
# Resources for Base component
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader-istio-system
  labels:
    app: istio-reader
    release: istio
# Read-only role: every rule below grants get/list/watch only; no create,
# update, patch or delete verb appears anywhere in this role.
rules:
  # Wildcard resources, but limited to the Istio configuration API groups.
  - apiGroups:
      - config.istio.io
      - rbac.istio.io
      - security.istio.io
      - networking.istio.io
      - authentication.istio.io
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  # Core ("") group: discovery objects only. Secrets and configmaps are not
  # part of this grant.
  - apiGroups:
      - ''
    resources:
      - endpoints
      - pods
      - services
      - nodes
      - replicationcontrollers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-reader-istio-system
  labels:
    app: istio-reader
    release: istio
# Binds the read-only ClusterRole of the same name to one ServiceAccount.
# A ClusterRoleBinding (as opposed to a RoleBinding) makes that read access
# effective in every namespace of the cluster.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-reader-service-account
    namespace: istio-system
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: core
    package: istio.io.mixer
    release: istio
  name: attributemanifests.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
      - istio-io
      - policy-istio-io
    kind: attributemanifest
    plural: attributemanifests
    singular: attributemanifest
  scope: Namespaced
  subresources:
    status: {}
  # Validation for .spec. Only the listed properties are typed; the schema sets
  # no additionalProperties: false, so unknown keys under spec are not rejected
  # by this validation alone.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: >-
            Describes the rules used to configure Mixer's policy and telemetry
            features. See more details at:
            https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html
          properties:
            attributes:
              additionalProperties:
                properties:
                  description:
                    description: A human-readable description of the attribute's purpose.
                    format: string
                    type: string
                  valueType:
                    description: The type of data carried by this attribute.
                    # Closed enum: any other value fails API-server schema validation.
                    enum:
                      - VALUE_TYPE_UNSPECIFIED
                      - STRING
                      - INT64
                      - DOUBLE
                      - BOOL
                      - TIMESTAMP
                      - IP_ADDRESS
                      - EMAIL_ADDRESS
                      - URI
                      - DNS_NAME
                      - DURATION
                      - STRING_MAP
                    type: string
                type: object
              description: The set of attributes this Istio component will be responsible for producing at runtime.
              type: object
            name:
              description: Name of the component producing these attributes.
              format: string
              type: string
            revision:
              description: The revision of this document.
              format: string
              type: string
          type: object
      type: object
  versions:
    - name: v1alpha2
      served: true
      storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-pilot
    heritage: Tiller
    istio: rbac
    release: istio
  name: clusterrbacconfigs.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
      - istio-io
      - rbac-istio-io
    kind: ClusterRbacConfig
    plural: clusterrbacconfigs
    singular: clusterrbacconfig
  # Cluster-scoped (not namespaced): an object of this kind governs RBAC
  # enforcement mesh-wide, so write access to it should be tightly limited.
  scope: Cluster
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: >-
            Configuration for Role Based Access Control. See more details at:
            https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html
          properties:
            # Per the Istio RBAC docs PERMISSIVE evaluates policies without
            # enforcing them; anything other than ENFORCED deserves a second
            # look in production configuration.
            enforcementMode:
              enum:
                - ENFORCED
                - PERMISSIVE
              type: string
            # Services/namespaces listed here are exempt from RBAC policies.
            exclusion:
              description: A list of services or namespaces that should not be enforced by Istio RBAC policies.
              properties:
                namespaces:
                  description: A list of namespaces.
                  items:
                    format: string
                    type: string
                  type: array
                services:
                  description: A list of services.
                  items:
                    format: string
                    type: string
                  type: array
              type: object
            inclusion:
              description: A list of services or namespaces that should be enforced by Istio RBAC policies.
              properties:
                namespaces:
                  description: A list of namespaces.
                  items:
                    format: string
                    type: string
                  type: array
                services:
                  description: A list of services.
                  items:
                    format: string
                    type: string
                  type: array
              type: object
            mode:
              description: Istio RBAC mode.
              # OFF and ON must stay quoted: unquoted they are read as booleans
              # by YAML 1.1 loaders and the enum would no longer contain the
              # strings Istio expects.
              enum:
                - 'OFF'
                - 'ON'
                - ON_WITH_INCLUSION
                - ON_WITH_EXCLUSION
              type: string
          type: object
      type: object
  versions:
    - name: v1alpha1
      served: true
      storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: destinationrules.networking.istio.io
spec:
additionalPrinterColumns:
- JSONPath: .spec.host
description: The name of a service from the service registry
name: Host
type: string
- JSONPath: .metadata.creationTimestamp
description: |-
CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
name: Age
type: date
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: DestinationRule
listKind: DestinationRuleList
plural: destinationrules
shortNames:
- dr
singular: destinationrule
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting load balancing, outlier detection,
etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule.html'
properties:
exportTo:
description: A list of namespaces to which this destination rule is
exported.
items:
format: string
type: string
type: array
host:
description: The name of a service from the service registry.
format: string
type: string
subsets:
items:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
name:
description: Name of the subset.
format: string
type: string
trafficPolicy:
description: Traffic policies that apply to this subset.
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests
to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection
to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream
connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
portLevelSettings:
description: Traffic policies specific to individual ports.
items:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP
requests to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a
backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per
connection to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP
upstream connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on
the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer
algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep
analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
port:
properties:
number:
type: integer
type: object
tls:
description: TLS related settings for connections to
the upstream service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server
during TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during
TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: object
type: array
trafficPolicy:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should be upgraded
to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests to
a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection pool
connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection to
a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections to
a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
portLevelSettings:
description: Traffic policies specific to individual ports.
items:
properties:
connectionPool:
properties:
http:
description: HTTP connection pool settings.
properties:
h2UpgradePolicy:
description: Specify if http1.1 connection should
be upgraded to http2 for the associated destination.
enum:
- DEFAULT
- DO_NOT_UPGRADE
- UPGRADE
type: string
http1MaxPendingRequests:
description: Maximum number of pending HTTP requests
to a destination.
format: int32
type: integer
http2MaxRequests:
description: Maximum number of requests to a backend.
format: int32
type: integer
idleTimeout:
description: The idle timeout for upstream connection
pool connections.
type: string
maxRequestsPerConnection:
description: Maximum number of requests per connection
to a backend.
format: int32
type: integer
maxRetries:
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream
connections.
properties:
connectTimeout:
description: TCP connection timeout.
type: string
maxConnections:
description: Maximum number of HTTP1 /TCP connections
to a destination host.
format: int32
type: integer
tcpKeepalive:
description: If set then set SO_KEEPALIVE on the socket
to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive
probes.
type: string
probes:
type: integer
time:
type: string
type: object
type: object
type: object
loadBalancer:
description: Settings controlling the load balancer algorithms.
oneOf:
- required:
- simple
- properties:
consistentHash:
oneOf:
- required:
- httpHeaderName
- required:
- httpCookie
- required:
- useSourceIp
required:
- consistentHash
properties:
consistentHash:
properties:
httpCookie:
description: Hash based on HTTP cookie.
properties:
name:
description: Name of the cookie.
format: string
type: string
path:
description: Path to set for the cookie.
format: string
type: string
ttl:
description: Lifetime of the cookie.
type: string
type: object
httpHeaderName:
description: Hash based on a specific HTTP header.
format: string
type: string
minimumRingSize:
type: integer
useSourceIp:
description: Hash based on the source IP address.
type: boolean
type: object
simple:
enum:
- ROUND_ROBIN
- LEAST_CONN
- RANDOM
- PASSTHROUGH
type: string
type: object
outlierDetection:
properties:
baseEjectionTime:
description: Minimum ejection duration.
type: string
consecutiveErrors:
format: int32
type: integer
interval:
description: Time interval between ejection sweep analysis.
type: string
maxEjectionPercent:
format: int32
type: integer
minHealthPercent:
format: int32
type: integer
type: object
port:
properties:
number:
type: integer
type: object
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during
TLS handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream
service.
properties:
caCertificates:
format: string
type: string
clientCertificate:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
mode:
enum:
- DISABLE
- SIMPLE
- MUTUAL
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
sni:
description: SNI string to present to the server during TLS
handshake.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
type: object
type: object
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: istio-pilot
chart: istio
heritage: Tiller
release: istio
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: EnvoyFilter
plural: envoyfilters
singular: envoyfilter
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
description: 'Customizing Envoy configuration generated by Istio. See more
details at: https://istio.io/docs/reference/config/networking/v1alpha3/envoy-filter.html'
properties:
configPatches:
description: One or more patches with match conditions.
items:
properties:
applyTo:
enum:
- INVALID
- LISTENER
- FILTER_CHAIN
- NETWORK_FILTER
- HTTP_FILTER
- ROUTE_CONFIGURATION
- VIRTUAL_HOST
- HTTP_ROUTE
- CLUSTER
type: string
match:
description: Match on listener/route configuration/cluster.
oneOf:
- required:
- listener
- required:
- routeConfiguration
- required:
- cluster
properties:
cluster:
description: Match on envoy cluster attributes.
properties:
name:
description: The exact name of the cluster to match.
format: string
type: string
portNumber:
description: The service port for which this cluster was
generated.
type: integer
service:
description: The fully qualified service name for this
cluster.
format: string
type: string
subset:
description: The subset associated with the service.
format: string
type: string
type: object
context:
description: The specific config generation context to match
on.
enum:
- ANY
- SIDECAR_INBOUND
- SIDECAR_OUTBOUND
- GATEWAY
type: string
listener:
description: Match on envoy listener attributes.
properties:
filterChain:
description: Match a specific filter chain in a listener.
properties:
applicationProtocols:
description: Applies only to sidecars.
format: string
type: string
filter:
description: The name of a specific filter to apply
the patch to.
properties:
name:
description: The filter name to match on.
format: string
type: string
subFilter:
properties:
name:
description: The filter name to match on.
format: string
type: string
type: object
type: object
name:
description: The name assigned to the filter chain.
format: string
type: string
sni:
description: The SNI value used by a filter chain's
match condition.
format: string
type: string
transportProtocol:
description: Applies only to SIDECAR_INBOUND context.
format: string
type: string
type: object
name:
description: Match a specific listener by its name.
format: string
type: string
portName:
format: string
type: string
portNumber:
type: integer
type: object
proxy:
description: Match on properties associated with a proxy.
properties:
metadata:
additionalProperties:
format: string
type: string
type: object
proxyVersion:
format: string
type: string
type: object
routeConfiguration:
description: Match on envoy HTTP route configuration attributes.
properties:
gateway:
format: string
type: string
name:
description: Route configuration name to match on.
format: string
type: string
portName:
description: Applicable only for GATEWAY context.
format: string
type: string
portNumber:
type: integer
vhost:
properties:
name:
format: string
type: string
route:
description: Match a specific route within the virtual
host.
properties:
action:
description: Match a route with specific action
type.
enum:
- ANY
- ROUTE
- REDIRECT
- DIRECT_RESPONSE
type: string
name:
format: string
type: string
type: object
type: object
type: object
type: object
patch:
description: The patch to apply along with the operation.
properties:
operation:
description: Determines how the patch should be applied.
enum:
- INVALID
- MERGE
- ADD
- REMOVE
- INSERT_BEFORE
- INSERT_AFTER
type: string
value:
description: The JSON config of the object being patched.
type: object
type: object
type: object
type: array
filters:
items:
properties:
filterConfig:
type: object
filterName:
description: The name of the filter to instantiate.
format: string
type: string
filterType:
description: The type of filter to instantiate.
enum:
- INVALID
- HTTP
- NETWORK
type: string
insertPosition:
description: Insert position in the filter chain.
properties:
index:
description: Position of this filter in the filter chain.
enum:
- FIRST
- LAST
- BEFORE
- AFTER
type: string
relativeTo:
format: string
type: string
type: object
listenerMatch:
properties:
address:
description: One or more IP addresses to which the listener
is bound.
items:
format: string
type: string
type: array
listenerProtocol:
description: Selects a class of listeners for the same protocol.
enum:
- ALL
- HTTP
- TCP
type: string
listenerType:
description: Inbound vs outbound sidecar listener or gateway
listener.
enum:
- ANY
- SIDECAR_INBOUND
- SIDECAR_OUTBOUND
- GATEWAY
type: string
portNamePrefix:
format: string
type: string
portNumber:
type: integer
type: object
type: object
type: array
workloadLabels:
additionalProperties:
format: string
type: string
description: Deprecated.
type: object
workloadSelector:
properties:
labels:
additionalProperties:
format: string
type: string
type: object
type: object
type: object
type: object
versions:
- name: v1alpha3
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: gateways.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
      - istio-io
      - networking-istio-io
    kind: Gateway
    plural: gateways
    shortNames:
      - gw
    singular: gateway
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: >-
            Configuration affecting edge load balancer. See more details at:
            https://istio.io/docs/reference/config/networking/v1alpha3/gateway.html
          properties:
            selector:
              additionalProperties:
                format: string
                type: string
              type: object
            servers:
              description: A list of server specifications.
              items:
                properties:
                  bind:
                    format: string
                    type: string
                  defaultEndpoint:
                    format: string
                    type: string
                  hosts:
                    description: One or more hosts exposed by this gateway.
                    items:
                      format: string
                      type: string
                    type: array
                  port:
                    properties:
                      name:
                        description: Label assigned to the port.
                        format: string
                        type: string
                      number:
                        # Typed as integer only; no minimum/maximum is set, so
                        # the 0-65535 range is not enforced by this schema.
                        description: A valid non-negative integer port number.
                        type: integer
                      protocol:
                        description: The protocol exposed on the port.
                        format: string
                        type: string
                    type: object
                  # The TLS block is type-checked only. The "REQUIRED if mode
                  # is ..." descriptions are documentation, not conditional
                  # `required` constraints, and the enums still admit TLSV1_0
                  # and TLSV1_1, so a protocol-version floor or cipher policy
                  # has to be enforced by review or admission control, not by
                  # this CRD.
                  tls:
                    description: Set of TLS related options that govern the server's behavior.
                    properties:
                      caCertificates:
                        description: REQUIRED if mode is `MUTUAL`.
                        format: string
                        type: string
                      cipherSuites:
                        description: 'Optional: If specified, only support the specified cipher list.'
                        items:
                          format: string
                          type: string
                        type: array
                      # NOTE(review): in Istio this is expected to name a secret
                      # holding the server credentials — confirm for the version
                      # in use; the schema only types it as a string.
                      credentialName:
                        format: string
                        type: string
                      httpsRedirect:
                        type: boolean
                      maxProtocolVersion:
                        description: 'Optional: Maximum TLS protocol version.'
                        enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                        type: string
                      minProtocolVersion:
                        description: 'Optional: Minimum TLS protocol version.'
                        enum:
                          - TLS_AUTO
                          - TLSV1_0
                          - TLSV1_1
                          - TLSV1_2
                          - TLSV1_3
                        type: string
                      mode:
                        enum:
                          - PASSTHROUGH
                          - SIMPLE
                          - MUTUAL
                          - AUTO_PASSTHROUGH
                          - ISTIO_MUTUAL
                        type: string
                      privateKey:
                        description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                        format: string
                        type: string
                      serverCertificate:
                        description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
                        format: string
                        type: string
                      subjectAltNames:
                        items:
                          format: string
                          type: string
                        type: array
                      verifyCertificateHash:
                        items:
                          format: string
                          type: string
                        type: array
                      verifyCertificateSpki:
                        items:
                          format: string
                          type: string
                        type: array
                    type: object
                type: object
              type: array
          type: object
      type: object
  versions:
    - name: v1alpha3
      served: true
      storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-mixer
    chart: istio
    heritage: Tiller
    release: istio
  name: httpapispecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
      - istio-io
      - apim-istio-io
    kind: HTTPAPISpecBinding
    plural: httpapispecbindings
    singular: httpapispecbinding
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            # api_specs and apiSpecs are two spellings of the same list with an
            # identical item schema; both are accepted by this validation.
            api_specs:
              items:
                properties:
                  name:
                    description: The short name of the HTTPAPISpec.
                    format: string
                    type: string
                  namespace:
                    description: Optional namespace of the HTTPAPISpec.
                    format: string
                    type: string
                type: object
              type: array
            apiSpecs:
              items:
                properties:
                  name:
                    description: The short name of the HTTPAPISpec.
                    format: string
                    type: string
                  namespace:
                    description: Optional namespace of the HTTPAPISpec.
                    format: string
                    type: string
                type: object
              type: array
            services:
              description: One or more services to map the listed HTTPAPISpec onto.
              items:
                properties:
                  domain:
                    description: Domain suffix used to construct the service FQDN in implementations that support such specification.
                    format: string
                    type: string
                  labels:
                    additionalProperties:
                      format: string
                      type: string
                    description: Optional one or more labels that uniquely identify the service version.
                    type: object
                  name:
                    description: The short name of the service such as "foo".
                    format: string
                    type: string
                  namespace:
                    description: Optional namespace of the service.
                    format: string
                    type: string
                  service:
                    description: The service FQDN.
                    format: string
                    type: string
                type: object
              type: array
          type: object
      type: object
  versions:
    - name: v1alpha2
      served: true
      storage: true
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
labels:
app: istio-mixer
chart: istio
heritage: Tiller
release: istio
name: httpapispecs.config.istio.io
spec:
group: config.istio.io
names:
categories:
- istio-io
- apim-istio-io
kind: HTTPAPISpec
plural: httpapispecs
singular: httpapispec
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
api_keys:
items:
oneOf:
- required:
- query
- required:
- header
- required:
- cookie
properties:
cookie:
format: string
type: string
header:
description: API key is sent in a request header.
format: string
type: string
query:
description: API Key is sent as a query parameter.
format: string
type: string
type: object
type: array
apiKeys:
items:
oneOf:
- required:
- query
- required:
- header
- required:
- cookie
properties:
cookie:
format: string
type: string
header:
description: API key is sent in a request header.
format: string
type: string
query:
description: API Key is sent as a query parameter.
format: string
type: string
type: object
type: array
attributes:
properties:
attributes:
additionalProperties:
oneOf:
- required:
- stringValue
- required:
- int64Value
- required:
- doubleValue
- required:
- boolValue
- required:
- bytesValue
- required:
- timestampValue
- required:
- durationValue
- required:
- stringMapValue
properties:
boolValue:
type: boolean
bytesValue:
format: binary
type: string
doubleValue:
format: double
type: number
durationValue:
type: string
int64Value:
format: int64
type: integer
stringMapValue:
properties:
entries:
additionalProperties:
format: string
type: string
description: Holds a set of name/value pairs.
type: object
type: object
stringValue:
format: string
type: string
timestampValue:
format: dateTime
type: string
type: object
description: A map of attribute name to its value.
type: object
type: object
patterns:
description: List of HTTP patterns to match.
items:
oneOf:
- required:
- uriTemplate
- required:
- regex
properties:
attributes:
properties:
attributes:
additionalProperties:
oneOf:
- required:
- stringValue
- required:
- int64Value
- required:
- doubleValue
- required:
- boolValue
- required:
- bytesValue
- required:
- timestampValue
- required:
- durationValue
- required:
- stringMapValue
properties:
boolValue:
type: boolean
bytesValue:
format: binary
type: string
doubleValue:
format: double
type: number
durationValue:
type: string
int64Value:
format: int64
type: integer
stringMapValue:
properties:
entries:
additionalProperties:
format: string
type: string
description: Holds a set of name/value pairs.
type: object
type: object
stringValue:
format: string
type: string
timestampValue:
format: dateTime
type: string
type: object
description: A map of attribute name to its value.
type: object
type: object
httpMethod:
format: string
type: string
regex:
format: string
type: string
uriTemplate:
format: string
type: string
type: object
type: array
type: object
type: object
versions:
- name: v1alpha2
served: true
storage: true
---
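# CustomResourceDefinition for MeshPolicy (authentication.istio.io/v1alpha1).
# scope: Cluster makes this a non-namespaced resource; in Istio it carries the
# mesh-wide default for peer (mTLS) and origin (JWT) authentication, so a change
# to the MeshPolicy object affects every workload that has no narrower Policy.
# NOTE(review): apiextensions v1beta1 CRDs keep unknown fields unless
# preserveUnknownFields: false is set, and this manifest does not set it, so a
# misspelled key in a policy is stored rather than rejected — confirm intended.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-citadel
    chart: istio
    heritage: Tiller
    release: istio
  name: meshpolicies.authentication.istio.io
spec:
  group: authentication.istio.io
  names:
    categories:
    - istio-io
    - authentication-istio-io
    kind: MeshPolicy
    listKind: MeshPolicyList
    plural: meshpolicies
    singular: meshpolicy
  scope: Cluster
  subresources:
    status: {}
  # Server-side validation schema for the .spec of a MeshPolicy object.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Authentication policy for Istio services. See more details
            at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html'
          properties:
            # When true, origin (JWT) authentication is best-effort rather than
            # mandatory (Istio semantics — confirm against the linked reference).
            originIsOptional:
              type: boolean
            origins:
              description: List of authentication methods that can be used for origin
                authentication.
              items:
                properties:
                  jwt:
                    description: Jwt params for the method.
                    properties:
                      audiences:
                        items:
                          format: string
                          type: string
                        type: array
                      issuer:
                        description: Identifies the issuer that issued the JWT.
                        format: string
                        type: string
                      # Inline key set; unlike jwks_uri/jwksUri it is never refetched,
                      # so key rotation requires updating the policy itself.
                      jwks:
                        description: JSON Web Key Set of public keys to validate signature
                          of the JWT.
                        format: string
                        type: string
                      # The schema accepts both snake_case and camelCase spellings of
                      # the same field (jwks_uri/jwksUri, jwt_headers/jwtHeaders,
                      # trigger_rules/triggerRules); only one of each pair should be set.
                      jwks_uri:
                        format: string
                        type: string
                      jwksUri:
                        format: string
                        type: string
                      jwt_headers:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtHeaders:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtParams:
                        description: JWT is sent in a query parameter.
                        items:
                          format: string
                          type: string
                        type: array
                      # Trigger rules decide which request paths the JWT applies to;
                      # an over-broad excluded path (prefix or unanchored regex) lets
                      # matching requests skip JWT validation — review these closely
                      # (Istio semantics; confirm against the linked reference).
                      trigger_rules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                      triggerRules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                    type: object
                type: object
              type: array
            # When true, peer (mTLS) authentication is best-effort rather than
            # mandatory (Istio semantics — confirm against the linked reference).
            peerIsOptional:
              type: boolean
            peers:
              description: List of authentication methods that can be used for peer
                authentication.
              items:
                # Each peer method is exactly one of mtls or jwt.
                oneOf:
                - required:
                  - mtls
                - required:
                  - jwt
                properties:
                  jwt:
                    properties:
                      audiences:
                        items:
                          format: string
                          type: string
                        type: array
                      issuer:
                        description: Identifies the issuer that issued the JWT.
                        format: string
                        type: string
                      # Inline key set; unlike jwks_uri/jwksUri it is never refetched,
                      # so key rotation requires updating the policy itself.
                      jwks:
                        description: JSON Web Key Set of public keys to validate signature
                          of the JWT.
                        format: string
                        type: string
                      # The schema accepts both snake_case and camelCase spellings of
                      # the same field (jwks_uri/jwksUri, jwt_headers/jwtHeaders,
                      # trigger_rules/triggerRules); only one of each pair should be set.
                      jwks_uri:
                        format: string
                        type: string
                      jwksUri:
                        format: string
                        type: string
                      jwt_headers:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtHeaders:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtParams:
                        description: JWT is sent in a query parameter.
                        items:
                          format: string
                          type: string
                        type: array
                      # Trigger rules decide which request paths the JWT applies to;
                      # an over-broad excluded path (prefix or unanchored regex) lets
                      # matching requests skip JWT validation — review these closely
                      # (Istio semantics; confirm against the linked reference).
                      trigger_rules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                      triggerRules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                    type: object
                  mtls:
                    description: Set if mTLS is used.
                    properties:
                      # Deprecated per its own description; express the intent with
                      # mode instead of this boolean.
                      allowTls:
                        description: WILL BE DEPRECATED, if set, will translates to
                          `TLS_PERMISSIVE` mode.
                        type: boolean
                      # STRICT requires mTLS from every peer; PERMISSIVE also accepts
                      # plaintext, which is a migration aid rather than a secure end state.
                      mode:
                        description: Defines the mode of mTLS authentication.
                        enum:
                        - STRICT
                        - PERMISSIVE
                        type: string
                    type: object
                type: object
              type: array
            # Selects whether the peer or the origin identity becomes the request
            # principal seen by downstream authorization.
            principalBinding:
              description: Define whether peer or origin identity should be use for
                principal.
              enum:
              - USE_PEER
              - USE_ORIGIN
              type: string
            targets:
              description: List rules to select workloads that the policy should be
                applied on.
              items:
                properties:
                  labels:
                    additionalProperties:
                      format: string
                      type: string
                    type: object
                  name:
                    description: The name must be a short name from the service registry.
                    format: string
                    type: string
                  ports:
                    description: Specifies the ports.
                    items:
                      oneOf:
                      - required:
                        - number
                      - required:
                        - name
                      properties:
                        name:
                          format: string
                          type: string
                        number:
                          type: integer
                      type: object
                    type: array
                type: object
              type: array
          type: object
      type: object
  versions:
  - name: v1alpha1
    served: true
    storage: true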
---
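# CustomResourceDefinition for Policy (authentication.istio.io/v1alpha1).
# Namespaced counterpart of MeshPolicy with the same .spec schema: it scopes peer
# (mTLS) and origin (JWT) authentication to the workloads selected by targets
# within one namespace.
# NOTE(review): apiextensions v1beta1 CRDs keep unknown fields unless
# preserveUnknownFields: false is set, and this manifest does not set it, so a
# misspelled key in a policy is stored rather than rejected — confirm intended.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-citadel
    chart: istio
    heritage: Tiller
    release: istio
  name: policies.authentication.istio.io
spec:
  group: authentication.istio.io
  names:
    categories:
    - istio-io
    - authentication-istio-io
    kind: Policy
    plural: policies
    singular: policy
  scope: Namespaced
  subresources:
    status: {}
  # Server-side validation schema for the .spec of a Policy object.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Authentication policy for Istio services. See more details
            at: https://istio.io/docs/reference/config/istio.authentication.v1alpha1.html'
          properties:
            # When true, origin (JWT) authentication is best-effort rather than
            # mandatory (Istio semantics — confirm against the linked reference).
            originIsOptional:
              type: boolean
            origins:
              description: List of authentication methods that can be used for origin
                authentication.
              items:
                properties:
                  jwt:
                    description: Jwt params for the method.
                    properties:
                      audiences:
                        items:
                          format: string
                          type: string
                        type: array
                      issuer:
                        description: Identifies the issuer that issued the JWT.
                        format: string
                        type: string
                      # Inline key set; unlike jwks_uri/jwksUri it is never refetched,
                      # so key rotation requires updating the policy itself.
                      jwks:
                        description: JSON Web Key Set of public keys to validate signature
                          of the JWT.
                        format: string
                        type: string
                      # The schema accepts both snake_case and camelCase spellings of
                      # the same field (jwks_uri/jwksUri, jwt_headers/jwtHeaders,
                      # trigger_rules/triggerRules); only one of each pair should be set.
                      jwks_uri:
                        format: string
                        type: string
                      jwksUri:
                        format: string
                        type: string
                      jwt_headers:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtHeaders:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtParams:
                        description: JWT is sent in a query parameter.
                        items:
                          format: string
                          type: string
                        type: array
                      # Trigger rules decide which request paths the JWT applies to;
                      # an over-broad excluded path (prefix or unanchored regex) lets
                      # matching requests skip JWT validation — review these closely
                      # (Istio semantics; confirm against the linked reference).
                      trigger_rules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                      triggerRules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                    type: object
                type: object
              type: array
            # When true, peer (mTLS) authentication is best-effort rather than
            # mandatory (Istio semantics — confirm against the linked reference).
            peerIsOptional:
              type: boolean
            peers:
              description: List of authentication methods that can be used for peer
                authentication.
              items:
                # Each peer method is exactly one of mtls or jwt.
                oneOf:
                - required:
                  - mtls
                - required:
                  - jwt
                properties:
                  jwt:
                    properties:
                      audiences:
                        items:
                          format: string
                          type: string
                        type: array
                      issuer:
                        description: Identifies the issuer that issued the JWT.
                        format: string
                        type: string
                      # Inline key set; unlike jwks_uri/jwksUri it is never refetched,
                      # so key rotation requires updating the policy itself.
                      jwks:
                        description: JSON Web Key Set of public keys to validate signature
                          of the JWT.
                        format: string
                        type: string
                      # The schema accepts both snake_case and camelCase spellings of
                      # the same field (jwks_uri/jwksUri, jwt_headers/jwtHeaders,
                      # trigger_rules/triggerRules); only one of each pair should be set.
                      jwks_uri:
                        format: string
                        type: string
                      jwksUri:
                        format: string
                        type: string
                      jwt_headers:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtHeaders:
                        description: JWT is sent in a request header.
                        items:
                          format: string
                          type: string
                        type: array
                      jwtParams:
                        description: JWT is sent in a query parameter.
                        items:
                          format: string
                          type: string
                        type: array
                      # Trigger rules decide which request paths the JWT applies to;
                      # an over-broad excluded path (prefix or unanchored regex) lets
                      # matching requests skip JWT validation — review these closely
                      # (Istio semantics; confirm against the linked reference).
                      trigger_rules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                      triggerRules:
                        items:
                          properties:
                            excluded_paths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            excludedPaths:
                              description: List of paths to be excluded from the request.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            included_paths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                            includedPaths:
                              description: List of paths that the request must include.
                              items:
                                oneOf:
                                - required:
                                  - exact
                                - required:
                                  - prefix
                                - required:
                                  - suffix
                                - required:
                                  - regex
                                properties:
                                  exact:
                                    description: exact string match.
                                    format: string
                                    type: string
                                  prefix:
                                    description: prefix-based match.
                                    format: string
                                    type: string
                                  regex:
                                    description: ECMAscript style regex-based match
                                      as defined by [EDCA-262](http://en.cppreference.com/w/cpp/regex/ecmascript).
                                    format: string
                                    type: string
                                  suffix:
                                    description: suffix-based match.
                                    format: string
                                    type: string
                                type: object
                              type: array
                          type: object
                        type: array
                    type: object
                  mtls:
                    description: Set if mTLS is used.
                    properties:
                      # Deprecated per its own description; express the intent with
                      # mode instead of this boolean.
                      allowTls:
                        description: WILL BE DEPRECATED, if set, will translates to
                          `TLS_PERMISSIVE` mode.
                        type: boolean
                      # STRICT requires mTLS from every peer; PERMISSIVE also accepts
                      # plaintext, which is a migration aid rather than a secure end state.
                      mode:
                        description: Defines the mode of mTLS authentication.
                        enum:
                        - STRICT
                        - PERMISSIVE
                        type: string
                    type: object
                type: object
              type: array
            # Selects whether the peer or the origin identity becomes the request
            # principal seen by downstream authorization.
            principalBinding:
              description: Define whether peer or origin identity should be use for
                principal.
              enum:
              - USE_PEER
              - USE_ORIGIN
              type: string
            targets:
              description: List rules to select workloads that the policy should be
                applied on.
              items:
                properties:
                  labels:
                    additionalProperties:
                      format: string
                      type: string
                    type: object
                  name:
                    description: The name must be a short name from the service registry.
                    format: string
                    type: string
                  ports:
                    description: Specifies the ports.
                    items:
                      oneOf:
                      - required:
                        - number
                      - required:
                        - name
                      properties:
                        name:
                          format: string
                          type: string
                        number:
                          type: integer
                      type: object
                    type: array
                type: object
              type: array
          type: object
      type: object
  versions:
  - name: v1alpha1
    served: true
    storage: true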
---
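# CustomResourceDefinition for QuotaSpecBinding (config.istio.io/v1alpha2).
# Binds one or more named QuotaSpec objects to a set of services so that Mixer
# applies those quota rules to requests for them.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-mixer
    chart: istio
    heritage: Tiller
    release: istio
  name: quotaspecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpecBinding
    plural: quotaspecbindings
    singular: quotaspecbinding
  scope: Namespaced
  subresources:
    status: {}
  # Server-side validation schema for the .spec of a QuotaSpecBinding object.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          properties:
            # References to QuotaSpec objects by short name (+ optional namespace).
            quotaSpecs:
              items:
                properties:
                  name:
                    description: The short name of the QuotaSpec.
                    format: string
                    type: string
                  namespace:
                    description: Optional namespace of the QuotaSpec.
                    format: string
                    type: string
                type: object
              type: array
            services:
              description: One or more services to map the listed QuotaSpec onto.
              items:
                properties:
                  domain:
                    description: Domain suffix used to construct the service FQDN
                      in implementations that support such specification.
                    format: string
                    type: string
                  labels:
                    additionalProperties:
                      format: string
                      type: string
                    description: Optional one or more labels that uniquely identify
                      the service version.
                    type: object
                  name:
                    description: The short name of the service such as "foo".
                    format: string
                    type: string
                  namespace:
                    description: Optional namespace of the service.
                    format: string
                    type: string
                  # Fully qualified form; the schema does not require exactly one of
                  # service or name/namespace/domain to be set.
                  service:
                    description: The service FQDN.
                    format: string
                    type: string
                type: object
              type: array
          type: object
      type: object
  versions:
  - name: v1alpha2
    served: true
    storage: true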
---
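# CustomResourceDefinition for QuotaSpec (config.istio.io/v1alpha2).
# Describes which quotas Mixer charges for a request, selected by attribute
# match clauses; bound to services through QuotaSpecBinding.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-mixer
    chart: istio
    heritage: Tiller
    release: istio
  name: quotaspecs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpec
    plural: quotaspecs
    singular: quotaspec
  scope: Namespaced
  subresources:
    status: {}
  # Server-side validation schema for the .spec of a QuotaSpec object.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: Determines the quotas used for individual requests.
          properties:
            rules:
              description: A list of Quota rules.
              items:
                properties:
                  # An empty match list applies the rule to every request, so a
                  # rule without match clauses is effectively a global quota.
                  match:
                    description: If empty, match all request.
                    items:
                      properties:
                        clause:
                          additionalProperties:
                            # Each attribute is matched by exactly one of exact,
                            # prefix or regex.
                            oneOf:
                            - required:
                              - exact
                            - required:
                              - prefix
                            - required:
                              - regex
                            properties:
                              exact:
                                format: string
                                type: string
                              prefix:
                                format: string
                                type: string
                              regex:
                                format: string
                                type: string
                            type: object
                          description: Map of attribute names to StringMatch type.
                          type: object
                      type: object
                    type: array
                  quotas:
                    description: The list of quotas to charge.
                    items:
                      properties:
                        # Amount charged per matching request (int32).
                        charge:
                          format: int32
                          type: integer
                        quota:
                          format: string
                          type: string
                      type: object
                    type: array
                type: object
              type: array
          type: object
      type: object
  versions:
  - name: v1alpha2
    served: true
    storage: true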
---
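# CustomResourceDefinition for RbacConfig (rbac.istio.io/v1alpha1).
# Controls whether, and for which services or namespaces, Istio RBAC policies
# are enforced at all; an RbacConfig that turns RBAC off (or leaves it
# permissive) disables authorization for the covered workloads.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: rbac
    package: istio.io.mixer
    release: istio
  name: rbacconfigs.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: RbacConfig
    plural: rbacconfigs
    singular: rbacconfig
  scope: Namespaced
  subresources:
    status: {}
  # Server-side validation schema for the .spec of an RbacConfig object.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration for Role Based Access Control. See more details
            at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html'
          properties:
            # PERMISSIVE evaluates policies without denying requests (Istio
            # semantics — confirm against the linked reference); only ENFORCED
            # actually blocks unauthorized traffic.
            enforcementMode:
              enum:
              - ENFORCED
              - PERMISSIVE
              type: string
            exclusion:
              description: A list of services or namespaces that should not be enforced
                by Istio RBAC policies.
              properties:
                namespaces:
                  description: A list of namespaces.
                  items:
                    format: string
                    type: string
                  type: array
                services:
                  description: A list of services.
                  items:
                    format: string
                    type: string
                  type: array
              type: object
            inclusion:
              description: A list of services or namespaces that should be enforced
                by Istio RBAC policies.
              properties:
                namespaces:
                  description: A list of namespaces.
                  items:
                    format: string
                    type: string
                  type: array
                services:
                  description: A list of services.
                  items:
                    format: string
                    type: string
                  type: array
              type: object
            mode:
              description: Istio RBAC mode.
              # The quotes on "OFF" and "ON" are load-bearing: unquoted, a YAML 1.1
              # parser reads them as booleans and the enum would no longer match
              # the string values the controller expects.
              enum:
              - "OFF"
              - "ON"
              - ON_WITH_INCLUSION
              - ON_WITH_EXCLUSION
              type: string
          type: object
      type: object
  versions:
  - name: v1alpha1
    served: true
    storage: true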
---
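# CustomResourceDefinition for Mixer rule (config.istio.io/v1alpha2).
# A rule pairs an attribute-expression predicate (match) with the handler
# actions to run, optional header rewrites and a sampling policy.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: core
    package: istio.io.mixer
    release: istio
  name: rules.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: rule
    plural: rules
    singular: rule
  scope: Namespaced
  subresources:
    status: {}
  # Server-side validation schema for the .spec of a rule object.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Describes the rules used to configure Mixer''s policy and
            telemetry features. See more details at: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html'
          properties:
            actions:
              description: The actions that will be executed when match evaluates
                to `true`.
              items:
                properties:
                  handler:
                    description: Fully qualified name of the handler to invoke.
                    format: string
                    type: string
                  instances:
                    items:
                      format: string
                      type: string
                    type: array
                  name:
                    description: A handle to refer to the results of the action.
                    format: string
                    type: string
                type: object
              type: array
            # Free-form expression string; the schema only checks that it is a
            # string, so syntax and attribute names are validated by Mixer, not here.
            match:
              description: Match is an attribute based predicate.
              format: string
              type: string
            # Header rewrites applied to the proxied request; values are expressions
            # evaluated at request time, so review them like any other injected data.
            requestHeaderOperations:
              items:
                properties:
                  name:
                    description: Header name literal value.
                    format: string
                    type: string
                  operation:
                    description: Header operation type.
                    enum:
                    - REPLACE
                    - REMOVE
                    - APPEND
                    type: string
                  values:
                    description: Header value expressions.
                    items:
                      format: string
                      type: string
                    type: array
                type: object
              type: array
            # Same shape as requestHeaderOperations, applied to the response.
            responseHeaderOperations:
              items:
                properties:
                  name:
                    description: Header name literal value.
                    format: string
                    type: string
                  operation:
                    description: Header operation type.
                    enum:
                    - REPLACE
                    - REMOVE
                    - APPEND
                    type: string
                  values:
                    description: Header value expressions.
                    items:
                      format: string
                      type: string
                    type: array
                type: object
              type: array
            # Sampling reduces how often the actions run; for a policy (as opposed
            # to telemetry) rule this means some requests are not checked at all.
            sampling:
              properties:
                random:
                  description: Provides filtering of actions based on random selection
                    per request.
                  properties:
                    attributeExpression:
                      description: Specifies an attribute expression to use to override
                        the numerator in the `percent_sampled` field.
                      format: string
                      type: string
                    percentSampled:
                      description: The default sampling rate, expressed as a percentage.
                      properties:
                        denominator:
                          description: Specifies the denominator.
                          enum:
                          - HUNDRED
                          - TEN_THOUSAND
                          type: string
                        numerator:
                          description: Specifies the numerator.
                          type: integer
                      type: object
                    useIndependentRandomness:
                      description: By default sampling will be based on the value
                        of the request header `x-request-id`.
                      type: boolean
                  type: object
                rateLimit:
                  properties:
                    maxUnsampledEntries:
                      description: Number of entries to allow during the `sampling_duration`
                        before sampling is enforced.
                      format: int64
                      type: integer
                    samplingDuration:
                      description: Window in which to enforce the sampling rate.
                      type: string
                    samplingRate:
                      description: The rate at which to sample entries once the unsampled
                        limit has been reached.
                      format: int64
                      type: integer
                  type: object
              type: object
          type: object
      type: object
  versions:
  - name: v1alpha2
    served: true
    storage: true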
---
# CRD: ServiceEntry (networking.istio.io/v1alpha3) — registers hosts that are
# not discovered from Kubernetes (external services or out-of-band endpoints)
# into the mesh service registry.
# NOTE(review): apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22;
# a migration to apiextensions.k8s.io/v1 requires a structural schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: serviceentries.networking.istio.io
spec:
  # Columns shown by `kubectl get serviceentries`.
  additionalPrinterColumns:
    - JSONPath: .spec.hosts
      description: The hosts associated with the ServiceEntry
      name: Hosts
      type: string
    - JSONPath: .spec.location
      description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL
        or MESH_INTERNAL)
      name: Location
      type: string
    - JSONPath: .spec.resolution
      description: Service discovery mode for the hosts (NONE, STATIC, or DNS)
      name: Resolution
      type: string
    - JSONPath: .metadata.creationTimestamp
      description: |-
        CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
        Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
      name: Age
      type: date
  group: networking.istio.io
  names:
    categories:
      - istio-io
      - networking-istio-io
    kind: ServiceEntry
    listKind: ServiceEntryList
    plural: serviceentries
    shortNames:
      - se
    singular: serviceentry
  scope: Namespaced
  subresources:
    status: {}
  # Admission-time validation of .spec. Only field types and enums are
  # constrained here; no field is marked required.
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting service registry. See more details
            at: https://istio.io/docs/reference/config/networking/v1alpha3/service-entry.html'
          properties:
            addresses:
              description: The virtual IP addresses associated with the service.
              items:
                format: string
                type: string
              type: array
            endpoints:
              description: One or more endpoints associated with the service.
              items:
                properties:
                  # address and network carry no description in this schema.
                  address:
                    format: string
                    type: string
                  labels:
                    additionalProperties:
                      format: string
                      type: string
                    description: One or more labels associated with the endpoint.
                    type: object
                  locality:
                    description: The locality associated with the endpoint.
                    format: string
                    type: string
                  network:
                    format: string
                    type: string
                  ports:
                    additionalProperties:
                      type: integer
                    description: Set of ports associated with the endpoint.
                    type: object
                  weight:
                    description: The load balancing weight associated with the endpoint.
                    type: integer
                type: object
              type: array
            exportTo:
              description: A list of namespaces to which this service is exported.
              items:
                format: string
                type: string
              type: array
            hosts:
              description: The hosts associated with the ServiceEntry.
              items:
                format: string
                type: string
              type: array
            # Meaning of the two values is given by the Location printer column above.
            location:
              enum:
                - MESH_EXTERNAL
                - MESH_INTERNAL
              type: string
            ports:
              description: The ports associated with the external service.
              items:
                properties:
                  name:
                    description: Label assigned to the port.
                    format: string
                    type: string
                  number:
                    description: A valid non-negative integer port number.
                    type: integer
                  protocol:
                    description: The protocol exposed on the port.
                    format: string
                    type: string
                type: object
              type: array
            resolution:
              description: Service discovery mode for the hosts.
              enum:
                - NONE
                - STATIC
                - DNS
              type: string
            # No description in this schema; presumably the subject alternative
            # names the proxy verifies on the upstream certificate — confirm
            # against the reference linked in the spec description.
            subjectAltNames:
              items:
                format: string
                type: string
              type: array
          type: object
      type: object
  versions:
    - name: v1alpha3
      served: true
      storage: true
---
# CRD: ServiceRoleBinding (rbac.istio.io/v1alpha1) — binds subjects to a
# ServiceRole. Compare the AuthorizationPolicy CRD (security.istio.io) later
# in this file, which covers the same access-control concern.
# NOTE(review): apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: rbac
    package: istio.io.mixer
    release: istio
  name: servicerolebindings.rbac.istio.io
spec:
  # Columns shown by `kubectl get servicerolebindings`.
  additionalPrinterColumns:
    - JSONPath: .spec.roleRef.name
      description: The name of the ServiceRole object being referenced
      name: Reference
      type: string
    - JSONPath: .metadata.creationTimestamp
      description: |-
        CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
        Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
      name: Age
      type: date
  group: rbac.istio.io
  names:
    categories:
      - istio-io
      - rbac-istio-io
    kind: ServiceRoleBinding
    plural: servicerolebindings
    singular: servicerolebinding
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration for Role Based Access Control. See more details
            at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html'
          properties:
            # Inline access rules; same shape as ServiceRole.spec.rules, so a
            # binding can grant permissions without a separate ServiceRole.
            actions:
              items:
                properties:
                  constraints:
                    description: Optional.
                    items:
                      properties:
                        key:
                          description: Key of the constraint.
                          format: string
                          type: string
                        values:
                          description: List of valid values for the constraint.
                          items:
                            format: string
                            type: string
                          type: array
                      type: object
                    type: array
                  hosts:
                    items:
                      format: string
                      type: string
                    type: array
                  methods:
                    description: Optional.
                    items:
                      format: string
                      type: string
                    type: array
                  # not* lists are the negated forms of the matching positive lists.
                  notHosts:
                    items:
                      format: string
                      type: string
                    type: array
                  notMethods:
                    items:
                      format: string
                      type: string
                    type: array
                  notPaths:
                    items:
                      format: string
                      type: string
                    type: array
                  notPorts:
                    items:
                      format: int32
                      type: integer
                    type: array
                  paths:
                    description: Optional.
                    items:
                      format: string
                      type: string
                    type: array
                  ports:
                    items:
                      format: int32
                      type: integer
                    type: array
                  services:
                    description: A list of service names.
                    items:
                      format: string
                      type: string
                    type: array
                type: object
              type: array
            # No description in this schema. NOTE(review): PERMISSIVE
            # presumably does not reject requests — confirm against the linked
            # reference before treating a binding in that mode as a control.
            mode:
              enum:
                - ENFORCED
                - PERMISSIVE
              type: string
            # Two ways to name the role: the bare `role` string (undocumented
            # here) and the structured `roleRef` below.
            role:
              format: string
              type: string
            roleRef:
              description: Reference to the ServiceRole object.
              properties:
                kind:
                  description: The type of the role being referenced.
                  format: string
                  type: string
                name:
                  description: The name of the ServiceRole object being referenced.
                  format: string
                  type: string
              type: object
            subjects:
              description: List of subjects that are assigned the ServiceRole object.
              items:
                properties:
                  # Singular `group`/`user` and plural `groups`/`names` forms
                  # are both accepted by the schema.
                  group:
                    format: string
                    type: string
                  groups:
                    items:
                      format: string
                      type: string
                    type: array
                  ips:
                    items:
                      format: string
                      type: string
                    type: array
                  names:
                    items:
                      format: string
                      type: string
                    type: array
                  namespaces:
                    items:
                      format: string
                      type: string
                    type: array
                  notGroups:
                    items:
                      format: string
                      type: string
                    type: array
                  notIps:
                    items:
                      format: string
                      type: string
                    type: array
                  notNames:
                    items:
                      format: string
                      type: string
                    type: array
                  notNamespaces:
                    items:
                      format: string
                      type: string
                    type: array
                  properties:
                    additionalProperties:
                      format: string
                      type: string
                    description: Optional.
                    type: object
                  user:
                    description: Optional.
                    format: string
                    type: string
                type: object
              type: array
          type: object
      type: object
  versions:
    - name: v1alpha1
      served: true
      storage: true
---
# CRD: ServiceRole (rbac.istio.io/v1alpha1) — a set of access rules that a
# ServiceRoleBinding grants to subjects. No printer columns are defined.
# NOTE(review): apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: mixer
    chart: istio
    heritage: Tiller
    istio: rbac
    package: istio.io.mixer
    release: istio
  name: serviceroles.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
      - istio-io
      - rbac-istio-io
    kind: ServiceRole
    plural: serviceroles
    singular: servicerole
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration for Role Based Access Control. See more details
            at: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html'
          properties:
            rules:
              description: The set of access rules (permissions) that the role has.
              # Each rule has the same shape as ServiceRoleBinding.spec.actions.
              items:
                properties:
                  constraints:
                    description: Optional.
                    items:
                      properties:
                        key:
                          description: Key of the constraint.
                          format: string
                          type: string
                        values:
                          description: List of valid values for the constraint.
                          items:
                            format: string
                            type: string
                          type: array
                      type: object
                    type: array
                  hosts:
                    items:
                      format: string
                      type: string
                    type: array
                  methods:
                    description: Optional.
                    items:
                      format: string
                      type: string
                    type: array
                  # not* lists are the negated forms of the matching positive lists.
                  notHosts:
                    items:
                      format: string
                      type: string
                    type: array
                  notMethods:
                    items:
                      format: string
                      type: string
                    type: array
                  notPaths:
                    items:
                      format: string
                      type: string
                    type: array
                  notPorts:
                    items:
                      format: int32
                      type: integer
                    type: array
                  paths:
                    description: Optional.
                    items:
                      format: string
                      type: string
                    type: array
                  # Ports are int32 here; the AuthorizationPolicy CRD later in
                  # this file types its `ports` as strings.
                  ports:
                    items:
                      format: int32
                      type: integer
                    type: array
                  services:
                    description: A list of service names.
                    items:
                      format: string
                      type: string
                    type: array
                type: object
              type: array
          type: object
      type: object
  versions:
    - name: v1alpha1
      served: true
      storage: true
---
# CRD: VirtualService (networking.istio.io/v1alpha3) — routing rules for
# HTTP, opaque TCP and TLS(SNI) traffic: matching, destinations, header
# manipulation, redirects, retries, timeouts, mirroring and fault injection.
# NOTE(review): apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: virtualservices.networking.istio.io
spec:
  # Columns shown by `kubectl get virtualservices`.
  additionalPrinterColumns:
    - JSONPath: .spec.gateways
      description: The names of gateways and sidecars that should apply these routes
      name: Gateways
      type: string
    - JSONPath: .spec.hosts
      description: The destination hosts to which traffic is being sent
      name: Hosts
      type: string
    - JSONPath: .metadata.creationTimestamp
      description: |-
        CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
        Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
      name: Age
      type: date
  group: networking.istio.io
  names:
    categories:
      - istio-io
      - networking-istio-io
    kind: VirtualService
    listKind: VirtualServiceList
    plural: virtualservices
    shortNames:
      - vs
    singular: virtualservice
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting label/content routing, sni routing,
            etc. See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service.html'
          properties:
            exportTo:
              description: A list of namespaces to which this virtual service is exported.
              items:
                format: string
                type: string
              type: array
            gateways:
              description: The names of gateways and sidecars that should apply these
                routes.
              items:
                format: string
                type: string
              type: array
            hosts:
              description: The destination hosts to which traffic is being sent.
              items:
                format: string
                type: string
              type: array
            http:
              description: An ordered list of route rules for HTTP traffic.
              items:
                properties:
                  # Route-level header maps. The same fields on the per-route
                  # entries below are marked deprecated in their descriptions;
                  # the structured `headers` block is the non-deprecated form.
                  appendHeaders:
                    additionalProperties:
                      format: string
                      type: string
                    type: object
                  appendRequestHeaders:
                    additionalProperties:
                      format: string
                      type: string
                    type: object
                  appendResponseHeaders:
                    additionalProperties:
                      format: string
                      type: string
                    type: object
                  corsPolicy:
                    description: Cross-Origin Resource Sharing policy (CORS).
                    properties:
                      allowCredentials:
                        nullable: true
                        type: boolean
                      allowHeaders:
                        items:
                          format: string
                          type: string
                        type: array
                      allowMethods:
                        description: List of HTTP methods allowed to access the resource.
                        items:
                          format: string
                          type: string
                        type: array
                      # Plain string list; the schema does not constrain the
                      # origin format, so review entries case by case.
                      allowOrigin:
                        description: The list of origins that are allowed to perform
                          CORS requests.
                        items:
                          format: string
                          type: string
                        type: array
                      exposeHeaders:
                        items:
                          format: string
                          type: string
                        type: array
                      maxAge:
                        type: string
                    type: object
                  fault:
                    description: Fault injection policy to apply on HTTP traffic at
                      the client side.
                    properties:
                      abort:
                        # Exactly one of httpStatus / grpcStatus / http2Error.
                        # The `percent: {}` entries are empty schemas and add no
                        # constraint of their own.
                        oneOf:
                          - properties:
                              percent: {}
                            required:
                              - httpStatus
                          - properties:
                              percent: {}
                            required:
                              - grpcStatus
                          - properties:
                              percent: {}
                            required:
                              - http2Error
                        properties:
                          grpcStatus:
                            format: string
                            type: string
                          http2Error:
                            format: string
                            type: string
                          httpStatus:
                            description: HTTP status code to use to abort the Http
                              request.
                            format: int32
                            type: integer
                          # Integer `percent` and fractional `percentage.value`
                          # both exist; the schema does not say which wins.
                          percent:
                            description: Percentage of requests to be aborted with
                              the error code provided (0-100).
                            format: int32
                            type: integer
                          percentage:
                            description: Percentage of requests to be aborted with
                              the error code provided.
                            properties:
                              value:
                                format: double
                                type: number
                            type: object
                        type: object
                      delay:
                        # Exactly one of fixedDelay / exponentialDelay.
                        oneOf:
                          - properties:
                              percent: {}
                            required:
                              - fixedDelay
                          - properties:
                              percent: {}
                            required:
                              - exponentialDelay
                        properties:
                          exponentialDelay:
                            type: string
                          fixedDelay:
                            description: Add a fixed delay before forwarding the request.
                            type: string
                          percent:
                            description: Percentage of requests on which the delay
                              will be injected (0-100).
                            format: int32
                            type: integer
                          percentage:
                            description: Percentage of requests on which the delay
                              will be injected.
                            properties:
                              value:
                                format: double
                                type: number
                            type: object
                        type: object
                    type: object
                  # Structured header manipulation: add / remove / set for
                  # request and response.
                  headers:
                    properties:
                      request:
                        properties:
                          add:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                          remove:
                            items:
                              format: string
                              type: string
                            type: array
                          set:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                        type: object
                      response:
                        properties:
                          add:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                          remove:
                            items:
                              format: string
                              type: string
                            type: array
                          set:
                            additionalProperties:
                              format: string
                              type: string
                            type: object
                        type: object
                    type: object
                  match:
                    items:
                      properties:
                        # String matchers (authority, headers, method,
                        # queryParams, scheme, uri) each require exactly one of
                        # exact / prefix / regex.
                        authority:
                          oneOf:
                            - required:
                                - exact
                            - required:
                                - prefix
                            - required:
                                - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              format: string
                              type: string
                          type: object
                        gateways:
                          items:
                            format: string
                            type: string
                          type: array
                        headers:
                          additionalProperties:
                            oneOf:
                              - required:
                                  - exact
                              - required:
                                  - prefix
                              - required:
                                  - regex
                            properties:
                              exact:
                                format: string
                                type: string
                              prefix:
                                format: string
                                type: string
                              regex:
                                format: string
                                type: string
                            type: object
                          type: object
                        ignoreUriCase:
                          description: Flag to specify whether the URI matching should
                            be case-insensitive.
                          type: boolean
                        method:
                          oneOf:
                            - required:
                                - exact
                            - required:
                                - prefix
                            - required:
                                - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              format: string
                              type: string
                          type: object
                        name:
                          description: The name assigned to a match.
                          format: string
                          type: string
                        port:
                          description: Specifies the ports on the host that is being
                            addressed.
                          type: integer
                        queryParams:
                          additionalProperties:
                            oneOf:
                              - required:
                                  - exact
                              - required:
                                  - prefix
                              - required:
                                  - regex
                            properties:
                              exact:
                                format: string
                                type: string
                              prefix:
                                format: string
                                type: string
                              regex:
                                format: string
                                type: string
                            type: object
                          description: Query parameters for matching.
                          type: object
                        scheme:
                          oneOf:
                            - required:
                                - exact
                            - required:
                                - prefix
                            - required:
                                - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              format: string
                              type: string
                          type: object
                        sourceLabels:
                          additionalProperties:
                            format: string
                            type: string
                          type: object
                        uri:
                          oneOf:
                            - required:
                                - exact
                            - required:
                                - prefix
                            - required:
                                - regex
                          properties:
                            exact:
                              format: string
                              type: string
                            prefix:
                              format: string
                              type: string
                            regex:
                              format: string
                              type: string
                          type: object
                      type: object
                    type: array
                  mirror:
                    properties:
                      host:
                        description: The name of a service from the service registry.
                        format: string
                        type: string
                      port:
                        description: Specifies the port on the host that is being
                          addressed.
                        properties:
                          number:
                            type: integer
                        type: object
                      subset:
                        description: The name of a subset within the service.
                        format: string
                        type: string
                    type: object
                  # Both the snake_case and camelCase spellings are accepted with
                  # identical descriptions; the schema does not say which takes
                  # precedence if both are set.
                  mirror_percent:
                    description: Percentage of the traffic to be mirrored by the `mirror`
                      field.
                    nullable: true
                    type: integer
                  mirrorPercent:
                    description: Percentage of the traffic to be mirrored by the `mirror`
                      field.
                    nullable: true
                    type: integer
                  name:
                    description: The name assigned to the route for debugging purposes.
                    format: string
                    type: string
                  redirect:
                    description: A http rule can either redirect or forward (default)
                      traffic.
                    properties:
                      authority:
                        format: string
                        type: string
                      # No description or range constraint in this schema.
                      redirectCode:
                        type: integer
                      uri:
                        format: string
                        type: string
                    type: object
                  removeRequestHeaders:
                    items:
                      format: string
                      type: string
                    type: array
                  removeResponseHeaders:
                    items:
                      format: string
                      type: string
                    type: array
                  retries:
                    description: Retry policy for HTTP requests.
                    properties:
                      attempts:
                        description: Number of retries for a given request.
                        format: int32
                        type: integer
                      perTryTimeout:
                        description: Timeout per retry attempt for a given request.
                        type: string
                      retryOn:
                        description: Specifies the conditions under which retry takes
                          place.
                        format: string
                        type: string
                    type: object
                  rewrite:
                    description: Rewrite HTTP URIs and Authority headers.
                    properties:
                      authority:
                        description: rewrite the Authority/Host header with this value.
                        format: string
                        type: string
                      uri:
                        format: string
                        type: string
                    type: object
                  route:
                    description: A http rule can either redirect or forward (default)
                      traffic.
                    items:
                      properties:
                        appendRequestHeaders:
                          additionalProperties:
                            format: string
                            type: string
                          description: Use of `append_request_headers` is deprecated.
                          type: object
                        appendResponseHeaders:
                          additionalProperties:
                            format: string
                            type: string
                          description: Use of `append_response_headers` is deprecated.
                          type: object
                        destination:
                          properties:
                            host:
                              description: The name of a service from the service
                                registry.
                              format: string
                              type: string
                            port:
                              description: Specifies the port on the host that is
                                being addressed.
                              properties:
                                number:
                                  type: integer
                              type: object
                            subset:
                              description: The name of a subset within the service.
                              format: string
                              type: string
                          type: object
                        headers:
                          properties:
                            request:
                              properties:
                                add:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                                remove:
                                  items:
                                    format: string
                                    type: string
                                  type: array
                                set:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                              type: object
                            response:
                              properties:
                                add:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                                remove:
                                  items:
                                    format: string
                                    type: string
                                  type: array
                                set:
                                  additionalProperties:
                                    format: string
                                    type: string
                                  type: object
                              type: object
                          type: object
                        removeRequestHeaders:
                          description: Use of `remove_request_headers` is deprecated.
                          items:
                            format: string
                            type: string
                          type: array
                        removeResponseHeaders:
                          description: Use of `remove_response_header` is deprecated.
                          items:
                            format: string
                            type: string
                          type: array
                        weight:
                          format: int32
                          type: integer
                      type: object
                    type: array
                  timeout:
                    description: Timeout for HTTP requests.
                    type: string
                  websocketUpgrade:
                    description: Deprecated.
                    type: boolean
                type: object
              type: array
            tcp:
              description: An ordered list of route rules for opaque TCP traffic.
              items:
                properties:
                  match:
                    items:
                      properties:
                        destinationSubnets:
                          description: IPv4 or IPv6 ip addresses of destination with
                            optional subnet.
                          items:
                            format: string
                            type: string
                          type: array
                        gateways:
                          description: Names of gateways where the rule should be
                            applied to.
                          items:
                            format: string
                            type: string
                          type: array
                        port:
                          description: Specifies the port on the host that is being
                            addressed.
                          type: integer
                        sourceLabels:
                          additionalProperties:
                            format: string
                            type: string
                          type: object
                        # Single string, unlike the destinationSubnets list.
                        sourceSubnet:
                          description: IPv4 or IPv6 ip address of source with optional
                            subnet.
                          format: string
                          type: string
                      type: object
                    type: array
                  route:
                    description: The destination to which the connection should be
                      forwarded to.
                    items:
                      properties:
                        destination:
                          properties:
                            host:
                              description: The name of a service from the service
                                registry.
                              format: string
                              type: string
                            port:
                              description: Specifies the port on the host that is
                                being addressed.
                              properties:
                                number:
                                  type: integer
                              type: object
                            subset:
                              description: The name of a subset within the service.
                              format: string
                              type: string
                          type: object
                        weight:
                          format: int32
                          type: integer
                      type: object
                    type: array
                type: object
              type: array
            # TLS passthrough routing: same matcher as tcp plus sniHosts.
            tls:
              items:
                properties:
                  match:
                    items:
                      properties:
                        destinationSubnets:
                          description: IPv4 or IPv6 ip addresses of destination with
                            optional subnet.
                          items:
                            format: string
                            type: string
                          type: array
                        gateways:
                          description: Names of gateways where the rule should be
                            applied to.
                          items:
                            format: string
                            type: string
                          type: array
                        port:
                          description: Specifies the port on the host that is being
                            addressed.
                          type: integer
                        sniHosts:
                          description: SNI (server name indicator) to match on.
                          items:
                            format: string
                            type: string
                          type: array
                        sourceLabels:
                          additionalProperties:
                            format: string
                            type: string
                          type: object
                        sourceSubnet:
                          description: IPv4 or IPv6 ip address of source with optional
                            subnet.
                          format: string
                          type: string
                      type: object
                    type: array
                  route:
                    description: The destination to which the connection should be
                      forwarded to.
                    items:
                      properties:
                        destination:
                          properties:
                            host:
                              description: The name of a service from the service
                                registry.
                              format: string
                              type: string
                            port:
                              description: Specifies the port on the host that is
                                being addressed.
                              properties:
                                number:
                                  type: integer
                              type: object
                            subset:
                              description: The name of a subset within the service.
                              format: string
                              type: string
                          type: object
                        weight:
                          format: int32
                          type: integer
                      type: object
                    type: array
                type: object
              type: array
          type: object
      type: object
  versions:
    - name: v1alpha3
      served: true
      storage: true
---
# CRD: adapter (config.istio.io/v1alpha2) — Mixer adapter definition.
# No `validation` block: the API server accepts any `spec` for this kind, so
# type checking of adapter config happens elsewhere (presumably Galley/Mixer —
# confirm) rather than at admission.
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: adapters.config.istio.io
  labels:
    app: mixer
    package: adapter
    istio: mixer-adapter
    chart: istio
    heritage: Tiller
    release: istio
spec:
  group: config.istio.io
  names:
    kind: adapter
    plural: adapters
    singular: adapter
    categories:
      - istio-io
      - policy-istio-io
  scope: Namespaced
  subresources:
    status: {}
  versions:
    - name: v1alpha2
      served: true
      storage: true
---
# CRD: instance (config.istio.io/v1alpha2) — Mixer instance definition.
# No `validation` block: any `spec` is accepted at admission; schema checks,
# if any, happen downstream (presumably Galley/Mixer — confirm).
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: instances.config.istio.io
  labels:
    app: mixer
    package: instance
    istio: mixer-instance
    chart: istio
    heritage: Tiller
    release: istio
spec:
  group: config.istio.io
  names:
    kind: instance
    plural: instances
    singular: instance
    categories:
      - istio-io
      - policy-istio-io
  scope: Namespaced
  subresources:
    status: {}
  versions:
    - name: v1alpha2
      served: true
      storage: true
---
# CRD: template (config.istio.io/v1alpha2) — Mixer template definition.
# No `validation` block: any `spec` is accepted at admission; schema checks,
# if any, happen downstream (presumably Galley/Mixer — confirm).
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: templates.config.istio.io
  labels:
    app: mixer
    package: template
    istio: mixer-template
    chart: istio
    heritage: Tiller
    release: istio
spec:
  group: config.istio.io
  names:
    kind: template
    plural: templates
    singular: template
    categories:
      - istio-io
      - policy-istio-io
  scope: Namespaced
  subresources:
    status: {}
  versions:
    - name: v1alpha2
      served: true
      storage: true
---
# CRD: handler (config.istio.io/v1alpha2) — Mixer handler definition.
# No `validation` block: any `spec` is accepted at admission; schema checks,
# if any, happen downstream (presumably Galley/Mixer — confirm).
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1beta1
metadata:
  name: handlers.config.istio.io
  labels:
    app: mixer
    package: handler
    istio: mixer-handler
    chart: istio
    heritage: Tiller
    release: istio
spec:
  group: config.istio.io
  names:
    kind: handler
    plural: handlers
    singular: handler
    categories:
      - istio-io
      - policy-istio-io
  scope: Namespaced
  subresources:
    status: {}
  versions:
    - name: v1alpha2
      served: true
      storage: true
---
# CRD: Sidecar (networking.istio.io/v1alpha3) — per-workload listener
# configuration: which hosts a sidecar may reach (egress), which ports it
# exposes (ingress), and the policy for traffic to unknown destinations.
# NOTE(review): apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-pilot
    chart: istio
    heritage: Tiller
    release: istio
  name: sidecars.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
      - istio-io
      - networking-istio-io
    kind: Sidecar
    plural: sidecars
    singular: sidecar
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration affecting network reachability of a sidecar.
            See more details at: https://istio.io/docs/reference/config/networking/v1alpha3/sidecar.html'
          properties:
            egress:
              items:
                properties:
                  # bind and hosts carry no description in this schema.
                  bind:
                    format: string
                    type: string
                  captureMode:
                    enum:
                      - DEFAULT
                      - IPTABLES
                      - NONE
                    type: string
                  hosts:
                    items:
                      format: string
                      type: string
                    type: array
                  port:
                    description: The port associated with the listener.
                    properties:
                      name:
                        description: Label assigned to the port.
                        format: string
                        type: string
                      number:
                        description: A valid non-negative integer port number.
                        type: integer
                      protocol:
                        description: The protocol exposed on the port.
                        format: string
                        type: string
                    type: object
                type: object
              type: array
            ingress:
              items:
                properties:
                  bind:
                    description: The ip to which the listener should be bound.
                    format: string
                    type: string
                  captureMode:
                    enum:
                      - DEFAULT
                      - IPTABLES
                      - NONE
                    type: string
                  # No description in this schema.
                  defaultEndpoint:
                    format: string
                    type: string
                  port:
                    description: The port associated with the listener.
                    properties:
                      name:
                        description: Label assigned to the port.
                        format: string
                        type: string
                      number:
                        description: A valid non-negative integer port number.
                        type: integer
                      protocol:
                        description: The protocol exposed on the port.
                        format: string
                        type: string
                    type: object
                type: object
              type: array
            # Egress control knob. NOTE(review): per the linked reference,
            # REGISTRY_ONLY limits outbound traffic to destinations in the
            # registry while ALLOW_ANY passes unknown destinations through —
            # confirm the mesh-wide default before relying on this per workload.
            outboundTrafficPolicy:
              description: This allows to configure the outbound traffic policy.
              properties:
                mode:
                  enum:
                    - REGISTRY_ONLY
                    - ALLOW_ANY
                  type: string
              type: object
            # Label selector choosing the workloads this Sidecar applies to.
            workloadSelector:
              properties:
                labels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
      type: object
  versions:
    - name: v1alpha3
      served: true
      storage: true
---
# CRD: AuthorizationPolicy (security.istio.io/v1beta1) — workload-level
# access control expressed as rules of from (source) / to (operation) / when
# (attribute conditions). This schema has no `action` field, so the policy
# semantics (allow-list vs. deny) depend on the Istio version — confirm.
# NOTE(review): apiextensions.k8s.io/v1beta1 is removed in Kubernetes 1.22.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app: istio-pilot
    heritage: Tiller
    istio: security
    release: istio
  name: authorizationpolicies.security.istio.io
spec:
  group: security.istio.io
  names:
    categories:
      - istio-io
      - security-istio-io
    kind: AuthorizationPolicy
    plural: authorizationpolicies
    singular: authorizationpolicy
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        spec:
          description: 'Configuration for access control on workloads. See more details
            at: https://istio.io/docs/reference/config/security/v1beta1/authorization-policy.html'
          properties:
            rules:
              description: Optional.
              items:
                properties:
                  from:
                    description: Optional.
                    items:
                      properties:
                        source:
                          description: Source specifies the source of a request.
                          properties:
                            # NOTE(review): IP-based matching is only as strong
                            # as the address the proxy sees; behind a load
                            # balancer or NAT that may not be the client —
                            # confirm the topology before relying on it.
                            ipBlocks:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            namespaces:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            # principals: peer (mTLS) identities;
                            # requestPrincipals: end-user identities —
                            # the distinction is per the linked reference, not
                            # stated in this schema.
                            principals:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            requestPrincipals:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                          type: object
                      type: object
                    type: array
                  to:
                    description: Optional.
                    items:
                      properties:
                        operation:
                          description: Operation specifies the operation of a request.
                          properties:
                            hosts:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            methods:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            paths:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                            # Ports are strings here (the rbac.istio.io CRDs
                            # earlier in this file use int32).
                            ports:
                              description: Optional.
                              items:
                                format: string
                                type: string
                              type: array
                          type: object
                      type: object
                    type: array
                  when:
                    description: Optional.
                    items:
                      properties:
                        key:
                          description: The name of an Istio attribute.
                          format: string
                          type: string
                        values:
                          description: The allowed values for the attribute.
                          items:
                            format: string
                            type: string
                          type: array
                      type: object
                    type: array
                type: object
              type: array
            # Optional workload selector; the schema does not say what an
            # omitted selector matches — confirm against the linked reference.
            selector:
              description: Optional.
              properties:
                matchLabels:
                  additionalProperties:
                    format: string
                    type: string
                  type: object
              type: object
          type: object
      type: object
  versions:
    - name: v1beta1
      served: true
      storage: true
---
# Control-plane namespace. Sidecar injection is explicitly disabled here so
# control-plane pods run without an injected proxy; the
# istio-operator-managed label presumably marks the namespace for operator
# reconciliation — confirm against the operator.
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
  labels:
    istio-operator-managed: Reconcile
    istio-injection: disabled
---
# Identity used by read-only watchers of Istio and core resources; its
# permissions are granted by a separate ClusterRoleBinding in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-reader-service-account
  namespace: istio-system
  labels:
    app: istio-reader
    release: istio
---
# CertManager component is disabled.
# Resources for Citadel component
# Cluster-wide permissions for Citadel, the mesh CA. This is the most
# privileged role in this section: full read/write on Secrets in every
# namespace, which is a superset of what the CA itself needs and lets anyone
# holding the bound service account's token read all cluster Secrets.
# Kubernetes RBAC cannot restrict list/watch by name, so the grant cannot be
# narrowed without changing how Citadel stores certificates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-citadel-istio-system
  labels:
    app: citadel
    release: istio
rules:
  # ConfigMaps: create/get/update, presumably for publishing the root
  # certificate — confirm.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update"]
  # Secrets: the CA issues and rotates workload certificates as Secrets
  # (cf. the --workload-cert-ttl argument on the Deployment below), hence
  # create/update/delete; watch/list are cluster-scoped.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  # Read-only discovery of the identities and services to issue for.
  - apiGroups: [""]
    resources: ["serviceaccounts", "services", "namespaces"]
    verbs: ["get", "watch", "list"]
  # TokenReview: validate service-account JWTs presented by workloads,
  # presumably to authenticate certificate-signing requests — confirm.
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
---
# Grants the Citadel ClusterRole above to the Citadel service account.
# The ServiceAccount object itself is not defined in this section of the
# file; the binding is inert until it exists.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-citadel-istio-system
  labels:
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-citadel-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-citadel-service-account
    namespace: istio-system
---
# Citadel Deployment. Security-relevant settings to be aware of:
#  * `--self-signed-ca=true`: Citadel generates its own root CA, so the signing
#    key lives inside the cluster (in a Secret in istio-system, given the Secret
#    permissions in its ClusterRole — confirm the exact name). Plugging in an
#    externally held root is the usual hardening step.
#  * `--workload-cert-ttl=2160h` is 90 days; a leaked workload cert stays valid
#    that long unless rotated out of band.
#  * No pod/container `securityContext` (runAsNonRoot, readOnlyRootFilesystem,
#    dropped capabilities) and no resource limits are set — consider adding them.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: security
    istio: citadel
    release: istio
  name: istio-citadel
  namespace: istio-system
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: citadel
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # The CA must not get a sidecar of its own.
        sidecar.istio.io/inject: "false"
      labels:
        app: citadel
        istio: citadel
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
      containers:
        - args:
            - --append-dns-names=true
            # gRPC CSR endpoint; exposed as Service port grpc-citadel.
            - --grpc-port=8060
            - --citadel-storage-namespace=istio-system
            # Extra DNS SANs, keyed `<serviceaccount>.<namespace>:<dns-name>`. Most
            # of the namespaces listed (istio-config, istio-control, istio-master,
            # istio-pilot11, istio-remote, ...) are not created by this manifest;
            # a service account with one of these names in such a namespace would
            # be issued a cert carrying the corresponding control-plane SAN.
            # NOTE(review): the trailing comma yields an empty entry — presumably
            # ignored by the parser; confirm.
            - --custom-dns-names=istio-galley-service-account.istio-config:istio-galley.istio-config.svc,istio-galley-service-account.istio-control:istio-galley.istio-control.svc,istio-galley-service-account.istio-control-master:istio-galley.istio-control-master.svc,istio-galley-service-account.istio-master:istio-galley.istio-master.svc,istio-galley-service-account.istio-pilot11:istio-galley.istio-pilot11.svc,istio-pilot-service-account.istio-control:istio-pilot.istio-control,istio-pilot-service-account.istio-pilot11:istio-pilot.istio-system,istio-sidecar-injector-service-account.istio-control:istio-sidecar-injector.istio-control.svc,istio-sidecar-injector-service-account.istio-control-master:istio-sidecar-injector.istio-control-master.svc,istio-sidecar-injector-service-account.istio-master:istio-sidecar-injector.istio-master.svc,istio-sidecar-injector-service-account.istio-pilot11:istio-sidecar-injector.istio-pilot11.svc,istio-sidecar-injector-service-account.istio-remote:istio-sidecar-injector.istio-remote.svc,
            - --self-signed-ca=true
            - --trust-domain=cluster.local
            - --workload-cert-ttl=2160h
          env:
            # NOTE(review): name suggests certs are issued for every namespace
            # unless opted out; the exact semantics are not visible here — confirm.
            - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT
              value: "true"
          image: docker.io/istio/citadel:1.4.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /version
              # Monitoring port; also exposed as Service port http-monitoring.
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
          name: citadel
          resources:
            requests:
              cpu: 10m
      serviceAccountName: istio-citadel-service-account
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-citadel
namespace: istio-system
labels:
app: security
istio: citadel
release: istio
spec:
minAvailable: 1
selector:
matchLabels:
app: citadel
istio: citadel
---
apiVersion: v1
kind: Service
metadata:
# Must match the certificate, this is used in the node agent in same namespace.
name: istio-citadel
namespace: istio-system
labels:
app: security
istio: citadel
release: istio
spec:
ports:
- name: grpc-citadel
port: 8060
targetPort: 8060
protocol: TCP
- name: http-monitoring
port: 15014
selector:
app: citadel
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-citadel-service-account
namespace: istio-system
labels:
app: security
release: istio
---
# Cni component is disabled.
# CoreDNS component is disabled.
# EgressGateway component is disabled.
# Resources for Galley component
# RBAC for Galley (config validation / MCP). The widest grant is
# `verbs: ["*"]` on all validatingwebhookconfigurations cluster-wide, with no
# resourceNames scope — a compromised galley pod could alter or delete any
# validating webhook in the cluster, not just its own. Galley only needs to
# reconcile `istio-galley-istio-system` (`--enable-reconcileWebhookConfiguration=true`),
# so consider `resourceNames: ["istio-galley-istio-system"]` with explicit
# verbs (get/update/patch/delete); note `create` cannot be name-scoped in RBAC.
# Compare the sidecar-injector ClusterRole below, which is name-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-galley-istio-system
  labels:
    release: istio
rules:
  # For reading Istio resources
  - apiGroups: [
      "authentication.istio.io",
      "config.istio.io",
      "networking.istio.io",
      "rbac.istio.io",
      "security.istio.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # For updating Istio resource statuses
  - apiGroups: [
      "authentication.istio.io",
      "config.istio.io",
      "networking.istio.io",
      "rbac.istio.io",
      "security.istio.io"]
    resources: ["*/status"]
    verbs: ["update"]
  # Wildcard verbs, cluster-wide — see header note.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["*"]
  # Read-only access to its own Deployment (name-scoped).
  - apiGroups: ["extensions","apps"]
    resources: ["deployments"]
    resourceNames: ["istio-galley"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "endpoints", "namespaces"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # Finalizer updates on namespaces — NOTE(review): purpose not visible here; confirm.
  - apiGroups: [""]
    resources: ["namespaces/finalizers"]
    verbs: ["update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-galley-admin-role-binding-istio-system
labels:
release: istio
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-galley-istio-system
subjects:
- kind: ServiceAccount
name: istio-galley-service-account
namespace: istio-system
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: istio-system
name: galley-envoy-config
labels:
app: galley
istio: galley
release: istio
data:
envoy.yaml.tmpl: |-
admin:
access_log_path: /dev/null
address:
socket_address:
address: 127.0.0.1
port_value: 15000
static_resources:
clusters:
- name: in.9901
http2_protocol_options: {}
connect_timeout: 1.000s
hosts:
- socket_address:
address: 127.0.0.1
port_value: 9901
circuit_breakers:
thresholds:
- max_connections: 100000
max_pending_requests: 100000
max_requests: 100000
max_retries: 3
listeners:
- name: "15019"
address:
socket_address:
address: 0.0.0.0
port_value: 15019
filter_chains:
- filters:
- name: envoy.http_connection_manager
config:
codec_type: HTTP2
stat_prefix: "15010"
http2_protocol_options:
max_concurrent_streams: 1073741824
access_log:
- name: envoy.file_access_log
config:
path: /dev/stdout
http_filters:
- name: envoy.router
route_config:
name: "15019"
virtual_hosts:
- name: istio-galley
domains:
- '*'
routes:
- match:
prefix: /
route:
cluster: in.9901
timeout: 0.000s
tls_context:
common_tls_context:
alpn_protocols:
- h2
tls_certificates:
- certificate_chain:
filename: /etc/certs/cert-chain.pem
private_key:
filename: /etc/certs/key.pem
validation_context:
trusted_ca:
filename: /etc/certs/root-cert.pem
require_client_certificate: true
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-mesh-galley
namespace: istio-system
labels:
release: istio
data:
mesh: |-
{}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-galley-configuration
namespace: istio-system
labels:
release: istio
data:
validatingwebhookconfiguration.yaml: |-
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: istio-galley-istio-system
namespace: istio-system
labels:
app: galley
release: istio
istio: galley
webhooks:
- name: pilot.validation.istio.io
clientConfig:
service:
name: istio-galley
namespace: istio-system
path: "/admitpilot"
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
resources:
- httpapispecs
- httpapispecbindings
- quotaspecs
- quotaspecbindings
- operations:
- CREATE
- UPDATE
apiGroups:
- rbac.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- security.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- authentication.istio.io
apiVersions:
- "*"
resources:
- "*"
- operations:
- CREATE
- UPDATE
apiGroups:
- networking.istio.io
apiVersions:
- "*"
resources:
- destinationrules
- envoyfilters
- gateways
- serviceentries
- sidecars
- virtualservices
failurePolicy: Fail
sideEffects: None
- name: mixer.validation.istio.io
clientConfig:
service:
name: istio-galley
namespace: istio-system
path: "/admitmixer"
caBundle: ""
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- config.istio.io
apiVersions:
- v1alpha2
resources:
- rules
- attributemanifests
- circonuses
- deniers
- fluentds
- kubernetesenvs
- listcheckers
- memquotas
- noops
- opas
- prometheuses
- rbacs
- solarwindses
- stackdrivers
- cloudwatches
- dogstatsds
- statsds
- stdios
- apikeys
- authorizations
- checknothings
# - kuberneteses
- listentries
- logentries
- metrics
- quotas
- reportnothings
- tracespans
- adapters
- handlers
- instances
- templates
- zipkins
failurePolicy: Fail
sideEffects: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: galley
istio: galley
release: istio
name: istio-galley
namespace: istio-system
spec:
replicas: 1
selector:
matchLabels:
istio: galley
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
labels:
app: galley
chart: galley
heritage: Tiller
istio: galley
release: istio
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
weight: 2
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
weight: 2
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
weight: 2
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
containers:
- command:
- /usr/local/bin/galley
- server
- --meshConfigFile=/etc/mesh-config/mesh
- --livenessProbeInterval=1s
- --livenessProbePath=/tmp/healthliveness
- --readinessProbePath=/tmp/healthready
- --readinessProbeInterval=1s
- --insecure=true
- --enable-validation=true
- --enable-reconcileWebhookConfiguration=true
- --enable-server=true
- --deployment-namespace=istio-system
- --validation-webhook-config-file
- /etc/config/validatingwebhookconfiguration.yaml
- --monitoringPort=15014
- --validation-port=9443
- --log_output_level=default:info
image: docker.io/istio/galley:1.4.5
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /usr/local/bin/galley
- probe
- --probe-path=/tmp/healthliveness
- --interval=10s
initialDelaySeconds: 5
periodSeconds: 5
name: galley
ports:
- containerPort: 9443
- containerPort: 15014
- containerPort: 15019
- containerPort: 9901
readinessProbe:
exec:
command:
- /usr/local/bin/galley
- probe
- --probe-path=/tmp/healthready
- --interval=10s
initialDelaySeconds: 5
periodSeconds: 5
resources:
requests:
cpu: 100m
volumeMounts:
- mountPath: /etc/certs
name: istio-certs
readOnly: true
- mountPath: /etc/config
name: config
readOnly: true
- mountPath: /etc/mesh-config
name: mesh-config
readOnly: true
- args:
- proxy
- --serviceCluster
- istio-galley
- --templateFile
- /var/lib/istio/galley/envoy/envoy.yaml.tmpl
- --controlPlaneAuthPolicy
- MUTUAL_TLS
- --trust-domain=cluster.local
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: SDS_ENABLED
value: "false"
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 9902
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- mountPath: /var/lib/istio/galley/envoy
name: envoy-config
- mountPath: /etc/certs
name: istio-certs
readOnly: true
serviceAccountName: istio-galley-service-account
volumes:
- name: istio-certs
secret:
secretName: istio.istio-galley-service-account
- configMap:
name: galley-envoy-config
name: envoy-config
- configMap:
name: istio-galley-configuration
name: config
- configMap:
name: istio-mesh-galley
name: mesh-config
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-galley
namespace: istio-system
labels:
app: galley
release: istio
istio: galley
spec:
minAvailable: 1
selector:
matchLabels:
app: galley
release: istio
istio: galley
---
# Galley Service. Two MCP ports are published:
#  * 9901 (grpc-mcp) is served directly by the galley container, which runs
#    with `--insecure=true`, i.e. plaintext.
#  * 15019 (grpc-tls-mcp) is the Envoy listener from galley-envoy-config: it
#    terminates mTLS (`require_client_certificate: true`, Istio-issued certs
#    under /etc/certs) and forwards to 127.0.0.1:9901.
# Exposing 9901 on the Service lets any pod that can reach it (subject to
# NetworkPolicy) talk to the plaintext endpoint, bypassing the mTLS hop.
# If consumers use 15019, drop 9901 from the Service or restrict it with a
# NetworkPolicy — NOTE(review): which port Pilot consumes is not visible here.
apiVersion: v1
kind: Service
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    istio: galley
    release: istio
spec:
  ports:
    # Validating-webhook endpoint (`--validation-port=9443`), reached by the API
    # server on 443.
    - port: 443
      name: https-validation
      targetPort: 9443
    - port: 15014
      name: http-monitoring
    # Plaintext MCP — see header note.
    - port: 9901
      name: grpc-mcp
    # mTLS MCP via the istio-proxy sidecar container.
    - port: 15019
      name: grpc-tls-mcp
  selector:
    istio: galley
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-galley-service-account
namespace: istio-system
labels:
app: galley
release: istio
---
# Grafana component is disabled.
# Resources for IngressGateway component
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
labels:
app: istio-ingressgateway
istio: ingressgateway
release: istio
name: istio-ingressgateway
namespace: istio-system
spec:
maxReplicas: 5
metrics:
- resource:
name: cpu
targetAverageUtilization: 80
type: Resource
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: istio-ingressgateway
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: istio-ingressgateway
istio: ingressgateway
release: istio
name: istio-ingressgateway
namespace: istio-system
spec:
selector:
matchLabels:
app: istio-ingressgateway
istio: ingressgateway
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
labels:
app: istio-ingressgateway
chart: gateways
heritage: Tiller
istio: ingressgateway
release: istio
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
weight: 2
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
weight: 2
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
weight: 2
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
containers:
- args:
- proxy
- router
- --domain
- $(POD_NAMESPACE).svc.cluster.local
- --proxyLogLevel=warning
- --proxyComponentLogLevel=misc:error
- --log_output_level=default:info
- --drainDuration
- 45s
- --parentShutdownDuration
- 1m0s
- --connectTimeout
- 10s
- --serviceCluster
- istio-ingressgateway
- --zipkinAddress
- zipkin.istio-system:9411
- --proxyAdminPort
- "15000"
- --statusPort
- "15020"
- --controlPlaneAuthPolicy
- MUTUAL_TLS
- --discoveryAddress
- istio-pilot.istio-system:15011
- --trust-domain=cluster.local
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
- name: HOST_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ISTIO_META_WORKLOAD_NAME
value: istio-ingressgateway
- name: ISTIO_META_OWNER
value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ISTIO_META_ROUTER_MODE
value: sni-dnat
- name: ISTIO_METAJSON_LABELS
value: |
{"app":"istio-ingressgateway","istio":"ingressgateway"}
- name: ISTIO_META_CLUSTER_ID
value: Kubernetes
- name: SDS_ENABLED
value: "false"
image: docker.io/istio/proxyv2:1.4.5
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 15020
- containerPort: 80
- containerPort: 443
- containerPort: 15029
- containerPort: 15030
- containerPort: 15031
- containerPort: 15032
- containerPort: 15443
- containerPort: 15011
- containerPort: 8060
- containerPort: 853
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
readinessProbe:
failureThreshold: 30
httpGet:
path: /healthz/ready
port: 15020
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: 2000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- mountPath: /etc/certs
name: istio-certs
readOnly: true
- mountPath: /etc/istio/ingressgateway-certs
name: ingressgateway-certs
readOnly: true
- mountPath: /etc/istio/ingressgateway-ca-certs
name: ingressgateway-ca-certs
readOnly: true
serviceAccountName: istio-ingressgateway-service-account
volumes:
- name: istio-certs
secret:
optional: true
secretName: istio.istio-ingressgateway-service-account
- name: ingressgateway-certs
secret:
optional: true
secretName: istio-ingressgateway-certs
- name: ingressgateway-ca-certs
secret:
optional: true
secretName: istio-ingressgateway-ca-certs
---
# Default Gateway bound to the ingress gateway pods. Only one server is
# configured: plaintext HTTP on 80 for every host (`"*"`). No HTTPS server is
# defined even though the Service and container expose 443 and the
# istio-ingressgateway-certs Secret is mounted at /etc/istio/ingressgateway-certs;
# until a `tls` server is added, 443 is open at the load balancer but has no
# Envoy listener behind it, and all ingress traffic is unencrypted.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-system
  labels:
    release: istio
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
    # Additional ports in gateway for the ingressPorts - apps using dedicated port instead of hostname
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: ingressgateway
namespace: istio-system
labels:
app: istio-ingressgateway
release: istio
istio: ingressgateway
spec:
minAvailable: 1
selector:
matchLabels:
app: istio-ingressgateway
release: istio
istio: ingressgateway
---
# Ingress gateway Service, `type: LoadBalancer`, i.e. externally reachable.
# Besides 80/443 it publishes status-port 15020 and the add-on ports 15029–15032
# (kiali, prometheus, grafana, tracing) plus 15443 (tls) on the external LB.
# Grafana, Kiali and tracing are disabled in this install, so those ports are
# exposed without a backing route; trim the list to what is actually served, or
# keep the add-on UIs behind cluster-internal access.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  # NOTE(review): bare `annotations:` parses as null, not an empty map. The API
  # server tolerates it, but `annotations: {}` (or removing the key) is explicit;
  # cloud-provider LB annotations (internal LB, source ranges) would go here.
  annotations:
  labels:
    app: istio-ingressgateway
    release: istio
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
  ports:
    # Readiness/status endpoint of the proxy (see readinessProbe on 15020).
    -
      name: status-port
      port: 15020
      targetPort: 15020
    -
      name: http2
      port: 80
      targetPort: 80
    # No targetPort: defaults to 443 on the pod.
    -
      name: https
      port: 443
    -
      name: kiali
      port: 15029
      targetPort: 15029
    -
      name: prometheus
      port: 15030
      targetPort: 15030
    -
      name: grafana
      port: 15031
      targetPort: 15031
    -
      name: tracing
      port: 15032
      targetPort: 15032
    -
      name: tls
      port: 15443
      targetPort: 15443
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-ingressgateway-service-account
namespace: istio-system
labels:
app: istio-ingressgateway
release: istio
---
# Namespace-wide default Sidecar for istio-system (no workloadSelector, so it
# applies to every sidecar in the namespace). `*/*` permits egress to every
# host in every namespace — the most permissive setting; it is the Istio
# default behaviour made explicit rather than a restriction.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: istio-system
  labels:
    release: istio
spec:
  egress:
    - hosts:
        - "*/*"
---
# Resources for Injector component
# RBAC for the sidecar injector. Both rules are scoped with resourceNames to the
# injector's own objects, and the webhook rule grants `patch` rather than `*` —
# this is the pattern the galley ClusterRole above should follow.
# NOTE(review): Kubernetes RBAC does not apply resourceNames to `list`/`watch`
# requests in general, so those verbs effectively cover all configmaps and all
# mutatingwebhookconfigurations — confirm against the target cluster version.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-sidecar-injector-istio-system
  labels:
    app: sidecar-injector
    release: istio
    istio: sidecar-injector
rules:
  # The injection template/values ConfigMap (mounted as inject-config).
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["istio-sidecar-injector"]
    verbs: ["get", "list", "watch"]
  # Needed for `--reconcileWebhookConfig=true` to patch caBundle into the
  # webhook configuration named by `--webhookConfigName`.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    resourceNames: ["istio-sidecar-injector", "istio-sidecar-injector-istio-system"]
    verbs: ["get", "list", "watch", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: istio-sidecar-injector-admin-role-binding-istio-system
labels:
app: sidecar-injector
release: istio
istio: sidecar-injector
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: istio-sidecar-injector-istio-system
subjects:
- kind: ServiceAccount
name: istio-sidecar-injector-service-account
namespace: istio-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: injector-mesh
namespace: istio-system
labels:
release: istio
data:
# This is the 'mesh' config, loaded by the sidecar injector.
# It is a different configmap from pilot to allow a-la-carte install of the injector and follow the model
# of reducing blast-radius of config changes and avoiding globals.
# Note that injector uses a subset of the mesh config only - for clarity this is only generating the
# required config, i.e. the defaultConfig section. See injection-template .ProxyConfig settings.
mesh: |-
# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
sdsUdsPath: ""
defaultConfig:
#
# TCP connection timeout between Envoy & the application, and between Envoys.
connectTimeout: 10s
#
### ADVANCED SETTINGS #############
# Where should envoy's configuration be stored in the istio-proxy container
configPath: "/etc/istio/proxy"
# The pseudo service name used for Envoy.
serviceCluster: istio-proxy
# These settings that determine how long an old Envoy
# process should be kept alive after an occasional reload.
drainDuration: 45s
parentShutdownDuration: 1m0s
#
# Port where Envoy listens (on local host) for admin commands
# You can exec into the istio-proxy container in a pod and
# curl the admin port (curl http://localhost:15000/) to obtain
# diagnostic information from Envoy. See
# https://lyft.github.io/envoy/docs/operations/admin.html
# for more details
proxyAdminPort: 15000
#
# Set concurrency to a specific number to control the number of Proxy worker threads.
# If set to 0 (default), then start worker thread for each CPU thread/core.
concurrency: 2
#
tracing:
zipkin:
# Address of the Zipkin collector
address: zipkin.istio-system:9411
#
# Mutual TLS authentication between sidecars and istio control plane.
controlPlaneAuthPolicy: MUTUAL_TLS
#
# Address where istio Pilot service is running
discoveryAddress: istio-pilot.istio-system:15011
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: sidecarInjectorWebhook
istio: sidecar-injector
release: istio
name: istio-sidecar-injector
namespace: istio-system
spec:
replicas: 1
selector:
matchLabels:
istio: sidecar-injector
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 25%
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
labels:
app: sidecarInjectorWebhook
chart: sidecarInjectorWebhook
heritage: Tiller
istio: sidecar-injector
release: istio
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
weight: 2
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- ppc64le
weight: 2
- preference:
matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- s390x
weight: 2
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: beta.kubernetes.io/arch
operator: In
values:
- amd64
- ppc64le
- s390x
containers:
- args:
- --caCertFile=/etc/istio/certs/root-cert.pem
- --tlsCertFile=/etc/istio/certs/cert-chain.pem
- --tlsKeyFile=/etc/istio/certs/key.pem
- --injectConfig=/etc/istio/inject/config
- --meshConfig=/etc/istio/config/mesh
- --port=9443
- --healthCheckInterval=2s
- --healthCheckFile=/tmp/health
- --reconcileWebhookConfig=true
- --webhookConfigName=istio-sidecar-injector
- --log_output_level=debug
image: docker.io/istio/sidecar_injector:1.4.5
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/tmp/health
- --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
name: sidecar-injector-webhook
readinessProbe:
exec:
command:
- /usr/local/bin/sidecar-injector
- probe
- --probe-path=/tmp/health
- --interval=4s
initialDelaySeconds: 4
periodSeconds: 4
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/istio/config
name: config-volume
readOnly: true
- mountPath: /etc/istio/certs
name: certs
readOnly: true
- mountPath: /etc/istio/inject
name: inject-config
readOnly: true
serviceAccountName: istio-sidecar-injector-service-account
volumes:
- configMap:
name: injector-mesh
name: config-volume
- name: certs
secret:
secretName: istio.istio-sidecar-injector-service-account
- configMap:
items:
- key: config
path: config
- key: values
path: values
name: istio-sidecar-injector
name: inject-config
---
# Sidecar-injection webhook registration.
#  * `caBundle: ""` is a placeholder. The injector runs with
#    `--reconcileWebhookConfig=true --webhookConfigName=istio-sidecar-injector`
#    and its ClusterRole grants `patch` on this object, so the bundle is
#    presumably populated at runtime from the mounted root-cert.pem — confirm.
#    Until it is, the API server has no trust anchor for the webhook's
#    Istio-issued serving cert.
#  * `failurePolicy: Fail` means pod CREATE in opted-in namespaces is rejected
#    whenever the injector is unreachable (fail-closed; the safe choice for a
#    webhook that enforces mTLS sidecars, but an availability dependency).
#  * Unlike the galley validating webhooks, no `sideEffects` is declared; add
#    `sideEffects: None` for consistency and dry-run compatibility.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
  labels:
    app: sidecar-injector
    release: istio
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      service:
        name: istio-sidecar-injector
        namespace: istio-system
        # Service port 443 -> container 9443 (`--port=9443`).
        path: "/inject"
      caBundle: ""
    rules:
      # CREATE only: existing pods are never mutated retroactively.
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Fail
    # Opt-in per namespace; istio-system itself is labelled `disabled`.
    namespaceSelector:
      matchLabels:
        istio-injection: enabled
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
app: sidecar-injector
release: istio
istio: sidecar-injector
spec:
minAvailable: 1
selector:
matchLabels:
app: sidecar-injector
release: istio
istio: sidecar-injector
---
apiVersion: v1
kind: Service
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
app: sidecarInjectorWebhook
release: istio
istio: sidecar-injector
spec:
ports:
- port: 443
targetPort: 9443
selector:
istio: sidecar-injector
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: istio-sidecar-injector-service-account
namespace: istio-system
labels:
app: sidecarInjectorWebhook
release: istio
istio: sidecar-injector
---
apiVersion: v1
kind: ConfigMap
metadata:
name: istio-sidecar-injector
namespace: istio-system
labels:
release: istio
app: sidecar-injector
istio: sidecar-injector
data:
values: |-
{"certmanager":{"enabled":false,"hub":"quay.io/jetstack","image":"cert-manager-controller","namespace":"istio-system","tag":"v0.6.2"},"clusterResources":true,"cni":{"namespace":"istio-system"},"galley":{"enableAnalysis":false,"enabled":true,"image":"galley","namespace":"istio-system"},"gateways":{"istio-egressgateway":{"autoscaleEnabled":true,"enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"namespace":"istio-system","ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"type":"ClusterIP","zvpn":{"enabled":true,"suffix":"global"}},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"debug":"info","domain":"","enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"namespace":"istio-system","ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","port":80,"targetPort":80},{"name":"https","port":443},{"name":"kiali","port":15029,"targetPort":15029},{"name":"prometheus","port":15030,"targetPort":15030},{"name":"grafana","port":15031,"targetPort":15031},{"name":"tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-ce
rts","secretName":"istio-ingressgateway-ca-certs"}],"type":"LoadBalancer","zvpn":{"enabled":true,"suffix":"global"}}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configNamespace":"istio-system","configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"enabled":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"istioNamespace":"istio-system","k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logAsJson":false,"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshNetworks":{},"mtls":{"auto":false,"enabled":false},"multiCluster":{"clusterName":"","enabled":false},"namespace":"istio-system","network":"","omitSidecarInjectorConfigMap":false,"oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"policyNamespace":"istio-system","priorityClassName":"","prometheusNamespace":"istio-system","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"misc:error","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"envoyAccessLogService":{"enabled":false},"envoyMetricsService":{"enabled":false,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"mode":"DISABLE","subjectAltNames":[]}},"envoyStatsd":{"enabled":false},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"proxyv2","includeIPRanges":"*","includeInboundPorts":"*","kubevirtInterfaces":"","logLevel":"warning","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"res
ources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"proxyv2","resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"securityNamespace":"istio-system","tag":"1.4.5","telemetryNamespace":"istio-system","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"zipkin":{"address":""}},"trustDomain":"cluster.local","useMCP":true},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1}},"enabled":false,"env":{},"envSecrets":{},"image":{"repository":"grafana/grafana","tag":"6.4.3"},"ingress":{"enabled":false,"hosts":["grafana.local"]},"namespace":"istio-system","nodeSelector":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"enabled":false,"passphraseKey":"passphrase","secretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"namespace":"istio-system"},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"passphraseKey":"passphrase","secretName":"kiali","usernameKey":"username","viewOnlyMode":false},"enabled":false,"hub":"quay.io/kiali","ingress":{"enabled":false,"hosts":["kiali.local"]},"namespace":"istio-system","nodeSelector":{},"po
dAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.9"},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stackdriver":{"auth":{"apiKey":"","appCredentials":false,"serviceAccountPath":""},"enabled":false,"tracer":{"enabled":false,"sampleProbability":1}},"stdio":{"enabled":false,"outputAsJson":false},"useAdapterCRDs":false},"policy":{"adapters":{"kubernetesenv":{"enabled":true},"useAdapterCRDs":false},"autoscaleEnabled":true,"enabled":true,"image":"mixer","namespace":"istio-system","sessionAffinityEnabled":false},"telemetry":{"autoscaleEnabled":true,"enabled":true,"env":{"GOMAXPROCS":"6"},"image":"mixer","loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","sessionAffinityEnabled":false,"tolerations":[],"useMCP":true}},"nodeagent":{"enabled":false,"image":"node-agent-k8s","namespace":"istio-system"},"pilot":{"appNamespaces":[],"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configMap":true,"configNamespace":"istio-config","cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{},"image":"pilot","ingress":{"ingressClass":"istio","ingressControllerMode":"OFF","ingressService":"istio-ingressgateway"},"keepaliveMaxServerConnectionAge":"30m","meshNetworks":{"networks":{}},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"enabled":false},"replicaCount":1,"tolerations":[],"traceSampling":1,"useMCP":true},"prometheus":{"contextPath":"/prometheus","enabled":true,"hub":"docker.io/prom","ingress":{
"enabled":false,"hosts":["prometheus.local"]},"namespace":"istio-system","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"tag":"v2.12.0","tolerations":[]},"security":{"dnsCerts":{"istio-pilot-service-account.istio-control":"istio-pilot.istio-control"},"enableNamespacesByDefault":true,"enabled":true,"image":"citadel","namespace":"istio-system","selfSigned":true,"trustDomain":"cluster.local"},"sidecarInjectorWebhook":{"alwaysInjectSelector":[],"enableNamespacesByDefault":false,"enabled":true,"image":"sidecar_injector","injectLabel":"istio-injection","injectedAnnotations":{},"lifecycle":{},"namespace":"istio-system","neverInjectSelector":[],"nodeSelector":{},"objectSelector":{"autoInject":true,"enabled":false},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"rewriteAppHTTPProbe":false,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":false,"tolerations":[]},"telemetry":{"enabled":true,"v1":{"enabled":true},"v2":{"enabled":false,"prometheus":{"enabled":true},"stackdriver":{"configOverride":{},"enabled":false,"logging":false,"monitoring":false,"topology":false}}},"tracing":{"enabled":false,"ingress":{"enabled":false},"jaeger":{"accessMode":"ReadWriteMany","enabled":false,"hub":"docker.io/jaegertracing","memory":{"max_traces":50000},"namespace":"istio-system","persist":false,"spanStorageType":"badger","storageClassName":"","tag":"1.14"},"nodeSelector":{},"opencensus":{"exporters":{"stackdriver":{"enable_tracing":true}},"hub":"docker.io/omnition","resources":{"limits":{"cpu":"1","memory":"2Gi"},"requests":{"cpu":"200m","memory":"400Mi"}},"tag":"0.1.9"},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":9411,"name":"http-query","type":"ClusterIP"},"zipkin":{"hub":"docker.io/
openzipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}},"version":""}
config: |-
policy: enabled
alwaysInjectSelector:
[]
neverInjectSelector:
[]
template: |
{{- $cniDisabled := (not .Values.istio_cni.enabled) }}
{{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }}
{{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }}
rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }}
    {{- if $enableInitContainer }}
    initContainers:
    {{/* One of two init containers is rendered here ($enableInitContainer and $cniRepairEnabled
         are computed at the top of the template). Without CNI, istio-init programs the pod's
         iptables itself and therefore needs root plus NET_ADMIN/NET_RAW; with CNI repair enabled,
         istio-validation only checks the rules the CNI plugin already applied and runs
         unprivileged as 1337. Nothing is rendered when interceptionMode is NONE. */}}
    {{- if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
    {{ if $cniRepairEnabled -}}
    - name: istio-validation
    {{ else -}}
    - name: istio-init
    {{ end -}}
    {{/* An image value containing "/" is used verbatim and global.hub / global.tag are NOT applied,
         so such a value must carry its own tag (better: a digest) or the container runtime falls
         back to :latest. */}}
    {{- if contains "/" .Values.global.proxy_init.image }}
      image: "{{ .Values.global.proxy_init.image }}"
    {{- else }}
      image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
    {{- end }}
      {{/* istio-iptables flag semantics: -p/-z are the outbound/inbound redirect ports, -u 1337 is
           the proxy's own UID (runAsUser of the istio-proxy container below) whose traffic must
           not be redirected, -b "*" captures every inbound port unless includeInboundPorts says
           otherwise and -d always excludes the status port. Pod annotations override each of
           these, so a pod author can narrow what the sidecar sees. */}}
      command:
      {{- if $cniRepairEnabled }}
      - istio-iptables-go
      {{- else }}
      - istio-iptables
      {{- end }}
      - "-p"
      - "15001"
      - "-z"
      - "15006"
      - "-u"
      - 1337
      - "-m"
      - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
      - "-i"
      - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
      - "-x"
      - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
      - "-b"
      - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}"
      - "-d"
      - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
      {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
      - "-o"
      - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
      {{ end -}}
      {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
      - "-k"
      - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
      {{ end -}}
      {{ if $cniRepairEnabled -}}
      - "--run-validation"
      - "--skip-rule-apply"
      {{- end }}
      imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
      {{- if .Values.global.proxy_init.resources }}
      resources:
      {{ toYaml .Values.global.proxy_init.resources | indent 4 }}
      {{- else }}
      resources: {}
      {{- end }}
      {{/* Both allowPrivilegeEscalation and privileged follow the single global.proxy.privileged
           switch. In the non-CNI branch the container runs as UID/GID 0 with NET_ADMIN and NET_RAW
           (required to write iptables rules), so every injected namespace needs a pod security
           policy that permits exactly this; the CNI branch drops all capabilities and runs as
           1337. The root filesystem stays writable in both branches. */}}
      securityContext:
        allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
        privileged: {{ .Values.global.proxy.privileged }}
        capabilities:
        {{- if not $cniRepairEnabled }}
          add:
          - NET_ADMIN
          - NET_RAW
        {{- end }}
          drop:
          - ALL
        readOnlyRootFilesystem: false
        {{- if not $cniRepairEnabled }}
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
        {{- else }}
        runAsGroup: 1337
        runAsUser: 1337
        runAsNonRoot: true
        {{- end }}
      restartPolicy: Always
    {{ end -}}
    {{/* NOTE(review): enable-core-dump is fully privileged (the capability list is moot once
         privileged: true) and runs as root in order to run "sysctl -w kernel.core_pattern=...".
         kernel.core_pattern is a host-wide sysctl, not namespaced per pod, so while
         global.proxy.enableCoreDump is true every injected pod rewrites the node's core pattern
         on start; the proxy container's root filesystem is also made writable in that mode. Keep
         this off outside of debugging sessions. */}}
    {{- if eq .Values.global.proxy.enableCoreDump true }}
    - name: enable-core-dump
      args:
      - -c
      - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited
      command:
      - /bin/sh
      {{- if contains "/" .Values.global.proxy_init.image }}
      image: "{{ .Values.global.proxy_init.image }}"
      {{- else }}
      image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
      {{- end }}
      imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
      resources: {}
      securityContext:
        allowPrivilegeEscalation: true
        capabilities:
          add:
          - SYS_ADMIN
          drop:
          - ALL
        privileged: true
        readOnlyRootFilesystem: false
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
    {{ end }}
    {{ end }}
containers:
- name: istio-proxy
{{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
{{- else }}
image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
{{- end }}
ports:
- containerPort: 15090
protocol: TCP
name: http-envoy-prom
args:
- proxy
- sidecar
- --domain
- $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
- --configPath
- "/etc/istio/proxy"
- --binaryPath
- "/usr/local/bin/envoy"
- --serviceCluster
{{ if ne "" (index .ObjectMeta.Labels "app") -}}
- "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)"
{{ else -}}
- "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}"
{{ end -}}
- --drainDuration
- "{{ formatDuration .ProxyConfig.DrainDuration }}"
- --parentShutdownDuration
- "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}"
- --discoveryAddress
- "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}"
{{- if eq .Values.global.proxy.tracer "lightstep" }}
- --lightstepAddress
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}"
- --lightstepAccessToken
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}"
- --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }}
- --lightstepCacertPath
- "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}"
{{- else if eq .Values.global.proxy.tracer "zipkin" }}
- --zipkinAddress
- "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}"
{{- else if eq .Values.global.proxy.tracer "datadog" }}
- --datadogAgentAddress
- "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}"
{{- end }}
- --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel}}
- --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel}}
- --connectTimeout
- "{{ formatDuration .ProxyConfig.ConnectTimeout }}"
{{- if .Values.global.proxy.envoyStatsd.enabled }}
- --statsdUdpAddress
- "{{ .ProxyConfig.StatsdUdpAddress }}"
{{- end }}
{{- if .Values.global.proxy.envoyMetricsService.enabled }}
- --envoyMetricsServiceAddress
- "{{ .ProxyConfig.GetEnvoyMetricsService.GetAddress }}"
{{- end }}
{{- if .Values.global.proxy.envoyAccessLogService.enabled }}
- --envoyAccessLogServiceAddress
- "{{ .ProxyConfig.GetEnvoyAccessLogService.GetAddress }}"
{{- end }}
- --proxyAdminPort
- "{{ .ProxyConfig.ProxyAdminPort }}"
{{ if gt .ProxyConfig.Concurrency 0 -}}
- --concurrency
- "{{ .ProxyConfig.Concurrency }}"
{{ end -}}
{{- if .Values.global.controlPlaneSecurityEnabled }}
- --controlPlaneAuthPolicy
- MUTUAL_TLS
{{- else }}
- --controlPlaneAuthPolicy
- NONE
{{- end }}
- --dnsRefreshRate
- {{ valueOrDefault .Values.global.proxy.dnsRefreshRate "300s" }}
{{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" .Values.global.proxy.statusPort) "0") }}
- --statusPort
- "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}"
- --applicationPorts
- "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}"
{{- end }}
{{- if .Values.global.trustDomain }}
- --trust-domain={{ .Values.global.trustDomain }}
{{- end }}
{{- if .Values.global.logAsJson }}
- --log_as_json
{{- end }}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- --templateFile=/etc/istio/custom-bootstrap/envoy_bootstrap.json
{{- end }}
{{- if .Values.global.proxy.lifecycle }}
lifecycle:
{{ toYaml .Values.global.proxy.lifecycle | indent 4 }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if eq .Values.global.proxy.tracer "datadog" }}
{{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
{{- end }}
- name: ISTIO_META_POD_PORTS
value: |-
[
{{- $first := true }}
{{- range $index1, $c := .Spec.Containers }}
{{- range $index2, $p := $c.Ports }}
{{- if (structToJSON $p) }}
{{if not $first}},{{end}}{{ structToJSON $p }}
{{- $first = false }}
{{- end }}
{{- end}}
{{- end}}
]
- name: ISTIO_META_CLUSTER_ID
value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
- name: ISTIO_META_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: ISTIO_META_CONFIG_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SDS_ENABLED
value: "{{ .Values.global.sds.enabled }}"
- name: ISTIO_META_INTERCEPTION_MODE
value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
- name: ISTIO_META_INCLUDE_INBOUND_PORTS
value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}"
{{- if .Values.global.network }}
- name: ISTIO_META_NETWORK
value: "{{ .Values.global.network }}"
{{- end }}
{{ if .ObjectMeta.Annotations }}
- name: ISTIO_METAJSON_ANNOTATIONS
value: |
{{ toJSON .ObjectMeta.Annotations }}
{{ end }}
{{ if .ObjectMeta.Labels }}
- name: ISTIO_METAJSON_LABELS
value: |
{{ toJSON .ObjectMeta.Labels }}
{{ end }}
{{- if .DeploymentMeta.Name }}
- name: ISTIO_META_WORKLOAD_NAME
value: {{ .DeploymentMeta.Name }}
{{ end }}
{{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
- name: ISTIO_META_OWNER
value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
{{- end}}
{{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- name: ISTIO_BOOTSTRAP_OVERRIDE
value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
{{- end }}
{{- if .Values.global.sds.customTokenDirectory }}
- name: ISTIO_META_SDS_TOKEN_PATH
value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken"
{{- end }}
{{- if .Values.global.meshID }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.meshID }}"
{{- else if .Values.global.trustDomain }}
- name: ISTIO_META_MESH_ID
value: "{{ .Values.global.trustDomain }}"
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
{{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
{{- end }}
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}"
{{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
readinessProbe:
httpGet:
path: /healthz/ready
port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}
initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
{{ end -}}
securityContext:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
capabilities:
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
add:
- NET_ADMIN
{{- end }}
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }}
runAsGroup: 1337
{{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
runAsNonRoot: false
runAsUser: 0
{{- else -}}
runAsNonRoot: true
runAsUser: 1337
{{- end }}
resources:
{{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
requests:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
{{ end}}
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
{{ end }}
{{ else -}}
{{- if .Values.global.proxy.resources }}
{{ toYaml .Values.global.proxy.resources | indent 4 }}
{{- end }}
{{ end -}}
volumeMounts:
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
- mountPath: /etc/istio/custom-bootstrap
name: custom-bootstrap-volume
{{- end }}
- mountPath: /etc/istio/proxy
name: istio-envoy
{{- if .Values.global.sds.enabled }}
- mountPath: /var/run/sds
name: sds-uds-path
readOnly: true
- mountPath: /var/run/secrets/tokens
name: istio-token
{{- if .Values.global.sds.customTokenDirectory }}
- mountPath: "{{ .Values.global.sds.customTokenDirectory -}}"
name: custom-sds-token
readOnly: true
{{- end }}
{{- else }}
- mountPath: /etc/certs/
name: istio-certs
readOnly: true
{{- end }}
{{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
- mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}
name: lightstep-certs
readOnly: true
{{- end }}
{{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
{{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
- name: "{{ $index }}"
{{ toYaml $value | indent 4 }}
{{ end }}
{{- end }}
    volumes:
    {{/* custom-bootstrap-volume: the ConfigMap named in the sidecar.istio.io/bootstrapOverride
         annotation replaces Envoy's bootstrap (it is wired into --templateFile and
         ISTIO_BOOTSTRAP_OVERRIDE on the proxy container above). Whoever can set that annotation
         on a pod can redefine the whole sidecar bootstrap, so treat the annotation as a privileged
         setting. */}}
    {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
    - name: custom-bootstrap-volume
      configMap:
        name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
    {{- end }}
    {{/* Envoy's generated configuration lives on a memory-backed emptyDir, not on the image's root
         filesystem (which is read-only unless core dumps are enabled). */}}
    - emptyDir:
        medium: Memory
      name: istio-envoy
    {{/* SDS mode: the proxy fetches its key/cert from the node agent over a Unix socket on the
         host. That is a hostPath mount in every injected pod, so the pod security policy of every
         injected namespace has to allow it. The proxy authenticates to SDS with a projected,
         audience-bound service account token that expires after 43200s (12h); the optional
         custom-sds-token Secret replaces it when global.sds.customTokenDirectory is set. */}}
    {{- if .Values.global.sds.enabled }}
    - name: sds-uds-path
      hostPath:
        path: /var/run/sds
    - name: istio-token
      projected:
        sources:
        - serviceAccountToken:
            path: istio-token
            expirationSeconds: 43200
            audience: {{ .Values.global.sds.token.aud }}
    {{- if .Values.global.sds.customTokenDirectory }}
    - name: custom-sds-token
      secret:
        secretName: sdstokensecret
    {{- end }}
    {{/* File-based mode: the Citadel-issued key/cert for the pod's service account is read from
         the Secret istio.<serviceAccountName>, so every pod running under the same service
         account shares one private key. optional: true lets the pod start before that Secret
         exists; the proxy then has no identity until the Secret appears. */}}
    {{- else }}
    - name: istio-certs
      secret:
        optional: true
        {{ if eq .Spec.ServiceAccountName "" }}
        secretName: istio.default
        {{ else -}}
        secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
        {{ end -}}
      {{/* NOTE(review): as nested here, the sidecar.istio.io/userVolume annotation is only
           rendered in this non-SDS branch; with global.sds.enabled the user volumes are silently
           dropped (the matching volumeMounts above are rendered in both modes). If that is not
           intended, move this block after the closing end of the SDS condition. */}}
      {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
      {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
    - name: "{{ $index }}"
      {{ toYaml $value | indent 2 }}
      {{ end }}
      {{ end }}
    {{- end }}
    {{/* CA bundle for the Lightstep tracer, only when that tracer is selected and a cacertPath is
         configured; the Secret is optional, so a missing bundle does not block injection. */}}
    {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }}
    - name: lightstep-certs
      secret:
        optional: true
        secretName: lightstep.cacert
    {{- end }}
{{- if .Values.global.podDNSSearchNamespaces }}
dnsConfig:
searches:
{{- range .Values.global.podDNSSearchNamespaces }}
- {{ render . }}
{{- end }}
{{- end }}
injectedAnnotations:
---
# Kiali component is disabled.
# NodeAgent component is disabled.
# Resources for Pilot component
# HorizontalPodAutoscaler for Pilot: scales the istio-pilot Deployment between 1 and 5 replicas on
# average CPU utilisation. autoscaling/v2beta1 is no longer served by recent Kubernetes releases
# (removed in v1.25); use autoscaling/v2 there.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: pilot
    release: istio
  name: istio-pilot
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      # Scale out once the average CPU utilisation (relative to the request) across pilot pods
      # exceeds 80%.
      targetAverageUtilization: 80
    type: Resource
  # NOTE(review): with a floor of one replica the istio-pilot PodDisruptionBudget further down
  # (minAvailable: 1) cannot be honoured during a voluntary eviction, so node drains stall on the
  # single pilot pod. Raise this to 2 in clusters that drain nodes routinely.
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-pilot
---
# Cluster-wide RBAC for Pilot (bound to istio-pilot-service-account by the ClusterRoleBinding that
# follows). Everything below applies to every namespace; the rules on Secrets and CSRs in
# particular make Pilot's service account token a high-value target.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    release: istio
rules:
  # Full write access to Mixer/config and to the networking/authentication APIs Pilot serves;
  # rbac/security policy is read-only.
  - apiGroups: ["config.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["rbac.istio.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["security.istio.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["authentication.istio.io"]
    resources: ["*"]
    verbs: ["*"]
  # Pilot may create and delete any CustomResourceDefinition in the cluster, not only Istio's.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  # Kubernetes Ingress support (ingressControllerMode is "OFF" in the istio ConfigMap, so this
  # path is dormant in this install but the permission remains).
  - apiGroups: ["extensions"]
    resources: ["ingresses", "ingresses/status"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]
  # Read-only service discovery inputs. "secrets" here is already covered (and exceeded) by the
  # next rule.
  - apiGroups: [""]
    resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"]
    verbs: ["get", "list", "watch"]
  # Read/write on every Secret in the cluster, used for the DNS certificate provisioning
  # (security.dnsCerts / mesh "certificates"). A compromised Pilot token therefore exposes all
  # Secrets cluster-wide; scope this to the namespaces that actually receive DNS certs if possible.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  # Pilot can both create and approve CertificateSigningRequests, i.e. it can effectively obtain
  # cluster-CA-signed certificates for whatever names it requests without an external approver.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete"]
---
# Grants the istio-pilot-istio-system ClusterRole above to Pilot's service account. Because the
# binding is cluster-scoped, the Secret and CSR permissions in that role apply to every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: istio-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: istio-system
  name: pilot-envoy-config
  labels:
    release: istio
data:
  # Bootstrap template for the istio-proxy container that runs next to Pilot (the istio-pilot
  # Deployment passes "--templateFile /var/lib/envoy/envoy.yaml.tmpl"). Pilot's own
  # --secureGrpcAddr is empty, so this Envoy is what terminates mTLS for xDS:
  # 0.0.0.0:15011 (mTLS) -> 127.0.0.1:15010 (plaintext, inside the pod).
  envoy.yaml.tmpl: |-
    # Admin API on loopback only; its access log is discarded.
    admin:
      access_log_path: /dev/null
      address:
        socket_address:
          address: 127.0.0.1
          port_value: 15000
    static_resources:
      clusters:
      # Pilot's plaintext xDS endpoint on loopback; reached through the mTLS listener below.
      - name: in.15010
        http2_protocol_options: {}
        connect_timeout: 1.000s
        hosts:
        - socket_address:
            address: 127.0.0.1
            port_value: 15010
        circuit_breakers:
          thresholds:
          - max_connections: 100000
            max_pending_requests: 100000
            max_requests: 100000
            max_retries: 3
      # TODO: telemetry using EDS
      # TODO: other pilots using EDS, load balancing
      # TODO: galley using EDS
      # Outbound MCP connection to Galley over mTLS. Pilot presents its own cert from /etc/certs
      # and pins the peer to Galley's SPIFFE ID, so another mesh identity holding a Citadel-issued
      # cert cannot stand in for Galley and feed Pilot configuration.
      # NOTE(review): newer Envoy releases deprecate verify_subject_alt_name in favour of
      # match_subject_alt_names; keep this in mind when the proxy image is bumped.
      - name: out.galley.15019
        http2_protocol_options: {}
        connect_timeout: 1.000s
        type: STRICT_DNS
        circuit_breakers:
          thresholds:
          - max_connections: 100000
            max_pending_requests: 100000
            max_requests: 100000
            max_retries: 3
        hosts:
        - socket_address:
            address: istio-galley.istio-system
            port_value: 15019
        tls_context:
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: /etc/certs/cert-chain.pem
              private_key:
                filename: /etc/certs/key.pem
            validation_context:
              trusted_ca:
                filename: /etc/certs/root-cert.pem
              verify_subject_alt_name:
              - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account
      listeners:
      # Inbound xDS listener on all interfaces. A client certificate chained to root-cert.pem is
      # required, but unlike the Galley cluster above no SAN is pinned: any workload with a
      # Citadel-issued certificate can open an xDS stream here. That is by design (every sidecar
      # must reach Pilot), so authorisation of xDS clients does not happen at this layer.
      # Requests are access-logged to stdout.
      - name: "in.15011"
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 15011
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            #typed_config
            #"@type": "type.googleapis.com/",
            config:
              codec_type: HTTP2
              stat_prefix: "15011"
              http2_protocol_options:
                # Effectively unlimited concurrent streams per connection.
                max_concurrent_streams: 1073741824
              access_log:
              - name: envoy.file_access_log
                config:
                  path: /dev/stdout
              http_filters:
              - name: envoy.router
              route_config:
                name: "15011"
                virtual_hosts:
                - name: istio-pilot
                  domains:
                  - '*'
                  routes:
                  - match:
                      prefix: /
                    route:
                      cluster: in.15010
                      # 0 disables the route timeout; xDS streams are long-lived.
                      timeout: 0.000s
                    decorator:
                      operation: xDS
          tls_context:
            common_tls_context:
              alpn_protocols:
              - h2
              tls_certificates:
              - certificate_chain:
                  filename: /etc/certs/cert-chain.pem
                private_key:
                  filename: /etc/certs/key.pem
              validation_context:
                trusted_ca:
                  filename: /etc/certs/root-cert.pem
          require_client_certificate: true
      # Manual 'whitebox' mode
      # Loopback-only plaintext front for the Galley MCP cluster above; this is what the
      # "config_sources: localhost:15019" entry in the istio ConfigMap's mesh config points at,
      # so Pilot never has to speak TLS itself.
      - name: "local.15019"
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 15019
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              codec_type: HTTP2
              stat_prefix: "15019"
              http2_protocol_options:
                max_concurrent_streams: 1073741824
              access_log:
              - name: envoy.file_access_log
                config:
                  path: /dev/stdout
              http_filters:
              - name: envoy.router
              route_config:
                name: "15019"
                virtual_hosts:
                - name: istio-galley
                  domains:
                  - '*'
                  routes:
                  - match:
                      prefix: /
                    route:
                      cluster: out.galley.15019
                      timeout: 0.000s
---
# The "istio" ConfigMap: mesh-wide configuration read by Pilot (mounted at /etc/istio/config in the
# istio-pilot Deployment) plus the rendered component values for reference.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    release: istio
data:
  meshNetworks: |-
    # Network config
    networks: {}
  values.yaml: |-
    appNamespaces: []
    autoscaleEnabled: true
    autoscaleMax: 5
    autoscaleMin: 1
    configMap: true
    configNamespace: istio-config
    cpu:
      targetAverageUtilization: 80
    enableProtocolSniffingForInbound: false
    enableProtocolSniffingForOutbound: true
    enabled: true
    env: {}
    image: pilot
    ingress:
      ingressClass: istio
      # Kept quoted on purpose: a bare OFF would be parsed as the boolean false by YAML 1.1 loaders.
      ingressControllerMode: "OFF"
      ingressService: istio-ingressgateway
    keepaliveMaxServerConnectionAge: 30m
    meshNetworks:
      networks: {}
    namespace: istio-system
    nodeSelector: {}
    plugins: []
    podAnnotations: {}
    podAntiAffinityLabelSelector: []
    podAntiAffinityTermLabelSelector: []
    policy:
      enabled: false
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 2048Mi
    rollingMaxSurge: 100%
    rollingMaxUnavailable: 25%
    tolerations: []
    traceSampling: 1
    # Configuration is pulled from Galley over MCP (see config_sources in the mesh block below).
    useMCP: true
  mesh: |-
    # Set enableTracing to false to disable request tracing.
    enableTracing: true
    # Set accessLogFile to empty string to disable access log.
    # NOTE(review): sidecar access logging is OFF in this install. For incident response and
    # detection it is usually worth setting this to /dev/stdout (at the cost of log volume).
    accessLogFile: ""
    accessLogFormat: ""
    accessLogEncoding: 'TEXT'
    enableEnvoyAccessLogService: false
    mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
    mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    # With disablePolicyChecks: true below, Mixer check calls are never made, so this fail-closed
    # setting has no effect until policy checks are switched on.
    policyCheckFailOpen: false
    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
    reportBatchMaxEntries: 100
    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
    reportBatchMaxTime: 1s
    disableMixerHttpReports: false
    # Mixer policy enforcement (quota, deny rules, etc.) is disabled mesh-wide.
    disablePolicyChecks: true
    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms
    # This is the k8s ingress service name, update if you used a different name
    ingressService: "istio-ingressgateway"
    ingressControllerMode: "OFF"
    ingressClass: "istio"
    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: "cluster.local"
    # The trust domain aliases represent the aliases of trust_domain.
    # For example, if we have
    # trustDomain: td1
    # trustDomainAliases: [“td2”, "td3"]
    # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
    # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
    # Every alias listed here is trusted as equivalent to trustDomain, so additions widen the
    # identities accepted by every policy in the mesh. The bare key below parses as null (no
    # aliases); write [] if a linter objects.
    trustDomainAliases:
    # Set expected values when SDS is disabled
    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    # Empty here: workload certificates come from the istio.<sa> Secrets mounted by the injector,
    # matching SDS_ENABLED: "false" on Pilot's own proxy.
    sdsUdsPath: ""
    # This flag is used by secret discovery service(SDS).
    # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount
    # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which
    # will be used to generate key/cert eventually. This isn't supported for non-k8s case.
    enableSdsTokenMount: false
    # This flag is used by secret discovery service(SDS).
    # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token'
    # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod)
    # and pass to sds server, which will be used to request key/cert eventually.
    # this flag is ignored if enableSdsTokenMount is set.
    # This isn't supported for non-k8s case.
    sdsUseK8sSaJwt: false
    # If true, automatically configure client side mTLS settings to match the corresponding service's
    # server side mTLS authentication policy, when destination rule for that service does not specify
    # TLS settings.
    # NOTE(review): false here plus the PERMISSIVE MeshPolicy means sidecar-to-sidecar traffic is
    # plaintext unless a DestinationRule sets ISTIO_MUTUAL for the destination.
    enableAutoMtls: false
    # MCP source: Galley, reached via the loopback listener of Pilot's own proxy (pilot-envoy-config).
    config_sources:
    - address: localhost:15019
    # ALLOW_ANY: sidecars pass traffic for hosts unknown to the mesh straight through, so any
    # workload can reach arbitrary external endpoints. REGISTRY_ONLY restricts egress to services
    # registered in the mesh (ServiceEntries) and is the safer default for production.
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    localityLbSetting:
      enabled: true
    # Configures DNS certificates provisioned through Chiron linked into Pilot.
    # The DNS certificate provisioning is enabled by default now so it gets tested.
    # TODO (lei-tang): we'll decide whether enable it by default or not before Istio 1.4 Release.
    # NOTE(review): the TODO above is stale for a 1.4.5 manifest; no DNS certificates are
    # configured here. The Pilot ClusterRole keeps cluster-wide Secret write access for this
    # feature regardless.
    certificates:
      []
    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys.
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.
      # If set to 0 (default), then start worker thread for each CPU thread/core.
      # The value shipped here is 2, i.e. a fixed two worker threads regardless of CPU count.
      concurrency: 2
      #
      tracing:
        zipkin:
          # Address of the Zipkin collector
          address: zipkin.istio-system:9411
      #
      # Mutual TLS authentication between sidecars and istio control plane.
      controlPlaneAuthPolicy: MUTUAL_TLS
      #
      # Address where istio Pilot service is running
      # Port 15011 is the mTLS xDS port of the istio-pilot Service (15010 is the plaintext one).
      discoveryAddress: istio-pilot.istio-system:15011
---
# Pilot (xDS) control-plane Deployment. The pod is excluded from sidecar injection and instead
# carries an explicit istio-proxy container that terminates mTLS for xDS using the
# pilot-envoy-config bootstrap.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: pilot
    istio: pilot
    release: istio
  name: istio-pilot
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: pilot
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Control-plane pods are never auto-injected; the proxy below is defined by hand.
        sidecar.istio.io/inject: "false"
      labels:
        app: pilot
        chart: pilot
        heritage: Tiller
        istio: pilot
        release: istio
    spec:
      # Pin to the architectures the images are published for; amd64 is merely preferred, the
      # required term admits all three equally.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
                - key: beta.kubernetes.io/arch
                  operator: In
                  values:
                    - amd64
            weight: 2
          - preference:
              matchExpressions:
                - key: beta.kubernetes.io/arch
                  operator: In
                  values:
                    - ppc64le
            weight: 2
          - preference:
              matchExpressions:
                - key: beta.kubernetes.io/arch
                  operator: In
                  values:
                    - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
                - key: beta.kubernetes.io/arch
                  operator: In
                  values:
                    - amd64
                    - ppc64le
                    - s390x
      # NOTE(review): neither container sets a securityContext, so UID, capabilities and root
      # filesystem writability are whatever the images default to. Consider runAsNonRoot and
      # readOnlyRootFilesystem once verified against the images.
      containers:
        # Pilot itself. --secureGrpcAddr "" disables Pilot's built-in TLS gRPC endpoint, so the
        # only authenticated path to xDS is through the istio-proxy container below
        # (15011 -> 127.0.0.1:15010). Ports 8080 (HTTP; /ready below, legacy discovery and
        # presumably Pilot's debug endpoints) and 15010 (plaintext gRPC xDS) are nevertheless
        # exposed by the istio-pilot Service; restrict them with a NetworkPolicy if any pod in the
        # cluster being able to pull the mesh configuration is a concern.
        - args:
          - discovery
          - --monitoringAddr=:15014
          - --log_output_level=default:info
          - --domain
          - cluster.local
          - --secureGrpcAddr
          - ""
          - --trust-domain=cluster.local
          - --keepaliveMaxServerConnectionAge
          - 30m
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            # Trace sampling rate handed to sidecars (matches traceSampling: 1 in the values).
            - name: PILOT_TRACE_SAMPLING
              value: "1"
            - name: CONFIG_NAMESPACE
              value: istio-config
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              value: "true"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              value: "false"
          # Pinned by a mutable tag, not a digest; with IfNotPresent a node keeps serving whatever
          # it cached under that tag. Pin image@sha256:... for a verifiable supply chain.
          image: docker.io/istio/pilot:1.4.5
          imagePullPolicy: IfNotPresent
          name: discovery
          ports:
            - containerPort: 8080
            - containerPort: 15010
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
            timeoutSeconds: 5
          # Requests only, no limits: Pilot may grow beyond 2Gi under load.
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi
          volumeMounts:
            # The "istio" ConfigMap (mesh / meshNetworks) from this file.
            - mountPath: /etc/istio/config
              name: config-volume
        # Pilot's own Envoy, bootstrapped from pilot-envoy-config: serves mTLS xDS on 15011 and
        # fronts the MCP connection to Galley. It has no readiness probe, so the Service can select
        # the pod before this proxy is up.
        - args:
          - proxy
          - --domain
          - $(POD_NAMESPACE).svc.cluster.local
          - --serviceCluster
          - istio-pilot
          - --templateFile
          - /var/lib/envoy/envoy.yaml.tmpl
          - --controlPlaneAuthPolicy
          - MUTUAL_TLS
          - --trust-domain=cluster.local
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            # Certificates come from the mounted Secret, not from SDS (matches sdsUdsPath: "").
            - name: SDS_ENABLED
              value: "false"
          image: docker.io/istio/proxyv2:1.4.5
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 15011
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - mountPath: /var/lib/envoy
              name: pilot-envoy-config
            # Citadel-issued key/cert for istio-pilot-service-account; read-only.
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
      serviceAccountName: istio-pilot-service-account
      volumes:
        # optional: true lets the pod start before Citadel has issued the Secret; until it exists
        # the proxy has no certificate to serve on 15011 and the Galley client cert is missing too.
        - name: istio-certs
          secret:
            optional: true
            secretName: istio.istio-pilot-service-account
        - configMap:
            name: istio
          name: config-volume
        - configMap:
            name: pilot-envoy-config
          name: pilot-envoy-config
---
# Mesh-wide peer authentication default. authentication.istio.io/v1alpha1 MeshPolicy is the
# 1.4-era API (1.5+ replaces it with security.istio.io PeerAuthentication); the mesh-wide policy
# must be named "default".
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
  labels:
    release: istio
spec:
  peers:
  - mtls:
      # PERMISSIVE: sidecars accept both mTLS and plaintext on every port. That keeps non-mesh and
      # not-yet-injected clients working, but any client can always fall back to plaintext, and
      # with enableAutoMtls: false in the istio ConfigMap a sidecar without a DestinationRule
      # setting ISTIO_MUTUAL sends plaintext by default. Move to STRICT (per namespace first, then
      # mesh-wide) once every workload has a sidecar.
      mode: PERMISSIVE
---
# Keeps at least one Pilot pod up during voluntary disruptions. policy/v1beta1 PodDisruptionBudget
# is no longer served by recent Kubernetes releases (removed in v1.25); use policy/v1 there.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    release: istio
    istio: pilot
spec:
  # NOTE(review): the istio-pilot HPA in this file has minReplicas: 1 (replicaCount: 1 in the
  # values). With a single replica, minAvailable: 1 means the pod can never be evicted, so node
  # drains block on it. Either run two or more replicas or relax this budget.
  minAvailable: 1
  selector:
    matchLabels:
      app: pilot
      release: istio
      istio: pilot
---
# ClusterIP Service in front of Pilot. Sidecars are pointed at the mTLS port (discoveryAddress:
# istio-pilot.istio-system:15011 in the istio ConfigMap); the remaining ports are plaintext and
# reachable from every pod that can route to the Service.
apiVersion: v1
kind: Service
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    release: istio
    istio: pilot
spec:
  ports:
  # Plaintext gRPC xDS straight to the discovery container, no client authentication: any pod
  # that can reach this port can read the mesh configuration. Restrict it with a NetworkPolicy
  # (or drop it) if that matters in this cluster.
  - port: 15010
    name: grpc-xds # direct
  # xDS behind the pod's istio-proxy container; client certificate required.
  - port: 15011
    name: https-xds # mTLS
  # Pilot's HTTP port: /ready, legacy discovery and presumably the /debug endpoints.
  - port: 8080
    name: http-legacy-discovery # direct
  # Metrics endpoint (--monitoringAddr=:15014 on the discovery container).
  - port: 15014
    name: http-monitoring
  selector:
    istio: pilot
---
# Identity of the Pilot pod. Its token carries the cluster-wide istio-pilot-istio-system
# ClusterRole (Secrets read/write, CSR approval), and its SPIFFE identity is the one pinned by
# other control-plane components, so keep access to this Secret-bearing account tight.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-pilot-service-account
  namespace: istio-system
  labels:
    app: pilot
    release: istio
---
# Resources for Policy component
# HorizontalPodAutoscaler for the Mixer policy Deployment (1-5 replicas on average CPU).
# autoscaling/v2beta1 is no longer served by recent Kubernetes releases (removed in v1.25);
# use autoscaling/v2 there.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: mixer
    release: istio
  name: istio-policy
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-policy
---
# Cluster-wide RBAC for the Mixer policy service (bound to istio-policy-service-account below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-policy
  labels:
    release: istio
    app: istio-policy
rules:
  # Mixer watches its own config CRDs and may create/patch them (status updates).
  - apiGroups: ["config.istio.io"] # istio CRD watcher
    resources: ["*"]
    verbs: ["create", "get", "list", "watch", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # Attribute generation from the Kubernetes API. Note that this includes read access to every
  # Secret in the cluster, which is more than attribute lookup on pods/services needs; scope it
  # down if the adapters in use do not require Secrets.
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
---
# Grants the istio-policy ClusterRole above to the Mixer policy service account, cluster-wide.
# (The "admin" in the binding name is historical; the role itself is mostly read-only.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-policy-admin-role-binding-istio-system
  labels:
    app: istio-policy
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-policy
subjects:
  - kind: ServiceAccount
    name: istio-policy-service-account
    namespace: istio-system
---
# Client-side TLS settings for talking to the Mixer policy service.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: istio-policy
    release: istio
spec:
  host: istio-policy.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    # 15004 is the mTLS port and the one mixerCheckServer in the istio ConfigMap points at.
    - port:
        number: 15004 # grpc-mixer-mtls
      tls:
        mode: ISTIO_MUTUAL
    # 9091 is deliberately plaintext (legacy/direct access). Anything still calling Mixer on 9091
    # bypasses mTLS; keep callers on 15004.
    - port:
        number: 9091 # grpc-mixer
      tls:
        mode: DISABLE
    # Generous HTTP/2 pool so that per-request check calls do not queue behind each other.
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
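apiVersion: v1
kind: ConfigMap
metadata:
  namespace: istio-system
  name: policy-envoy-config
  labels:
    release: istio
data:
  # Explicitly defined - moved from istio/istio/pilot/docker.
  # The value is a Go template rendered by the istio-proxy container of the
  # istio-policy Deployment (.PodName, .PodIP, .DisableReportCalls), then loaded
  # as the Envoy bootstrap. Security-relevant shape of the result:
  #   - admin API is bound to 127.0.0.1:15000 only (its access log is discarded).
  #   - listener "15090" serves /stats/prometheus on 0.0.0.0 with no auth.
  #   - listener "15004" requires a client certificate from the mesh CA, but
  #     unlike the outbound clusters it pins no verify_subject_alt_name, so any
  #     identity issued by that CA is accepted.
  #   - listener "9091" has no tls_context: plaintext HTTP/2 on 0.0.0.0.
  #   - listener "local.15019" is loopback-only and forwards to galley over
  #     mTLS with the galley SPIFFE identity pinned.
  #   - transport.check_cluster names "mixer_check_server", which is not defined
  #     under static_resources.clusters; unused while disable_check_calls is
  #     true, but it is a dangling reference.
  # A duplicate trailing `name: "9091"` key on the 9091 listener was removed;
  # the value was identical to the leading one.
  envoy.yaml.tmpl: |-
    admin:
      access_log_path: /dev/null
      address:
        socket_address:
          address: 127.0.0.1
          port_value: 15000
    stats_config:
      use_all_default_tags: false
      stats_tags:
        - tag_name: cluster_name
          regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)'
        - tag_name: tcp_prefix
          regex: '^tcp\.((.*?)\.)\w+?$'
        - tag_name: response_code
          regex: '_rq(_(\d{3}))$'
        - tag_name: response_code_class
          regex: '_rq(_(\dxx))$'
        - tag_name: http_conn_manager_listener_prefix
          regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)'
        - tag_name: http_conn_manager_prefix
          regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)'
        - tag_name: listener_address
          regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)'
    static_resources:
      clusters:
        - name: prometheus_stats
          type: STATIC
          connect_timeout: 0.250s
          lb_policy: ROUND_ROBIN
          hosts:
            - socket_address:
                protocol: TCP
                address: 127.0.0.1
                port_value: 15000
        - circuit_breakers:
            thresholds:
              - max_connections: 100000
                max_pending_requests: 100000
                max_requests: 100000
                max_retries: 3
          connect_timeout: 1.000s
          hosts:
            - pipe:
                path: /sock/mixer.socket
          http2_protocol_options: {}
          name: inbound_9092
        - circuit_breakers:
            thresholds:
              - max_connections: 100000
                max_pending_requests: 100000
                max_requests: 100000
                max_retries: 3
          connect_timeout: 1.000s
          hosts:
            - socket_address:
                address: istio-telemetry
                port_value: 15004
          http2_protocol_options: {}
          name: mixer_report_server
          tls_context:
            common_tls_context:
              tls_certificates:
                - certificate_chain:
                    filename: /etc/certs/cert-chain.pem
                  private_key:
                    filename: /etc/certs/key.pem
              validation_context:
                trusted_ca:
                  filename: /etc/certs/root-cert.pem
                verify_subject_alt_name:
                  - spiffe://cluster.local/ns/istio-system/sa/istio-mixer-service-account
          type: STRICT_DNS
          dns_lookup_family: V4_ONLY
        - name: out.galley.15019
          http2_protocol_options: {}
          connect_timeout: 1.000s
          type: STRICT_DNS
          circuit_breakers:
            thresholds:
              - max_connections: 100000
                max_pending_requests: 100000
                max_requests: 100000
                max_retries: 3
          hosts:
            - socket_address:
                address: istio-galley.istio-system
                port_value: 15019
          tls_context:
            common_tls_context:
              tls_certificates:
                - certificate_chain:
                    filename: /etc/certs/cert-chain.pem
                  private_key:
                    filename: /etc/certs/key.pem
              validation_context:
                trusted_ca:
                  filename: /etc/certs/root-cert.pem
                verify_subject_alt_name:
                  - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account
      listeners:
        - name: "15090"
          address:
            socket_address:
              protocol: TCP
              address: 0.0.0.0
              port_value: 15090
          filter_chains:
            - filters:
                - name: envoy.http_connection_manager
                  config:
                    codec_type: AUTO
                    stat_prefix: stats
                    route_config:
                      virtual_hosts:
                        - name: backend
                          domains:
                            - '*'
                          routes:
                            - match:
                                prefix: /stats/prometheus
                              route:
                                cluster: prometheus_stats
                    http_filters:
                      - name: envoy.router
        - name: "15004"
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 15004
          filter_chains:
            - filters:
                - config:
                    codec_type: HTTP2
                    http2_protocol_options:
                      max_concurrent_streams: 1073741824
                    generate_request_id: true
                    http_filters:
                      - config:
                          default_destination_service: istio-policy.istio-system.svc.cluster.local
                          service_configs:
                            istio-policy.istio-system.svc.cluster.local:
                              disable_check_calls: true
    {{- if .DisableReportCalls }}
                              disable_report_calls: true
    {{- end }}
                          mixer_attributes:
                            attributes:
                              destination.service.host:
                                string_value: istio-policy.istio-system.svc.cluster.local
                              destination.service.uid:
                                string_value: istio://istio-system/services/istio-policy
                              destination.service.name:
                                string_value: istio-policy
                              destination.service.namespace:
                                string_value: istio-system
                              destination.uid:
                                string_value: kubernetes://{{ .PodName }}.istio-system
                              destination.namespace:
                                string_value: istio-system
                              destination.ip:
                                bytes_value: {{ .PodIP }}
                              destination.port:
                                int64_value: 15004
                              context.reporter.kind:
                                string_value: inbound
                              context.reporter.uid:
                                string_value: kubernetes://{{ .PodName }}.istio-system
                          transport:
                            check_cluster: mixer_check_server
                            report_cluster: mixer_report_server
                            attributes_for_mixer_proxy:
                              attributes:
                                source.uid:
                                  string_value: kubernetes://{{ .PodName }}.istio-system
                        name: mixer
                      - name: envoy.router
                    route_config:
                      name: "15004"
                      virtual_hosts:
                        - domains:
                            - '*'
                          name: istio-policy.istio-system.svc.cluster.local
                          routes:
                            - decorator:
                                operation: Check
                              match:
                                prefix: /
                              route:
                                cluster: inbound_9092
                                timeout: 0.000s
                    stat_prefix: "15004"
                  name: envoy.http_connection_manager
              tls_context:
                common_tls_context:
                  alpn_protocols:
                    - h2
                  tls_certificates:
                    - certificate_chain:
                        filename: /etc/certs/cert-chain.pem
                      private_key:
                        filename: /etc/certs/key.pem
                  validation_context:
                    trusted_ca:
                      filename: /etc/certs/root-cert.pem
                require_client_certificate: true
        - name: "9091"
          address:
            socket_address:
              address: 0.0.0.0
              port_value: 9091
          filter_chains:
            - filters:
                - config:
                    codec_type: HTTP2
                    http2_protocol_options:
                      max_concurrent_streams: 1073741824
                    generate_request_id: true
                    http_filters:
                      - config:
                          default_destination_service: istio-policy.istio-system.svc.cluster.local
                          service_configs:
                            istio-policy.istio-system.svc.cluster.local:
                              disable_check_calls: true
    {{- if .DisableReportCalls }}
                              disable_report_calls: true
    {{- end }}
                          mixer_attributes:
                            attributes:
                              destination.service.host:
                                string_value: istio-policy.istio-system.svc.cluster.local
                              destination.service.uid:
                                string_value: istio://istio-system/services/istio-policy
                              destination.service.name:
                                string_value: istio-policy
                              destination.service.namespace:
                                string_value: istio-system
                              destination.uid:
                                string_value: kubernetes://{{ .PodName }}.istio-system
                              destination.namespace:
                                string_value: istio-system
                              destination.ip:
                                bytes_value: {{ .PodIP }}
                              destination.port:
                                int64_value: 9091
                              context.reporter.kind:
                                string_value: inbound
                              context.reporter.uid:
                                string_value: kubernetes://{{ .PodName }}.istio-system
                          transport:
                            check_cluster: mixer_check_server
                            report_cluster: mixer_report_server
                            attributes_for_mixer_proxy:
                              attributes:
                                source.uid:
                                  string_value: kubernetes://{{ .PodName }}.istio-system
                        name: mixer
                      - name: envoy.router
                    route_config:
                      name: "9091"
                      virtual_hosts:
                        - domains:
                            - '*'
                          name: istio-policy.istio-system.svc.cluster.local
                          routes:
                            - decorator:
                                operation: Check
                              match:
                                prefix: /
                              route:
                                cluster: inbound_9092
                                timeout: 0.000s
                    stat_prefix: "9091"
                  name: envoy.http_connection_manager
        - name: "local.15019"
          address:
            socket_address:
              address: 127.0.0.1
              port_value: 15019
          filter_chains:
            - filters:
                - name: envoy.http_connection_manager
                  config:
                    codec_type: HTTP2
                    stat_prefix: "15019"
                    http2_protocol_options:
                      max_concurrent_streams: 1073741824
                    access_log:
                      - name: envoy.file_access_log
                        config:
                          path: /dev/stdout
                    http_filters:
                      - name: envoy.router
                    route_config:
                      name: "15019"
                      virtual_hosts:
                        - name: istio-galley
                          domains:
                            - '*'
                          routes:
                            - match:
                                prefix: /
                              route:
                                cluster: out.galley.15019
                                timeout: 0.000s
---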
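apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-policy
    istio: mixer
    release: istio
  name: istio-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: policy
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        # Control-plane pod: injection is off because it ships its own
        # istio-proxy container (second container below).
        sidecar.istio.io/inject: "false"
      labels:
        app: policy
        istio: mixer
        istio-mixer-type: policy
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
              weight: 2
            - preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
              weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
      containers:
        # Mixer policy server. It listens only on the unix socket that the
        # istio-proxy container fronts; configuration comes from galley via the
        # proxy's loopback listener on 15019 (mTLS to galley is done by Envoy).
        - args:
            - --monitoringPort=15014
            - --address
            - unix:///sock/mixer.socket
            - --log_output_level=default:info
            - --configStoreURL=mcp://localhost:15019
            - --configDefaultNamespace=istio-system
            - --useAdapterCRDs=false
            - --useTemplateCRDs=false
            # NOTE(review): traces are exported over plain http inside the cluster.
            - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          image: docker.io/istio/mixer:1.4.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
          name: mixer
          ports:
            - containerPort: 9091
            - containerPort: 15014
            - containerPort: 42422
          # NOTE(review): no limits on this container (the proxy below has them);
          # a memory limit would bound the blast radius of a policy-eval spike.
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            - mountPath: /sock
              name: uds-socket
            - mountPath: /var/run/secrets/istio.io/policy/adapter
              name: policy-adapter-secret
              readOnly: true
        # Envoy in front of mixer, bootstrapped from the policy-envoy-config
        # template; terminates mesh mTLS on 15004 and exposes stats on 15090.
        - args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-policy
            - --templateFile
            - /var/lib/envoy/envoy.yaml.tmpl
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --trust-domain=cluster.local
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          image: docker.io/istio/proxyv2:1.4.5
          imagePullPolicy: IfNotPresent
          name: istio-proxy
          ports:
            - containerPort: 15004
            - containerPort: 15090
              name: http-envoy-prom
              protocol: TCP
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - mountPath: /var/lib/envoy
              name: policy-envoy-config
            - mountPath: /etc/certs
              name: istio-certs
              readOnly: true
            - mountPath: /sock
              name: uds-socket
      serviceAccountName: istio-policy-service-account
      volumes:
        # NOTE(review): optional: true lets the pod start before Citadel has
        # issued this secret; until it exists the mTLS listener on 15004 and the
        # galley/telemetry clusters have no key material and will fail at
        # runtime rather than at scheduling time.
        - name: istio-certs
          secret:
            optional: true
            secretName: istio.istio-policy-service-account
        - emptyDir: {}
          name: uds-socket
        - name: policy-adapter-secret
          secret:
            optional: true
            secretName: policy-adapter-secret
        - configMap:
            name: policy-envoy-config
          name: policy-envoy-config
---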
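apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: policy
    release: istio
    istio: mixer
    istio-mixer-type: policy
spec:
  # NOTE(review): with a single replica, minAvailable: 1 blocks voluntary
  # evictions (node drains) of the policy pod until another replica exists.
  minAvailable: 1
  selector:
    matchLabels:
      app: policy
      istio: mixer
      istio-mixer-type: policy
---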
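apiVersion: v1
kind: Service
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    istio: mixer
    release: istio
spec:
  ports:
    # 9091 is the plaintext Mixer port; 15004 is the mTLS one fronted by the
    # pod's istio-proxy. 15014 is the mixer monitoring endpoint scraped by the
    # Prometheus 'istio-policy' job.
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-policy-monitoring
      port: 15014
  selector:
    istio: mixer
    istio-mixer-type: policy
---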
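apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-policy-service-account
  namespace: istio-system
  labels:
    app: istio-policy
    release: istio
---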
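# Resources for Prometheus component
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-istio-system
  labels:
    app: prometheus
    release: istio
rules:
  # nodes/proxy (read-only) is what lets the kubernetes-nodes and
  # kubernetes-cadvisor scrape jobs reach the kubelet through the API server at
  # /api/v1/nodes/<node>/proxy/...; it also exposes the kubelet's other read
  # endpoints to this service account.
  - apiGroups: [""]
    resources:
      - nodes
      - services
      - endpoints
      - pods
      - nodes/proxy
    verbs: ["get", "list", "watch"]
  # NOTE(review): cluster-wide get on configmaps; the scrape config below only
  # uses endpoint/pod/node discovery, so this may be removable.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs: ["get"]
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---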
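apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-istio-system
  labels:
    app: prometheus
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-istio-system
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: istio-system
---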
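apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    release: istio
data:
  # Scrape configuration mounted at /etc/prometheus by the prometheus
  # Deployment. Trust boundaries worth knowing:
  #   - API server, kubelet and cAdvisor jobs authenticate with the pod's
  #     service-account token and verify the cluster CA.
  #   - 'kubernetes-pods-istio-secure' presents the certificate mounted from
  #     /etc/istio-certs (the istio.default secret) but sets
  #     insecure_skip_verify, so the scraped pod's identity is not checked.
  #   - every other job is plaintext http.
  # Relabel regexes that look like booleans are single-quoted so YAML 1.1
  # loaders keep them as strings.
  prometheus.yml: |-
    global:
      scrape_interval: 15s
    scrape_configs:
      # Mixer scrapping. Defaults to Prometheus and mixer on same namespace.
      #
      - job_name: 'istio-mesh'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-telemetry;prometheus
      # Scrape config for envoy stats
      - job_name: 'envoy-stats'
        metrics_path: /stats/prometheus
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_container_port_name]
            action: keep
            regex: '.*-envoy-prom'
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:15090
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name
      - job_name: 'istio-policy'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-policy;http-policy-monitoring
      - job_name: 'istio-telemetry'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-telemetry;http-monitoring
      - job_name: 'pilot'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-pilot;http-monitoring
      - job_name: 'galley'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-galley;http-monitoring
      - job_name: 'citadel'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - istio-system
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: istio-citadel;http-monitoring
      # scrape config for API servers
      - job_name: 'kubernetes-apiservers'
        kubernetes_sd_configs:
          - role: endpoints
            namespaces:
              names:
                - default
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
            action: keep
            regex: kubernetes;https
      # scrape config for nodes (kubelet)
      - job_name: 'kubernetes-nodes'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/${1}/proxy/metrics
      # Scrape config for Kubelet cAdvisor.
      #
      # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
      # (those whose names begin with 'container_') have been removed from the
      # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to
      # retrieve those metrics.
      #
      # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
      # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
      # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
      # the --cadvisor-port=0 Kubelet flag).
      #
      # This job is not necessary and should be removed in Kubernetes 1.6 and
      # earlier versions, or it will cause the metrics to be scraped twice.
      - job_name: 'kubernetes-cadvisor'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
          - role: node
        relabel_configs:
          - action: labelmap
            regex: __meta_kubernetes_node_label_(.+)
          - target_label: __address__
            replacement: kubernetes.default.svc:443
          - source_labels: [__meta_kubernetes_node_name]
            regex: (.+)
            target_label: __metrics_path__
            replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
      # scrape config for service endpoints.
      - job_name: 'kubernetes-service-endpoints'
        kubernetes_sd_configs:
          - role: endpoints
        relabel_configs:
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
            action: keep
            regex: 'true'
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
            action: replace
            target_label: __scheme__
            regex: (https?)
          - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
            action: replace
            target_label: __address__
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
          - action: labelmap
            regex: __meta_kubernetes_service_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: kubernetes_namespace
          - source_labels: [__meta_kubernetes_service_name]
            action: replace
            target_label: kubernetes_name
      - job_name: 'kubernetes-pods'
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:  # If first two labels are present, pod should be scraped by the istio-secure job.
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: 'true'
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status]
            action: drop
            regex: (.+)
          - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
            action: drop
            regex: (true)
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name
      - job_name: 'kubernetes-pods-istio-secure'
        scheme: https
        tls_config:
          ca_file: /etc/istio-certs/root-cert.pem
          cert_file: /etc/istio-certs/cert-chain.pem
          key_file: /etc/istio-certs/key.pem
          insecure_skip_verify: true  # prometheus does not support secure naming.
        kubernetes_sd_configs:
          - role: pod
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
            action: keep
            regex: 'true'
          # sidecar status annotation is added by sidecar injector and
          # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
          - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
            action: keep
            regex: (([^;]+);([^;]*))|(([^;]*);(true))
          - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
            action: replace
            target_label: __metrics_path__
            regex: (.+)
          - source_labels: [__address__]  # Only keep address that is host:port
            action: keep  # otherwise an extra target with ':443' is added for https scheme
            regex: ([^:]+):(\d+)
          - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
            action: replace
            regex: ([^:]+)(?::\d+)?;(\d+)
            replacement: $1:$2
            target_label: __address__
          - action: labelmap
            regex: __meta_kubernetes_pod_label_(.+)
          - source_labels: [__meta_kubernetes_namespace]
            action: replace
            target_label: namespace
          - source_labels: [__meta_kubernetes_pod_name]
            action: replace
            target_label: pod_name
---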
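apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    release: istio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
        release: istio
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: prometheus
      containers:
        - name: prometheus
          image: "docker.io/prom/prometheus:v2.12.0"
          imagePullPolicy: IfNotPresent
          args:
            - '--storage.tsdb.retention=6h'
            - '--config.file=/etc/prometheus/prometheus.yml'
          ports:
            - containerPort: 9090
              name: http
          livenessProbe:
            httpGet:
              path: /-/healthy
              port: 9090
          readinessProbe:
            httpGet:
              path: /-/ready
              port: 9090
          # NOTE(review): no limits; TSDB memory grows with the number of
          # scraped series, so an unbounded Prometheus can starve the node.
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - name: config-volume
              mountPath: /etc/prometheus
            # Holds the mesh private key used by the istio-secure scrape job;
            # mounting it readOnly: true would match the other cert mounts.
            - mountPath: /etc/istio-certs
              name: istio-certs
      volumes:
        - name: config-volume
          configMap:
            name: prometheus
        # NOTE(review): istio.default is the mesh certificate of the *default*
        # service account, so Prometheus scrapes mTLS workloads under that
        # identity rather than its own. defaultMode 420 (0644) leaves key.pem
        # readable by every user in the container; 0400 is enough for the
        # prometheus process. The volume is not optional, so the pod will not
        # start until Citadel has issued the secret.
        - name: istio-certs
          secret:
            defaultMode: 420
            secretName: istio.default
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                      - ppc64le
                      - s390x
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - ppc64le
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - s390x
---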
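apiVersion: v1
kind: Service
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    # Lets the 'kubernetes-service-endpoints' job scrape Prometheus itself.
    prometheus.io/scrape: 'true'
  labels:
    app: prometheus
    release: istio
spec:
  selector:
    app: prometheus
  ports:
    # Plain HTTP; the Prometheus UI/API has no authentication of its own.
    - name: http-prometheus
      protocol: TCP
      port: 9090
---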
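apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    release: istio
---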
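# PrometheusOperator component is disabled.
# Resources for Telemetry component
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: mixer
    release: istio
  name: istio-telemetry
  namespace: istio-system
spec:
  maxReplicas: 5
  metrics:
    - resource:
        name: cpu
        targetAverageUtilization: 80
      type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-telemetry
---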
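apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-mixer-istio-system
  labels:
    app: istio-telemetry
    release: istio
rules:
  # Same grant set as the istio-policy ClusterRole above.
  - apiGroups: ["config.istio.io"]  # istio CRD watcher
    resources: ["*"]
    verbs: ["create", "get", "list", "watch", "patch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): cluster-wide read of "secrets"; confirm the telemetry
  # component needs Secrets outside istio-system.
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
---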
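apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-mixer-admin-role-binding-istio-system
  labels:
    app: istio-telemetry
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-mixer-istio-system
subjects:
  # istio-mixer-service-account is also the SPIFFE identity the policy proxy
  # pins for its mixer_report_server cluster.
  - kind: ServiceAccount
    name: istio-mixer-service-account
    namespace: istio-system
---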
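apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: istioproxy
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  # Attribute vocabulary produced by the proxy. Several entries carry request
  # credentials or user data (request.headers, request.auth.claims,
  # request.auth.raw_claims, request.api_key, request.query_params); keep them
  # out of adapters that persist or export telemetry.
  attributes:
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    request.headers:
      valueType: STRING_MAP
    request.id:
      valueType: STRING
    request.host:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.url_path:
      valueType: STRING
    request.query_params:
      valueType: STRING_MAP
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.total_size:
      valueType: INT64
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.headers:
      valueType: STRING_MAP
    response.total_size:
      valueType: INT64
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.grpc_status:
      valueType: STRING
    response.grpc_message:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user:  # DEPRECATED
      valueType: STRING
    source.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    destination.principal:
      valueType: STRING
    destination.port:
      valueType: INT64
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    connection.duration:
      valueType: DURATION
    connection.mtls:
      valueType: BOOL
    connection.requested_server_name:
      valueType: STRING
    context.protocol:
      valueType: STRING
    context.proxy_error_code:
      valueType: STRING
    context.timestamp:
      valueType: TIMESTAMP
    context.time:
      valueType: TIMESTAMP
    # Deprecated, kept for compatibility
    context.reporter.local:
      valueType: BOOL
    context.reporter.kind:
      valueType: STRING
    context.reporter.uid:
      valueType: STRING
    context.proxy_version:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    request.auth.principal:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.presenter:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    request.auth.raw_claims:
      valueType: STRING
    request.api_key:
      valueType: STRING
    rbac.permissive.response_code:
      valueType: STRING
    rbac.permissive.effective_policy_id:
      valueType: STRING
    check.error_code:
      valueType: INT64
    check.error_message:
      valueType: STRING
    check.cache_hit:
      valueType: BOOL
    quota.cache_hit:
      valueType: BOOL
---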
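apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: kubernetes
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  # Attribute vocabulary derived from Kubernetes metadata (the kubernetesenv
  # side of the attribute set); these are the source.*/destination.* fields
  # the metric instances below key their dimensions on.
  attributes:
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.uid:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.owner:
      valueType: STRING
    destination.name:
      valueType: STRING
    destination.container.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
---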
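apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    # Every value here is an attribute expression; "1" counts one request.
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Falls back to the request Host header only when a service name is known,
      # so unmatched traffic stays "unknown" instead of creating a label per host.
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # "mutual_tls" only when this side is the destination and the connection
      # was mTLS; the outbound reporter cannot observe it and reports "unknown".
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      # Expression string literal: the inner double quotes are part of the value.
      monitored_resource_type: '"UNSPECIFIED"'
---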
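apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestduration
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    # Same dimension set as requestcount; the value is the response latency.
    value: response.duration | "0ms"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      # Expression string literal: the inner double quotes are part of the value.
      monitored_resource_type: '"UNSPECIFIED"'
---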
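apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestsize
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    # Same dimension set as requestcount; the value is the request body size.
    value: request.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      # Expression string literal: the inner double quotes are part of the value.
      monitored_resource_type: '"UNSPECIFIED"'
---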
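apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: responsesize
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    # Same dimension set as requestcount; the value is the response body size.
    value: response.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      # Expression string literal: the inner double quotes are part of the value.
      monitored_resource_type: '"UNSPECIFIED"'
---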
# Mixer metric instance: bytes sent on a TCP connection (connection.sent.bytes).
# TCP instances carry no request_protocol / response_code dimensions because
# there is no L7 request to attribute them to; otherwise the label set mirrors
# the HTTP instances so the same dashboards can join on workload/principal.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytesent
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: connection.sent.bytes | 0
    dimensions:
      # "source" when the reporting proxy is the client-side one, "destination" otherwise.
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Unlike the HTTP instances there is no request.host fallback here.
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination-side report can tell whether the connection used mTLS.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Mixer metric instance: bytes received on a TCP connection
# (connection.received.bytes). Same dimension set as tcpbytesent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytereceived
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: connection.received.bytes | 0
    dimensions:
      # "source" when the reporting proxy is the client-side one, "destination" otherwise.
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination-side report can tell whether the connection used mTLS.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Mixer metric instance: one unit per TCP connection open event. The value is
# the constant expression "1"; the promtcpconnectionopen rule below only fires
# this instance when connection.event == "open".
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsopened
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      # "source" when the reporting proxy is the client-side one, "destination" otherwise.
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination-side report can tell whether the connection used mTLS.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Mixer metric instance: one unit per TCP connection close event. Counterpart
# of tcpconnectionsopened; fired by the promtcpconnectionclosed rule below when
# connection.event == "close".
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsclosed
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      # "source" when the reporting proxy is the client-side one, "destination" otherwise.
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # Only the destination-side report can tell whether the connection used mTLS.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
      monitored_resource_type: '"UNSPECIFIED"'
---
# Mixer prometheus handler: maps each metric instance above onto a Prometheus
# series. `label_names` must list exactly the dimensions the referenced instance
# produces — a label that is missing from the instance would be empty, and a
# dimension not listed here is dropped. The Istio `istio_` prefix is added by
# the adapter, so `requests_total` is exposed as istio_requests_total.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledAdapter: prometheus
  params:
    # Series that receive no update within this window are expired from the
    # adapter's registry; this bounds memory for churning label sets (pods,
    # versions) but also means a silent service disappears from /metrics.
    metricsExpirationPolicy:
      metricsExpiryDuration: "10m"
    metrics:
    - name: requests_total
      instance_name: requestcount.instance.istio-system
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
    - name: request_duration_seconds
      instance_name: requestduration.instance.istio-system
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      # Fixed histogram edges; the metric name says seconds, so 0.005 = 5 ms and
      # the last finite bucket ends at 10 s.
      buckets:
        explicit_buckets:
          bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
    - name: request_bytes
      instance_name: requestsize.instance.istio-system
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      # 8 finite buckets growing by 10x from scale 1 (1, 10, ..., 1e7 bytes).
      buckets:
        exponentialBuckets:
          numFiniteBuckets: 8
          scale: 1
          growthFactor: 10
    - name: response_bytes
      instance_name: responsesize.instance.istio-system
      kind: DISTRIBUTION
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - request_protocol
      - response_code
      - response_flags
      - permissive_response_code
      - permissive_response_policyid
      - connection_security_policy
      buckets:
        exponentialBuckets:
          numFiniteBuckets: 8
          scale: 1
          growthFactor: 10
    # TCP metrics: no request_protocol / response_code / permissive_* labels,
    # matching the tcp* instances above.
    - name: tcp_sent_bytes_total
      instance_name: tcpbytesent.instance.istio-system
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
    - name: tcp_received_bytes_total
      instance_name: tcpbytereceived.instance.istio-system
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
    - name: tcp_connections_opened_total
      instance_name: tcpconnectionsopened.instance.istio-system
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
    - name: tcp_connections_closed_total
      instance_name: tcpconnectionsclosed.instance.istio-system
      kind: COUNTER
      label_names:
      - reporter
      - source_app
      - source_principal
      - source_workload
      - source_workload_namespace
      - source_version
      - destination_app
      - destination_principal
      - destination_workload
      - destination_workload_namespace
      - destination_version
      - destination_service
      - destination_service_name
      - destination_service_namespace
      - connection_security_policy
      - response_flags
---
# Rule: send the four HTTP/gRPC metric instances to the prometheus handler.
# Requests whose User-Agent matches "kube-probe*" or "Prometheus*" are excluded
# so health checks and scrapes do not pollute the metrics. Because User-Agent
# is set by the client, any request carrying such a value is likewise left out
# of istio_requests_total and friends; do not treat these series as a complete
# audit trail of traffic.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  labels:
    app: istio-telemetry
    release: istio
  name: promhttp
  namespace: istio-system
spec:
  match: >-
    (context.protocol == "http" || context.protocol == "grpc") &&
    (match((request.useragent | "-"), "kube-probe*") == false) &&
    (match((request.useragent | "-"), "Prometheus*") == false)
  actions:
  - handler: prometheus
    instances:
    - requestcount
    - requestduration
    - requestsize
    - responsesize
---
# Rule: report the TCP byte counters for every TCP report (no User-Agent
# exclusion applies here, there is no L7 header to match on).
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  labels:
    app: istio-telemetry
    release: istio
  name: promtcp
  namespace: istio-system
spec:
  match: >-
    context.protocol == "tcp"
  actions:
  - handler: prometheus
    instances:
    - tcpbytesent
    - tcpbytereceived
---
# Rule: count a TCP connection once, when the proxy reports its "open" event.
# connection.event defaults to "na" so reports without the attribute never match.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  labels:
    app: istio-telemetry
    release: istio
  name: promtcpconnectionopen
  namespace: istio-system
spec:
  match: >-
    context.protocol == "tcp" && ((connection.event | "na") == "open")
  actions:
  - handler: prometheus
    instances:
    - tcpconnectionsopened
---
# Rule: count a TCP connection once more when its "close" event is reported.
# Together with promtcpconnectionopen this gives open/close totals per
# workload pair.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  labels:
    app: istio-telemetry
    release: istio
  name: promtcpconnectionclosed
  namespace: istio-system
spec:
  match: >-
    context.protocol == "tcp" && ((connection.event | "na") == "close")
  actions:
  - handler: prometheus
    instances:
    - tcpconnectionsclosed
---
# Mixer kubernetesenv handler: enriches reports with pod/workload metadata
# from the Kubernetes API (see the `attributes` instance below for what it
# fills in). `params` is left null here — only comments follow it — so no
# kubeconfig_path is set; presumably the adapter then uses the in-cluster
# credentials of the istio-mixer-service-account, which must therefore be
# granted read access to pods and workload owners — confirm against the RBAC
# rules for that service account.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: kubernetesenv
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledAdapter: kubernetesenv
  params:
    # when running from mixer root, use the following config after adding a
    # symbolic link to a kubernetes config file via:
    #
    # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
    #
    # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
---
# Rule: run the kubernetesenv attribute generator for every report. There is
# no `match`, so this applies regardless of protocol; the separate
# tcpkubeattrgenrulerule below repeats it for TCP explicitly.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  labels:
    app: istio-telemetry
    release: istio
  name: kubeattrgenrulerule
  namespace: istio-system
spec:
  actions:
  - handler: kubernetesenv
    instances:
    - attributes
---
# Rule: run the kubernetesenv attribute generator for TCP reports.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  labels:
    app: istio-telemetry
    release: istio
  name: tcpkubeattrgenrulerule
  namespace: istio-system
spec:
  match: >-
    context.protocol == "tcp"
  actions:
  - handler: kubernetesenv
    instances:
    - attributes
---
# Mixer attribute-generating instance for the kubernetesenv handler. The proxy
# only knows UIDs, IPs and ports; this instance hands those to the adapter and
# binds its output back onto the source.* / destination.* attributes that every
# metric instance above keys on. The workload, principal-adjacent (service
# account) and namespace labels in the Prometheus series therefore come from
# this lookup, not from the proxy's own report.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: attributes
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  compiledTemplate: kubernetes
  params:
    # Pass the required attribute data to the adapter
    source_uid: source.uid | ""
    source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr
    destination_uid: destination.uid | ""
    destination_port: destination.port | 0
  attributeBindings:
    # Fill the new attributes from the adapter produced output.
    # $out refers to an instance of OutputTemplate message
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.uid: $out.source_pod_uid | "unknown"
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    # NOTE: a lookup miss is reported as namespace "default", which is
    # indistinguishable from a real pod in the default namespace when reading
    # the metrics — prefer "unknown"-valued labels when triaging odd traffic.
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    # Same "default" fallback as source.namespace above.
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
---
# Client-side policy for talking to Mixer telemetry. Two ports are exposed:
# 15004 is reached with Istio mutual TLS, 9091 with TLS disabled (plaintext).
# The matching server side is in the telemetry-envoy-config ConfigMap below:
# the "15004" listener requires a client certificate, the "9091" listener has
# no tls_context at all. Sidecars that cannot present a certificate fall back
# to 9091, so telemetry from those workloads travels unauthenticated and
# unencrypted; keep that in mind when deciding which port to expose via
# NetworkPolicy.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: istio-telemetry
    release: istio
spec:
  host: istio-telemetry.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 15004 # grpc-mixer-mtls
      tls:
        mode: ISTIO_MUTUAL
    - port:
        number: 9091 # grpc-mixer
      tls:
        mode: DISABLE
    # Report calls are multiplexed over HTTP/2; these limits govern how many
    # concurrent reports a single sidecar may have in flight to Mixer.
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
# Envoy bootstrap template for the istio-proxy container that fronts Mixer
# telemetry (mounted at /var/lib/envoy and rendered by `pilot-agent proxy
# --templateFile`; `{{ .PodName }}`, `{{ .PodIP }}` and `.DisableReportCalls`
# are filled in at render time). Everything under `envoy.yaml.tmpl` is a block
# scalar — i.e. opaque data to this manifest — so the notes live up here.
#
# Trust boundaries defined by this template:
#   * Envoy's admin API is bound to 127.0.0.1:15000 only. The 0.0.0.0:15090
#     listener proxies a single route, /stats/prometheus, to it, so scrapers
#     get metrics without reaching the rest of the admin surface via this
#     listener. Admin access logging is sent to /dev/null.
#   * 0.0.0.0:15004 terminates TLS with the pod's certs from /etc/certs,
#     requires a client certificate and validates it against root-cert.pem.
#     Note there is no verify_subject_alt_name on this inbound side (the
#     galley cluster below does pin one), so any identity issued by the mesh
#     CA may submit Report calls; authorization, if any, must come from Mixer.
#   * 0.0.0.0:9091 is the same Mixer filter chain with no tls_context:
#     plaintext, unauthenticated reports (the DestinationRule above sets
#     port 9091 to tls mode DISABLE to match).
#   * Both listeners forward to the `inbound_9092` cluster, a Unix socket at
#     /sock/mixer.socket shared with the mixer container; nothing crosses the
#     network between proxy and Mixer.
#   * 127.0.0.1:15019 is a local-only front for Galley: Mixer's
#     --configStoreURL=mcp://localhost:15019 goes through here and out via
#     `out.galley.15019`, which uses the pod's certs and pins the peer to
#     spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account.
#     This hop has file access logging to /dev/stdout, the Mixer listeners
#     do not.
#   * max_concurrent_streams is 1073741824 (2^30), effectively unbounded;
#     the circuit_breakers thresholds (100000) are the only back-pressure.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: istio-system
  name: telemetry-envoy-config
  labels:
    release: istio
data:
  # Explicitly defined - moved from istio/istio/pilot/docker.
  envoy.yaml.tmpl: |-
    admin:
      access_log_path: /dev/null
      address:
        socket_address:
          address: 127.0.0.1
          port_value: 15000
    stats_config:
      use_all_default_tags: false
      stats_tags:
      - tag_name: cluster_name
        regex: '^cluster\.((.+?(\..+?\.svc\.cluster\.local)?)\.)'
      - tag_name: tcp_prefix
        regex: '^tcp\.((.*?)\.)\w+?$'
      - tag_name: response_code
        regex: '_rq(_(\d{3}))$'
      - tag_name: response_code_class
        regex: '_rq(_(\dxx))$'
      - tag_name: http_conn_manager_listener_prefix
        regex: '^listener(?=\.).*?\.http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)'
      - tag_name: http_conn_manager_prefix
        regex: '^http\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)'
      - tag_name: listener_address
        regex: '^listener\.(((?:[_.[:digit:]]*|[_\[\]aAbBcCdDeEfF[:digit:]]*))\.)'
    static_resources:
      clusters:
      - name: prometheus_stats
        type: STATIC
        connect_timeout: 0.250s
        lb_policy: ROUND_ROBIN
        hosts:
        - socket_address:
            protocol: TCP
            address: 127.0.0.1
            port_value: 15000
      - name: inbound_9092
        circuit_breakers:
          thresholds:
          - max_connections: 100000
            max_pending_requests: 100000
            max_requests: 100000
            max_retries: 3
        connect_timeout: 1.000s
        hosts:
        - pipe:
            path: /sock/mixer.socket
        http2_protocol_options: {}
      - name: out.galley.15019
        http2_protocol_options: {}
        connect_timeout: 1.000s
        type: STRICT_DNS
        circuit_breakers:
          thresholds:
          - max_connections: 100000
            max_pending_requests: 100000
            max_requests: 100000
            max_retries: 3
        hosts:
        - socket_address:
            address: istio-galley.istio-system
            port_value: 15019
        tls_context:
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: /etc/certs/cert-chain.pem
              private_key:
                filename: /etc/certs/key.pem
            validation_context:
              trusted_ca:
                filename: /etc/certs/root-cert.pem
              verify_subject_alt_name:
              - spiffe://cluster.local/ns/istio-system/sa/istio-galley-service-account
      listeners:
      - name: "15090"
        address:
          socket_address:
            protocol: TCP
            address: 0.0.0.0
            port_value: 15090
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              codec_type: AUTO
              stat_prefix: stats
              route_config:
                virtual_hosts:
                - name: backend
                  domains:
                  - '*'
                  routes:
                  - match:
                      prefix: /stats/prometheus
                    route:
                      cluster: prometheus_stats
              http_filters:
              - name: envoy.router
      - name: "15004"
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 15004
        filter_chains:
        - filters:
          - config:
              codec_type: HTTP2
              http2_protocol_options:
                max_concurrent_streams: 1073741824
              generate_request_id: true
              http_filters:
              - config:
                  default_destination_service: istio-telemetry.istio-system.svc.cluster.local
                  service_configs:
                    istio-telemetry.istio-system.svc.cluster.local:
                      disable_check_calls: true
                      {{- if .DisableReportCalls }}
                      disable_report_calls: true
                      {{- end }}
                  mixer_attributes:
                    attributes:
                      destination.service.host:
                        string_value: istio-telemetry.istio-system.svc.cluster.local
                      destination.service.uid:
                        string_value: istio://istio-system/services/istio-telemetry
                      destination.service.name:
                        string_value: istio-telemetry
                      destination.service.namespace:
                        string_value: istio-system
                      destination.uid:
                        string_value: kubernetes://{{ .PodName }}.istio-system
                      destination.namespace:
                        string_value: istio-system
                      destination.ip:
                        bytes_value: {{ .PodIP }}
                      destination.port:
                        int64_value: 15004
                      context.reporter.kind:
                        string_value: inbound
                      context.reporter.uid:
                        string_value: kubernetes://{{ .PodName }}.istio-system
                  transport:
                    check_cluster: mixer_check_server
                    report_cluster: inbound_9092
                name: mixer
              - name: envoy.router
              route_config:
                name: "15004"
                virtual_hosts:
                - domains:
                  - '*'
                  name: istio-telemetry.istio-system.svc.cluster.local
                  routes:
                  - decorator:
                      operation: Report
                    match:
                      prefix: /
                    route:
                      cluster: inbound_9092
                      timeout: 0.000s
              stat_prefix: "15004"
            name: envoy.http_connection_manager
          tls_context:
            common_tls_context:
              alpn_protocols:
              - h2
              tls_certificates:
              - certificate_chain:
                  filename: /etc/certs/cert-chain.pem
                private_key:
                  filename: /etc/certs/key.pem
              validation_context:
                trusted_ca:
                  filename: /etc/certs/root-cert.pem
            require_client_certificate: true
      - name: "9091"
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 9091
        filter_chains:
        - filters:
          - config:
              codec_type: HTTP2
              http2_protocol_options:
                max_concurrent_streams: 1073741824
              generate_request_id: true
              http_filters:
              - config:
                  default_destination_service: istio-telemetry.istio-system.svc.cluster.local
                  service_configs:
                    istio-telemetry.istio-system.svc.cluster.local:
                      disable_check_calls: true
                      {{- if .DisableReportCalls }}
                      disable_report_calls: true
                      {{- end }}
                  mixer_attributes:
                    attributes:
                      destination.service.host:
                        string_value: istio-telemetry.istio-system.svc.cluster.local
                      destination.service.uid:
                        string_value: istio://istio-system/services/istio-telemetry
                      destination.service.name:
                        string_value: istio-telemetry
                      destination.service.namespace:
                        string_value: istio-system
                      destination.uid:
                        string_value: kubernetes://{{ .PodName }}.istio-system
                      destination.namespace:
                        string_value: istio-system
                      destination.ip:
                        bytes_value: {{ .PodIP }}
                      destination.port:
                        int64_value: 9091
                      context.reporter.kind:
                        string_value: inbound
                      context.reporter.uid:
                        string_value: kubernetes://{{ .PodName }}.istio-system
                  transport:
                    check_cluster: mixer_check_server
                    report_cluster: inbound_9092
                name: mixer
              - name: envoy.router
              route_config:
                name: "9091"
                virtual_hosts:
                - domains:
                  - '*'
                  name: istio-telemetry.istio-system.svc.cluster.local
                  routes:
                  - decorator:
                      operation: Report
                    match:
                      prefix: /
                    route:
                      cluster: inbound_9092
                      timeout: 0.000s
              stat_prefix: "9091"
            name: envoy.http_connection_manager
      - name: "local.15019"
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 15019
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              codec_type: HTTP2
              stat_prefix: "15019"
              http2_protocol_options:
                max_concurrent_streams: 1073741824
              access_log:
              - name: envoy.file_access_log
                config:
                  path: /dev/stdout
              http_filters:
              - name: envoy.router
              route_config:
                name: "15019"
                virtual_hosts:
                - name: istio-galley
                  domains:
                  - '*'
                  routes:
                  - match:
                      prefix: /
                    route:
                      cluster: out.galley.15019
                      timeout: 0.000s
---
# Mixer telemetry deployment. Two containers share the pod:
#   * `mixer` listens on the Unix socket /sock/mixer.socket (the `uds-socket`
#     emptyDir) and fetches its configuration from mcp://localhost:15019;
#   * `istio-proxy` renders /var/lib/envoy/envoy.yaml.tmpl (the
#     telemetry-envoy-config ConfigMap) and owns every network-facing port:
#     15004 (mTLS reports), 15090 (prometheus stats) and the plaintext 9091.
# Because `sidecar.istio.io/inject` is "false", this explicit proxy container
# is the only proxy in the pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: istio-mixer
    istio: mixer
    release: istio
  name: istio-telemetry
  namespace: istio-system
spec:
  # With the PodDisruptionBudget below requiring minAvailable: 1, a single
  # replica can never be voluntarily evicted — node drains will block on this
  # pod until it is raised (or the PDB relaxed).
  replicas: 1
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: telemetry
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        app: telemetry
        istio: mixer
        istio-mixer-type: telemetry
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      # NOTE(review): neither container sets a securityContext (no runAsNonRoot,
      # no capability drop, no readOnlyRootFilesystem). Verify the images
      # tolerate those settings before adding them — the proxy renders its
      # config at start-up and may need a writable path.
      containers:
      - args:
        - --monitoringPort=15014
        - --address
        - unix:///sock/mixer.socket
        - --log_output_level=default:info
        # Reaches Galley through the proxy's local.15019 listener, which adds
        # mTLS and SAN pinning on the way out.
        - --configStoreURL=mcp://localhost:15019
        - --configDefaultNamespace=istio-system
        - --useAdapterCRDs=false
        - --useTemplateCRDs=false
        # Traces are exported over plain http:// to zipkin; span contents
        # (request metadata) travel unencrypted inside the cluster.
        - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: GOMAXPROCS
          value: "6"
        # Tag-pinned only. A tag is mutable at the registry; for a reproducible
        # supply chain pin by digest, e.g.
        #   docker.io/istio/mixer@sha256:<DIGEST-PLACEHOLDER>
        image: docker.io/istio/mixer:1.4.5
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /version
            port: 15014
          initialDelaySeconds: 5
          periodSeconds: 5
        name: mixer
        ports:
        - containerPort: 9091
        - containerPort: 15014
        - containerPort: 42422
        resources:
          limits:
            cpu: 4800m
            memory: 4G
          requests:
            cpu: 1000m
            memory: 1G
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
        - mountPath: /var/run/secrets/istio.io/telemetry/adapter
          name: telemetry-adapter-secret
          readOnly: true
      - args:
        - proxy
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --serviceCluster
        - istio-telemetry
        - --templateFile
        - /var/lib/envoy/envoy.yaml.tmpl
        # Control-plane connections use the certificates mounted at /etc/certs.
        - --controlPlaneAuthPolicy
        - MUTUAL_TLS
        - --trust-domain=cluster.local
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        # Certificates come from the mounted secret below, not from SDS.
        - name: SDS_ENABLED
          value: "false"
        # Tag-pinned only; see the note on the mixer image above.
        image: docker.io/istio/proxyv2:1.4.5
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15004
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        volumeMounts:
        - mountPath: /var/lib/envoy
          name: telemetry-envoy-config
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      serviceAccountName: istio-mixer-service-account
      volumes:
      # `optional: true` lets the pod start without its certificate secret; in
      # that case the mTLS listener and the Galley connection presumably fail at
      # runtime rather than the pod failing to schedule — watch for a pod that
      # is Running but only serves the plaintext 9091 port.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-mixer-service-account
      # Shared between the two containers for /sock/mixer.socket.
      - emptyDir: {}
        name: uds-socket
      - name: telemetry-adapter-secret
        secret:
          optional: true
          secretName: telemetry-adapter-secret
      - configMap:
          name: telemetry-envoy-config
        name: telemetry-envoy-config
---
# PodDisruptionBudget for Mixer telemetry. minAvailable: 1 combined with the
# Deployment's replicas: 1 means no pod of this set may ever be voluntarily
# evicted, so `kubectl drain` and cluster-autoscaler scale-downs block on it.
# Either run at least two replicas or drop the budget; a PDB that can never be
# satisfied protects nothing and only stalls maintenance.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: telemetry
    release: istio
    istio: mixer
    istio-mixer-type: telemetry
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: telemetry
      istio: mixer
      istio-mixer-type: telemetry
---
# Service in front of the telemetry pods (selected by istio/istio-mixer-type,
# not by `app`, which differs between this Service and the pod template).
# Ports, as wired in the Deployment and DestinationRule:
#   9091  grpc-mixer       plaintext Report endpoint (DestinationRule: tls DISABLE)
#   15004 grpc-mixer-mtls  Report endpoint requiring a client certificate
#   15014 http-monitoring  Mixer's own monitoring port (liveness probe /version)
#   42422 prometheus       exposed by the mixer container
# Consider a NetworkPolicy that limits 9091 to namespaces that genuinely
# cannot use mTLS.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: mixer
    istio: mixer
    release: istio
  name: istio-telemetry
  namespace: istio-system
spec:
  selector:
    istio: mixer
    istio-mixer-type: telemetry
  ports:
  - name: grpc-mixer
    port: 9091
  - name: grpc-mixer-mtls
    port: 15004
  - name: http-monitoring
    port: 15014
  - name: prometheus
    port: 42422
---
# Identity the telemetry pod runs as. The certificate secret it mounts is
# named after it (istio.istio-mixer-service-account) and the kubernetesenv
# adapter presumably reads the Kubernetes API with its token, so its RBAC
# bindings (defined elsewhere in this manifest) should stay read-only.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-telemetry
    release: istio
  name: istio-mixer-service-account
  namespace: istio-system
---
# Tracing component is disabled.