfig-InboundInterceptionMode-TPROXY><td><code>TPROXY</code></td><td><p>The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
source and destination IP addresses and ports, so that they can be used for advanced
filtering and manipulation. This mode also configures the sidecar to run with the
CAP<em>NET</em>ADMIN capability, which is required to use TPROXY.</p></td></tr></tbody></table></section><h2 id=RemoteService>RemoteService</h2><section><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=RemoteService-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of a remove service used for various purposes (access log
receiver, metrics receiver, etc.). Can be IP address or a fully
qualified DNS name.</p></td><td>No</td></tr><tr id=RemoteService-tls_settings><td><code>tlsSettings</code></td><td><code><a href=/v1.5/docs/reference/config/networking/destination-rule.html#TLSSettings>TLSSettings</a></code></td><td><p>Use the tls_settings to specify the tls mode to use. If the remote service
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as <code>ISTIO_MUTUAL</code>.</p></td><td>No</td></tr><tr id=RemoteService-tcp_keepalive><td><code>tcpKeepalive</code></td><td><code><a href=/v1.5/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings-TCPSettings-TcpKeepalive>TcpKeepalive</a></code></td><td><p>If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.</p></td><td>No</td></tr></tbody></table></section><h2 id=Resource>Resource</h2><section><p>Resource describes the source of configuration</p><table class=enum-values><thead><tr><th>Name</th><th>Description</th></tr></thead><tbody><tr id=Resource-SERVICE_REGISTRY><td><code>SERVICE_REGISTRY</code></td><td><p>Set to only receive service entries that are generated by the platform.
These auto generated service entries are combination of services and endpoints
that are generated by a specific platform e.g. k8</p></td></tr></tbody></table></section><h2 id=SDS>SDS</h2><section><p>SDS defines secret discovery service(SDS) configuration to be used by the proxy.
For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container).
For pilot/mixer, it&rsquo;s passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=SDS-enabled><td><code>enabled</code></td><td><code>bool</code></td><td><p>True if SDS is enabled.</p></td><td>No</td></tr><tr id=SDS-k8s_sa_jwt_path><td><code>k8sSaJwtPath</code></td><td><code>string</code></td><td><p>Path of k8s service account JWT path.</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing>Tracing</h2><section><p>Tracing defines configuration for the tracing performed by Envoy instances.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-zipkin class="oneof oneof-start"><td><code>zipkin</code></td><td><code><a href=#Tracing-Zipkin>Zipkin (oneof)</a></code></td><td><p>Use a Zipkin tracer.</p></td><td>Yes</td></tr><tr id=Tracing-lightstep class=oneof><td><code>lightstep</code></td><td><code><a href=#Tracing-Lightstep>Lightstep (oneof)</a></code></td><td><p>Use a LightStep tracer.</p></td><td>Yes</td></tr><tr id=Tracing-datadog class=oneof><td><code>datadog</code></td><td><code><a href=#Tracing-Datadog>Datadog (oneof)</a></code></td><td><p>Use a Datadog tracer.</p></td><td>Yes</td></tr><tr id=Tracing-stackdriver class=oneof><td><code>stackdriver</code></td><td><code><a href=#Tracing-Stackdriver>Stackdriver (oneof)</a></code></td><td><p>Use a Stackdriver tracer.</p></td><td>Yes</td></tr></tbody></table></section><h2 id=Tracing-Datadog>Tracing.Datadog</h2><section><p>Datadog defines configuration for a Datadog tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-Datadog-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Datadog Agent.</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Lightstep>Tracing.Lightstep</h2><section><p>Defines configuration for a LightStep tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-Lightstep-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the LightStep Satellite pool.</p></td><td>No</td></tr><tr id=Tracing-Lightstep-access_token><td><code>accessToken</code></td><td><code>string</code></td><td><p>The LightStep access token.</p></td><td>No</td></tr><tr id=Tracing-Lightstep-secure><td><code>secure</code></td><td><code>bool</code></td><td><p>True if a secure connection should be used when communicating with the pool.</p></td><td>No</td></tr><tr id=Tracing-Lightstep-cacert_path><td><code>cacertPath</code></td><td><code>string</code></td><td><p>Path to the trusted cacert used to authenticate the pool.</p></td><td>No</td></tr></tbody></table></section><h2 id=Tracing-Stackdriver>Tracing.Stackdriver</h2><section><p>Stackdriver defines configuration for a Stackdriver tracer.
