# Resources for Base component apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-reader-istio-system labels: app: istio-reader release: istio rules: - apiGroups: - "config.istio.io" - "rbac.istio.io" - "security.istio.io" - "networking.istio.io" - "authentication.istio.io" resources: ["*"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-reader-istio-system labels: app: istio-reader release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-reader-istio-system subjects: - kind: ServiceAccount name: istio-reader-service-account namespace: istio-system --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: mixer chart: istio heritage: Tiller istio: core package: istio.io.mixer release: istio name: attributemanifests.config.istio.io spec: group: config.istio.io names: categories: - istio-io - policy-istio-io kind: attributemanifest plural: attributemanifests singular: attributemanifest scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Describes the rules used to configure Mixer''s policy and telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' properties: attributes: additionalProperties: properties: description: description: A human-readable description of the attribute's purpose. format: string type: string valueType: description: The type of data carried by this attribute. 
enum: - VALUE_TYPE_UNSPECIFIED - STRING - INT64 - DOUBLE - BOOL - TIMESTAMP - IP_ADDRESS - EMAIL_ADDRESS - URI - DNS_NAME - DURATION - STRING_MAP type: string type: object description: The set of attributes this Istio component will be responsible for producing at runtime. type: object name: description: Name of the component producing these attributes. format: string type: string revision: description: The revision of this document. format: string type: string type: object type: object versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot heritage: Tiller istio: rbac release: istio name: clusterrbacconfigs.rbac.istio.io spec: group: rbac.istio.io names: categories: - istio-io - rbac-istio-io kind: ClusterRbacConfig plural: clusterrbacconfigs singular: clusterrbacconfig scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration for Role Based Access Control. See more details at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' properties: enforcementMode: enum: - ENFORCED - PERMISSIVE type: string exclusion: description: A list of services or namespaces that should not be enforced by Istio RBAC policies. properties: namespaces: description: A list of namespaces. items: format: string type: string type: array services: description: A list of services. items: format: string type: string type: array type: object inclusion: description: A list of services or namespaces that should be enforced by Istio RBAC policies. properties: namespaces: description: A list of namespaces. items: format: string type: string type: array services: description: A list of services. items: format: string type: string type: array type: object mode: description: Istio RBAC mode. 
enum: - "OFF" - "ON" - ON_WITH_INCLUSION - ON_WITH_EXCLUSION type: string type: object type: object versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: destinationrules.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.host description: The name of a service from the service registry name: Host type: string - JSONPath: .metadata.creationTimestamp description: |- CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata name: Age type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: DestinationRule listKind: DestinationRuleList plural: destinationrules shortNames: - dr singular: destinationrule scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html' properties: exportTo: description: A list of namespaces to which this destination rule is exported. items: format: string type: string type: array host: description: The name of a service from the service registry. format: string type: string subsets: items: properties: labels: additionalProperties: format: string type: string type: object name: description: Name of the subset. format: string type: string trafficPolicy: description: Traffic policies that apply to this subset. 
properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - required: - simple - properties: consistentHash: oneOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. 
format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutiveErrors: format: int32 type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. 
type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - required: - simple - properties: consistentHash: oneOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutiveErrors: format: int32 type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. 
format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object type: array trafficPolicy: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. 
type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - required: - simple - properties: consistentHash: oneOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutiveErrors: format: int32 type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object portLevelSettings: description: Traffic policies specific to individual ports. items: properties: connectionPool: properties: http: description: HTTP connection pool settings. properties: h2UpgradePolicy: description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - DEFAULT - DO_NOT_UPGRADE - UPGRADE type: string http1MaxPendingRequests: description: Maximum number of pending HTTP requests to a destination. format: int32 type: integer http2MaxRequests: description: Maximum number of requests to a backend. format: int32 type: integer idleTimeout: description: The idle timeout for upstream connection pool connections. 
type: string maxRequestsPerConnection: description: Maximum number of requests per connection to a backend. format: int32 type: integer maxRetries: format: int32 type: integer type: object tcp: description: Settings common to both HTTP and TCP upstream connections. properties: connectTimeout: description: TCP connection timeout. type: string maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. format: int32 type: integer tcpKeepalive: description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. properties: interval: description: The time duration between keep-alive probes. type: string probes: type: integer time: type: string type: object type: object type: object loadBalancer: description: Settings controlling the load balancer algorithms. oneOf: - required: - simple - properties: consistentHash: oneOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp required: - consistentHash properties: consistentHash: properties: httpCookie: description: Hash based on HTTP cookie. properties: name: description: Name of the cookie. format: string type: string path: description: Path to set for the cookie. format: string type: string ttl: description: Lifetime of the cookie. type: string type: object httpHeaderName: description: Hash based on a specific HTTP header. format: string type: string minimumRingSize: type: integer useSourceIp: description: Hash based on the source IP address. type: boolean type: object simple: enum: - ROUND_ROBIN - LEAST_CONN - RANDOM - PASSTHROUGH type: string type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string consecutiveErrors: format: int32 type: integer interval: description: Time interval between ejection sweep analysis. 
type: string maxEjectionPercent: format: int32 type: integer minHealthPercent: format: int32 type: integer type: object port: properties: number: type: integer type: object tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: array tls: description: TLS related settings for connections to the upstream service. properties: caCertificates: format: string type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. format: string type: string mode: enum: - DISABLE - SIMPLE - MUTUAL - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `MUTUAL`. format: string type: string sni: description: SNI string to present to the server during TLS handshake. format: string type: string subjectAltNames: items: format: string type: string type: array type: object type: object type: object type: object versions: - name: v1alpha3 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: envoyfilters.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: EnvoyFilter plural: envoyfilters singular: envoyfilter scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Customizing Envoy configuration generated by Istio. 
See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html' properties: configPatches: description: One or more patches with match conditions. items: properties: applyTo: enum: - INVALID - LISTENER - FILTER_CHAIN - NETWORK_FILTER - HTTP_FILTER - ROUTE_CONFIGURATION - VIRTUAL_HOST - HTTP_ROUTE - CLUSTER type: string match: description: Match on listener/route configuration/cluster. oneOf: - required: - listener - required: - routeConfiguration - required: - cluster properties: cluster: description: Match on envoy cluster attributes. properties: name: description: The exact name of the cluster to match. format: string type: string portNumber: description: The service port for which this cluster was generated. type: integer service: description: The fully qualified service name for this cluster. format: string type: string subset: description: The subset associated with the service. format: string type: string type: object context: description: The specific config generation context to match on. enum: - ANY - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY type: string listener: description: Match on envoy listener attributes. properties: filterChain: description: Match a specific filter chain in a listener. properties: applicationProtocols: description: Applies only to sidecars. format: string type: string filter: description: The name of a specific filter to apply the patch to. properties: name: description: The filter name to match on. format: string type: string subFilter: properties: name: description: The filter name to match on. format: string type: string type: object type: object name: description: The name assigned to the filter chain. format: string type: string sni: description: The SNI value used by a filter chain's match condition. format: string type: string transportProtocol: description: Applies only to SIDECAR_INBOUND context. 
format: string type: string type: object name: description: Match a specific listener by its name. format: string type: string portName: format: string type: string portNumber: type: integer type: object proxy: description: Match on properties associated with a proxy. properties: metadata: additionalProperties: format: string type: string type: object proxyVersion: format: string type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: format: string type: string name: description: Route configuration name to match on. format: string type: string portName: description: Applicable only for GATEWAY context. format: string type: string portNumber: type: integer vhost: properties: name: format: string type: string route: description: Match a specific route within the virtual host. properties: action: description: Match a route with specific action type. enum: - ANY - ROUTE - REDIRECT - DIRECT_RESPONSE type: string name: format: string type: string type: object type: object type: object type: object patch: description: The patch to apply along with the operation. properties: operation: description: Determines how the patch should be applied. enum: - INVALID - MERGE - ADD - REMOVE - INSERT_BEFORE - INSERT_AFTER type: string value: description: The JSON config of the object being patched. type: object type: object type: object type: array filters: items: properties: filterConfig: type: object filterName: description: The name of the filter to instantiate. format: string type: string filterType: description: The type of filter to instantiate. enum: - INVALID - HTTP - NETWORK type: string insertPosition: description: Insert position in the filter chain. properties: index: description: Position of this filter in the filter chain. 
enum: - FIRST - LAST - BEFORE - AFTER type: string relativeTo: format: string type: string type: object listenerMatch: properties: address: description: One or more IP addresses to which the listener is bound. items: format: string type: string type: array listenerProtocol: description: Selects a class of listeners for the same protocol. enum: - ALL - HTTP - TCP type: string listenerType: description: Inbound vs outbound sidecar listener or gateway listener. enum: - ANY - SIDECAR_INBOUND - SIDECAR_OUTBOUND - GATEWAY type: string portNamePrefix: format: string type: string portNumber: type: integer type: object type: object type: array workloadLabels: additionalProperties: format: string type: string description: Deprecated. type: object workloadSelector: properties: labels: additionalProperties: format: string type: string type: object type: object type: object type: object versions: - name: v1alpha3 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: gateways.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Gateway plural: gateways shortNames: - gw singular: gateway scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html' properties: selector: additionalProperties: format: string type: string type: object servers: description: A list of server specifications. items: properties: bind: format: string type: string defaultEndpoint: format: string type: string hosts: description: One or more hosts exposed by this gateway. items: format: string type: string type: array port: properties: name: description: Label assigned to the port. 
format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string type: object tls: description: Set of TLS related options that govern the server's behavior. properties: caCertificates: description: REQUIRED if mode is `MUTUAL`. format: string type: string cipherSuites: description: 'Optional: If specified, only support the specified cipher list.' items: format: string type: string type: array credentialName: format: string type: string httpsRedirect: type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string minProtocolVersion: description: 'Optional: Minimum TLS protocol version.' enum: - TLS_AUTO - TLSV1_0 - TLSV1_1 - TLSV1_2 - TLSV1_3 type: string mode: enum: - PASSTHROUGH - SIMPLE - MUTUAL - AUTO_PASSTHROUGH - ISTIO_MUTUAL type: string privateKey: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. format: string type: string serverCertificate: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
format: string type: string subjectAltNames: items: format: string type: string type: array verifyCertificateHash: items: format: string type: string type: array verifyCertificateSpki: items: format: string type: string type: array type: object type: object type: array type: object type: object versions: - name: v1alpha3 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: httpapispecbindings.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: HTTPAPISpecBinding plural: httpapispecbindings singular: httpapispecbinding scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: api_specs: items: properties: name: description: The short name of the HTTPAPISpec. format: string type: string namespace: description: Optional namespace of the HTTPAPISpec. format: string type: string type: object type: array apiSpecs: items: properties: name: description: The short name of the HTTPAPISpec. format: string type: string namespace: description: Optional namespace of the HTTPAPISpec. format: string type: string type: object type: array services: description: One or more services to map the listed HTTPAPISpec onto. items: properties: domain: description: Domain suffix used to construct the service FQDN in implementations that support such specification. format: string type: string labels: additionalProperties: format: string type: string description: Optional one or more labels that uniquely identify the service version. type: object name: description: The short name of the service such as "foo". format: string type: string namespace: description: Optional namespace of the service. format: string type: string service: description: The service FQDN. 
format: string type: string type: object type: array type: object type: object versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: httpapispecs.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: HTTPAPISpec plural: httpapispecs singular: httpapispec scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: api_keys: items: oneOf: - required: - query - required: - header - required: - cookie properties: cookie: format: string type: string header: description: API key is sent in a request header. format: string type: string query: description: API Key is sent as a query parameter. format: string type: string type: object type: array apiKeys: items: oneOf: - required: - query - required: - header - required: - cookie properties: cookie: format: string type: string header: description: API key is sent in a request header. format: string type: string query: description: API Key is sent as a query parameter. format: string type: string type: object type: array attributes: properties: attributes: additionalProperties: oneOf: - required: - stringValue - required: - int64Value - required: - doubleValue - required: - boolValue - required: - bytesValue - required: - timestampValue - required: - durationValue - required: - stringMapValue properties: boolValue: type: boolean bytesValue: format: binary type: string doubleValue: format: double type: number durationValue: type: string int64Value: format: int64 type: integer stringMapValue: properties: entries: additionalProperties: format: string type: string description: Holds a set of name/value pairs. type: object type: object stringValue: format: string type: string timestampValue: format: dateTime type: string type: object description: A map of attribute name to its value. 
# NOTE(review): this excerpt is a multi-document Kubernetes manifest (Istio base
# CRDs) whose indentation and line breaks were lost. Each physical line below
# packs many YAML nodes and several lines straddle a `---` document boundary,
# so nothing here parses until it is re-indented. A document starts at
# `apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition ...
# name: <crd>` and ends at `versions: - name: ... served: true storage: true ---`.
# NOTE(review): every CRD in this excerpt is `apiextensions.k8s.io/v1beta1`,
# which Kubernetes stopped serving in 1.22; a current cluster needs the
# `apiextensions.k8s.io/v1` form (structural schema under `versions[].schema`
# instead of the top-level `validation` block used here).
# NOTE(review): none of the object schemas set `additionalProperties: false`
# and no top-level `required` list is declared (`required` only appears inside
# `oneOf` choices), so a misspelled policy key is accepted rather than rejected
# (v1beta1 CRDs keep unknown fields by default). For authentication and
# authorization resources that failure mode is a silently weaker policy, and
# the schema is the only admission-time place that could catch it.
#
# The first line opens with the tail of a CRD whose header is above this
# excerpt (the `patterns` / `uriTemplate` / `httpMethod` / `regex` schema),
# then starts `meshpolicies.authentication.istio.io` (kind MeshPolicy,
# `scope: Cluster`): the mesh-wide authentication policy. Its `spec` carries
# `origins[].jwt`, `peers[]` (`oneOf` `mtls` / `jwt`), `originIsOptional`,
# `peerIsOptional`, `principalBinding` and `targets`.
type: object type: object patterns: description: List of HTTP patterns to match. items: oneOf: - required: - uriTemplate - required: - regex properties: attributes: properties: attributes: additionalProperties: oneOf: - required: - stringValue - required: - int64Value - required: - doubleValue - required: - boolValue - required: - bytesValue - required: - timestampValue - required: - durationValue - required: - stringMapValue properties: boolValue: type: boolean bytesValue: format: binary type: string doubleValue: format: double type: number durationValue: type: string int64Value: format: int64 type: integer stringMapValue: properties: entries: additionalProperties: format: string type: string description: Holds a set of name/value pairs. type: object type: object stringValue: format: string type: string timestampValue: format: dateTime type: string type: object description: A map of attribute name to its value. type: object type: object httpMethod: format: string type: string regex: format: string type: string uriTemplate: format: string type: string type: object type: array type: object type: object versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-citadel chart: istio heritage: Tiller release: istio name: meshpolicies.authentication.istio.io spec: group: authentication.istio.io names: categories: - istio-io - authentication-istio-io kind: MeshPolicy listKind: MeshPolicyList plural: meshpolicies singular: meshpolicy scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Authentication policy for Istio services. See more details at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' properties: originIsOptional: type: boolean origins: description: List of authentication methods that can be used for origin authentication. items: properties: jwt: description: Jwt params for the method. 
# JWT origin-authentication schema. Both snake_case and camelCase spellings are
# accepted for several fields (`jwks_uri`/`jwksUri`, `jwt_headers`/`jwtHeaders`,
# `trigger_rules`/`triggerRules`, `excluded_paths`/`excludedPaths`,
# `included_paths`/`includedPaths`); which spelling wins when both are set is
# not defined by this schema. `jwks` inlines the key set, `jwksUri` points at
# one to fetch. `excluded_paths` entries (exact / prefix / suffix / regex)
# remove paths from the JWT check, so an over-broad `prefix` or `regex` there
# switches authentication off for more of the service than intended; review
# those lists as carefully as an allow-list. The `regex` description's
# "EDCA-262" is a typo for ECMA-262 (the linked page is the ECMAScript regex
# grammar); it is a data string and is left as is.
properties: audiences: items: format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. format: string type: string jwks_uri: format: string type: string jwksUri: format: string type: string jwt_headers: description: JWT is sent in a request header. items: format: string type: string type: array jwtHeaders: description: JWT is sent in a request header. items: format: string type: string type: array jwtParams: description: JWT is sent in a query parameter. items: format: string type: string type: array trigger_rules: items: properties: excluded_paths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. 
items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array triggerRules: items: properties: excluded_paths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. 
# `peers[]` (`oneOf` mtls / jwt) starts on this line; the `jwt` variant repeats
# the origin JWT schema above, with the same dual spellings and the same
# `excluded_paths` caveat.
format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array type: object type: object type: array peerIsOptional: type: boolean peers: description: List of authentication methods that can be used for peer authentication. items: oneOf: - required: - mtls - required: - jwt properties: jwt: properties: audiences: items: format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. 
format: string type: string jwks_uri: format: string type: string jwksUri: format: string type: string jwt_headers: description: JWT is sent in a request header. items: format: string type: string type: array jwtHeaders: description: JWT is sent in a request header. items: format: string type: string type: array jwtParams: description: JWT is sent in a query parameter. items: format: string type: string type: array trigger_rules: items: properties: excluded_paths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. 
format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array triggerRules: items: properties: excluded_paths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). 
# Peer authentication: `mtls.mode` is STRICT or PERMISSIVE, and the `allowTls`
# description says a set value "will translates to TLS_PERMISSIVE", so treat
# `allowTls: true` as a second way of selecting the permissive mode.
# `principalBinding` (USE_PEER / USE_ORIGIN) chooses which identity becomes the
# request principal; `targets` selects workloads by `name`, `labels`, `ports`.
# NOTE(review): what `peerIsOptional` / `originIsOptional` tolerate is not
# stated in this schema (plain booleans) — confirm against the Istio reference
# linked in the spec description before relying on either.
format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array type: object mtls: description: Set if mTLS is used. properties: allowTls: description: WILL BE DEPRECATED, if set, will translates to `TLS_PERMISSIVE` mode. type: boolean mode: description: Defines the mode of mTLS authentication. enum: - STRICT - PERMISSIVE type: string type: object type: object type: array principalBinding: description: Define whether peer or origin identity should be use for principal. enum: - USE_PEER - USE_ORIGIN type: string targets: description: List rules to select workloads that the policy should be applied on. 
# `targets[].ports[]` is `oneOf` number / name; `number` is only `type:
# integer` with no `minimum`/`maximum`, so port range is not checked here.
# MeshPolicy ends on this line (`versions: - name: v1alpha1 ...`), then
# `policies.authentication.istio.io` (kind Policy, `scope: Namespaced`) begins
# with the same authentication-policy schema; it continues on the lines below.
items: properties: labels: additionalProperties: format: string type: string type: object name: description: The name must be a short name from the service registry. format: string type: string ports: description: Specifies the ports. items: oneOf: - required: - number - required: - name properties: name: format: string type: string number: type: integer type: object type: array type: object type: array type: object type: object versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-citadel chart: istio heritage: Tiller release: istio name: policies.authentication.istio.io spec: group: authentication.istio.io names: categories: - istio-io - authentication-istio-io kind: Policy plural: policies singular: policy scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Authentication policy for Istio services. See more details at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html' properties: originIsOptional: type: boolean origins: description: List of authentication methods that can be used for origin authentication. items: properties: jwt: description: Jwt params for the method. properties: audiences: items: format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. format: string type: string jwks_uri: format: string type: string jwksUri: format: string type: string jwt_headers: description: JWT is sent in a request header. items: format: string type: string type: array jwtHeaders: description: JWT is sent in a request header. items: format: string type: string type: array jwtParams: description: JWT is sent in a query parameter. 
# Continuation of the `policies.authentication.istio.io` (kind Policy,
# `scope: Namespaced`) schema that begins on the line above; the document
# closes on the last line of this block, where
# `quotaspecbindings.config.istio.io` (kind QuotaSpecBinding) starts.
# The JWT / trigger-rule / path-match schema repeated here is the one used by
# MeshPolicy: both snake_case and camelCase spellings are accepted
# (`jwks_uri`/`jwksUri`, `jwt_headers`/`jwtHeaders`, `trigger_rules`/
# `triggerRules`, `excluded_paths`/`excludedPaths`, `included_paths`/
# `includedPaths`) with no stated precedence, and an over-broad `prefix` or
# `regex` in `excluded_paths` removes paths from the JWT check, so those lists
# deserve allow-list scrutiny. "EDCA-262" in the `regex` descriptions is a typo
# for ECMA-262; it is a data string and is left as is.
items: format: string type: string type: array trigger_rules: items: properties: excluded_paths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. 
items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array triggerRules: items: properties: excluded_paths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. 
# `peers[]` (`oneOf` mtls / jwt) starts on this line; its `jwt` variant is the
# same schema as the origin JWT above.
format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array type: object type: object type: array peerIsOptional: type: boolean peers: description: List of authentication methods that can be used for peer authentication. items: oneOf: - required: - mtls - required: - jwt properties: jwt: properties: audiences: items: format: string type: string type: array issuer: description: Identifies the issuer that issued the JWT. format: string type: string jwks: description: JSON Web Key Set of public keys to validate signature of the JWT. format: string type: string jwks_uri: format: string type: string jwksUri: format: string type: string jwt_headers: description: JWT is sent in a request header. items: format: string type: string type: array jwtHeaders: description: JWT is sent in a request header. items: format: string type: string type: array jwtParams: description: JWT is sent in a query parameter. items: format: string type: string type: array trigger_rules: items: properties: excluded_paths: description: List of paths to be excluded from the request. 
items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. 
format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array triggerRules: items: properties: excluded_paths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array excludedPaths: description: List of paths to be excluded from the request. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array included_paths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). 
# Peer `mtls`: `mode` STRICT / PERMISSIVE; per its description `allowTls: true`
# "will translates to TLS_PERMISSIVE", i.e. a second spelling of the permissive
# mode. `principalBinding` (USE_PEER / USE_ORIGIN) picks the request principal;
# `targets` selects workloads. NOTE(review): the effect of `peerIsOptional` /
# `originIsOptional` is not described in this schema — confirm against the
# Istio reference linked in the spec description.
format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array includedPaths: description: List of paths that the request must include. items: oneOf: - required: - exact - required: - prefix - required: - suffix - required: - regex properties: exact: description: exact string match. format: string type: string prefix: description: prefix-based match. format: string type: string regex: description: ECMAscript style regex-based match as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript). format: string type: string suffix: description: suffix-based match. format: string type: string type: object type: array type: object type: array type: object mtls: description: Set if mTLS is used. properties: allowTls: description: WILL BE DEPRECATED, if set, will translates to `TLS_PERMISSIVE` mode. type: boolean mode: description: Defines the mode of mTLS authentication. enum: - STRICT - PERMISSIVE type: string type: object type: object type: array principalBinding: description: Define whether peer or origin identity should be use for principal. enum: - USE_PEER - USE_ORIGIN type: string targets: description: List rules to select workloads that the policy should be applied on. items: properties: labels: additionalProperties: format: string type: string type: object name: description: The name must be a short name from the service registry. format: string type: string ports: description: Specifies the ports. 
# Policy ends on this line (`targets[].ports[].number` is an unbounded
# `type: integer`), then `quotaspecbindings.config.istio.io` (kind
# QuotaSpecBinding, `scope: Namespaced`) begins: `quotaSpecs[]` (name,
# optional namespace) are bound to `services[]` identified by `name`,
# optional `namespace`, `domain`, `labels` or the full `service` FQDN. The
# document continues on the next line.
items: oneOf: - required: - number - required: - name properties: name: format: string type: string number: type: integer type: object type: array type: object type: array type: object type: object versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: quotaspecbindings.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: QuotaSpecBinding plural: quotaspecbindings singular: quotaspecbinding scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: properties: quotaSpecs: items: properties: name: description: The short name of the QuotaSpec. format: string type: string namespace: description: Optional namespace of the QuotaSpec. format: string type: string type: object type: array services: description: One or more services to map the listed QuotaSpec onto. items: properties: domain: description: Domain suffix used to construct the service FQDN in implementations that support such specification. format: string type: string labels: additionalProperties: format: string type: string description: Optional one or more labels that uniquely identify the service version. type: object name: description: The short name of the service such as "foo". format: string type: string namespace: description: Optional namespace of the service. format: string type: string service: description: The service FQDN. 
# Tail of QuotaSpecBinding (`services[].service`, the FQDN), then
# `quotaspecs.config.istio.io` (kind QuotaSpec): `rules[].match[].clause` maps
# an attribute name to a StringMatch (`oneOf` exact / prefix / regex) and
# `rules[].quotas[]` lists the `quota` name and an int32 `charge`. The `match`
# description says an empty list matches every request, so a rule without a
# match clause charges its quotas on all traffic.
# Then `rbacconfigs.rbac.istio.io` (kind RbacConfig, `scope: Namespaced`)
# begins; its spec description is split across this line and the next.
format: string type: string type: object type: array type: object type: object versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-mixer chart: istio heritage: Tiller release: istio name: quotaspecs.config.istio.io spec: group: config.istio.io names: categories: - istio-io - apim-istio-io kind: QuotaSpec plural: quotaspecs singular: quotaspec scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: Determines the quotas used for individual requests. properties: rules: description: A list of Quota rules. items: properties: match: description: If empty, match all request. items: properties: clause: additionalProperties: oneOf: - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: format: string type: string type: object description: Map of attribute names to StringMatch type. type: object type: object type: array quotas: description: The list of quotas to charge. items: properties: charge: format: int32 type: integer quota: format: string type: string type: object type: array type: object type: array type: object type: object versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: mixer chart: istio heritage: Tiller istio: rbac package: istio.io.mixer release: istio name: rbacconfigs.rbac.istio.io spec: group: rbac.istio.io names: categories: - istio-io - rbac-istio-io kind: RbacConfig plural: rbacconfigs singular: rbacconfig scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration for Role Based Access Control. 
# RbacConfig: `mode` is "OFF" / "ON" / ON_WITH_INCLUSION / ON_WITH_EXCLUSION.
# Keep "OFF" and "ON" quoted: unquoted they are YAML 1.1 booleans and a 1.1
# loader would hand the enum check `false` / `true` instead of the strings.
# Per the list descriptions, ON_WITH_EXCLUSION enforces everything except
# `exclusion` and ON_WITH_INCLUSION enforces only `inclusion`; an entry added
# to `exclusion` is therefore a policy bypass for that service or namespace
# and should be reviewed as such. NOTE(review): `enforcementMode: PERMISSIVE`
# is in the enum but its effect is not described here — confirm before using
# it as a dry-run.
# Then `rules.config.istio.io` (kind rule, Mixer) begins: `actions[]` name a
# `handler` and its `instances`; `match` (next line) is an attribute-expression
# string that this schema checks only as `type: string`, not for syntax.
See more details at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' properties: enforcementMode: enum: - ENFORCED - PERMISSIVE type: string exclusion: description: A list of services or namespaces that should not be enforced by Istio RBAC policies. properties: namespaces: description: A list of namespaces. items: format: string type: string type: array services: description: A list of services. items: format: string type: string type: array type: object inclusion: description: A list of services or namespaces that should be enforced by Istio RBAC policies. properties: namespaces: description: A list of namespaces. items: format: string type: string type: array services: description: A list of services. items: format: string type: string type: array type: object mode: description: Istio RBAC mode. enum: - "OFF" - "ON" - ON_WITH_INCLUSION - ON_WITH_EXCLUSION type: string type: object type: object versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: mixer chart: istio heritage: Tiller istio: core package: istio.io.mixer release: istio name: rules.config.istio.io spec: group: config.istio.io names: categories: - istio-io - policy-istio-io kind: rule plural: rules singular: rule scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Describes the rules used to configure Mixer''s policy and telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html' properties: actions: description: The actions that will be executed when match evaluates to `true`. items: properties: handler: description: Fully qualified name of the handler to invoke. format: string type: string instances: items: format: string type: string type: array name: description: A handle to refer to the results of the action. 
# Tail of `rules.config.istio.io`: `requestHeaderOperations` /
# `responseHeaderOperations` can REPLACE, REMOVE or APPEND a header from value
# expressions, so a rule can alter or strip headers that downstream policy or
# logging relies on — rules naming authentication-related headers deserve a
# close look. `sampling.random` (percentSampled numerator / denominator,
# `useIndependentRandomness`) and `sampling.rateLimit` thin out actions;
# `numerator` and `samplingRate` are plain integers with no `minimum` declared.
# The rule document ends on the next line, where
# `serviceentries.networking.istio.io` (kind ServiceEntry) begins.
format: string type: string type: object type: array match: description: Match is an attribute based predicate. format: string type: string requestHeaderOperations: items: properties: name: description: Header name literal value. format: string type: string operation: description: Header operation type. enum: - REPLACE - REMOVE - APPEND type: string values: description: Header value expressions. items: format: string type: string type: array type: object type: array responseHeaderOperations: items: properties: name: description: Header name literal value. format: string type: string operation: description: Header operation type. enum: - REPLACE - REMOVE - APPEND type: string values: description: Header value expressions. items: format: string type: string type: array type: object type: array sampling: properties: random: description: Provides filtering of actions based on random selection per request. properties: attributeExpression: description: Specifies an attribute expression to use to override the numerator in the `percent_sampled` field. format: string type: string percentSampled: description: The default sampling rate, expressed as a percentage. properties: denominator: description: Specifies the denominator. enum: - HUNDRED - TEN_THOUSAND type: string numerator: description: Specifies the numerator. type: integer type: object useIndependentRandomness: description: By default sampling will be based on the value of the request header `x-request-id`. type: boolean type: object rateLimit: properties: maxUnsampledEntries: description: Number of entries to allow during the `sampling_duration` before sampling is enforced. format: int64 type: integer samplingDuration: description: Window in which to enforce the sampling rate. type: string samplingRate: description: The rate at which to sample entries once the unsampled limit has been reached. 
# ServiceEntry: `additionalPrinterColumns` (Hosts, Location, Resolution, Age)
# drive `kubectl get` output; the Age column's `description: |-` is a literal
# block scalar whose internal newlines were lost in this flattening, so a
# re-indent must restore them or the stored description changes. The spec
# (`addresses`, then `endpoints`) starts here and continues on the next line.
format: int64 type: integer type: object type: object type: object type: object versions: - name: v1alpha2 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: serviceentries.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.hosts description: The hosts associated with the ServiceEntry name: Hosts type: string - JSONPath: .spec.location description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) name: Location type: string - JSONPath: .spec.resolution description: Service discovery mode for the hosts (NONE, STATIC, or DNS) name: Resolution type: string - JSONPath: .metadata.creationTimestamp description: |- CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata name: Age type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: ServiceEntry listKind: ServiceEntryList plural: serviceentries shortNames: - se singular: serviceentry scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html' properties: addresses: description: The virtual IP addresses associated with the service. items: format: string type: string type: array endpoints: description: One or more endpoints associated with the service. 
# Tail of ServiceEntry: `endpoints[]` (address, labels, locality, network, a
# ports map, weight), `exportTo`, `hosts`, `location` (MESH_EXTERNAL /
# MESH_INTERNAL), `ports[]`, `resolution` (NONE / STATIC / DNS) and
# `subjectAltNames`. `ports[].number` is described as "a valid non-negative
# integer port number" but the schema only says `type: integer` — no
# `minimum`/`maximum` — so the range is not enforced at admission. A
# ServiceEntry adds hosts to the mesh registry, so whoever may create one can
# shape where mesh traffic is allowed to go; its RBAC deserves the same
# scrutiny as the policy objects. Then `servicerolebindings.rbac.istio.io`
# (kind ServiceRoleBinding) begins; its `Reference` printer column shows
# `.spec.roleRef.name`, and the CreationTimestamp `|-` block scalar is again
# flattened here (its newlines must be restored on re-indent).
items: properties: address: format: string type: string labels: additionalProperties: format: string type: string description: One or more labels associated with the endpoint. type: object locality: description: The locality associated with the endpoint. format: string type: string network: format: string type: string ports: additionalProperties: type: integer description: Set of ports associated with the endpoint. type: object weight: description: The load balancing weight associated with the endpoint. type: integer type: object type: array exportTo: description: A list of namespaces to which this service is exported. items: format: string type: string type: array hosts: description: The hosts associated with the ServiceEntry. items: format: string type: string type: array location: enum: - MESH_EXTERNAL - MESH_INTERNAL type: string ports: description: The ports associated with the external service. items: properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string type: object type: array resolution: description: Service discovery mode for the hosts. enum: - NONE - STATIC - DNS type: string subjectAltNames: items: format: string type: string type: array type: object type: object versions: - name: v1alpha3 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: mixer chart: istio heritage: Tiller istio: rbac package: istio.io.mixer release: istio name: servicerolebindings.rbac.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.roleRef.name description: The name of the ServiceRole object being referenced name: Reference type: string - JSONPath: .metadata.creationTimestamp description: |- CreationTimestamp is a timestamp representing the server time when this object was created. 
# ServiceRoleBinding continued: `actions[]` match on hosts / methods / paths /
# ports / services, their `not*` negations and `constraints` (key + values);
# `mode` is ENFORCED or PERMISSIVE; `roleRef` names the ServiceRole (`kind`,
# `name`) and `role` is a single-string form of the same reference. `subjects`
# (next line) may be keyed by `user`, `names`, `groups`, `namespaces`,
# `properties` or `ips`, each with a `not*` counterpart. NOTE(review): an `ips`
# subject matches on a source address rather than a verified workload identity,
# so bindings that grant a role on `ips` alone are the ones to review first.
It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata name: Age type: date group: rbac.istio.io names: categories: - istio-io - rbac-istio-io kind: ServiceRoleBinding plural: servicerolebindings singular: servicerolebinding scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration for Role Based Access Control. See more details at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' properties: actions: items: properties: constraints: description: Optional. items: properties: key: description: Key of the constraint. format: string type: string values: description: List of valid values for the constraint. items: format: string type: string type: array type: object type: array hosts: items: format: string type: string type: array methods: description: Optional. items: format: string type: string type: array notHosts: items: format: string type: string type: array notMethods: items: format: string type: string type: array notPaths: items: format: string type: string type: array notPorts: items: format: int32 type: integer type: array paths: description: Optional. items: format: string type: string type: array ports: items: format: int32 type: integer type: array services: description: A list of service names. items: format: string type: string type: array type: object type: array mode: enum: - ENFORCED - PERMISSIVE type: string role: format: string type: string roleRef: description: Reference to the ServiceRole object. properties: kind: description: The type of the role being referenced. format: string type: string name: description: The name of the ServiceRole object being referenced. 
# ServiceRoleBinding `subjects` and the document end, then
# `serviceroles.rbac.istio.io` (kind ServiceRole, `scope: Namespaced`) begins:
# `rules[]` are the permissions (constraints, hosts, methods, paths, ...).
# That document runs past the end of this excerpt.
format: string type: string type: object subjects: description: List of subjects that are assigned the ServiceRole object. items: properties: group: format: string type: string groups: items: format: string type: string type: array ips: items: format: string type: string type: array names: items: format: string type: string type: array namespaces: items: format: string type: string type: array notGroups: items: format: string type: string type: array notIps: items: format: string type: string type: array notNames: items: format: string type: string type: array notNamespaces: items: format: string type: string type: array properties: additionalProperties: format: string type: string description: Optional. type: object user: description: Optional. format: string type: string type: object type: array type: object type: object versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: mixer chart: istio heritage: Tiller istio: rbac package: istio.io.mixer release: istio name: serviceroles.rbac.istio.io spec: group: rbac.istio.io names: categories: - istio-io - rbac-istio-io kind: ServiceRole plural: serviceroles singular: servicerole scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration for Role Based Access Control. See more details at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html' properties: rules: description: The set of access rules (permissions) that the role has. items: properties: constraints: description: Optional. items: properties: key: description: Key of the constraint. format: string type: string values: description: List of valid values for the constraint. items: format: string type: string type: array type: object type: array hosts: items: format: string type: string type: array methods: description: Optional. 
items: format: string type: string type: array notHosts: items: format: string type: string type: array notMethods: items: format: string type: string type: array notPaths: items: format: string type: string type: array notPorts: items: format: int32 type: integer type: array paths: description: Optional. items: format: string type: string type: array ports: items: format: int32 type: integer type: array services: description: A list of service names. items: format: string type: string type: array type: object type: array type: object type: object versions: - name: v1alpha1 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: virtualservices.networking.istio.io spec: additionalPrinterColumns: - JSONPath: .spec.gateways description: The names of gateways and sidecars that should apply these routes name: Gateways type: string - JSONPath: .spec.hosts description: The destination hosts to which traffic is being sent name: Hosts type: string - JSONPath: .metadata.creationTimestamp description: |- CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata name: Age type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: VirtualService listKind: VirtualServiceList plural: virtualservices shortNames: - vs singular: virtualservice scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting label/content routing, sni routing, etc. 
See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html' properties: exportTo: description: A list of namespaces to which this virtual service is exported. items: format: string type: string type: array gateways: description: The names of gateways and sidecars that should apply these routes. items: format: string type: string type: array hosts: description: The destination hosts to which traffic is being sent. items: format: string type: string type: array http: description: An ordered list of route rules for HTTP traffic. items: properties: appendHeaders: additionalProperties: format: string type: string type: object appendRequestHeaders: additionalProperties: format: string type: string type: object appendResponseHeaders: additionalProperties: format: string type: string type: object corsPolicy: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: nullable: true type: boolean allowHeaders: items: format: string type: string type: array allowMethods: description: List of HTTP methods allowed to access the resource. items: format: string type: string type: array allowOrigin: description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array exposeHeaders: items: format: string type: string type: array maxAge: type: string type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: oneOf: - properties: percent: {} required: - httpStatus - properties: percent: {} required: - grpcStatus - properties: percent: {} required: - http2Error properties: grpcStatus: format: string type: string http2Error: format: string type: string httpStatus: description: HTTP status code to use to abort the Http request. format: int32 type: integer percent: description: Percentage of requests to be aborted with the error code provided (0-100). 
format: int32 type: integer percentage: description: Percentage of requests to be aborted with the error code provided. properties: value: format: double type: number type: object type: object delay: oneOf: - properties: percent: {} required: - fixedDelay - properties: percent: {} required: - exponentialDelay properties: exponentialDelay: type: string fixedDelay: description: Add a fixed delay before forwarding the request. type: string percent: description: Percentage of requests on which the delay will be injected (0-100). format: int32 type: integer percentage: description: Percentage of requests on which the delay will be injected. properties: value: format: double type: number type: object type: object type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object match: items: properties: authority: oneOf: - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: format: string type: string type: object gateways: items: format: string type: string type: array headers: additionalProperties: oneOf: - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: format: string type: string type: object type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. 
type: boolean method: oneOf: - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: format: string type: string type: object name: description: The name assigned to a match. format: string type: string port: description: Specifies the ports on the host that is being addressed. type: integer queryParams: additionalProperties: oneOf: - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: format: string type: string type: object description: Query parameters for matching. type: object scheme: oneOf: - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: format: string type: string type: object sourceLabels: additionalProperties: format: string type: string type: object uri: oneOf: - required: - exact - required: - prefix - required: - regex properties: exact: format: string type: string prefix: format: string type: string regex: format: string type: string type: object type: object type: array mirror: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object mirror_percent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer mirrorPercent: description: Percentage of the traffic to be mirrored by the `mirror` field. nullable: true type: integer name: description: The name assigned to the route for debugging purposes. format: string type: string redirect: description: A http rule can either redirect or forward (default) traffic. 
properties: authority: format: string type: string redirectCode: type: integer uri: format: string type: string type: object removeRequestHeaders: items: format: string type: string type: array removeResponseHeaders: items: format: string type: string type: array retries: description: Retry policy for HTTP requests. properties: attempts: description: Number of retries for a given request. format: int32 type: integer perTryTimeout: description: Timeout per retry attempt for a given request. type: string retryOn: description: Specifies the conditions under which retry takes place. format: string type: string type: object rewrite: description: Rewrite HTTP URIs and Authority headers. properties: authority: description: rewrite the Authority/Host header with this value. format: string type: string uri: format: string type: string type: object route: description: A http rule can either redirect or forward (default) traffic. items: properties: appendRequestHeaders: additionalProperties: format: string type: string description: Use of `append_request_headers` is deprecated. type: object appendResponseHeaders: additionalProperties: format: string type: string description: Use of `append_response_headers` is deprecated. type: object destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. 
format: string type: string type: object headers: properties: request: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object response: properties: add: additionalProperties: format: string type: string type: object remove: items: format: string type: string type: array set: additionalProperties: format: string type: string type: object type: object type: object removeRequestHeaders: description: Use of `remove_request_headers` is deprecated. items: format: string type: string type: array removeResponseHeaders: description: Use of `remove_response_header` is deprecated. items: format: string type: string type: array weight: format: int32 type: integer type: object type: array timeout: description: Timeout for HTTP requests. type: string websocketUpgrade: description: Deprecated. type: boolean type: object type: array tcp: description: An ordered list of route rules for opaque TCP traffic. items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied to. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sourceLabels: additionalProperties: format: string type: string type: object sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. 
properties: number: type: integer type: object subset: description: The name of a subset within the service. format: string type: string type: object weight: format: int32 type: integer type: object type: array type: object type: array tls: items: properties: match: items: properties: destinationSubnets: description: IPv4 or IPv6 ip addresses of destination with optional subnet. items: format: string type: string type: array gateways: description: Names of gateways where the rule should be applied to. items: format: string type: string type: array port: description: Specifies the port on the host that is being addressed. type: integer sniHosts: description: SNI (server name indicator) to match on. items: format: string type: string type: array sourceLabels: additionalProperties: format: string type: string type: object sourceSubnet: description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string type: object type: array route: description: The destination to which the connection should be forwarded to. items: properties: destination: properties: host: description: The name of a service from the service registry. format: string type: string port: description: Specifies the port on the host that is being addressed. properties: number: type: integer type: object subset: description: The name of a subset within the service. 
format: string type: string type: object weight: format: int32 type: integer type: object type: array type: object type: array type: object type: object versions: - name: v1alpha3 served: true storage: true --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: adapters.config.istio.io labels: app: mixer package: adapter istio: mixer-adapter chart: istio heritage: Tiller release: istio spec: group: config.istio.io names: kind: adapter plural: adapters singular: adapter categories: - istio-io - policy-istio-io scope: Namespaced subresources: status: {} versions: - name: v1alpha2 served: true storage: true --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: instances.config.istio.io labels: app: mixer package: instance istio: mixer-instance chart: istio heritage: Tiller release: istio spec: group: config.istio.io names: kind: instance plural: instances singular: instance categories: - istio-io - policy-istio-io scope: Namespaced subresources: status: {} versions: - name: v1alpha2 served: true storage: true --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: templates.config.istio.io labels: app: mixer package: template istio: mixer-template chart: istio heritage: Tiller release: istio spec: group: config.istio.io names: kind: template plural: templates singular: template categories: - istio-io - policy-istio-io scope: Namespaced subresources: status: {} versions: - name: v1alpha2 served: true storage: true --- kind: CustomResourceDefinition apiVersion: apiextensions.k8s.io/v1beta1 metadata: name: handlers.config.istio.io labels: app: mixer package: handler istio: mixer-handler chart: istio heritage: Tiller release: istio spec: group: config.istio.io names: kind: handler plural: handlers singular: handler categories: - istio-io - policy-istio-io scope: Namespaced subresources: status: {} versions: - name: v1alpha2 served: true storage: true --- 
apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot chart: istio heritage: Tiller release: istio name: sidecars.networking.istio.io spec: group: networking.istio.io names: categories: - istio-io - networking-istio-io kind: Sidecar plural: sidecars singular: sidecar scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html' properties: egress: items: properties: bind: format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string hosts: items: format: string type: string type: array port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string type: object type: object type: array ingress: items: properties: bind: description: The ip to which the listener should be bound. format: string type: string captureMode: enum: - DEFAULT - IPTABLES - NONE type: string defaultEndpoint: format: string type: string port: description: The port associated with the listener. properties: name: description: Label assigned to the port. format: string type: string number: description: A valid non-negative integer port number. type: integer protocol: description: The protocol exposed on the port. format: string type: string type: object type: object type: array outboundTrafficPolicy: description: This allows to configure the outbound traffic policy. 
properties: mode: enum: - REGISTRY_ONLY - ALLOW_ANY type: string type: object workloadSelector: properties: labels: additionalProperties: format: string type: string type: object type: object type: object type: object versions: - name: v1alpha3 served: true storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: labels: app: istio-pilot heritage: Tiller istio: security release: istio name: authorizationpolicies.security.istio.io spec: group: security.istio.io names: categories: - istio-io - security-istio-io kind: AuthorizationPolicy plural: authorizationpolicies singular: authorizationpolicy scope: Namespaced subresources: status: {} validation: openAPIV3Schema: properties: spec: description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html' properties: rules: description: Optional. items: properties: from: description: Optional. items: properties: source: description: Source specifies the source of a request. properties: ipBlocks: description: Optional. items: format: string type: string type: array namespaces: description: Optional. items: format: string type: string type: array principals: description: Optional. items: format: string type: string type: array requestPrincipals: description: Optional. items: format: string type: string type: array type: object type: object type: array to: description: Optional. items: properties: operation: description: Operation specifies the operation of a request. properties: hosts: description: Optional. items: format: string type: string type: array methods: description: Optional. items: format: string type: string type: array paths: description: Optional. items: format: string type: string type: array ports: description: Optional. items: format: string type: string type: array type: object type: object type: array when: description: Optional. 
items: properties: key: description: The name of an Istio attribute. format: string type: string values: description: The allowed values for the attribute. items: format: string type: string type: array type: object type: array type: object type: array selector: description: Optional. properties: matchLabels: additionalProperties: format: string type: string type: object type: object type: object type: object versions: - name: v1beta1 served: true storage: true --- apiVersion: v1 kind: Namespace metadata: name: istio-system labels: istio-operator-managed: Reconcile istio-injection: disabled --- apiVersion: v1 kind: ServiceAccount metadata: name: istio-reader-service-account namespace: istio-system labels: app: istio-reader release: istio --- # CertManager component is disabled. # Resources for Citadel component apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-citadel-istio-system labels: app: citadel release: istio rules: - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "get", "update"] - apiGroups: [""] resources: ["secrets"] verbs: ["create", "get", "watch", "list", "update", "delete"] - apiGroups: [""] resources: ["serviceaccounts", "services", "namespaces"] verbs: ["get", "watch", "list"] - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-citadel-istio-system labels: release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-citadel-istio-system subjects: - kind: ServiceAccount name: istio-citadel-service-account namespace: istio-system --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: security istio: citadel release: istio name: istio-citadel namespace: istio-system spec: replicas: 1 selector: matchLabels: istio: citadel strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: sidecar.istio.io/inject: "false" 
labels: app: citadel istio: citadel spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x weight: 2 requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x containers: - args: - --append-dns-names=true - --grpc-port=8060 - --citadel-storage-namespace=istio-system - --custom-dns-names=istio-galley-service-account.istio-config:istio-galley.istio-config.svc,istio-galley-service-account.istio-control:istio-galley.istio-control.svc,istio-galley-service-account.istio-control-master:istio-galley.istio-control-master.svc,istio-galley-service-account.istio-master:istio-galley.istio-master.svc,istio-galley-service-account.istio-pilot11:istio-galley.istio-pilot11.svc,istio-pilot-service-account.istio-control:istio-pilot.istio-control,istio-pilot-service-account.istio-pilot11:istio-pilot.istio-system,istio-sidecar-injector-service-account.istio-control:istio-sidecar-injector.istio-control.svc,istio-sidecar-injector-service-account.istio-control-master:istio-sidecar-injector.istio-control-master.svc,istio-sidecar-injector-service-account.istio-master:istio-sidecar-injector.istio-master.svc,istio-sidecar-injector-service-account.istio-pilot11:istio-sidecar-injector.istio-pilot11.svc,istio-sidecar-injector-service-account.istio-remote:istio-sidecar-injector.istio-remote.svc, - --self-signed-ca=true - --trust-domain=cluster.local - --workload-cert-ttl=2160h env: - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT value: "true" image: docker.io/istio/citadel:1.4.5 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /version port: 15014 initialDelaySeconds: 
5 periodSeconds: 5 name: citadel resources: requests: cpu: 10m serviceAccountName: istio-citadel-service-account --- apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: istio-citadel namespace: istio-system labels: app: security istio: citadel release: istio spec: minAvailable: 1 selector: matchLabels: app: citadel istio: citadel --- apiVersion: v1 kind: Service metadata: # Must match the certificate, this is used in the node agent in same namespace. name: istio-citadel namespace: istio-system labels: app: security istio: citadel release: istio spec: ports: - name: grpc-citadel port: 8060 targetPort: 8060 protocol: TCP - name: http-monitoring port: 15014 selector: app: citadel --- apiVersion: v1 kind: ServiceAccount metadata: name: istio-citadel-service-account namespace: istio-system labels: app: security release: istio --- # Cni component is disabled. # CoreDNS component is disabled. # EgressGateway component is disabled. # Resources for Galley component apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-galley-istio-system labels: release: istio rules: # For reading Istio resources - apiGroups: [ "authentication.istio.io", "config.istio.io", "networking.istio.io", "rbac.istio.io", "security.istio.io"] resources: ["*"] verbs: ["get", "list", "watch"] # For updating Istio resource statuses - apiGroups: [ "authentication.istio.io", "config.istio.io", "networking.istio.io", "rbac.istio.io", "security.istio.io"] resources: ["*/status"] verbs: ["update"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations"] verbs: ["*"] - apiGroups: ["extensions","apps"] resources: ["deployments"] resourceNames: ["istio-galley"] verbs: ["get"] - apiGroups: [""] resources: ["pods", "nodes", "services", "endpoints", "namespaces"] verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] resources: ["ingresses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["namespaces/finalizers"] 
verbs: ["update"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterroles"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-galley-admin-role-binding-istio-system labels: release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-galley-istio-system subjects: - kind: ServiceAccount name: istio-galley-service-account namespace: istio-system --- apiVersion: v1 kind: ConfigMap metadata: namespace: istio-system name: galley-envoy-config labels: app: galley istio: galley release: istio data: envoy.yaml.tmpl: |- admin: access_log_path: /dev/null address: socket_address: address: 127.0.0.1 port_value: 15000 static_resources: clusters: - name: in.9901 http2_protocol_options: {} connect_timeout: 1.000s hosts: - socket_address: address: 127.0.0.1 port_value: 9901 circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 100000 max_retries: 3 listeners: - name: "15019" address: socket_address: address: 0.0.0.0 port_value: 15019 filter_chains: - filters: - name: envoy.http_connection_manager config: codec_type: HTTP2 stat_prefix: "15010" http2_protocol_options: max_concurrent_streams: 1073741824 access_log: - name: envoy.file_access_log config: path: /dev/stdout http_filters: - name: envoy.router route_config: name: "15019" virtual_hosts: - name: istio-galley domains: - '*' routes: - match: prefix: / route: cluster: in.9901 timeout: 0.000s tls_context: common_tls_context: alpn_protocols: - h2 tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true --- apiVersion: v1 kind: ConfigMap metadata: name: istio-mesh-galley namespace: istio-system labels: 
# Tail of ConfigMap istio-mesh-galley (header on the preceding line): Galley's mesh config is empty.
    release: istio
data:
  mesh: |-
    {}
---
# Galley reads this ConfigMap (mounted at /etc/config by the Deployment below and
# passed via --validation-webhook-config-file) and reconciles the embedded
# ValidatingWebhookConfiguration into the cluster. Security-relevant settings
# inside the embedded document:
#   - caBundle is empty on disk. With --enable-reconcileWebhookConfiguration=true
#     on the Deployment, Galley presumably patches in the root cert it serves
#     with (istio.istio-galley-service-account Secret, /etc/certs); until that
#     happens the API server has no CA to verify the webhook against.
#   - failurePolicy: Fail on both webhooks: CREATE/UPDATE of the listed Istio
#     CRs is rejected whenever Galley is unreachable (fail closed). With
#     replicas: 1 below, Galley is a single point of failure for config changes.
#   - sideEffects: None declares the webhook safe to call for dry-run requests.
# The embedded document is a block-scalar string (|-): keep its content verbatim,
# including the commented-out "kuberneteses" entry.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-galley-configuration
  namespace: istio-system
  labels:
    release: istio
data:
  validatingwebhookconfiguration.yaml: |-
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: istio-galley-istio-system
      namespace: istio-system
      labels:
        app: galley
        release: istio
        istio: galley
    webhooks:
      - name: pilot.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitpilot"
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - httpapispecs
              - httpapispecbindings
              - quotaspecs
              - quotaspecbindings
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - rbac.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - security.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - authentication.istio.io
            apiVersions:
              - "*"
            resources:
              - "*"
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - networking.istio.io
            apiVersions:
              - "*"
            resources:
              - destinationrules
              - envoyfilters
              - gateways
              - serviceentries
              - sidecars
              - virtualservices
        failurePolicy: Fail
        sideEffects: None
      - name: mixer.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitmixer"
          caBundle: ""
        rules:
          - operations:
              - CREATE
              - UPDATE
            apiGroups:
              - config.istio.io
            apiVersions:
              - v1alpha2
            resources:
              - rules
              - attributemanifests
              - circonuses
              - deniers
              - fluentds
              - kubernetesenvs
              - listcheckers
              - memquotas
              - noops
              - opas
              - prometheuses
              - rbacs
              - solarwindses
              - stackdrivers
              - cloudwatches
              - dogstatsds
              - statsds
              - stdios
              - apikeys
              - authorizations
              - checknothings
              # - kuberneteses
              - listentries
              - logentries
              - metrics
              - quotas
              - reportnothings
              - tracespans
              - adapters
              - handlers
              - instances
              - templates
              - zipkins
        failurePolicy: Fail
        sideEffects: None
---
# Galley: config validation webhook (9443) and MCP config server (9901), fronted
# by an explicit istio-proxy container that terminates mTLS for MCP on 15019.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: galley
    istio: galley
    release: istio
  name: istio-galley
  namespace: istio-system
spec:
  # Single replica: see the failurePolicy/PDB notes on this component.
  replicas: 1
  selector:
    matchLabels:
      istio: galley
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # No automatic sidecar injection; the istio-proxy container is declared
        # explicitly below with its own Envoy bootstrap (galley-envoy-config).
        sidecar.istio.io/inject: "false"
      labels:
        app: galley
        chart: galley
        heritage: Tiller
        istio: galley
        release: istio
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
      # NOTE(review): neither container sets a securityContext (no runAsNonRoot,
      # readOnlyRootFilesystem or dropped capabilities). Consider adding one if
      # the galley and proxyv2 images tolerate it.
      containers:
        - command:
            - /usr/local/bin/galley
            - server
            - --meshConfigFile=/etc/mesh-config/mesh
            - --livenessProbeInterval=1s
            - --livenessProbePath=/tmp/healthliveness
            - --readinessProbePath=/tmp/healthready
            - --readinessProbeInterval=1s
            # --insecure=true: Galley's own MCP endpoint (containerPort 9901) is
            # served without TLS. mTLS for MCP clients comes from the istio-proxy
            # container: galley-envoy-config listens on 15019 with
            # require_client_certificate: true and forwards to 127.0.0.1:9901.
            # NOTE(review): 9901 is also published by the istio-galley Service as
            # grpc-mcp. Whether the plaintext port is reachable from other pods
            # depends on the address Galley binds, which this manifest does not
            # show - confirm, and point in-cluster MCP consumers at 15019.
            - --insecure=true
            - --enable-validation=true
            # Lets Galley patch caBundle into the ValidatingWebhookConfiguration
            # it installs from /etc/config (presumably; the RBAC for this is in
            # the istio-galley-istio-system ClusterRole).
            - --enable-reconcileWebhookConfiguration=true
            - --enable-server=true
            - --deployment-namespace=istio-system
            - --validation-webhook-config-file
            - /etc/config/validatingwebhookconfiguration.yaml
            - --monitoringPort=15014
            # Validation webhook listens on 9443; the Service maps 443 -> 9443.
            - --validation-port=9443
            - --log_output_level=default:info
          image: docker.io/istio/galley:1.4.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/tmp/healthliveness
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          name: galley
          ports:
            - containerPort: 9443
            - containerPort: 15014
            # 15019 is actually bound by Envoy in the istio-proxy container
            # (shared pod network namespace).
            - containerPort: 15019
            - containerPort: 9901
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/tmp/healthready
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            requests:
              cpu: 100m
          volumeMounts:
            # Workload cert/key/root-cert; read-only in both containers.
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            - mountPath: /etc/config
              name: config
              readOnly: true
            - mountPath: /etc/mesh-config
              name: mesh-config
              readOnly: true
        - args:
            - proxy
            - --serviceCluster
            - istio-galley
            # Custom Envoy bootstrap: the mTLS front for MCP (see galley-envoy-config).
            - --templateFile
            - /var/lib/istio/galley/envoy/envoy.yaml.tmpl
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --trust-domain=cluster.local
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            # SDS off: certificates come from the istio-certs Secret mount, not
            # from a node agent.
            - name: SDS_ENABLED
              value: "false"
          image: docker.io/istio/proxyv2:1.4.5
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 9902
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - mountPath: /var/lib/istio/galley/envoy
              name: envoy-config
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
      serviceAccountName: istio-galley-service-account
      volumes:
        # Not marked optional: the pod will not start without the cert Secret,
        # which is the safer behaviour for a component that requires mTLS.
        - name: istio-certs
          secret:
            secretName: istio.istio-galley-service-account
        - configMap:
            name: galley-envoy-config
          name: envoy-config
        - configMap:
            name: istio-galley-configuration
          name: config
        - configMap:
            name: istio-mesh-galley
          name: mesh-config
---
# NOTE(review): minAvailable: 1 with replicas: 1 on the Deployment means the
# only Galley pod can never be voluntarily evicted - node drains will block on
# it. Either raise replicas or accept that drains need --disable-eviction.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    release: istio
    istio: galley
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: galley
      release: istio
      istio: galley
---
apiVersion: v1
kind: Service
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    istio: galley
    release: istio
spec:
  ports:
    # 443 -> 9443: HTTPS validation webhook endpoint called by the API server.
    - port: 443
      name: https-validation
      targetPort: 9443
    # Galley self-monitoring, plain HTTP, cluster-internal.
    - port: 15014
      name: http-monitoring
    # Plaintext MCP (see --insecure=true on the Deployment). NOTE(review):
    # consider dropping this from the Service if all consumers use 15019.
    - port: 9901
      name: grpc-mcp
    # MCP behind the Envoy mTLS listener (client certificate required).
    - port: 15019
      name: grpc-tls-mcp
  selector:
    istio: galley
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-galley-service-account
  namespace: istio-system
  labels:
    app: galley
    release: istio
---
# Grafana component is
# disabled.
# Resources for IngressGateway component
# Autoscales the gateway between 1 and 5 replicas on CPU. NOTE(review): the
# PodDisruptionBudget below requires minAvailable: 1, so while scaled to one
# replica the single gateway pod cannot be voluntarily evicted (drains block).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
    - resource:
        name: cpu
        targetAverageUtilization: 80
      type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
---
# Ingress gateway: an Envoy "router" proxy at the edge of the mesh. This is the
# internet-facing component (see the LoadBalancer Service below), so the ports
# it declares and the Secrets it depends on deserve scrutiny.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: istio-system
spec:
  # No replicas field: replica count is owned by the HPA above.
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # The gateway *is* the proxy; no sidecar is injected around it.
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Tiller
        istio: ingressgateway
        release: istio
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
      # NOTE(review): no securityContext on the container (no runAsNonRoot /
      # readOnlyRootFilesystem / dropped capabilities) for an internet-facing
      # proxy; consider adding one if the proxyv2 image tolerates it.
      containers:
        - args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --proxyLogLevel=warning
            - --proxyComponentLogLevel=misc:error
            - --log_output_level=default:info
            - --drainDuration
            - 45s
            - --parentShutdownDuration
            - 1m0s
            - --connectTimeout
            - 10s
            - --serviceCluster
            - istio-ingressgateway
            - --zipkinAddress
            - zipkin.istio-system:9411
            # Envoy admin port. Not declared as a containerPort or Service port.
            # NOTE(review): the bind address is not visible in this manifest -
            # confirm it is loopback-only, as the admin API is unauthenticated.
            - --proxyAdminPort
            - "15000"
            # pilot-agent status endpoint (health + metrics). Probed below at
            # /healthz/ready over plain HTTP and also published on the
            # LoadBalancer Service (see the NOTE there).
            - --statusPort
            - "15020"
            # xDS to Pilot over mTLS using the client cert mounted at /etc/certs.
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --discoveryAddress
            - istio-pilot.istio-system:15011
            - --trust-domain=cluster.local
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_WORKLOAD_NAME
              value: istio-ingressgateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
            - name: ISTIO_META_MESH_ID
              value: cluster.local
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat
            - name: ISTIO_METAJSON_LABELS
              value: |
                {"app":"istio-ingressgateway","istio":"ingressgateway"}
            - name: ISTIO_META_CLUSTER_ID
              value: Kubernetes
            # SDS off: all certificates come from the Secret mounts below.
            - name: SDS_ENABLED
              value: "false"
          image: docker.io/istio/proxyv2:1.4.5
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 15020
            - containerPort: 80
            - containerPort: 443
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            # 15011 (pilot), 8060 (citadel) and 853 (DNS-over-TLS) correspond to
            # the meshExpansionPorts in the injector values ConfigMap, where
            # meshExpansion.enabled is false. They are declared on the container
            # but not published by the istio-ingressgateway Service below.
            - containerPort: 15011
            - containerPort: 8060
            - containerPort: 853
            - containerPort: 15090
              name: http-envoy-prom
              protocol: TCP
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            # Mesh identity (client cert for Pilot / mTLS to backends).
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            # Server cert/key for Gateway TLS servers (none defined in this file).
            - mountPath: /etc/istio/ingressgateway-certs
              name: ingressgateway-certs
              readOnly: true
            # CA bundle for Gateway servers that require client certs.
            - mountPath: /etc/istio/ingressgateway-ca-certs
              name: ingressgateway-ca-certs
              readOnly: true
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
        # All three Secrets are optional: the pod starts even if they are absent.
        # Without istio.istio-ingressgateway-service-account there is no client
        # cert for the MUTUAL_TLS connection to Pilot; without
        # istio-ingressgateway-certs there is no server cert for HTTPS servers.
        # NOTE(review): confirm the Secrets exist in istio-system - with
        # SDS_ENABLED "false" nothing else supplies them, and a missing mount
        # fails late (at connection time) rather than at scheduling.
        - name: istio-certs
          secret:
            optional: true
            secretName: istio.istio-ingressgateway-service-account
        - name: ingressgateway-certs
          secret:
            optional: true
            secretName: istio-ingressgateway-certs
        - name: ingressgateway-ca-certs
          secret:
            optional: true
            secretName: istio-ingressgateway-ca-certs
---
# Default Gateway: a single plaintext HTTP server on port 80 bound to every
# hostname ("*"). No TLS server is defined here, so nothing terminates TLS on
# the Service's 443 port unless another Gateway adds one. NOTE(review): a
# wildcard host on a plaintext listener means any VirtualService bound to this
# gateway answers for every Host header; narrow hosts, and add an HTTPS server
# (with httpsRedirect on this one) once istio-ingressgateway-certs is provisioned.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-system
  labels:
    release: istio
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
    # Additional ports in gateway for the ingressPorts - apps using dedicated port instead of hostname
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    release: istio
    istio: ingressgateway
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: istio-ingressgateway
      release: istio
      istio: ingressgateway
---
# type: LoadBalancer publishes every port below outside the cluster.
# NOTE(review):
#   - status-port 15020 is pilot-agent's health/metrics endpoint (plain HTTP,
#     see the readinessProbe above); it rarely needs external reachability.
#   - 15029-15032 (kiali/prometheus/grafana/tracing) and 15443 (tls) are
#     published although the Gateway above only defines port 80. Whether Envoy
#     answers on them depends on Gateway/VirtualService config not in this
#     file; unused ports should be removed rather than left open on the LB.
#   - annotations is empty and no loadBalancerSourceRanges is set. Consider
#     restricting source ranges, or an internal-LB annotation, for any port
#     that is not meant to be public.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    app: istio-ingressgateway
    release: istio
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
    - name: kiali
      port: 15029
      targetPort: 15029
    - name: prometheus
      port: 15030
      targetPort: 15030
    - name: grafana
      port: 15031
      targetPort: 15031
    - name: tracing
      port: 15032
      targetPort: 15032
    - name: tls
      port: 15443
      targetPort: 15443
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingressgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    release: istio
---
# Sidecar scope for istio-system: proxies here may reach every service in every
# namespace ("*/*"), i.e. no egress narrowing at all. NOTE(review): if
# istio-system is the mesh's root config namespace this acts as the mesh-wide
# default - confirm, and narrow it for workloads that do not need cluster-wide
# reachability (smaller egress scope also shrinks each proxy's config).
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: istio-system
  labels:
    release: istio
spec:
  egress:
    - hosts:
        - "*/*"
---
# Resources for Injector component
apiVersion: rbac.authorization.k8s.io/v1
kind:
ClusterRole metadata: name: istio-sidecar-injector-istio-system labels: app: sidecar-injector release: istio istio: sidecar-injector rules: - apiGroups: [""] resources: ["configmaps"] resourceNames: ["istio-sidecar-injector"] verbs: ["get", "list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations"] resourceNames: ["istio-sidecar-injector", "istio-sidecar-injector-istio-system"] verbs: ["get", "list", "watch", "patch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-sidecar-injector-admin-role-binding-istio-system labels: app: sidecar-injector release: istio istio: sidecar-injector roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-sidecar-injector-istio-system subjects: - kind: ServiceAccount name: istio-sidecar-injector-service-account namespace: istio-system --- apiVersion: v1 kind: ConfigMap metadata: name: injector-mesh namespace: istio-system labels: release: istio data: # This is the 'mesh' config, loaded by the sidecar injector. # It is a different configmap from pilot to allow a-la-carte install of the injector and follow the model # of reducing blast-radius of config changes and avoiding globals. # Note that injector uses a subset of the mesh config only - for clarity this is only generating the # required config, i.e. the defaultConfig section. See injection-template .ProxyConfig settings. mesh: |- # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. sdsUdsPath: "" defaultConfig: # # TCP connection timeout between Envoy & the application, and between Envoys. connectTimeout: 10s # ### ADVANCED SETTINGS ############# # Where should envoy's configuration be stored in the istio-proxy container configPath: "/etc/istio/proxy" # The pseudo service name used for Envoy. 
serviceCluster: istio-proxy # These settings that determine how long an old Envoy # process should be kept alive after an occasional reload. drainDuration: 45s parentShutdownDuration: 1m0s # # Port where Envoy listens (on local host) for admin commands # You can exec into the istio-proxy container in a pod and # curl the admin port (curl http://localhost:15000/) to obtain # diagnostic information from Envoy. See # https://lyft.github.io/envoy/docs/operations/admin.html # for more details proxyAdminPort: 15000 # # Set concurrency to a specific number to control the number of Proxy worker threads. # If set to 0 (default), then start worker thread for each CPU thread/core. concurrency: 2 # tracing: zipkin: # Address of the Zipkin collector address: zipkin.istio-system:9411 # # Mutual TLS authentication between sidecars and istio control plane. controlPlaneAuthPolicy: MUTUAL_TLS # # Address where istio Pilot service is running discoveryAddress: istio-pilot.istio-system:15011 --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: sidecarInjectorWebhook istio: sidecar-injector release: istio name: istio-sidecar-injector namespace: istio-system spec: replicas: 1 selector: matchLabels: istio: sidecar-injector strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: sidecarInjectorWebhook chart: sidecarInjectorWebhook heritage: Tiller istio: sidecar-injector release: istio spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x weight: 2 requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In 
values: - amd64 - ppc64le - s390x containers: - args: - --caCertFile=/etc/istio/certs/root-cert.pem - --tlsCertFile=/etc/istio/certs/cert-chain.pem - --tlsKeyFile=/etc/istio/certs/key.pem - --injectConfig=/etc/istio/inject/config - --meshConfig=/etc/istio/config/mesh - --port=9443 - --healthCheckInterval=2s - --healthCheckFile=/tmp/health - --reconcileWebhookConfig=true - --webhookConfigName=istio-sidecar-injector - --log_output_level=debug image: docker.io/istio/sidecar_injector:1.4.5 imagePullPolicy: IfNotPresent livenessProbe: exec: command: - /usr/local/bin/sidecar-injector - probe - --probe-path=/tmp/health - --interval=4s initialDelaySeconds: 4 periodSeconds: 4 name: sidecar-injector-webhook readinessProbe: exec: command: - /usr/local/bin/sidecar-injector - probe - --probe-path=/tmp/health - --interval=4s initialDelaySeconds: 4 periodSeconds: 4 resources: requests: cpu: 10m volumeMounts: - mountPath: /etc/istio/config name: config-volume readOnly: true - mountPath: /etc/istio/certs name: certs readOnly: true - mountPath: /etc/istio/inject name: inject-config readOnly: true serviceAccountName: istio-sidecar-injector-service-account volumes: - configMap: name: injector-mesh name: config-volume - name: certs secret: secretName: istio.istio-sidecar-injector-service-account - configMap: items: - key: config path: config - key: values path: values name: istio-sidecar-injector name: inject-config --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector labels: app: sidecar-injector release: istio webhooks: - name: sidecar-injector.istio.io clientConfig: service: name: istio-sidecar-injector namespace: istio-system path: "/inject" caBundle: "" rules: - operations: [ "CREATE" ] apiGroups: [""] apiVersions: ["v1"] resources: ["pods"] failurePolicy: Fail namespaceSelector: matchLabels: istio-injection: enabled --- apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: 
istio-sidecar-injector namespace: istio-system labels: app: sidecar-injector release: istio istio: sidecar-injector spec: minAvailable: 1 selector: matchLabels: app: sidecar-injector release: istio istio: sidecar-injector --- apiVersion: v1 kind: Service metadata: name: istio-sidecar-injector namespace: istio-system labels: app: sidecarInjectorWebhook release: istio istio: sidecar-injector spec: ports: - port: 443 targetPort: 9443 selector: istio: sidecar-injector --- apiVersion: v1 kind: ServiceAccount metadata: name: istio-sidecar-injector-service-account namespace: istio-system labels: app: sidecarInjectorWebhook release: istio istio: sidecar-injector --- apiVersion: v1 kind: ConfigMap metadata: name: istio-sidecar-injector namespace: istio-system labels: release: istio app: sidecar-injector istio: sidecar-injector data: values: |- {"certmanager":{"enabled":false,"hub":"quay.io/jetstack","image":"cert-manager-controller","namespace":"istio-system","tag":"v0.6.2"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":true,"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"namespace":"istio-system","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP","zvpn":{"enabled":true,"suffix":"global"}},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"debug":"info","domain":"","enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"ta
rgetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"namespace":"istio-system","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"type":"LoadBalancer","zvpn":{"enabled":true,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshNetworks":{},"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"policyNamespace":"istio-system
","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"securityNamespace":"istio-system","tag":"1.4.5","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"cluster.local","useMCP":true},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":false,"env":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.4.3"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSelector":{},"persist":false,"po
dAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":false,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.9"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":false,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":true,"enabled":true,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":true,"enabled":true,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"tolerations":[],"useMCP":true}},"nodeagen
t":{"enabled":false,"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"OFF","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1,"useMCP":true},"prometheus":{"contextPath":"/prometheus","enabled":true,"hub":"docker.io/prom","ingress":{"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.12.0","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":true,"image":"citadel","namespace":"istio-system","selfSigned":true,"trustDomain":"cluster.local"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnotations":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":true},"v2":{"enabled"
:false,"prometheus":{"enabled":true},"stackdriver":{"configOverride":{},"enabled":false,"logging":false,"monitoring":false,"topology":false}}},"tracing":{"enabled":false,"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":false,"hub":"docker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.14"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""} config: |- policy: enabled alwaysInjectSelector: [] neverInjectSelector: [] template: | {{- $cniDisabled := (not .Values.istio_cni.enabled) }} {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }} {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }} rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} {{- if $enableInitContainer }} initContainers: {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} {{ if $cniRepairEnabled -}} - name: istio-validation {{ else -}} - name: istio-init {{ end -}} {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} 
command: {{- if $cniRepairEnabled }} - istio-iptables-go {{- else }} - istio-iptables {{- end }} - "-p" - "15001" - "-z" - "15006" - "-u" - 1337 - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - "-x" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - "-b" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" - "-d" - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - "-o" - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" {{ end -}} {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - "-k" - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" {{ end -}} {{ if $cniRepairEnabled -}} - "--run-validation" - "--skip-rule-apply" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{- if .Values.global.proxy_init.resources }} resources: {{ toYaml .Values.global.proxy_init.resources | indent 4 }} {{- else }} resources: {} {{- end }} securityContext: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: {{- if not $cniRepairEnabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL readOnlyRootFilesystem: false {{- if not $cniRepairEnabled }} runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{- else }} 
runAsGroup: 1337 runAsUser: 1337 runAsNonRoot: true {{- end }} restartPolicy: Always {{ end -}} {{- if eq .Values.global.proxy.enableCoreDump true }} - name: enable-core-dump args: - -c - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited command: - /bin/sh {{- if contains "/" .Values.global.proxy_init.image }} image: "{{ .Values.global.proxy_init.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" resources: {} securityContext: allowPrivilegeEscalation: true capabilities: add: - SYS_ADMIN drop: - ALL privileged: true readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 {{ end }} {{ end }} containers: - name: istio-proxy {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{- end }} ports: - containerPort: 15090 protocol: TCP name: http-envoy-prom args: - proxy - sidecar - --domain - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - --configPath - "/etc/istio/proxy" - --binaryPath - "/usr/local/bin/envoy" - --serviceCluster {{ if ne "" (index .ObjectMeta.Labels "app") -}} - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" {{ else -}} - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" {{ end -}} - --drainDuration - "{{ formatDuration .ProxyConfig.DrainDuration }}" - --parentShutdownDuration - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" - --discoveryAddress - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" {{- if eq .Values.global.proxy.tracer "lightstep" }} - 
--lightstepAddress - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" - --lightstepAccessToken - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} - --lightstepCacertPath - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" {{- else if eq .Values.global.proxy.tracer "zipkin" }} - --zipkinAddress - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" {{- else if eq .Values.global.proxy.tracer "datadog" }} - --datadogAgentAddress - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" {{- end }} - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}} - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}} - --connectTimeout - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" {{- if .Values.global.proxy.envoyStatsd.enabled }} - --statsdUdpAddress - "{{ .ProxyConfig.StatsdUdpAddress }}" {{- end }} {{- if .Values.global.proxy.envoyMetricsService.enabled }} - --envoyMetricsServiceAddress - "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}" {{- end }} {{- if .Values.global.proxy.envoyAccessLogService.enabled }} - --envoyAccessLogServiceAddress - "{{ .ProxyConfig.GetEnvoyAccessLogService.GetAddress }}" {{- end }} - --proxyAdminPort - "{{ .ProxyConfig.ProxyAdminPort }}" {{ if gt .ProxyConfig.Concurrency 0 -}} - --concurrency - "{{ .ProxyConfig.Concurrency }}" {{ end -}} {{- if .Values.global.controlPlaneSecurityEnabled }} - --controlPlaneAuthPolicy - MUTUAL_TLS {{- else }} - --controlPlaneAuthPolicy - NONE {{- end }} - --dnsRefreshRate - {{ valueOrDefault .Values.global.proxy.dnsRefreshRate "300s" }} {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }} - --statusPort - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" - --applicationPorts - "{{ annotation 
.ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" {{- end }} {{- if .Values.global.trustDomain }} - --trust-domain={{ .Values.global.trustDomain }} {{- end }} {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - --templateFile=/etc/istio/custom-bootstrap/envoy_bootstrap.json {{- end }} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} {{- end }} env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: HOST_IP valueFrom: fieldRef: fieldPath: status.hostIP {{- if eq .Values.global.proxy.tracer "datadog" }} {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} {{- end }} - name: ISTIO_META_POD_PORTS value: |- [ {{- $first := true }} {{- range $index1, $c := .Spec.Containers }} {{- range $index2, $p := $c.Ports }} {{- if (structToJSON $p) }} {{if not $first}},{{end}}{{ structToJSON $p }} {{- $first = false }} {{- end }} {{- end}} {{- end}} ] - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - name: ISTIO_META_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: ISTIO_META_CONFIG_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: SDS_ENABLED value: "{{ .Values.global.sds.enabled }}" - name: ISTIO_META_INTERCEPTION_MODE value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - name: ISTIO_META_INCLUDE_INBOUND_PORTS value: 
"{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" {{- if .Values.global.network }} - name: ISTIO_META_NETWORK value: "{{ .Values.global.network }}" {{- end }} {{ if .ObjectMeta.Annotations }} - name: ISTIO_METAJSON_ANNOTATIONS value: | {{ toJSON .ObjectMeta.Annotations }} {{ end }} {{ if .ObjectMeta.Labels }} - name: ISTIO_METAJSON_LABELS value: | {{ toJSON .ObjectMeta.Labels }} {{ end }} {{- if .DeploymentMeta.Name }} - name: ISTIO_META_WORKLOAD_NAME value: {{ .DeploymentMeta.Name }} {{ end }} {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - name: ISTIO_META_OWNER value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} {{- end}} {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: ISTIO_BOOTSTRAP_OVERRIDE value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" {{- end }} {{- if .Values.global.sds.customTokenDirectory }} - name: ISTIO_META_SDS_TOKEN_PATH value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" {{- end }} {{- if .Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.meshID }}" {{- else if .Values.global.trustDomain }} - name: ISTIO_META_MESH_ID value: "{{ .Values.global.trustDomain }}" {{- end }} {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - name: {{ $key }} value: "{{ $value }}" {{- end }} {{- end }} imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: path: /healthz/ready port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} 
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
# Security context of the injected sidecar. Two shapes are rendered, selected by
# the pod's sidecar.istio.io/interceptionMode annotation (falling back to
# ProxyConfig.InterceptionMode): TPROXY runs the proxy as uid 0 with NET_ADMIN
# added; every other mode runs it as uid/gid 1337, non-root, with all
# capabilities dropped.
securityContext:
  # Both privilege fields follow the same mesh-wide value, so setting
  # global.proxy.privileged=true also permits privilege escalation.
  allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
  capabilities:
    {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
    # NET_ADMIN is only granted for TPROXY interception.
    add:
    - NET_ADMIN
    {{- end }}
    drop:
    - ALL
  privileged: {{ .Values.global.proxy.privileged }}
  # Inverse of global.proxy.enableCoreDump: enabling core dumps makes the
  # sidecar's root filesystem writable.
  readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
  runAsGroup: 1337
  {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
  # TPROXY mode: the proxy process runs as root.
  runAsNonRoot: false
  runAsUser: 0
  {{- else -}}
  runAsNonRoot: true
  runAsUser: 1337
  {{- end }}
resources:
  # Per-pod overrides come from the pod's own annotations
  # (sidecar.istio.io/proxyCPU, sidecar.istio.io/proxyMemory) and take
  # precedence over global.proxy.resources. The annotation path sets requests
  # only, so any limits in global.proxy.resources do not apply in that case.
  {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
  requests:
    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
    cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
    {{ end}}
    {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
    memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
    {{ end }}
  {{ else -}}
  {{- if .Values.global.proxy.resources }}
    {{ toYaml .Values.global.proxy.resources | indent 4 }}
  {{- end }}
  {{ end -}}
volumeMounts:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
# Custom Envoy bootstrap supplied by the workload through the
# sidecar.istio.io/bootstrapOverride annotation.
- mountPath: /etc/istio/custom-bootstrap
  name: custom-bootstrap-volume
{{- end }}
- mountPath: /etc/istio/proxy
  name: istio-envoy
{{- if .Values.global.sds.enabled }}
# SDS mode: the proxy talks to the SDS socket under /var/run/sds (read-only
# mount of the sds-uds-path volume declared under volumes later in the
# template) and presents the projected token mounted under /var/run/secrets/tokens.
- mountPath: /var/run/sds
  name: sds-uds-path
  readOnly: true
- mountPath: /var/run/secrets/tokens
name: istio-token {{- if .Values.global.sds.customTokenDirectory }} - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" name: custom-sds-token readOnly: true {{- end }} {{- else }} - mountPath: /etc/certs/ name: istio-certs readOnly: true {{- end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} name: lightstep-certs readOnly: true {{- end }} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - name: "{{ $index }}" {{ toYaml $value | indent 4 }} {{ end }} {{- end }} volumes: {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - name: custom-bootstrap-volume configMap: name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} {{- end }} - emptyDir: medium: Memory name: istio-envoy {{- if .Values.global.sds.enabled }} - name: sds-uds-path hostPath: path: /var/run/sds - name: istio-token projected: sources: - serviceAccountToken: path: istio-token expirationSeconds: 43200 audience: {{ .Values.global.sds.token.aud }} {{- if .Values.global.sds.customTokenDirectory }} - name: custom-sds-token secret: secretName: sdstokensecret {{- end }} {{- else }} - name: istio-certs secret: optional: true {{ if eq .Spec.ServiceAccountName "" }} secretName: istio.default {{ else -}} secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} {{ end -}} {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - name: "{{ $index }}" {{ toYaml $value | indent 2 }} {{ end }} {{ end }} {{- end }} {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} - name: lightstep-certs secret: optional: true secretName: 
lightstep.cacert
{{- end }}
{{- if .Values.global.podDNSSearchNamespaces }}
dnsConfig:
  searches:
  {{- range .Values.global.podDNSSearchNamespaces }}
  - {{ render . }}
  {{- end }}
{{- end }}
injectedAnnotations:
---
# Kiali component is disabled.
# NodeAgent component is disabled.
# Resources for Pilot component
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: pilot
    release: istio
  name: istio-pilot
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-pilot
---
# Cluster-wide permissions granted to the Pilot service account (bound by the
# ClusterRoleBinding that follows). A "*" verb list includes create, update,
# patch and delete; the per-rule comments spell out what each grant amounts to.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    release: istio
rules:
# Full read/write on Mixer config CRs.
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["*"]
# rbac.istio.io and security.istio.io resources are read-only for Pilot.
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["security.istio.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
# Full read/write on networking and authentication CRs.
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["*"]
# Pilot may create, modify and delete CustomResourceDefinitions.
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses", "ingresses/status"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "get", "list", "watch", "update"]
# Read access to every Secret in the cluster: this is a ClusterRole, so the
# grant is not limited to istio-system.
- apiGroups: [""]
  resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
  verbs: ["get", "list", "watch"]
# Write access to Secrets as well, including delete.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "watch", "list", "update", "delete"]
# CSR handling including the "approval" subresource; presumably used for the
# Chiron DNS certificate provisioning mentioned in the mesh config.
- apiGroups: ["certificates.k8s.io"]
  resources:
  - "certificatesigningrequests"
  - "certificatesigningrequests/approval"
  - "certificatesigningrequests/status"
  verbs: ["update", "create", "get", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    release:
istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-pilot-istio-system subjects: - kind: ServiceAccount name: istio-pilot-service-account namespace: istio-system --- apiVersion: v1 kind: ConfigMap metadata: namespace: istio-system name: pilot-envoy-config labels: release: istio data: envoy.yaml.tmpl: |- admin: access_log_path: /dev/null address: socket_address: address: 127.0.0.1 port_value: 15000 static_resources: clusters: - name: in.15010 http2_protocol_options: {} connect_timeout: 1.000s hosts: - socket_address: address: 127.0.0.1 port_value: 15010 circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 100000 max_retries: 3 # TODO: telemetry using EDS # TODO: other pilots using EDS, load balancing # TODO: galley using EDS - name: out.galley.15019 http2_protocol_options: {} connect_timeout: 1.000s type: STRICT_DNS circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 100000 max_retries: 3 hosts: - socket_address: address: istio-galley.istio-system port_value: 15019 tls_context: common_tls_context: tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem verify_subject_alt_name: - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account listeners: - name: "in.15011" address: socket_address: address: 0.0.0.0 port_value: 15011 filter_chains: - filters: - name: envoy.http_connection_manager #typed_config #"@type": "type.googleapis.com/", config: codec_type: HTTP2 stat_prefix: "15011" http2_protocol_options: max_concurrent_streams: 1073741824 access_log: - name: envoy.file_access_log config: path: /dev/stdout http_filters: - name: envoy.router route_config: name: "15011" virtual_hosts: - name: istio-pilot domains: - '*' routes: - match: prefix: / route: cluster: in.15010 timeout: 0.000s decorator: operation: xDS 
tls_context: common_tls_context: alpn_protocols: - h2 tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true # Manual 'whitebox' mode - name: "local.15019" address: socket_address: address: 127.0.0.1 port_value: 15019 filter_chains: - filters: - name: envoy.http_connection_manager config: codec_type: HTTP2 stat_prefix: "15019" http2_protocol_options: max_concurrent_streams: 1073741824 access_log: - name: envoy.file_access_log config: path: /dev/stdout http_filters: - name: envoy.router route_config: name: "15019" virtual_hosts: - name: istio-galley domains: - '*' routes: - match: prefix: / route: cluster: out.galley.15019 timeout: 0.000s --- apiVersion: v1 kind: ConfigMap metadata: name: istio namespace: istio-system labels: release: istio data: meshNetworks: |- # Network config networks: {} values.yaml: |- appNamespaces: [] autoscaleEnabled: true autoscaleMax: 5 autoscaleMin: 1 configMap: true configNamespace: istio-config cpu: targetAverageUtilization: 80 enableProtocolSniffingForInbound: false enableProtocolSniffingForOutbound: true enabled: true env: {} image: pilot ingress: ingressClass: istio ingressControllerMode: "OFF" ingressService: istio-ingressgateway keepaliveMaxServerConnectionAge: 30m meshNetworks: networks: {} namespace: istio-system nodeSelector: {} plugins: [] podAnnotations: {} podAntiAffinityLabelSelector: [] podAntiAffinityTermLabelSelector: [] policy: enabled: false replicaCount: 1 resources: requests: cpu: 500m memory: 2048Mi rollingMaxSurge: 100% rollingMaxUnavailable: 25% tolerations: [] traceSampling: 1 useMCP: true mesh: |- # Set enableTracing to false to disable request tracing. enableTracing: true # Set accessLogFile to empty string to disable access log. 
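accessLogFile: ""
accessLogFormat: ""
accessLogEncoding: 'TEXT'
enableEnvoyAccessLogService: false
mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
# Default is false which means the traffic is denied when the client is unable to connect to Mixer.
# This setting only has an effect while policy checks are performed (see disablePolicyChecks below).
policyCheckFailOpen: false
# reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
reportBatchMaxEntries: 100
# reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
reportBatchMaxTime: 1s
disableMixerHttpReports: false
# Mixer policy checks are off: requests are not evaluated against Mixer policy,
# so mixerCheckServer and policyCheckFailOpen are inactive with this value.
disablePolicyChecks: true
# Automatic protocol detection uses a set of heuristics to
# determine whether the connection is using TLS or not (on the
# server side), as well as the application protocol being used
# (e.g., http vs tcp). These heuristics rely on the client sending
# the first bits of data. For server-first protocols like MySQL,
# MongoDB, etc., Envoy will time out on the protocol detection after
# the specified period, defaulting to non-mTLS plain TCP
# traffic. Set this field to tweak the period that Envoy will wait
# for the client to send the first bits of data. (MUST BE >=1ms)
protocolDetectionTimeout: 100ms
# This is the k8s ingress service name, update if you used a different name
ingressService: "istio-ingressgateway"
ingressControllerMode: "OFF"
ingressClass: "istio"
# The trust domain corresponds to the trust root of a system.
# Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
trustDomain: "cluster.local"
# The trust domain aliases represent the aliases of trust_domain.
# For example, if we have
# trustDomain: td1
# trustDomainAliases: ["td2", "td3"]
# Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
# or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
# Every alias listed here is accepted as equivalent to trustDomain when peer
# identities are compared, so only list trust roots you control.
# Written as an explicit empty list; a bare key would be read as null by YAML.
trustDomainAliases: []
# Set expected values when SDS is disabled
# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
sdsUdsPath: ""
# This flag is used by secret discovery service (SDS).
# If set to true (prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject a volume mount
# for the k8s service account JWT, so that the K8s API server mounts the k8s service account JWT into the envoy container, which
# will be used to generate key/cert eventually. This isn't supported for the non-k8s case.
enableSdsTokenMount: false
# This flag is used by secret discovery service (SDS).
# If set to true, envoy will fetch the normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
# (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
# and pass it to the sds server, which will be used to request key/cert eventually.
# This flag is ignored if enableSdsTokenMount is set.
# This isn't supported for the non-k8s case.
sdsUseK8sSaJwt: false
# If true, automatically configure client side mTLS settings to match the corresponding service's
# server side mTLS authentication policy, when destination rule for that service does not specify
# TLS settings.
# With this off, a client only originates mTLS where a DestinationRule says so.
enableAutoMtls: false
# MCP config source. localhost:15019 is the loopback local.15019 listener of the
# istio-proxy container in the Pilot pod (see the pilot-envoy-config ConfigMap);
# that listener forwards to Galley over mTLS, so only the in-pod hop is plaintext.
config_sources:
- address: localhost:15019
# ALLOW_ANY lets traffic to hosts outside the service registry pass through
# (the alternative is REGISTRY_ONLY).
outboundTrafficPolicy:
  mode: ALLOW_ANY
localityLbSetting:
  enabled: true
# Configures DNS certificates provisioned through Chiron linked into Pilot.
# The DNS certificate provisioning is enabled by default now so it gets tested.
# TODO (lei-tang): we'll decide whether to enable it by default or not before Istio 1.4 Release.
certificates: []
defaultConfig:
  #
  # TCP connection timeout between Envoy & the application, and between Envoys.
  connectTimeout: 10s
  #
  ### ADVANCED SETTINGS #############
  # Where should envoy's configuration be stored in the istio-proxy container
  configPath: "/etc/istio/proxy"
  # The pseudo service name used for Envoy.
  serviceCluster: istio-proxy
  # These settings determine how long an old Envoy
  # process should be kept alive after an occasional reload.
  drainDuration: 45s
  parentShutdownDuration: 1m0s
  #
  # Port where Envoy listens (on local host) for admin commands
  # You can exec into the istio-proxy container in a pod and
  # curl the admin port (curl http://localhost:15000/) to obtain
  # diagnostic information from Envoy. See
  # https://lyft.github.io/envoy/docs/operations/admin.html
  # for more details
  proxyAdminPort: 15000
  #
  # Set concurrency to a specific number to control the number of Proxy worker threads.
  # If set to 0 (default), then start worker thread for each CPU thread/core.
  concurrency: 2
  #
  tracing:
    zipkin:
      # Address of the Zipkin collector
      address: zipkin.istio-system:9411
  #
  # Mutual TLS authentication between sidecars and istio control plane.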
controlPlaneAuthPolicy: MUTUAL_TLS
#
# Address where istio Pilot service is running
discoveryAddress: istio-pilot.istio-system:15011
---
# Pilot runs as two containers: "discovery" (Pilot itself, gRPC xDS on 15010 and
# legacy HTTP on 8080) and an explicit "istio-proxy" that owns port 15011 and
# terminates mTLS in front of it. Automatic sidecar injection is turned off for
# this pod through the sidecar.istio.io/inject annotation.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: pilot
    istio: pilot
    release: istio
  name: istio-pilot
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: pilot
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: pilot
        chart: pilot
        heritage: Tiller
        istio: pilot
        release: istio
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - discovery
        - --monitoringAddr=:15014
        - --log_output_level=default:info
        - --domain
        - cluster.local
        # Empty secureGrpcAddr: the discovery container serves no TLS endpoint of
        # its own; the mTLS-protected port 15011 is provided by the istio-proxy
        # container below.
        - --secureGrpcAddr
        - ""
        - --trust-domain=cluster.local
        - --keepaliveMaxServerConnectionAge
        - 30m
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: PILOT_TRACE_SAMPLING
          value: "1"
        - name: CONFIG_NAMESPACE
          value: istio-config
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
          value: "true"
        - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
          value: "false"
        image: docker.io/istio/pilot:1.4.5
        imagePullPolicy: IfNotPresent
        name: discovery
        ports:
        - containerPort: 8080
        - containerPort: 15010
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 30
          timeoutSeconds: 5
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
      # Front proxy for Pilot: serves 15011 from the Envoy template in the
      # pilot-envoy-config ConfigMap (that listener requires client certificates)
      # and reads its own identity from the istio-certs secret mounted read-only
      # at /etc/certs. SDS is disabled for this container.
      - args:
        - proxy
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --serviceCluster
        - istio-pilot
        - --templateFile
        - /var/lib/envoy/envoy.yaml.tmpl
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        - --trust-domain=cluster.local
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: SDS_ENABLED
          value: "false"
        image: docker.io/istio/proxyv2:1.4.5
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15011
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        volumeMounts:
        - mountPath: /var/lib/envoy
          name: pilot-envoy-config
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
      serviceAccountName: istio-pilot-service-account
      volumes:
      # optional: true lets the pod start even when the certificate secret is
      # missing; the proxy's mTLS listener would then have no certificate to serve.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-pilot-service-account
      - configMap:
          name: istio
        name: config-volume
      - configMap:
          name: pilot-envoy-config
        name: pilot-envoy-config
---
# Mesh-wide default peer authentication. PERMISSIVE means workloads accept both
# mTLS and plaintext connections; STRICT rejects plaintext and is the mode to
# move to once every client in the mesh is mTLS-capable.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    release: istio
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    release: istio
    istio: pilot
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: pilot
      release: istio
      istio: pilot
---
apiVersion: v1
kind: Service
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    release: istio
    istio: pilot
spec:
  ports:
  # "direct" ports reach the discovery container itself and bypass the
  # istio-proxy container; only 15011 sits behind the mTLS listener.
  - port: 15010
    name: grpc-xds # direct
  - port: 15011
    name: https-xds # mTLS
  - port: 8080
    name: http-legacy-discovery # direct
  - port: 15014
    name: http-monitoring
  selector:
    istio: pilot
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-pilot-service-account
  namespace: istio-system
  labels:
    app: pilot
    release: istio
---
# Resources
for Policy component apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: labels: app: mixer release: istio name: istio-policy namespace: istio-system spec: maxReplicas: 5 metrics: - resource: name: cpu targetAverageUtilization: 80 type: Resource minReplicas: 1 scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: istio-policy --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: istio-policy labels: release: istio app: istio-policy rules: - apiGroups: ["config.istio.io"] # istio CRD watcher resources: ["*"] verbs: ["create", "get", "list", "watch", "patch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] verbs: ["get", "list", "watch"] - apiGroups: ["extensions", "apps"] resources: ["replicasets"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: istio-policy-admin-role-binding-istio-system labels: app: istio-policy release: istio roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-policy subjects: - kind: ServiceAccount name: istio-policy-service-account namespace: istio-system --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-policy namespace: istio-system labels: app: istio-policy release: istio spec: host: istio-policy.istio-system.svc.cluster.local trafficPolicy: portLevelSettings: - port: number: 15004 # grpc-mixer-mtls tls: mode: ISTIO_MUTUAL - port: number: 9091 # grpc-mixer tls: mode: DISABLE connectionPool: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 --- apiVersion: v1 kind: ConfigMap metadata: namespace: istio-system name: policy-envoy-config labels: release: istio data: # Explicitly defined - moved from istio/istio/pilot/docker. 
envoy.yaml.tmpl: |- admin: access_log_path: /dev/null address: socket_address: address: 127.0.0.1 port_value: 15000 stats_config: use_all_default_tags: false stats_tags: - tag_name: cluster_name regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)' - tag_name: tcp_prefix regex: '^tcp\.((.*?)\.)\w+?$' - tag_name: response_code regex: '_rq(_(\d{3}))$' - tag_name: response_code_class regex: '_rq(_(\dxx))$' - tag_name: http_conn_manager_listener_prefix regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - tag_name: http_conn_manager_prefix regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - tag_name: listener_address regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' static_resources: clusters: - name: prometheus_stats type: STATIC connect_timeout: 0.250s lb_policy: ROUND_ROBIN hosts: - socket_address: protocol: TCP address: 127.0.0.1 port_value: 15000 - circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 100000 max_retries: 3 connect_timeout: 1.000s hosts: - pipe: path: /sock/mixer.socket http2_protocol_options: {} name: inbound_9092 - circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 100000 max_retries: 3 connect_timeout: 1.000s hosts: - socket_address: address: istio-telemetry port_value: 15004 http2_protocol_options: {} name: mixer_report_server tls_context: common_tls_context: tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem verify_subject_alt_name: - spiffe://cluster.local/ns/istio-system/sa/istio-mixer-service-account type: STRICT_DNS dns_lookup_family: V4_ONLY - name: out.galley.15019 http2_protocol_options: {} connect_timeout: 1.000s type: STRICT_DNS circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 
100000 max_retries: 3 hosts: - socket_address: address: istio-galley.istio-system port_value: 15019 tls_context: common_tls_context: tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem verify_subject_alt_name: - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account listeners: - name: "15090" address: socket_address: protocol: TCP address: 0.0.0.0 port_value: 15090 filter_chains: - filters: - name: envoy.http_connection_manager config: codec_type: AUTO stat_prefix: stats route_config: virtual_hosts: - name: backend domains: - '*' routes: - match: prefix: /stats/prometheus route: cluster: prometheus_stats http_filters: - name: envoy.router - name: "15004" address: socket_address: address: 0.0.0.0 port_value: 15004 filter_chains: - filters: - config: codec_type: HTTP2 http2_protocol_options: max_concurrent_streams: 1073741824 generate_request_id: true http_filters: - config: default_destination_service: istio-policy.istio-system.svc.cluster.local service_configs: istio-policy.istio-system.svc.cluster.local: disable_check_calls: true {{- if .DisableReportCalls }} disable_report_calls: true {{- end }} mixer_attributes: attributes: destination.service.host: string_value: istio-policy.istio-system.svc.cluster.local destination.service.uid: string_value: istio://istio-system/services/istio-policy destination.service.name: string_value: istio-policy destination.service.namespace: string_value: istio-system destination.uid: string_value: kubernetes://{{ .PodName }}.istio-system destination.namespace: string_value: istio-system destination.ip: bytes_value: {{ .PodIP }} destination.port: int64_value: 15004 context.reporter.kind: string_value: inbound context.reporter.uid: string_value: kubernetes://{{ .PodName }}.istio-system transport: check_cluster: mixer_check_server report_cluster: mixer_report_server 
attributes_for_mixer_proxy: attributes: source.uid: string_value: kubernetes://{{ .PodName }}.istio-system name: mixer - name: envoy.router route_config: name: "15004" virtual_hosts: - domains: - '*' name: istio-policy.istio-system.svc.cluster.local routes: - decorator: operation: Check match: prefix: / route: cluster: inbound_9092 timeout: 0.000s stat_prefix: "15004" name: envoy.http_connection_manager tls_context: common_tls_context: alpn_protocols: - h2 tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true - name: "9091" address: socket_address: address: 0.0.0.0 port_value: 9091 filter_chains: - filters: - config: codec_type: HTTP2 http2_protocol_options: max_concurrent_streams: 1073741824 generate_request_id: true http_filters: - config: default_destination_service: istio-policy.istio-system.svc.cluster.local service_configs: istio-policy.istio-system.svc.cluster.local: disable_check_calls: true {{- if .DisableReportCalls }} disable_report_calls: true {{- end }} mixer_attributes: attributes: destination.service.host: string_value: istio-policy.istio-system.svc.cluster.local destination.service.uid: string_value: istio://istio-system/services/istio-policy destination.service.name: string_value: istio-policy destination.service.namespace: string_value: istio-system destination.uid: string_value: kubernetes://{{ .PodName }}.istio-system destination.namespace: string_value: istio-system destination.ip: bytes_value: {{ .PodIP }} destination.port: int64_value: 9091 context.reporter.kind: string_value: inbound context.reporter.uid: string_value: kubernetes://{{ .PodName }}.istio-system transport: check_cluster: mixer_check_server report_cluster: mixer_report_server attributes_for_mixer_proxy: attributes: source.uid: string_value: kubernetes://{{ .PodName }}.istio-system name: mixer - name: envoy.router 
route_config: name: "9091" virtual_hosts: - domains: - '*' name: istio-policy.istio-system.svc.cluster.local routes: - decorator: operation: Check match: prefix: / route: cluster: inbound_9092 timeout: 0.000s stat_prefix: "9091" name: envoy.http_connection_manager name: "9091" - name: "local.15019" address: socket_address: address: 127.0.0.1 port_value: 15019 filter_chains: - filters: - name: envoy.http_connection_manager config: codec_type: HTTP2 stat_prefix: "15019" http2_protocol_options: max_concurrent_streams: 1073741824 access_log: - name: envoy.file_access_log config: path: /dev/stdout http_filters: - name: envoy.router route_config: name: "15019" virtual_hosts: - name: istio-galley domains: - '*' routes: - match: prefix: / route: cluster: out.galley.15019 timeout: 0.000s --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: istio-policy istio: mixer release: istio name: istio-policy namespace: istio-system spec: selector: matchLabels: istio: mixer istio-mixer-type: policy strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: policy istio: mixer istio-mixer-type: policy spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x weight: 2 requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x containers: - args: - --monitoringPort=15014 - --address - unix:///sock/mixer.socket - --log_output_level=default:info - --configStoreURL=mcp://localhost:15019 - --configDefaultNamespace=istio-system - --useAdapterCRDs=false - --useTemplateCRDs=false - 
--trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
          # NOTE(review): trace export goes to zipkin over plain http://; spans carry
          # request metadata, so confirm this only ever traverses in-cluster links.
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          # Pinned by mutable tag only; pinning by digest (image@sha256:...) keeps a
          # re-pushed tag from silently changing what runs here.
          image: docker.io/istio/mixer:1.4.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
          name: mixer
          ports:
            - containerPort: 9091
            - containerPort: 15014
            - containerPort: 42422
          # CPU request only, no limits: a burst of check/report calls is bounded
          # only by the node. No securityContext is set on this pod or either
          # container, so they run with whatever the images default to.
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            - mountPath: /sock
              name: uds-socket
            - mountPath: /var/run/secrets/istio.io/policy/adapter
              name: policy-adapter-secret
              readOnly: true
        - args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-policy
            - --templateFile
            - /var/lib/envoy/envoy.yaml.tmpl
            # Control-plane connections are mTLS. With SDS_ENABLED=false below, the
            # key material presumably comes from the file-mounted istio-certs
            # secret, which is declared optional (see volumes).
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --trust-domain=cluster.local
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          # Same tag-only pinning as the mixer image above.
          image: docker.io/istio/proxyv2:1.4.5
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 15004
            - containerPort: 15090
              name: http-envoy-prom
              protocol: TCP
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - mountPath: /var/lib/envoy
              name: policy-envoy-config
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            - mountPath: /sock
              name: uds-socket
      serviceAccountName: istio-policy-service-account
      volumes:
        # optional: true lets the pod start when the cert secret is absent; the
        # Envoy TLS context in policy-envoy-config then references files that do
        # not exist. Consider making it required so a missing identity fails
        # loudly — TODO confirm the failure mode with the secret removed.
        - name: istio-certs
          secret:
            optional: true
            secretName: istio.istio-policy-service-account
        - emptyDir: {}
          name: uds-socket
        - name: policy-adapter-secret
          secret:
            optional: true
            secretName: policy-adapter-secret
        - configMap:
            name: policy-envoy-config
          name: policy-envoy-config
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-policy
  namespace: istio-system
labels:
  app: policy
  release: istio
  istio: mixer
  istio-mixer-type: policy
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: policy
      istio: mixer
      istio-mixer-type: policy
---
apiVersion: v1
kind: Service
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    istio: mixer
    release: istio
spec:
  ports:
    # 9091 is the plaintext Mixer gRPC listener; 15004 is the listener whose TLS
    # context requires a client certificate (see policy-envoy-config). Any
    # in-cluster client can reach 9091 unauthenticated unless a NetworkPolicy
    # restricts it — TODO confirm whether 9091 is still needed in this mesh.
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-policy-monitoring
      port: 15014
  selector:
    istio: mixer
    istio-mixer-type: policy
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-policy-service-account
  namespace: istio-system
  labels:
    app: istio-policy
    release: istio
---
# Resources for Prometheus component
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-istio-system
  labels:
    app: prometheus
    release: istio
rules:
  - apiGroups: [""]
    resources:
      - nodes
      - services
      - endpoints
      - pods
      # NOTE(review): nodes/proxy is presumably what lets the kubernetes-nodes and
      # kubernetes-cadvisor jobs in the prometheus ConfigMap fetch
      # /api/v1/nodes/<node>/proxy/metrics through the apiserver. It is broader
      # than "read metrics" (it proxies to the kubelet API in general), so keep
      # this ClusterRole bound only to the prometheus service account.
      - nodes/proxy
    verbs: ["get", "list", "watch"]
  # No scrape job in the embedded prometheus.yml appears to read configmaps;
  # this rule looks unused — TODO confirm before dropping it.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs: ["get"]
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-istio-system
  labels:
    app: prometheus
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-istio-system
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: istio-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    release: istio
data:
  prometheus.yml: |-
    global:
      scrape_interval: 15s
    scrape_configs:
    # Mixer scrapping. Defaults to Prometheus and mixer on same namespace.
# - job_name: 'istio-mesh' kubernetes_sd_configs: - role: endpoints namespaces: names: - istio-system relabel_configs: - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: istio-telemetry;prometheus # Scrape config for envoy stats - job_name: 'envoy-stats' metrics_path: /stats/prometheus kubernetes_sd_configs: - role: pod relabel_configs: - source_labels: [__meta_kubernetes_pod_container_port_name] action: keep regex: '.*-envoy-prom' - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] action: replace regex: ([^:]+)(?::\d+)?;(\d+) replacement: $1:15090 target_label: __address__ - action: labelmap regex: __meta_kubernetes_pod_label_(.+) - source_labels: [__meta_kubernetes_namespace] action: replace target_label: namespace - source_labels: [__meta_kubernetes_pod_name] action: replace target_label: pod_name - job_name: 'istio-policy' kubernetes_sd_configs: - role: endpoints namespaces: names: - istio-system relabel_configs: - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: istio-policy;http-policy-monitoring - job_name: 'istio-telemetry' kubernetes_sd_configs: - role: endpoints namespaces: names: - istio-system relabel_configs: - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: istio-telemetry;http-monitoring - job_name: 'pilot' kubernetes_sd_configs: - role: endpoints namespaces: names: - istio-system relabel_configs: - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: istio-pilot;http-monitoring - job_name: 'galley' kubernetes_sd_configs: - role: endpoints namespaces: names: - istio-system relabel_configs: - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: istio-galley;http-monitoring - job_name: 'citadel' kubernetes_sd_configs: - role: endpoints namespaces: 
names: - istio-system relabel_configs: - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: istio-citadel;http-monitoring # scrape config for API servers - job_name: 'kubernetes-apiservers' kubernetes_sd_configs: - role: endpoints namespaces: names: - default scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token relabel_configs: - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: kubernetes;https # scrape config for nodes (kubelet) - job_name: 'kubernetes-nodes' scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: - role: node relabel_configs: - action: labelmap regex: __meta_kubernetes_node_label_(.+) - target_label: __address__ replacement: kubernetes.default.svc:443 - source_labels: [__meta_kubernetes_node_name] regex: (.+) target_label: __metrics_path__ replacement: /api/v1/nodes/${1}/proxy/metrics # Scrape config for Kubelet cAdvisor. # # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics # (those whose names begin with 'container_') have been removed from the # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to # retrieve those metrics. # # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with # the --cadvisor-port=0 Kubelet flag). # # This job is not necessary and should be removed in Kubernetes 1.6 and # earlier versions, or it will cause the metrics to be scraped twice. 
- job_name: 'kubernetes-cadvisor' scheme: https tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token kubernetes_sd_configs: - role: node relabel_configs: - action: labelmap regex: __meta_kubernetes_node_label_(.+) - target_label: __address__ replacement: kubernetes.default.svc:443 - source_labels: [__meta_kubernetes_node_name] regex: (.+) target_label: __metrics_path__ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor # scrape config for service endpoints. - job_name: 'kubernetes-service-endpoints' kubernetes_sd_configs: - role: endpoints relabel_configs: - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] action: keep regex: true - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] action: replace target_label: __scheme__ regex: (https?) - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ regex: (.+) - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] action: replace target_label: __address__ regex: ([^:]+)(?::\d+)?;(\d+) replacement: $1:$2 - action: labelmap regex: __meta_kubernetes_service_label_(.+) - source_labels: [__meta_kubernetes_namespace] action: replace target_label: kubernetes_namespace - source_labels: [__meta_kubernetes_service_name] action: replace target_label: kubernetes_name - job_name: 'kubernetes-pods' kubernetes_sd_configs: - role: pod relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. 
- source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
  action: keep
  regex: true
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status]
            action: drop
            regex: (.+)
          - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
            action: drop
            regex: (true)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name
      - job_name: 'kubernetes-pods-istio-secure'
        scheme: https
        tls_config:
          ca_file: /etc/istio-certs/root-cert.pem
          cert_file: /etc/istio-certs/cert-chain.pem
          key_file: /etc/istio-certs/key.pem
          insecure_skip_verify: true # prometheus does not support secure naming.
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: true
          # sidecar status annotation is added by sidecar injector and
          # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
            action: keep
            regex: (([^;]+);([^;]*))|(([^;]*);(true))
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__] # Only keep address that is host:port
            action: keep # otherwise an extra target with ':443' is added for https scheme
            regex: ([^:]+):(\d+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    release: istio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
        release: istio
      annotations:
        # No sidecar: Prometheus talks to mTLS workloads itself, using the
        # file-mounted cert below, instead of going through an Envoy proxy.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: prometheus
      containers:
        - name: prometheus
          # Mutable tag; pin by digest for a reproducible, verifiable deploy.
          image: "docker.io/prom/prometheus:v2.12.0"
          imagePullPolicy: IfNotPresent
          args:
            - '--storage.tsdb.retention=6h'
            - '--config.file=/etc/prometheus/prometheus.yml'
          # 9090 is plain HTTP with no authentication, and the prometheus Service
          # below exposes it to anything that can route to istio-system. Whoever
          # reaches it can read every scraped series (per-workload, per-principal
          # request labels included) and run arbitrary queries.
          ports:
            - containerPort: 9090
              name: http
          livenessProbe:
            httpGet:
              path: /-/healthy
              port: 9090
          readinessProbe:
            httpGet:
              path: /-/ready
              port: 9090
          # CPU request only, no limits; no securityContext on the pod or container.
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - name: config-volume
              mountPath: /etc/prometheus
            # Not readOnly, unlike the /etc/certs mounts on the istio-policy pod.
            - mountPath: /etc/istio-certs
              name: istio-certs
      volumes:
        - name: config-volume
          configMap:
            name: prometheus
        # NOTE(review): istio.default is presumably the mesh-issued key/cert of
        # the *default* service account in istio-system, not a prometheus-specific
        # identity. The kubernetes-pods-istio-secure job above presents it as its
        # client cert, so a compromised Prometheus could present that SA's
        # identity to any mTLS workload. That job also sets
        # insecure_skip_verify: true, so the scraped pod's server cert is not
        # verified either. The secret is not optional: the pod will not start
        # until it exists.
        - name: istio-certs
          secret:
            defaultMode: 420
            secretName: istio.default
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
---
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    prometheus.io/scrape: 'true'
  labels:
    app: prometheus
    release: istio
spec:
  selector:
    app: prometheus
  ports:
    # Unauthenticated HTTP to the Prometheus UI/API (see the Deployment above).
    - name: http-prometheus
      protocol: TCP
      port: 9090
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    release: istio
---
# PrometheusOperator component is disabled.
# Resources for Telemetry component
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: mixer
    release: istio
  name: istio-telemetry
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
    - resource:
        name: cpu
        targetAverageUtilization: 80
      type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-telemetry
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-mixer-istio-system
  labels:
    app: istio-telemetry
    release: istio
rules:
  # create/patch on every config.istio.io resource, cluster-wide: a compromised
  # telemetry pod could rewrite rules/handlers/instances for the whole mesh.
  - apiGroups: ["config.istio.io"] # istio CRD watcher
    resources: ["*"]
    verbs: ["create", "get", "list", "watch", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # "secrets" here is get/list/watch on every Secret in every namespace, granted
  # to the telemetry service account. Nothing visible in this manifest shows the
  # telemetry pod needing arbitrary secrets; if it only needs its own adapter
  # secret, a namespaced Role or a volume mount is enough — TODO confirm.
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-mixer-admin-role-binding-istio-system
  labels:
    app: istio-telemetry
    release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: istio-mixer-istio-system subjects: - kind: ServiceAccount name: istio-mixer-service-account namespace: istio-system --- apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: istioproxy namespace: istio-system labels: app: istio-telemetry release: istio spec: attributes: origin.ip: valueType: IP_ADDRESS origin.uid: valueType: STRING origin.user: valueType: STRING request.headers: valueType: STRING_MAP request.id: valueType: STRING request.host: valueType: STRING request.method: valueType: STRING request.path: valueType: STRING request.url_path: valueType: STRING request.query_params: valueType: STRING_MAP request.reason: valueType: STRING request.referer: valueType: STRING request.scheme: valueType: STRING request.total_size: valueType: INT64 request.size: valueType: INT64 request.time: valueType: TIMESTAMP request.useragent: valueType: STRING response.code: valueType: INT64 response.duration: valueType: DURATION response.headers: valueType: STRING_MAP response.total_size: valueType: INT64 response.size: valueType: INT64 response.time: valueType: TIMESTAMP response.grpc_status: valueType: STRING response.grpc_message: valueType: STRING source.uid: valueType: STRING source.user: # DEPRECATED valueType: STRING source.principal: valueType: STRING destination.uid: valueType: STRING destination.principal: valueType: STRING destination.port: valueType: INT64 connection.event: valueType: STRING connection.id: valueType: STRING connection.received.bytes: valueType: INT64 connection.received.bytes_total: valueType: INT64 connection.sent.bytes: valueType: INT64 connection.sent.bytes_total: valueType: INT64 connection.duration: valueType: DURATION connection.mtls: valueType: BOOL connection.requested_server_name: valueType: STRING context.protocol: valueType: STRING context.proxy_error_code: valueType: STRING context.timestamp: valueType: TIMESTAMP context.time: valueType: TIMESTAMP # 
Deprecated, kept for compatibility context.reporter.local: valueType: BOOL context.reporter.kind: valueType: STRING context.reporter.uid: valueType: STRING context.proxy_version: valueType: STRING api.service: valueType: STRING api.version: valueType: STRING api.operation: valueType: STRING api.protocol: valueType: STRING request.auth.principal: valueType: STRING request.auth.audiences: valueType: STRING request.auth.presenter: valueType: STRING request.auth.claims: valueType: STRING_MAP request.auth.raw_claims: valueType: STRING request.api_key: valueType: STRING rbac.permissive.response_code: valueType: STRING rbac.permissive.effective_policy_id: valueType: STRING check.error_code: valueType: INT64 check.error_message: valueType: STRING check.cache_hit: valueType: BOOL quota.cache_hit: valueType: BOOL --- apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: kubernetes namespace: istio-system labels: app: istio-telemetry release: istio spec: attributes: source.ip: valueType: IP_ADDRESS source.labels: valueType: STRING_MAP source.metadata: valueType: STRING_MAP source.name: valueType: STRING source.namespace: valueType: STRING source.owner: valueType: STRING source.serviceAccount: valueType: STRING source.services: valueType: STRING source.workload.uid: valueType: STRING source.workload.name: valueType: STRING source.workload.namespace: valueType: STRING destination.ip: valueType: IP_ADDRESS destination.labels: valueType: STRING_MAP destination.metadata: valueType: STRING_MAP destination.owner: valueType: STRING destination.name: valueType: STRING destination.container.name: valueType: STRING destination.namespace: valueType: STRING destination.service.uid: valueType: STRING destination.service.name: valueType: STRING destination.service.namespace: valueType: STRING destination.service.host: valueType: STRING destination.serviceAccount: valueType: STRING destination.workload.uid: valueType: STRING destination.workload.name: valueType: 
STRING
    destination.workload.namespace:
      valueType: STRING
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # NOTE(review): when destination.service.host is missing but the service
      # name is known, this label takes request.host, i.e. the client-supplied
      # Host header. Every distinct value becomes a new Prometheus series, so an
      # untrusted caller can inflate cardinality through that path — confirm how
      # often the fallback is actually hit before relying on it.
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A request with no response.code (presumably one cut off before any
      # response) is counted as 200; response_flags carries the proxy's reason.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      monitored_resource_type: '"UNSPECIFIED"'
---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestduration
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: response.duration | "0ms"
    dimensions:
      reporter: conditional((context.reporter.kind |
"inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: instance metadata: name: requestsize namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledTemplate: metric params: value: request.size | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: 
destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: instance metadata: name: responsesize namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledTemplate: metric params: value: response.size | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | 
conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host) destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 response_flags: context.proxy_error_code | "-" permissive_response_code: rbac.permissive.response_code | "none" permissive_response_policyid: rbac.permissive.effective_policy_id | "none" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: instance metadata: name: tcpbytesent namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledTemplate: metric params: value: connection.sent.bytes | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) response_flags: 
context.proxy_error_code | "-" monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: instance metadata: name: tcpbytereceived namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledTemplate: metric params: value: connection.received.bytes | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) response_flags: context.proxy_error_code | "-" monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: instance metadata: name: tcpconnectionsopened namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledTemplate: metric params: value: "1" dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: 
source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) response_flags: context.proxy_error_code | "-" monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: instance metadata: name: tcpconnectionsclosed namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledTemplate: metric params: value: "1" dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", 
conditional(connection.mtls | false, "mutual_tls", "none")) response_flags: context.proxy_error_code | "-" monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: handler metadata: name: prometheus namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledAdapter: prometheus params: metricsExpirationPolicy: metricsExpiryDuration: "10m" metrics: - name: requests_total instance_name: requestcount.instance.istio-system kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - request_protocol - response_code - response_flags - permissive_response_code - permissive_response_policyid - connection_security_policy - name: request_duration_seconds instance_name: requestduration.instance.istio-system kind: DISTRIBUTION label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - request_protocol - response_code - response_flags - permissive_response_code - permissive_response_policyid - connection_security_policy buckets: explicit_buckets: bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - name: request_bytes instance_name: requestsize.instance.istio-system kind: DISTRIBUTION label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - 
# NOTE(review): remaining prometheus handler metrics. request_bytes and
# response_bytes use exponentialBuckets (scale 1, growthFactor 10, 8 finite
# buckets). The tcp_* counters reuse the same source/destination workload and
# principal labels plus connection_security_policy and response_flags, but
# omit request_protocol, response_code and the permissive_* labels.
destination_service_namespace - request_protocol - response_code - response_flags - permissive_response_code - permissive_response_policyid - connection_security_policy buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 growthFactor: 10 - name: response_bytes instance_name: responsesize.instance.istio-system kind: DISTRIBUTION label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - request_protocol - response_code - response_flags - permissive_response_code - permissive_response_policyid - connection_security_policy buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 growthFactor: 10 - name: tcp_sent_bytes_total instance_name: tcpbytesent.instance.istio-system kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - connection_security_policy - response_flags - name: tcp_received_bytes_total instance_name: tcpbytereceived.instance.istio-system kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - connection_security_policy - response_flags - name: tcp_connections_opened_total instance_name: tcpconnectionsopened.instance.istio-system kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - 
# NOTE(review): last handler metric, then the rules that drive the prometheus
# handler. promhttp is the only rule producing the HTTP/gRPC metrics and its
# match drops requests whose User-Agent starts with "kube-probe" or
# "Prometheus" (request.useragent defaults to "-" when absent). User-Agent is
# chosen by the client, so treat these series as a traffic/health signal, not
# as an audit record that a given request did or did not happen. promtcp
# counts bytes for every TCP report; the connection counters key off
# connection.event ("open" / "close", default "na") in separate rules.
source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - connection_security_policy - response_flags - name: tcp_connections_closed_total instance_name: tcpconnectionsclosed.instance.istio-system kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - connection_security_policy - response_flags --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promhttp namespace: istio-system labels: app: istio-telemetry release: istio spec: match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false) actions: - handler: prometheus instances: - requestcount - requestduration - requestsize - responsesize --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promtcp namespace: istio-system labels: app: istio-telemetry release: istio spec: match: context.protocol == "tcp" actions: - handler: prometheus instances: - tcpbytesent - tcpbytereceived --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promtcpconnectionopen namespace: istio-system labels: app: istio-telemetry release: istio spec: match: context.protocol == "tcp" && ((connection.event | "na") == "open") actions: - handler: prometheus instances: - tcpconnectionsopened --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promtcpconnectionclosed namespace: istio-system labels: app: istio-telemetry release: istio spec: match: context.protocol == "tcp" && ((connection.event 
# NOTE(review): close of promtcpconnectionclosed, then the kubernetesenv
# handler, its two rules and the "attributes" instance. kubeconfig_path is
# left commented (the sample is for running Mixer outside the cluster), so
# the adapter presumably uses the in-cluster credentials of the Mixer pod's
# service account -- verify that the RBAC bound to
# istio-mixer-service-account (not in this chunk) grants read access only.
# kubeattrgenrulerule has no match clause and therefore applies to every
# report; tcpkubeattrgenrulerule is a TCP-only duplicate. The instance passes
# source/destination uid, ip and port to the adapter with explicit defaults
# ("", ip("0.0.0.0"), 0).
| "na") == "close") actions: - handler: prometheus instances: - tcpconnectionsclosed --- apiVersion: "config.istio.io/v1alpha2" kind: handler metadata: name: kubernetesenv namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledAdapter: kubernetesenv params: # when running from mixer root, use the following config after adding a # symbolic link to a kubernetes config file via: # # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig # # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: kubeattrgenrulerule namespace: istio-system labels: app: istio-telemetry release: istio spec: actions: - handler: kubernetesenv instances: - attributes --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: tcpkubeattrgenrulerule namespace: istio-system labels: app: istio-telemetry release: istio spec: match: context.protocol == "tcp" actions: - handler: kubernetesenv instances: - attributes --- apiVersion: "config.istio.io/v1alpha2" kind: instance metadata: name: attributes namespace: istio-system labels: app: istio-telemetry release: istio spec: compiledTemplate: kubernetes params: # Pass the required attribute data to the adapter source_uid: source.uid | "" source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr destination_uid: destination.uid | "" destination_port: destination.port | 0 attributeBindings: # Fill the new attributes from the adapter produced output. 
# NOTE(review): attributeBindings overwrite source.* / destination.*
# attributes with pod metadata from the adapter; unresolved values become
# "unknown", ip("0.0.0.0"), emptyStringMap() or -- for source.namespace and
# destination.namespace -- the literal "default". Anything downstream that
# keys policy or alerting on namespace should expect an unresolvable pod to
# show up as "default". The istio-telemetry DestinationRule gives port 15004
# ISTIO_MUTUAL and port 9091 tls mode DISABLE, matching the Envoy listeners
# in the telemetry-envoy-config ConfigMap that starts at the end of this line
# (15004 terminates mTLS, 9091 is plaintext).
# $out refers to an instance of OutputTemplate message source.ip: $out.source_pod_ip | ip("0.0.0.0") source.uid: $out.source_pod_uid | "unknown" source.labels: $out.source_labels | emptyStringMap() source.name: $out.source_pod_name | "unknown" source.namespace: $out.source_namespace | "default" source.owner: $out.source_owner | "unknown" source.serviceAccount: $out.source_service_account_name | "unknown" source.workload.uid: $out.source_workload_uid | "unknown" source.workload.name: $out.source_workload_name | "unknown" source.workload.namespace: $out.source_workload_namespace | "unknown" destination.ip: $out.destination_pod_ip | ip("0.0.0.0") destination.uid: $out.destination_pod_uid | "unknown" destination.labels: $out.destination_labels | emptyStringMap() destination.name: $out.destination_pod_name | "unknown" destination.container.name: $out.destination_container_name | "unknown" destination.namespace: $out.destination_namespace | "default" destination.owner: $out.destination_owner | "unknown" destination.serviceAccount: $out.destination_service_account_name | "unknown" destination.workload.uid: $out.destination_workload_uid | "unknown" destination.workload.name: $out.destination_workload_name | "unknown" destination.workload.namespace: $out.destination_workload_namespace | "unknown" --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-telemetry namespace: istio-system labels: app: istio-telemetry release: istio spec: host: istio-telemetry.istio-system.svc.cluster.local trafficPolicy: portLevelSettings: - port: number: 15004 # grpc-mixer-mtls tls: mode: ISTIO_MUTUAL - port: number: 9091 # grpc-mixer tls: mode: DISABLE connectionPool: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 --- apiVersion: v1 kind: ConfigMap metadata: namespace: istio-system name: telemetry-envoy-config labels: release: istio data: # Explicitly defined - moved from istio/istio/pilot/docker. 
# NOTE(review): Envoy bootstrap template for the telemetry sidecar; the proxy
# container renders {{ .PodName }} / {{ .PodIP }} and the DisableReportCalls
# conditional before start. Network exposure of the listeners defined below:
#  - admin bound to 127.0.0.1:15000 only, access_log_path /dev/null.
#  - "15090" on 0.0.0.0, no TLS, routes just the /stats/prometheus prefix to
#    the admin cluster, so the remainder of the admin API stays loopback-only.
#  - "15004" on 0.0.0.0 with tls_context from /etc/certs and
#    require_client_certificate: true; peer certs are validated against
#    root-cert.pem with no verify_subject_alt_name, so any identity issued
#    by the mesh CA is accepted at the transport layer on this port.
#  - "9091" on 0.0.0.0 carries the same mixer filter with no tls_context
#    (plaintext), consistent with tls mode DISABLE in the DestinationRule.
#  - "local.15019" on 127.0.0.1 forwards to out.galley.15019 (STRICT_DNS
#    istio-galley.istio-system:15019) with client cert auth and
#    verify_subject_alt_name pinned to the istio-galley service account
#    SPIFFE ID.
# Both mixer filters set disable_check_calls: true (telemetry only) and
# report to inbound_9092, the Unix socket /sock/mixer.socket shared with the
# mixer container; check_cluster names mixer_check_server, which is not among
# the clusters defined here and is unused while check calls are disabled.
# Route timeout 0.000s disables the per-route timeout (0 means unlimited in
# Envoy), and max_concurrent_streams 1073741824 / circuit-breaker thresholds
# of 100000 effectively lift those limits as well.
envoy.yaml.tmpl: |- admin: access_log_path: /dev/null address: socket_address: address: 127.0.0.1 port_value: 15000 stats_config: use_all_default_tags: false stats_tags: - tag_name: cluster_name regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)' - tag_name: tcp_prefix regex: '^tcp\.((.*?)\.)\w+?$' - tag_name: response_code regex: '_rq(_(\d{3}))$' - tag_name: response_code_class regex: '_rq(_(\dxx))$' - tag_name: http_conn_manager_listener_prefix regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - tag_name: http_conn_manager_prefix regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' - tag_name: listener_address regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)' static_resources: clusters: - name: prometheus_stats type: STATIC connect_timeout: 0.250s lb_policy: ROUND_ROBIN hosts: - socket_address: protocol: TCP address: 127.0.0.1 port_value: 15000 - name: inbound_9092 circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 100000 max_retries: 3 connect_timeout: 1.000s hosts: - pipe: path: /sock/mixer.socket http2_protocol_options: {} - name: out.galley.15019 http2_protocol_options: {} connect_timeout: 1.000s type: STRICT_DNS circuit_breakers: thresholds: - max_connections: 100000 max_pending_requests: 100000 max_requests: 100000 max_retries: 3 hosts: - socket_address: address: istio-galley.istio-system port_value: 15019 tls_context: common_tls_context: tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem verify_subject_alt_name: - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account listeners: - name: "15090" address: socket_address: protocol: TCP address: 0.0.0.0 port_value: 15090 filter_chains: - filters: - name: envoy.http_connection_manager config: codec_type: AUTO stat_prefix: stats 
route_config: virtual_hosts: - name: backend domains: - '*' routes: - match: prefix: /stats/prometheus route: cluster: prometheus_stats http_filters: - name: envoy.router - name: "15004" address: socket_address: address: 0.0.0.0 port_value: 15004 filter_chains: - filters: - config: codec_type: HTTP2 http2_protocol_options: max_concurrent_streams: 1073741824 generate_request_id: true http_filters: - config: default_destination_service: istio-telemetry.istio-system.svc.cluster.local service_configs: istio-telemetry.istio-system.svc.cluster.local: disable_check_calls: true {{- if .DisableReportCalls }} disable_report_calls: true {{- end }} mixer_attributes: attributes: destination.service.host: string_value: istio-telemetry.istio-system.svc.cluster.local destination.service.uid: string_value: istio://istio-system/services/istio-telemetry destination.service.name: string_value: istio-telemetry destination.service.namespace: string_value: istio-system destination.uid: string_value: kubernetes://{{ .PodName }}.istio-system destination.namespace: string_value: istio-system destination.ip: bytes_value: {{ .PodIP }} destination.port: int64_value: 15004 context.reporter.kind: string_value: inbound context.reporter.uid: string_value: kubernetes://{{ .PodName }}.istio-system transport: check_cluster: mixer_check_server report_cluster: inbound_9092 name: mixer - name: envoy.router route_config: name: "15004" virtual_hosts: - domains: - '*' name: istio-telemetry.istio-system.svc.cluster.local routes: - decorator: operation: Report match: prefix: / route: cluster: inbound_9092 timeout: 0.000s stat_prefix: "15004" name: envoy.http_connection_manager tls_context: common_tls_context: alpn_protocols: - h2 tls_certificates: - certificate_chain: filename: /etc/certs/cert-chain.pem private_key: filename: /etc/certs/key.pem validation_context: trusted_ca: filename: /etc/certs/root-cert.pem require_client_certificate: true - name: "9091" address: socket_address: address: 0.0.0.0 
port_value: 9091 filter_chains: - filters: - config: codec_type: HTTP2 http2_protocol_options: max_concurrent_streams: 1073741824 generate_request_id: true http_filters: - config: default_destination_service: istio-telemetry.istio-system.svc.cluster.local service_configs: istio-telemetry.istio-system.svc.cluster.local: disable_check_calls: true {{- if .DisableReportCalls }} disable_report_calls: true {{- end }} mixer_attributes: attributes: destination.service.host: string_value: istio-telemetry.istio-system.svc.cluster.local destination.service.uid: string_value: istio://istio-system/services/istio-telemetry destination.service.name: string_value: istio-telemetry destination.service.namespace: string_value: istio-system destination.uid: string_value: kubernetes://{{ .PodName }}.istio-system destination.namespace: string_value: istio-system destination.ip: bytes_value: {{ .PodIP }} destination.port: int64_value: 9091 context.reporter.kind: string_value: inbound context.reporter.uid: string_value: kubernetes://{{ .PodName }}.istio-system transport: check_cluster: mixer_check_server report_cluster: inbound_9092 name: mixer - name: envoy.router route_config: name: "9091" virtual_hosts: - domains: - '*' name: istio-telemetry.istio-system.svc.cluster.local routes: - decorator: operation: Report match: prefix: / route: cluster: inbound_9092 timeout: 0.000s stat_prefix: "9091" name: envoy.http_connection_manager - name: "local.15019" address: socket_address: address: 127.0.0.1 port_value: 15019 filter_chains: - filters: - name: envoy.http_connection_manager config: codec_type: HTTP2 stat_prefix: "15019" http2_protocol_options: max_concurrent_streams: 1073741824 access_log: - name: envoy.file_access_log config: path: /dev/stdout http_filters: - name: envoy.router route_config: name: "15019" virtual_hosts: - name: istio-galley domains: - '*' routes: - match: prefix: / route: cluster: out.galley.15019 timeout: 0.000s --- apiVersion: apps/v1 kind: Deployment metadata: labels: 
# NOTE(review): body of the istio-telemetry Deployment (header is at the end
# of the previous line). Sidecar injection is off and istio-proxy is declared
# by hand below. mixer binds only the Unix socket /sock/mixer.socket
# (--address), so every network path into it runs through the Envoy
# listeners from telemetry-envoy-config; the mixer container's declared
# containerPort 9091 does not correspond to any TCP listener in these args --
# confirm. Config arrives via --configStoreURL=mcp://localhost:15019, the
# loopback listener that enforces mTLS to Galley. Traces go to
# http://zipkin.istio-system:9411 in plaintext, so span payloads cross the
# cluster network unencrypted unless zipkin sits behind its own sidecar.
# Images are pinned by tag (1.4.5), not by digest. No pod or container
# securityContext is declared; CPU/memory requests and limits are. The cert
# and adapter-secret mounts are readOnly.
app: istio-mixer istio: mixer release: istio name: istio-telemetry namespace: istio-system spec: replicas: 1 selector: matchLabels: istio: mixer istio-mixer-type: telemetry strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 25% template: metadata: annotations: sidecar.istio.io/inject: "false" labels: app: telemetry istio: mixer istio-mixer-type: telemetry spec: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - ppc64le weight: 2 - preference: matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - s390x weight: 2 requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: beta.kubernetes.io/arch operator: In values: - amd64 - ppc64le - s390x containers: - args: - --monitoringPort=15014 - --address - unix:///sock/mixer.socket - --log_output_level=default:info - --configStoreURL=mcp://localhost:15019 - --configDefaultNamespace=istio-system - --useAdapterCRDs=false - --useTemplateCRDs=false - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans env: - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: GOMAXPROCS value: "6" image: docker.io/istio/mixer:1.4.5 imagePullPolicy: IfNotPresent livenessProbe: httpGet: path: /version port: 15014 initialDelaySeconds: 5 periodSeconds: 5 name: mixer ports: - containerPort: 9091 - containerPort: 15014 - containerPort: 42422 resources: limits: cpu: 4800m memory: 4G requests: cpu: 1000m memory: 1G volumeMounts: - mountPath: /etc/certs name: istio-certs readOnly: true - mountPath: /sock name: uds-socket - mountPath: /var/run/secrets/istio.io/telemetry/adapter name: telemetry-adapter-secret readOnly: true - args: - proxy - --domain - $(POD_NAMESPACE).svc.cluster.local - --serviceCluster - istio-telemetry - --templateFile 
# NOTE(review): istio-proxy runs with --controlPlaneAuthPolicy MUTUAL_TLS,
# --trust-domain=cluster.local and SDS_ENABLED "false", so the files the
# Envoy tls_context reads come from the secret
# istio.istio-mixer-service-account mounted read-only at /etc/certs. That
# secret and telemetry-adapter-secret are optional: true, so the pod
# schedules without them and any failure presumably surfaces only at Envoy
# start as missing /etc/certs files -- TODO confirm this is intended. The
# PodDisruptionBudget sets minAvailable: 1 against replicas: 1, which refuses
# every voluntary eviction (e.g. node drain) of the single telemetry pod. The
# Service exposes 9091 (plaintext), 15004 (mTLS), 15014 (monitoring) and
# 42422; nothing in the mixer args configures 42422 -- confirm it is actually
# served. The trailing comment records that the tracing component is not
# deployed.
- /var/lib/envoy/envoy.yaml.tmpl - --controlPlaneAuthPolicy - MUTUAL_TLS - --trust-domain=cluster.local env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP - name: SDS_ENABLED value: "false" image: docker.io/istio/proxyv2:1.4.5 imagePullPolicy: IfNotPresent name: istio-proxy ports: - containerPort: 15004 - containerPort: 15090 name: http-envoy-prom protocol: TCP resources: limits: cpu: 2000m memory: 1024Mi requests: cpu: 100m memory: 128Mi volumeMounts: - mountPath: /var/lib/envoy name: telemetry-envoy-config - mountPath: /etc/certs name: istio-certs readOnly: true - mountPath: /sock name: uds-socket serviceAccountName: istio-mixer-service-account volumes: - name: istio-certs secret: optional: true secretName: istio.istio-mixer-service-account - emptyDir: {} name: uds-socket - name: telemetry-adapter-secret secret: optional: true secretName: telemetry-adapter-secret - configMap: name: telemetry-envoy-config name: telemetry-envoy-config --- apiVersion: policy/v1beta1 kind: PodDisruptionBudget metadata: name: istio-telemetry namespace: istio-system labels: app: telemetry release: istio istio: mixer istio-mixer-type: telemetry spec: minAvailable: 1 selector: matchLabels: app: telemetry istio: mixer istio-mixer-type: telemetry --- apiVersion: v1 kind: Service metadata: name: istio-telemetry namespace: istio-system labels: app: mixer istio: mixer release: istio spec: ports: - name: grpc-mixer port: 9091 - name: grpc-mixer-mtls port: 15004 - name: http-monitoring port: 15014 - name: prometheus port: 42422 selector: istio: mixer istio-mixer-type: telemetry --- apiVersion: v1 kind: ServiceAccount metadata: name: istio-mixer-service-account namespace: istio-system labels: app: istio-telemetry release: istio --- # Tracing component is disabled.