See <a href=https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto>Opencensus trace config</a> for details.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody></tbody></table></section><h2 id=Tracing-Zipkin>Tracing.Zipkin</h2><section><p>Zipkin defines configuration for a Zipkin tracer.</p><table class=message-fields><thead><tr><th>Field</th><th>Type</th><th>Description</th><th>Required</th></tr></thead><tbody><tr id=Tracing-Zipkin-address><td><code>address</code></td><td><code>string</code></td><td><p>Address of the Zipkin service (e.g. <em>zipkin:9411</em>).</p></td><td>No</td></tr></tbody></table></section></article><nav class=pagenav><div class=left><a title="Describes the options available when installing Istio using Helm charts." href=/v1.5/docs/reference/config/installation-options/><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#left-arrow"/></svg>Installation Options (Helm)</a></div><div class=right><a title="Configuration affecting Istio control plane installation version and shape." href=/v1.5/docs/reference/config/istio.operator.v1alpha1/>IstioOperator Options<svg class="icon"><use xlink:href="/v1.5/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=AuthenticationPolicy><a href=#AuthenticationPolicy>AuthenticationPolicy</a><li role=none aria-label=Certificate><a href=#Certificate>Certificate</a><li role=none aria-label=ConfigSource><a href=#ConfigSource>ConfigSource</a><li role=none aria-label=MeshConfig><a href=#MeshConfig>MeshConfig</a><li role=none aria-label=MeshConfig.AccessLogEncoding><a href=#MeshConfig-AccessLogEncoding>MeshConfig.AccessLogEncoding</a><li role=none aria-label=MeshConfig.H2UpgradePolicy><a href=#MeshConfig-H2UpgradePolicy>MeshConfig.H2UpgradePolicy</a><li role=none aria-label=MeshConfig.IngressControllerMode><a href=#MeshConfig-IngressControllerMode>MeshConfig.IngressControllerMode</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy><a href=#MeshConfig-OutboundTrafficPolicy>MeshConfig.OutboundTrafficPolicy</a><li role=none aria-label=MeshConfig.OutboundTrafficPolicy.Mode><a href=#MeshConfig-OutboundTrafficPolicy-Mode>MeshConfig.OutboundTrafficPolicy.Mode</a><li role=none aria-label=MeshConfig.ThriftConfig><a href=#MeshConfig-ThriftConfig>MeshConfig.ThriftConfig</a><li role=none aria-label=MeshNetworks><a href=#MeshNetworks>MeshNetworks</a><li role=none aria-label=Network><a href=#Network>Network</a><li role=none aria-label=Network.IstioNetworkGateway><a href=#Network-IstioNetworkGateway>Network.IstioNetworkGateway</a><li role=none aria-label=Network.NetworkEndpoints><a href=#Network-NetworkEndpoints>Network.NetworkEndpoints</a><li role=none aria-label=ProxyConfig><a href=#ProxyConfig>ProxyConfig</a><li role=none aria-label=ProxyConfig.InboundInterceptionMode><a href=#ProxyConfig-InboundInterceptionMode>ProxyConfig.InboundInterceptionMode</a><li role=none aria-label=RemoteService><a href=#RemoteService>RemoteService</a><li role=none aria-label=Resource><a href=#Resource>Resource</a><li role=none aria-label=SDS><a href=#SDS>SDS</a><li role=none aria-label=Tracing><a href=#Tracing>Tracing</a><li role=none aria-label=Tracing.Datadog><a href=#Tracing-Datadog>Tracing.Datadog</a><li role=none aria-label=Tracing.Lightstep><a href=#Tracing-Lightstep>Tracing.Lightstep</a><li role=none aria-label=Tracing.Stackdriver><a href=#Tracing-Stackdriver>Tracing.Stackdriver</a><li role=none aria-label=Tracing.Zipkin><a href=#Tracing-Zipkin>Tracing.Zipkin</a></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.5.4 now" href=/v1.5/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.5.4<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on May 21, 2020</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.5/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink