# File: github.com/looshlee/beatles@v0.0.0-20220727174639-742810ab631c/test/k8sT/manifests/istio-cilium.yaml
#
# Multi-document Kubernetes manifest. The "# Source:" comments and the
# "heritage: Helm" labels indicate rendered Istio Helm chart output; the
# "version" labels below read 1.4.6.
#
# NOTE(review): every PodDisruptionBudget here uses policy/v1beta1, which is
# no longer served as of Kubernetes 1.25 (policy/v1 replaces it).
# NOTE(review): minAvailable: 1 blocks voluntary eviction entirely if the
# selected workload runs a single replica. Replica counts are not visible in
# this part of the file -- confirm before relying on node drains.
---
# Source: istio/charts/galley/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Helm
    release: istio
    istio: galley
spec:

  minAvailable: 1
  selector:
    matchLabels:
      app: galley
      release: istio
      istio: galley
---
# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Helm
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:

  minAvailable: 1
  selector:
    matchLabels:
      release: istio
      app: istio-ingressgateway
      istio: ingressgateway
---
# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: policy
    chart: mixer
    heritage: Helm
    release: istio
    version: 1.4.6
    istio: mixer
    istio-mixer-type: policy
spec:

  minAvailable: 1
  selector:
    matchLabels:
      app: policy
      release: istio
      istio: mixer
      istio-mixer-type: policy
---
# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: telemetry
    chart: mixer
    heritage: Helm
    release: istio
    version: 1.4.6
    istio: mixer
    istio-mixer-type: telemetry
spec:

  minAvailable: 1
  selector:
    matchLabels:
      app: telemetry
      release: istio
      istio: mixer
      istio-mixer-type: telemetry
---
# Source: istio/charts/pilot/templates/poddisruptionbudget.yaml
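apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Helm
    release: istio
    istio: pilot
spec:

  minAvailable: 1
  selector:
    matchLabels:
      app: pilot
      release: istio
      istio: pilot
---
# Source: istio/charts/security/templates/poddisruptionbudget.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
    istio: citadel
spec:

  minAvailable: 1
  selector:
    matchLabels:
      app: security
      release: istio
      istio: citadel
---
# NOTE(review): the ServiceAccount objects below carry no permissions by
# themselves. The Roles/ClusterRoles and bindings that grant them access are
# not in this part of the file; review those to judge each account's privilege.
# Source: istio/charts/galley/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-galley-service-account
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Helm
    release: istio
---
# Source: istio/charts/gateways/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-ingressgateway-service-account
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Helm
    release: istio
---
# Source: istio/charts/mixer/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-mixer-service-account
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
---
# Source: istio/charts/pilot/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-pilot-service-account
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Helm
    release: istio
---
# Source: istio/charts/prometheus/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Helm
    release: istio
---
# NOTE(review): this account comes from create-custom-resources-job.yaml;
# presumably it is the identity of the Job that runs run.sh from the
# istio-security-custom-resources ConfigMap (kubectl get/apply). Confirm
# against the Job spec and its RBAC, which are not visible here.
# Source: istio/charts/security/templates/create-custom-resources-job.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-security-post-install-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
---
# Source: istio/charts/security/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-citadel-service-account
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
---
# Source: istio/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-multi
  namespace: istio-system
---
# Source: istio/charts/galley/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-galley-configuration
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Helm
    release: istio
    istio: galley
data:
  # The value below is an embedded ValidatingWebhookConfiguration with two
  # webhooks, both served by the istio-galley Service in istio-system.
  # NOTE(review): failurePolicy is Fail on both webhooks, so CREATE/UPDATE of
  # the listed Istio resources is rejected whenever Galley cannot be reached
  # (fail-closed for config validation, at the cost of availability).
  # NOTE(review): caBundle is empty in this template; presumably it is filled
  # in at runtime -- confirm, since an empty bundle gives the API server
  # nothing to verify the webhook's certificate against.
  # NOTE(review): admissionregistration.k8s.io/v1beta1 is no longer served as
  # of Kubernetes 1.22.
  validatingwebhookconfiguration.yaml: |-
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: istio-galley
      labels:
        app: galley
        chart: galley
        heritage: Helm
        release: istio
        istio: galley
    webhooks:
      - name: pilot.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitpilot"
          caBundle: ""
        rules:
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - config.istio.io
            apiVersions:
            - v1alpha2
            resources:
            - httpapispecs
            - httpapispecbindings
            - quotaspecs
            - quotaspecbindings
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - rbac.istio.io
            apiVersions:
            - "*"
            resources:
            - "*"
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - security.istio.io
            apiVersions:
            - "*"
            resources:
            - "*"
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - authentication.istio.io
            apiVersions:
            - "*"
            resources:
            - "*"
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - networking.istio.io
            apiVersions:
            - "*"
            resources:
            - destinationrules
            - envoyfilters
            - gateways
            - serviceentries
            - sidecars
            - virtualservices
        failurePolicy: Fail
        sideEffects: None
      - name: mixer.validation.istio.io
        clientConfig:
          service:
            name: istio-galley
            namespace: istio-system
            path: "/admitmixer"
          caBundle: ""
        rules:
          - operations:
            - CREATE
            - UPDATE
            apiGroups:
            - config.istio.io
            apiVersions:
            - v1alpha2
            resources:
            - rules
            - attributemanifests
            - circonuses
            - deniers
            - fluentds
            - kubernetesenvs
            - listcheckers
            - memquotas
            - noops
            - opas
            - prometheuses
            - rbacs
            - solarwindses
            - stackdrivers
            - cloudwatches
            - dogstatsds
            - statsds
            - stdios
            - apikeys
            - authorizations
            - checknothings
            # - kuberneteses
            - listentries
            - logentries
            - metrics
            - quotas
            - reportnothings
            - tracespans
            - adapters
            - handlers
            - instances
            - templates
            - zipkins
        failurePolicy: Fail
        sideEffects: None
---
# Source: istio/charts/prometheus/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Helm
    release: istio
data:
  # Embedded Prometheus configuration. Points a reviewer should check:
  #  - 'kubernetes-apiservers', 'kubernetes-nodes' and 'kubernetes-cadvisor'
  #    authenticate with the pod's ServiceAccount token.
  #  - 'kubernetes-service-endpoints', 'kubernetes-pods' and
  #    'kubernetes-pods-istio-secure' have no namespace restriction and take
  #    scheme/path/port from prometheus.io/* annotations.
  #  - 'kubernetes-pods-istio-secure' sets insecure_skip_verify: true.
  prometheus.yml: |-
    global:
      scrape_interval: 15s
    scrape_configs:

    - job_name: 'istio-mesh'
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - istio-system

      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-telemetry;prometheus

    # Scrape config for envoy stats
    - job_name: 'envoy-stats'
      metrics_path: /stats/prometheus
      kubernetes_sd_configs:
      - role: pod

      relabel_configs:
      - source_labels: [__meta_kubernetes_pod_container_port_name]
        action: keep
        regex: '.*-envoy-prom'
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
        action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:15090
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: pod_name

    - job_name: 'istio-policy'
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - istio-system


      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-policy;http-monitoring

    - job_name: 'istio-telemetry'
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - istio-system

      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-telemetry;http-monitoring

    - job_name: 'pilot'
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - istio-system

      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-pilot;http-monitoring

    - job_name: 'galley'
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - istio-system

      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-galley;http-monitoring

    - job_name: 'citadel'
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - istio-system

      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istio-citadel;http-monitoring

    # scrape config for API servers
    # The server certificate is checked against the in-cluster CA file and the
    # request carries the pod's ServiceAccount token.
    - job_name: 'kubernetes-apiservers'
      kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names:
          - default
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: kubernetes;https

    # scrape config for nodes (kubelet)
    # NOTE(review): __address__ is rewritten to kubernetes.default.svc:443 and
    # the path to /api/v1/nodes/<node>/proxy/metrics, so node metrics are
    # fetched through the API server's node proxy using the ServiceAccount
    # token. The RBAC rule permitting this is not in this part of the file;
    # node-proxy access is broad, so check how the ClusterRole scopes it.
    - job_name: 'kubernetes-nodes'
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/${1}/proxy/metrics

    # Scrape config for Kubelet cAdvisor.
    #
    # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics
    # (those whose names begin with 'container_') have been removed from the
    # Kubelet metrics endpoint.  This job scrapes the cAdvisor endpoint to
    # retrieve those metrics.
    #
    # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor
    # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics"
    # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with
    # the --cadvisor-port=0 Kubelet flag).
    #
    # This job is not necessary and should be removed in Kubernetes 1.6 and
    # earlier versions, or it will cause the metrics to be scraped twice.
    - job_name: 'kubernetes-cadvisor'
      scheme: https
      tls_config:
        ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
      kubernetes_sd_configs:
      - role: node
      relabel_configs:
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      - target_label: __address__
        replacement: kubernetes.default.svc:443
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor

    # scrape config for service endpoints.
    # NOTE(review): no 'namespaces' restriction, so discovery is cluster-wide.
    # Scheme, path and port come from prometheus.io/* service annotations, so
    # whoever can annotate a Service decides what Prometheus requests from it.
    - job_name: 'kubernetes-service-endpoints'
      kubernetes_sd_configs:
      - role: endpoints
      relabel_configs:
      - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
        action: keep
        regex: true
      - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
        action: replace
        target_label: __scheme__
        regex: (https?)
      - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
        action: replace
        target_label: __metrics_path__
        regex: (.+)
      - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
        action: replace
        target_label: __address__
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
      - action: labelmap
        regex: __meta_kubernetes_service_label_(.+)
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: kubernetes_namespace
      - source_labels: [__meta_kubernetes_service_name]
        action: replace
        target_label: kubernetes_name

    # Plain-HTTP pod scraping: keeps annotated pods that either have no sidecar
    # status annotation or explicitly set prometheus.io/scheme to "http", and
    # drops pods annotated istio.mtls=true (those go to the secure job below).
    - job_name: 'kubernetes-pods'
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:  # If first two labels are present, pod should be scraped by the istio-secure job.
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
        action: keep
        regex: true
      # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http"
      - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme]
        action: keep
        regex: ((;.*)|(.*;http))
      - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls]
        action: drop
        regex: (true)
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
        action: replace
        target_label: __metrics_path__
        regex: (.+)
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
        action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: pod_name

    # NOTE(review): this job presents the Istio client certificate and key from
    # /etc/istio-certs but sets insecure_skip_verify: true, so the target's
    # server certificate is not validated. The connection is encrypted and the
    # scraper is authenticated to the target, but the scraper cannot tell
    # which workload it is talking to. The inline comment gives the reason
    # (no secure-naming support); treat metrics from this job accordingly.
    - job_name: 'kubernetes-pods-istio-secure'
      scheme: https
      tls_config:
        ca_file: /etc/istio-certs/root-cert.pem
        cert_file: /etc/istio-certs/cert-chain.pem
        key_file: /etc/istio-certs/key.pem
        insecure_skip_verify: true  # prometheus does not support secure naming.
      kubernetes_sd_configs:
      - role: pod
      relabel_configs:
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
        action: keep
        regex: true
      # sidecar status annotation is added by sidecar injector and
      # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic.
      - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls]
        action: keep
        regex: (([^;]+);([^;]*))|(([^;]*);(true))
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme]
        action: drop
        regex: (http)
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
        action: replace
        target_label: __metrics_path__
        regex: (.+)
      - source_labels: [__address__]  # Only keep address that is host:port
        action: keep    # otherwise an extra target with ':443' is added for https scheme
        regex: ([^:]+):(\d+)
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
        action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        target_label: __address__
      - action: labelmap
        regex: __meta_kubernetes_pod_label_(.+)
      - source_labels: [__meta_kubernetes_namespace]
        action: replace
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        action: replace
        target_label: pod_name
---
# Source: istio/charts/security/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-security-custom-resources
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
    istio: citadel
data:
  custom-resources.yaml: |-
    # These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
    # they are added to Istio installation yaml for backward compatible. In future, they should be in
    # a separated yaml file so that customer can enable mTLS independent from installation.

    # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
    # NOTE(review): "mtls: {}" leaves the mode at its default; presumably that
    # is STRICT for this API version -- confirm against the Istio 1.4 reference.
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: "MeshPolicy"
    metadata:
      name: "default"
      labels:
        app: security
        chart: security
        heritage: Helm
        release: istio
    spec:
      peers:
      - mtls: {}
    ---
    # Corresponding destination rule to configure client side to use mutual TLS when talking to
    # any service (host) in the mesh.
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: "default"
      namespace: istio-system
      labels:
        app: security
        chart: security
        heritage: Helm
        release: istio
    spec:
      host: "*.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    ---
    # Destination rule to disable (m)TLS when talking to API server, as API server doesn't have sidecar.
    # Customer should add similar destination rules for other services that don't have sidecar.
    # NOTE(review): each DISABLE rule is an exception to the mesh-wide mTLS
    # default above; keep the host as specific as it is here and inventory any
    # further exceptions that get added.
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: "api-server"
      namespace: istio-system
      labels:
        app: security
        chart: security
        heritage: Helm
        release: istio
    spec:
      host: "kubernetes.default.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: DISABLE
  run.sh: |-
    #!/bin/sh
    # Waits for the istio-galley deployment (only when its
    # validatingwebhookconfiguration exists), then applies the resource file
    # given as the single argument.
    # NOTE(review): "set -x" echoes every command to the job log; nothing
    # secret is passed on these command lines, keep it that way.
    # NOTE(review): the wait loop below has no timeout of its own; it relies on
    # whatever deadline the calling Job sets (not visible here).

    set -x

    if [ "$#" -ne "1" ]; then
        echo "first argument should be path to custom resource yaml"
        exit 1
    fi

    pathToResourceYAML=${1}

    kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
    if [ "$?" -eq 0 ]; then
        echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
        while true; do
            kubectl -n istio-system get deployment istio-galley 2>/dev/null
            if [ "$?" -eq 0 ]; then
                break
            fi
            sleep 1
        done
        kubectl -n istio-system rollout status deployment istio-galley
        if [ "$?" -ne 0 ]; then
            echo "istio-galley deployment rollout status check failed"
            exit 1
        fi
        echo "istio-galley deployment ready for configuration validation"
    fi
    sleep 5
    # Quoted so a path containing spaces or glob characters is passed to
    # kubectl as one argument instead of being word-split by the shell.
    kubectl apply -f "${pathToResourceYAML}"
---
# Source: istio/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
  labels:
    app: istio
    chart: istio
    heritage: Helm
    release: istio
data:
  # Embedded Istio mesh configuration. Settings a reviewer should weigh:
  #  - disablePolicyChecks: true turns Mixer policy checks off, so
  #    policyCheckFailOpen presumably has no practical effect while it is set.
  #  - accessLogFile: "" disables sidecar access logs (see the inline
  #    comment), which removes per-request proxy logs from investigations.
  #  - outboundTrafficPolicy.mode: ALLOW_ANY permits egress to destinations
  #    outside the service registry; REGISTRY_ONLY is the restrictive option
  #    described in the inline comment.
  #  - enableAutoMtls: false; mesh-wide mTLS here depends on the MeshPolicy
  #    and DestinationRules in the istio-security-custom-resources ConfigMap.
  #  - interceptionMode: TPROXY makes the sidecar run with CAP_NET_ADMIN (see
  #    the inline comment).
  #  - proxyAdminPort: 15000 is the Envoy admin endpoint on localhost; per the
  #    inline comment it is reachable from inside the pod, which presumably
  #    includes the application container -- confirm.
  mesh: |-
    # Set the following variable to true to disable policy checks by Mixer.
    # Note that metrics will still be reported to Mixer.
    disablePolicyChecks: true

    disableMixerHttpReports: false
    # reportBatchMaxEntries is the number of requests that are batched before telemetry data is sent to the mixer server
    reportBatchMaxEntries: 100
    # reportBatchMaxTime is the max waiting time before the telemetry data of a request is sent to the mixer server
    reportBatchMaxTime: 1s

    # Set enableTracing to false to disable request tracing.
    enableTracing: true

    # Set accessLogFile to empty string to disable access log.
    accessLogFile: ""

    # If accessLogEncoding is TEXT, value will be used directly as the log format
    # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n"
    # If AccessLogEncoding is JSON, value will be parsed as map[string]string
    # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}'
    # Leave empty to use default log format
    accessLogFormat: ""

    # Set accessLogEncoding to JSON or TEXT to configure sidecar access log
    accessLogEncoding: 'TEXT'

    enableEnvoyAccessLogService: false
    mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004
    mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004
    # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
    # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
    policyCheckFailOpen: false
    # Let Pilot give ingresses the public IP of the Istio ingressgateway
    ingressService: istio-ingressgateway

    # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS
    connectTimeout: 10s

    # Automatic protocol detection uses a set of heuristics to
    # determine whether the connection is using TLS or not (on the
    # server side), as well as the application protocol being used
    # (e.g., http vs tcp). These heuristics rely on the client sending
    # the first bits of data. For server first protocols like MySQL,
    # MongoDB, etc., Envoy will timeout on the protocol detection after
    # the specified period, defaulting to non mTLS plain TCP
    # traffic. Set this field to tweak the period that Envoy will wait
    # for the client to send the first bits of data. (MUST BE >=1ms)
    protocolDetectionTimeout: 100ms

    # DNS refresh rate for Envoy clusters of type STRICT_DNS
    dnsRefreshRate: 300s

    # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
    # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
    sdsUdsPath: ""

    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: ""

    # The trust domain aliases represent the aliases of trust_domain.
    # For example, if we have
    # trustDomain: td1
    # trustDomainAliases: ["td2", "td3"]
    # Any service with the identity "td1/ns/foo/sa/a-service-account", "td2/ns/foo/sa/a-service-account",
    # or "td3/ns/foo/sa/a-service-account" will be treated the same in the Istio mesh.
    trustDomainAliases:

    # If true, automatically configure client side mTLS settings to match the corresponding service's
    # server side mTLS authentication policy, when destination rule for that service does not specify
    # TLS settings.
    enableAutoMtls: false

    # Set the default behavior of the sidecar for handling outbound traffic from the application:
    # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no
    #   services or ServiceEntries for the destination port
    # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well
    #   as those defined through ServiceEntries
    outboundTrafficPolicy:
      mode: ALLOW_ANY
    localityLbSetting:
      enabled: true
    # The namespace to treat as the administrative root namespace for istio
    # configuration.
    rootNamespace: istio-system

    # Configures DNS certificates provisioned through Chiron linked into Pilot.
    certificates:
      []
    configSources:
    - address: istio-galley.istio-system.svc:9901
      tlsSettings:
        mode: ISTIO_MUTUAL

    defaultConfig:
      #
      # TCP connection timeout between Envoy & the application, and between Envoys.  Used for static clusters
      # defined in Envoy's configuration file
      connectTimeout: 10s
      #
      ### ADVANCED SETTINGS #############
      # Where should envoy's configuration be stored in the istio-proxy container
      configPath: "/etc/istio/proxy"
      binaryPath: "/usr/local/bin/envoy"
      # The pseudo service name used for Envoy.
      serviceCluster: istio-proxy
      # These settings that determine how long an old Envoy
      # process should be kept alive after an occasional reload.
      drainDuration: 45s
      parentShutdownDuration: 1m0s
      #
      # The mode used to redirect inbound connections to Envoy. This setting
      # has no effect on outbound traffic: iptables REDIRECT is always used for
      # outbound connections.
      # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
      # The "REDIRECT" mode loses source addresses during redirection.
      # If "TPROXY", use iptables TPROXY to redirect to Envoy.
      # The "TPROXY" mode preserves both the source and destination IP
      # addresses and ports, so that they can be used for advanced filtering
      # and manipulation.
      # The "TPROXY" mode also configures the sidecar to run with the
      # CAP_NET_ADMIN capability, which is required to use TPROXY.
      interceptionMode: TPROXY
      #
      # Port where Envoy listens (on local host) for admin commands
      # You can exec into the istio-proxy container in a pod and
      # curl the admin port (curl http://localhost:15000/) to obtain
      # diagnostic information from Envoy. See
      # https://lyft.github.io/envoy/docs/operations/admin.html
      # for more details
      proxyAdminPort: 15000
      #
      # Set concurrency to a specific number to control the number of Proxy worker threads.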
893 # If set to 0 (default), then start worker thread for each CPU thread/core. 894 concurrency: 2 895 # 896 tracing: 897 zipkin: 898 # Address of the Zipkin collector 899 address: zipkin.istio-system:9411 900 # 901 # Mutual TLS authentication between sidecars and istio control plane. 902 controlPlaneAuthPolicy: MUTUAL_TLS 903 # 904 # Address where istio Pilot service is running 905 discoveryAddress: istio-pilot.istio-system:15011 906 907 # Configuration file for the mesh networks to be used by the Split Horizon EDS. 908 meshNetworks: |- 909 networks: {} 910 --- 911 # Source: istio/templates/sidecar-injector-configmap.yaml 912 apiVersion: v1 913 kind: ConfigMap 914 metadata: 915 name: istio-sidecar-injector 916 namespace: istio-system 917 labels: 918 app: istio 919 chart: istio 920 heritage: Helm 921 release: istio 922 istio: sidecar-injector 923 data: 924 values: |- 925 {"certmanager":{"enabled":false,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concur
rency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"hub":"quay.io/jetstack","image":"cert-manager-controller","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"resources":{},"tag":"v0.8.1","tolerations":[]},"egressgateway":{"enabled":false},"galley":{"enableAnalysis
":false,"enableServiceDiscovery":false,"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100
m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"galley","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"gateways":{"enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityCl
assName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"istio-egressgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"
enabled":false,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"labels":{"app":"istio-egressgateway","istio":"egressgateway"},"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"http2","port":80},{"name":"https","port":443},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/egressgateway-certs","name":"egressgateway-certs","secretName":"istio-egressgateway-certs"},{"mountPath":"/etc/istio/egressgateway-ca-certs","name":"egressgateway-ca-certs","secretName":"istio-egressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"ClusterIP"},"istio-ilbgateway":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":false,"labels":{"app":"istio-ilbgateway","istio":"ilbgateway"},"loadBalancerIP":"","nodeSelector":{},"podAnnotations":{},"ports":[{"name":"grpc-pilot-mtls","port":15011},{"name":"grpc-pilot","port":15010},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns","port":5353}],"resources":{"requests":{"cpu":"800m","memory":"512Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","secretVolumes":[{"mountPath":"/etc/istio/ilbgateway-certs","name":"ilbgateway-certs","secretName":"istio-ilbgateway-certs"},{"mountPath":"/etc/istio/ilbgateway-ca-certs","name":"ilbgateway-ca-certs","secretName":"istio-ilbgateway-ca-certs"}],"serviceAnnotations":{"cloud.google.com/load-balancer-type":"internal"},"tolerations":[],"type":"LoadBalancer"},"istio-ingressgateway":{"applicationPorts":"","autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"env":{"ISTIO_META_ROUTER_MODE":"sni-dnat"},"externalIPs":[],"labels":{"app":"istio-ingressgateway","istio":"ingressgateway"},"loa
dBalancerIP":"","loadBalancerSourceRanges":[],"meshExpansionPorts":[{"name":"tcp-pilot-grpc-tls","port":15011,"targetPort":15011},{"name":"tcp-mixer-grpc-tls","port":15004,"targetPort":15004},{"name":"tcp-citadel-grpc-tls","port":8060,"targetPort":8060},{"name":"tcp-dns-tls","port":853,"targetPort":853}],"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"ports":[{"name":"status-port","port":15020,"targetPort":15020},{"name":"http2","nodePort":31380,"port":80,"targetPort":80},{"name":"https","nodePort":31390,"port":443},{"name":"tcp","nodePort":31400,"port":31400},{"name":"https-kiali","port":15029,"targetPort":15029},{"name":"https-prometheus","port":15030,"targetPort":15030},{"name":"https-grafana","port":15031,"targetPort":15031},{"name":"https-tracing","port":15032,"targetPort":15032},{"name":"tls","port":15443,"targetPort":15443}],"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sds":{"enabled":false,"image":"node-agent-k8s","resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}},"secretVolumes":[{"mountPath":"/etc/istio/ingressgateway-certs","name":"ingressgateway-certs","secretName":"istio-ingressgateway-certs"},{"mountPath":"/etc/istio/ingressgateway-ca-certs","name":"ingressgateway-ca-certs","secretName":"istio-ingressgateway-ca-certs"}],"serviceAnnotations":{},"tolerations":[],"type":"LoadBalancer"}},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"ena
bled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"ta
g":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"grafana":{"accessMode":"ReadWriteMany","contextPath":"/grafana","dashboardProviders":{"dashboardproviders.yaml":{"apiVersion":1,"providers":[{"disableDeletion":false,"folder":"istio","name":"istio","options":{"path":"/var/lib/grafana/dashboards/istio"},"orgId":1,"type":"file"}]}},"datasources":{"datasources.yaml":{"apiVersion":1,"datasources":[{"access":"proxy","editable":true,"isDefault":true,"jsonData":{"timeInterval":"5s"},"name":"Prometheus","orgId":1,"type":"prometheus","url":"http://prometheus:9090"}]}},"enabled":false,"env":{},"envSecrets":{},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate"
:"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":{"repository":"grafana/grafana","tag":"6.4.3"},"ingress":{"annotations":{},"enabled":false,"hosts":["grafana.local"],"tls":[]},"nodeSelector":{},"persist":false,"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"security":{"enabled":false,"passphraseKey":"passphrase","se
cretName":"grafana","usernameKey":"username"},"service":{"annotations":{},"externalPort":3000,"loadBalancerIP":null,"loadBalancerSourceRanges":[],"name":"http","type":"ClusterIP"},"storageClassName":"","tolerations":[]},"ingress":{"enabled":false},"istio_cni":{"enabled":false,"repair":{"enabled":true}},"istiocoredns":{"coreDNSImage":"coredns/coredns","coreDNSPluginImage":"istio/coredns-plugin:0.2-istio-1.1","coreDNSTag":"1.6.2","enabled":false,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"}
,"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","tolerations":[]},"kiali":{"contextPath":"/kiali","createDemoSecret":false,"dashboard":{"auth":{"strategy":"login"},"grafanaURL":null,"jaegerURL":null,"secretName":"kiali","viewOnlyMode":false},"enabled":false,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imag
ePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium
/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"hub":"quay.io/kiali","image":"kiali","ingress":{"annotations":{},"enabled":false,"hosts":["kiali.local"],"tls":null},"nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"prometheusAddr":"http://prometheus:9090","replicaCount":1,"security":{"cert_file":"/kiali-cert/cert-chain.pem","enabled":false,"private_key_file":"/kiali-cert/key.pem"},"tag":"v1.9","tolerations":[]},"mixer":{"adapters":{"kubernetesenv":{"enabled":true},"prometheus":{"enabled":true,"metricsExpiryDuration":"10m"},"stdio":{"enabled":false,"outputAsJson":true},"useAdapterCRDs":false},"env":{"GOMAXPROCS":"6"},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessL
ogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"mixer","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"policy":{"autoscaleEna
bled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%"},"telemetry":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"cpu":{"targetAverageUtilization":80},"enabled":true,"loadshedding":{"latencyThreshold":"100ms","mode":"enforce"},"replicaCount":1,"reportBatchMaxEntries":100,"reportBatchMaxTime":"1s","resources":{"limits":{"cpu":"4800m","memory":"4G"},"requests":{"cpu":"1000m","memory":"1G"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sessionAffinityEnabled":false},"tolerations":[]},"nodeagent":{"enabled":false,"env":{"CA_ADDR":"","CA_PROVIDER":"","PLUGINS":""},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":
"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"node-agent-k8s","nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"tolerations":[]},"pilot":{"autoscaleEnabled":true,"autoscaleMax":5,"autoscaleMin":1,"configSource":{"subscribedResources":null},"cpu":{"targetAverageUtilization":80},"enableProtocolSniffingForInbound":false,"enableProtocolSniffingForOutbound":true,"enabled":true,"env":{"PILOT_PUSH_THROTTLE":100},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":tr
ue,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeou
t":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"docker.io/cilium/istio_pilot:1.4.6","keepaliveMaxServerConnectionAge":"30m","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"resources":{"requests":{"cpu":"500m","memory":"2048Mi"}},"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","sidecar":true,"tolerations":[],"traceSampling":1},"prometheus":{"contextPath":"/prometheus","enabled":true,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyChec
kFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"hub":"docker.io/prom","image":"prometheus","ingress":{"annotations":null,"enabled":false,"h
osts":["prometheus.local"],"tls":null},"nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"retention":"6h","scrapeInterval":"15s","security":{"enabled":true},"service":{"annotations":{},"nodePort":{"enabled":false,"port":32090}},"tag":"v2.12.0","tolerations":[]},"security":{"citadelHealthCheck":false,"createMeshPolicy":true,"enableNamespacesByDefault":true,"enabled":true,"env":{},"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enableHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSett
ings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"image":"citadel","nodeSelector":{},"podAnnotations":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"replicaCount":1,"rollingMaxSurge":"100%","rollingMaxUnavailable":"25%","selfSigned":true,"tolerations":[],"workloadCertTtl":"2160h"},"sidecarInjectorWebhook":{"enabled":false},"tracing":{"enabled":false,"global":{"arch":{"amd64":2,"ppc64le":2,"s390x":2},"certificates":[],"configValidation":true,"controlPlaneSecurityEnabled":true,"defaultNodeSelector":{},"defaultPodDisruptionBudget":{"enabled":true},"defaultResources":{"requests":{"cpu":"10m"}},"defaultTolerations":[],"disablePolicyChecks":true,"enableHelmTest":false,"enableTracing":true,"hub":"docker.io/istio","imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"k8sIngress":{"enab
leHttps":false,"enabled":false,"gatewayName":"ingressgateway"},"localityLbSetting":{"enabled":true},"logging":{"level":"default:info"},"meshExpansion":{"enabled":false,"useILB":false},"meshID":"","meshNetworks":{},"monitoringPort":15014,"mtls":{"auto":false,"enabled":true},"multiCluster":{"clusterName":"","enabled":false},"network":"","oneNamespace":false,"operatorManageWebhooks":false,"outboundTrafficPolicy":{"mode":"ALLOW_ANY"},"policyCheckFailOpen":false,"priorityClassName":"","proxy":{"accessLogEncoding":"TEXT","accessLogFile":"","accessLogFormat":"","autoInject":"enabled","clusterDomain":"cluster.local","componentLogLevel":"","concurrency":2,"dnsRefreshRate":"300s","enableCoreDump":false,"enableCoreDumpImage":"ubuntu:xenial","envoyAccessLogService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyMetricsService":{"enabled":false,"host":null,"port":null,"tcpKeepalive":{"interval":"10s","probes":3,"time":"10s"},"tlsSettings":{"caCertificates":null,"clientCertificate":null,"mode":"DISABLE","privateKey":null,"sni":null,"subjectAltNames":[]}},"envoyStatsd":{"enabled":false,"host":null,"port":null},"excludeIPRanges":"","excludeInboundPorts":"","excludeOutboundPorts":"","image":"docker.io/cilium/istio_proxy:1.4.6","includeIPRanges":"*","includeInboundPorts":"*","init":{"resources":{"limits":{"cpu":"100m","memory":"50Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}},"kubevirtInterfaces":"","logLevel":"","privileged":false,"protocolDetectionTimeout":"100ms","readinessFailureThreshold":30,"readinessInitialDelaySeconds":1,"readinessPeriodSeconds":2,"resources":{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"statusPort":15020,"tracer":"zipkin"},"proxy_init":{"image":"docker.io/cilium/istio_proxy:1.4.6"},"sds":{"enabled":false,"token":{"aud":"istio-ca"
},"udsPath":""},"tag":"1.4.6","tracer":{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":"","cacertPath":"","secure":true},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200},"zipkin":{"address":""}},"trustDomain":"","trustDomainAliases":[],"useMCP":true},"ingress":{"annotations":null,"enabled":false,"hosts":null,"tls":null},"jaeger":{"accessMode":"ReadWriteMany","hub":"docker.io/jaegertracing","image":"all-in-one","memory":{"max_traces":50000},"persist":false,"podAnnotations":{},"spanStorageType":"badger","storageClassName":"","tag":1.14},"nodeSelector":{},"podAntiAffinityLabelSelector":[],"podAntiAffinityTermLabelSelector":[],"provider":"jaeger","service":{"annotations":{},"externalPort":80,"name":"http","type":"ClusterIP"},"tolerations":[],"zipkin":{"hub":"docker.io/openzipkin","image":"zipkin","javaOptsHeap":700,"maxSpans":500000,"node":{"cpus":2},"podAnnotations":{},"probeStartupDelay":200,"queryPort":9411,"resources":{"limits":{"cpu":"300m","memory":"900Mi"},"requests":{"cpu":"150m","memory":"900Mi"}},"tag":"2.14.2"}}} 926 927 config: |- 928 policy: enabled 929 alwaysInjectSelector: 930 null 931 neverInjectSelector: 932 null 933 template: |- 934 {{- $cniDisabled := (not .Values.istio_cni.enabled) }} 935 {{- $cniRepairEnabled := (and .Values.istio_cni.enabled .Values.istio_cni.repair.enabled) }} 936 {{- $enableInitContainer := (or $cniDisabled $cniRepairEnabled .Values.global.proxy.enableCoreDump) }} 937 rewriteAppHTTPProbe: {{ valueOrDefault .Values.sidecarInjectorWebhook.rewriteAppHTTPProbe false }} 938 {{- if $enableInitContainer }} 939 initContainers: 940 - name: sleep 941 image: busybox:1.28.4 942 imagePullPolicy: IfNotPresent 943 command: ['sh', '-c', 'max=120; i=0; until nslookup kube-dns.kube-system.svc.cluster.local; do i=$((i + 1)); if [ $i -eq $max ]; then echo timed-out; exit 1; else sleep 1; fi done '] 944 {{- if ne (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} 945 {{ if $cniRepairEnabled -}} 946 - name: istio-validation 947 {{ else -}} 948 - name: istio-init 949 {{ end -}} 950 {{- if contains "/" .Values.global.proxy_init.image }} 951 image: "{{ .Values.global.proxy_init.image }}" 952 {{- else }} 953 image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" 954 {{- end }} 955 command: 956 {{- if $cniRepairEnabled }} 957 - istio-iptables-go 958 {{- else }} 959 - istio-iptables 960 {{- end }} 961 - "-p" 962 - "15001" 963 - "-z" 964 - "15006" 965 - "-u" 966 - 1337 967 - "-m" 968 - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 969 - "-i" 970 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 971 - "-x" 972 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 973 - "-b" 974 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" 975 - "-d" 976 - "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 977 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} 978 - "-o" 979 - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 980 {{ end -}} 981 {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} 982 - "-k" 983 - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 984 {{ end -}} 985 {{ if $cniRepairEnabled -}} 986 - "--run-validation" 987 - "--skip-rule-apply" 988 {{- end }} 989 
imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" 990 {{- if .Values.global.proxy.init.resources }} 991 resources: 992 {{ toYaml .Values.global.proxy.init.resources | indent 4 }} 993 {{- else }} 994 resources: {} 995 {{- end }} 996 securityContext: 997 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 998 privileged: {{ .Values.global.proxy.privileged }} 999 capabilities: 1000 {{- if not $cniRepairEnabled }} 1001 add: 1002 - NET_ADMIN 1003 - NET_RAW 1004 {{- end }} 1005 drop: 1006 - ALL 1007 readOnlyRootFilesystem: false 1008 {{- if not $cniRepairEnabled }} 1009 runAsGroup: 0 1010 runAsNonRoot: false 1011 runAsUser: 0 1012 {{- else }} 1013 runAsGroup: 1337 1014 runAsUser: 1337 1015 runAsNonRoot: true 1016 {{- end }} 1017 restartPolicy: Always 1018 {{ end -}} 1019 {{- if eq .Values.global.proxy.enableCoreDump true }} 1020 - name: enable-core-dump 1021 args: 1022 - -c 1023 - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited 1024 command: 1025 - /bin/sh 1026 image: {{ $.Values.global.proxy.enableCoreDumpImage }} 1027 imagePullPolicy: IfNotPresent 1028 resources: {} 1029 securityContext: 1030 allowPrivilegeEscalation: true 1031 capabilities: 1032 add: 1033 - SYS_ADMIN 1034 drop: 1035 - ALL 1036 privileged: true 1037 readOnlyRootFilesystem: false 1038 runAsGroup: 0 1039 runAsNonRoot: false 1040 runAsUser: 0 1041 {{ end }} 1042 {{ end }} 1043 containers: 1044 - name: istio-proxy 1045 {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} 1046 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" 1047 {{- else }} 1048 image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" 1049 {{- end }} 1050 ports: 1051 - containerPort: 15090 1052 protocol: TCP 1053 name: http-envoy-prom 1054 args: 1055 - proxy 1056 - sidecar 1057 - 
--domain 1058 - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} 1059 - --configPath 1060 - "{{ .ProxyConfig.ConfigPath }}" 1061 - --binaryPath 1062 - "{{ .ProxyConfig.BinaryPath }}" 1063 - --serviceCluster 1064 {{ if ne "" (index .ObjectMeta.Labels "app") -}} 1065 - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" 1066 {{ else -}} 1067 - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" 1068 {{ end -}} 1069 - --drainDuration 1070 - "{{ formatDuration .ProxyConfig.DrainDuration }}" 1071 - --parentShutdownDuration 1072 - "{{ formatDuration .ProxyConfig.ParentShutdownDuration }}" 1073 - --discoveryAddress 1074 - "{{ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress }}" 1075 {{- if eq .Values.global.proxy.tracer "lightstep" }} 1076 - --lightstepAddress 1077 - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAddress }}" 1078 - --lightstepAccessToken 1079 - "{{ .ProxyConfig.GetTracing.GetLightstep.GetAccessToken }}" 1080 - --lightstepSecure={{ .ProxyConfig.GetTracing.GetLightstep.GetSecure }} 1081 - --lightstepCacertPath 1082 - "{{ .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }}" 1083 {{- else if eq .Values.global.proxy.tracer "zipkin" }} 1084 - --zipkinAddress 1085 - "{{ .ProxyConfig.GetTracing.GetZipkin.GetAddress }}" 1086 {{- else if eq .Values.global.proxy.tracer "datadog" }} 1087 - --datadogAgentAddress 1088 - "{{ .ProxyConfig.GetTracing.GetDatadog.GetAddress }}" 1089 {{- end }} 1090 {{- if .Values.global.proxy.logLevel }} 1091 - --proxyLogLevel={{ .Values.global.proxy.logLevel }} 1092 {{- end}} 1093 {{- if .Values.global.proxy.componentLogLevel }} 1094 - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} 1095 {{- end}} 1096 - --dnsRefreshRate 1097 - {{ .Values.global.proxy.dnsRefreshRate }} 1098 - --connectTimeout 1099 - "{{ formatDuration .ProxyConfig.ConnectTimeout }}" 1100 {{- if .Values.global.proxy.envoyStatsd.enabled 
}} 1101 - --statsdUdpAddress 1102 - "{{ .ProxyConfig.StatsdUdpAddress }}" 1103 {{- end }} 1104 {{- if .Values.global.proxy.envoyMetricsService.enabled }} 1105 - --envoyMetricsService 1106 - '{{ protoToJSON .ProxyConfig.EnvoyMetricsService }}' 1107 {{- end }} 1108 {{- if .Values.global.proxy.envoyAccessLogService.enabled }} 1109 - --envoyAccessLogService 1110 - '{{ protoToJSON .ProxyConfig.EnvoyAccessLogService }}' 1111 {{- end }} 1112 - --proxyAdminPort 1113 - "{{ .ProxyConfig.ProxyAdminPort }}" 1114 {{ if gt .ProxyConfig.Concurrency 0 -}} 1115 - --concurrency 1116 - "{{ .ProxyConfig.Concurrency }}" 1117 {{ end -}} 1118 - --controlPlaneAuthPolicy 1119 - "{{ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy }}" 1120 {{- if (ne (annotation .ObjectMeta "status.sidecar.istio.io/port" (valueOrDefault .Values.global.proxy.statusPort 0 )) `0`) }} 1121 - --statusPort 1122 - "{{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }}" 1123 - --applicationPorts 1124 - "{{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) }}" 1125 {{- end }} 1126 {{- if .Values.global.trustDomain }} 1127 - --trust-domain={{ .Values.global.trustDomain }} 1128 {{- end }} 1129 {{- if .Values.global.proxy.lifecycle }} 1130 lifecycle: 1131 {{ toYaml .Values.global.proxy.lifecycle | indent 4 }} 1132 {{- end }} 1133 env: 1134 - name: POD_NAME 1135 valueFrom: 1136 fieldRef: 1137 fieldPath: metadata.name 1138 - name: ISTIO_META_POD_PORTS 1139 value: |- 1140 [ 1141 {{- $first := true }} 1142 {{- range $index1, $c := .Spec.Containers }} 1143 {{- range $index2, $p := $c.Ports }} 1144 {{- if (structToJSON $p) }} 1145 {{if not $first}},{{end}}{{ structToJSON $p }} 1146 {{- $first = false }} 1147 {{- end }} 1148 {{- end}} 1149 {{- end}} 1150 ] 1151 - name: ISTIO_META_CLUSTER_ID 1152 value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" 
1153 - name: POD_NAMESPACE 1154 valueFrom: 1155 fieldRef: 1156 fieldPath: metadata.namespace 1157 - name: INSTANCE_IP 1158 valueFrom: 1159 fieldRef: 1160 fieldPath: status.podIP 1161 - name: SERVICE_ACCOUNT 1162 valueFrom: 1163 fieldRef: 1164 fieldPath: spec.serviceAccountName 1165 {{- if .Values.global.mtls.auto }} 1166 - name: ISTIO_AUTO_MTLS_ENABLED 1167 value: "true" 1168 {{- end }} 1169 {{- if eq .Values.global.proxy.tracer "datadog" }} 1170 - name: HOST_IP 1171 valueFrom: 1172 fieldRef: 1173 fieldPath: status.hostIP 1174 {{- if isset .ObjectMeta.Annotations `apm.datadoghq.com/env` }} 1175 {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} 1176 - name: {{ $key }} 1177 value: "{{ $value }}" 1178 {{- end }} 1179 {{- end }} 1180 {{- end }} 1181 - name: ISTIO_META_POD_NAME 1182 valueFrom: 1183 fieldRef: 1184 fieldPath: metadata.name 1185 - name: ISTIO_META_CONFIG_NAMESPACE 1186 valueFrom: 1187 fieldRef: 1188 fieldPath: metadata.namespace 1189 - name: SDS_ENABLED 1190 value: {{ $.Values.global.sds.enabled }} 1191 - name: ISTIO_META_INTERCEPTION_MODE 1192 value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" 1193 - name: ISTIO_META_INCLUDE_INBOUND_PORTS 1194 value: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (applicationPorts .Spec.Containers) }}" 1195 {{- if .Values.global.network }} 1196 - name: ISTIO_META_NETWORK 1197 value: "{{ .Values.global.network }}" 1198 {{- end }} 1199 {{ if .ObjectMeta.Annotations }} 1200 - name: ISTIO_METAJSON_ANNOTATIONS 1201 value: | 1202 {{ toJSON .ObjectMeta.Annotations }} 1203 {{ end }} 1204 {{ if .ObjectMeta.Labels }} 1205 - name: ISTIO_METAJSON_LABELS 1206 value: | 1207 {{ toJSON .ObjectMeta.Labels }} 1208 {{ end }} 1209 {{- if .DeploymentMeta.Name }} 1210 - name: ISTIO_META_WORKLOAD_NAME 1211 value: {{ .DeploymentMeta.Name }} 1212 {{ end }} 1213 {{- if and .TypeMeta.APIVersion 
.DeploymentMeta.Name }} 1214 - name: ISTIO_META_OWNER 1215 value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} 1216 {{- end}} 1217 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 1218 - name: ISTIO_BOOTSTRAP_OVERRIDE 1219 value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" 1220 {{- end }} 1221 {{- if .Values.global.sds.customTokenDirectory }} 1222 - name: ISTIO_META_SDS_TOKEN_PATH 1223 value: "{{ .Values.global.sds.customTokenDirectory -}}/sdstoken" 1224 {{- end }} 1225 {{- if .Values.global.meshID }} 1226 - name: ISTIO_META_MESH_ID 1227 value: "{{ .Values.global.meshID }}" 1228 {{- else if .Values.global.trustDomain }} 1229 - name: ISTIO_META_MESH_ID 1230 value: "{{ .Values.global.trustDomain }}" 1231 {{- end }} 1232 {{- if eq .Values.global.proxy.tracer "stackdriver" }} 1233 - name: STACKDRIVER_TRACING_ENABLED 1234 value: "true" 1235 - name: STACKDRIVER_TRACING_DEBUG 1236 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetDebug }}" 1237 {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations }} 1238 - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ANNOTATIONS 1239 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAnnotations.Value }}" 1240 {{- end }} 1241 {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes }} 1242 - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_ATTRIBUTES 1243 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfAttributes.Value }}" 1244 {{- end }} 1245 {{- if .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents }} 1246 - name: STACKDRIVER_TRACING_MAX_NUMBER_OF_MESSAGE_EVENTS 1247 value: "{{ .ProxyConfig.GetTracing.GetStackdriver.GetMaxNumberOfMessageEvents.Value }}" 1248 {{- end }} 1249 {{- end }} 1250 imagePullPolicy: {{ .Values.global.imagePullPolicy }} 1251 {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 
(valueOrDefault .Values.global.proxy.statusPort 0 )) `0` }} 1252 readinessProbe: 1253 httpGet: 1254 path: /healthz/ready 1255 port: {{ annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort }} 1256 initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} 1257 periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} 1258 failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} 1259 {{ end -}} 1260 securityContext: 1261 allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} 1262 capabilities: 1263 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 1264 add: 1265 - NET_ADMIN 1266 {{- end }} 1267 drop: 1268 - ALL 1269 privileged: {{ .Values.global.proxy.privileged }} 1270 readOnlyRootFilesystem: {{ not .Values.global.proxy.enableCoreDump }} 1271 runAsGroup: 1337 1272 {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} 1273 runAsNonRoot: false 1274 runAsUser: 0 1275 {{- else }} 1276 runAsNonRoot: true 1277 runAsUser: 1337 1278 {{- end }} 1279 resources: 1280 {{ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 1281 requests: 1282 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} 1283 cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" 1284 {{ end}} 1285 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} 1286 memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" 1287 {{ end }} 1288 {{ else -}} 1289 {{- if .Values.global.proxy.resources }} 1290 {{ toYaml 
.Values.global.proxy.resources | indent 4 }} 1291 {{- end }} 1292 {{ end -}} 1293 volumeMounts: 1294 - mountPath: /var/run/cilium 1295 name: cilium-unix-sock-dir 1296 {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 1297 - mountPath: /etc/istio/custom-bootstrap 1298 name: custom-bootstrap-volume 1299 {{- end }} 1300 - mountPath: /etc/istio/proxy 1301 name: istio-envoy 1302 {{- if .Values.global.sds.enabled }} 1303 - mountPath: /var/run/sds 1304 name: sds-uds-path 1305 readOnly: true 1306 - mountPath: /var/run/secrets/tokens 1307 name: istio-token 1308 {{- if .Values.global.sds.customTokenDirectory }} 1309 - mountPath: "{{ .Values.global.sds.customTokenDirectory -}}" 1310 name: custom-sds-token 1311 readOnly: true 1312 {{- end }} 1313 {{- else }} 1314 - mountPath: /etc/certs/ 1315 name: istio-certs 1316 readOnly: true 1317 {{- end }} 1318 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} 1319 - mountPath: {{ directory .ProxyConfig.GetTracing.GetLightstep.GetCacertPath }} 1320 name: lightstep-certs 1321 readOnly: true 1322 {{- end }} 1323 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} 1324 {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} 1325 - name: "{{ $index }}" 1326 {{ toYaml $value | indent 4 }} 1327 {{ end }} 1328 {{- end }} 1329 volumes: 1330 - hostPath: 1331 path: /var/run/cilium 1332 name: cilium-unix-sock-dir 1333 {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} 1334 - name: custom-bootstrap-volume 1335 configMap: 1336 name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} 1337 {{- end }} 1338 - emptyDir: 1339 medium: Memory 1340 name: istio-envoy 1341 {{- if .Values.global.sds.enabled }} 1342 - name: sds-uds-path 1343 hostPath: 1344 path: /var/run/sds 1345 - name: istio-token 1346 projected: 1347 sources: 1348 - serviceAccountToken: 1349 path: 
istio-token 1350 expirationSeconds: 43200 1351 audience: {{ .Values.global.sds.token.aud }} 1352 {{- if .Values.global.sds.customTokenDirectory }} 1353 - name: custom-sds-token 1354 secret: 1355 secretName: sdstokensecret 1356 {{- end }} 1357 {{- else }} 1358 - name: istio-certs 1359 secret: 1360 optional: true 1361 {{ if eq .Spec.ServiceAccountName "" }} 1362 secretName: istio.default 1363 {{ else -}} 1364 secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} 1365 {{ end -}} 1366 {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} 1367 {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} 1368 - name: "{{ $index }}" 1369 {{ toYaml $value | indent 2 }} 1370 {{ end }} 1371 {{ end }} 1372 {{- end }} 1373 {{- if and (eq .Values.global.proxy.tracer "lightstep") .Values.global.tracer.lightstep.cacertPath }} 1374 - name: lightstep-certs 1375 secret: 1376 optional: true 1377 secretName: lightstep.cacert 1378 {{- end }} 1379 {{- if .Values.global.podDNSSearchNamespaces }} 1380 dnsConfig: 1381 searches: 1382 {{- range .Values.global.podDNSSearchNamespaces }} 1383 - {{ render . 
}} 1384 {{- end }} 1385 {{- end }} 1386 podRedirectAnnot: 1387 sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" 1388 traffic.sidecar.istio.io/includeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" 1389 traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" 1390 traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) }}" 1391 traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" 1392 {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} 1393 traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" 1394 {{- end }} 1395 traffic.sidecar.istio.io/kubevirtInterfaces: "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" 1396 injectedAnnotations: 1397 --- 1398 # Source: istio/charts/galley/templates/clusterrole.yaml 1399 apiVersion: rbac.authorization.k8s.io/v1 1400 kind: ClusterRole 1401 metadata: 1402 name: istio-galley-istio-system 1403 labels: 1404 app: galley 1405 chart: galley 1406 heritage: Helm 1407 release: istio 1408 rules: 1409 # For reading Istio resources 1410 - apiGroups: [ 1411 "authentication.istio.io", 1412 "config.istio.io", 1413 "networking.istio.io", 1414 "rbac.istio.io", 1415 "security.istio.io"] 1416 resources: ["*"] 1417 verbs: 
["get", "list", "watch"] 1418 # For updating Istio resource statuses 1419 - apiGroups: [ 1420 "authentication.istio.io", 1421 "config.istio.io", 1422 "networking.istio.io", 1423 "rbac.istio.io", 1424 "security.istio.io"] 1425 resources: ["*/status"] 1426 verbs: ["update"] 1427 - apiGroups: ["admissionregistration.k8s.io"] 1428 resources: ["validatingwebhookconfigurations"] 1429 verbs: ["*"] 1430 - apiGroups: ["extensions","apps"] 1431 resources: ["deployments"] 1432 resourceNames: ["istio-galley"] 1433 verbs: ["get"] 1434 - apiGroups: [""] 1435 resources: ["pods", "nodes", "services", "endpoints", "namespaces"] 1436 verbs: ["get", "list", "watch"] 1437 - apiGroups: ["extensions"] 1438 resources: ["ingresses"] 1439 verbs: ["get", "list", "watch"] 1440 - apiGroups: [""] 1441 resources: ["namespaces/finalizers"] 1442 verbs: ["update"] 1443 - apiGroups: ["apiextensions.k8s.io"] 1444 resources: ["customresourcedefinitions"] 1445 verbs: ["get", "list", "watch"] 1446 --- 1447 # Source: istio/charts/mixer/templates/clusterrole.yaml 1448 apiVersion: rbac.authorization.k8s.io/v1 1449 kind: ClusterRole 1450 metadata: 1451 name: istio-mixer-istio-system 1452 labels: 1453 app: mixer 1454 chart: mixer 1455 heritage: Helm 1456 release: istio 1457 rules: 1458 - apiGroups: ["config.istio.io"] # istio CRD watcher 1459 resources: ["*"] 1460 verbs: ["create", "get", "list", "watch", "patch"] 1461 - apiGroups: ["apiextensions.k8s.io"] 1462 resources: ["customresourcedefinitions"] 1463 verbs: ["get", "list", "watch"] 1464 - apiGroups: [""] 1465 resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] 1466 verbs: ["get", "list", "watch"] 1467 - apiGroups: ["extensions", "apps"] 1468 resources: ["replicasets"] 1469 verbs: ["get", "list", "watch"] 1470 --- 1471 # Source: istio/charts/pilot/templates/clusterrole.yaml 1472 apiVersion: rbac.authorization.k8s.io/v1 1473 kind: ClusterRole 1474 metadata: 1475 name: istio-pilot-istio-system 
1476 labels: 1477 app: pilot 1478 chart: pilot 1479 heritage: Helm 1480 release: istio 1481 rules: 1482 - apiGroups: ["config.istio.io"] 1483 resources: ["*"] 1484 verbs: ["*"] 1485 - apiGroups: ["rbac.istio.io"] 1486 resources: ["*"] 1487 verbs: ["get", "watch", "list"] 1488 - apiGroups: ["security.istio.io"] 1489 resources: ["*"] 1490 verbs: ["get", "watch", "list"] 1491 - apiGroups: ["networking.istio.io"] 1492 resources: ["*"] 1493 verbs: ["*"] 1494 - apiGroups: ["authentication.istio.io"] 1495 resources: ["*"] 1496 verbs: ["*"] 1497 - apiGroups: ["apiextensions.k8s.io"] 1498 resources: ["customresourcedefinitions"] 1499 verbs: ["*"] 1500 - apiGroups: ["extensions"] 1501 resources: ["ingresses", "ingresses/status"] 1502 verbs: ["*"] 1503 - apiGroups: [""] 1504 resources: ["configmaps"] 1505 verbs: ["create", "get", "list", "watch", "update"] 1506 - apiGroups: [""] 1507 resources: ["endpoints", "pods", "services", "namespaces", "nodes"] 1508 verbs: ["get", "list", "watch"] 1509 - apiGroups: [""] 1510 resources: ["secrets"] 1511 verbs: ["create", "get", "watch", "list", "update", "delete"] 1512 - apiGroups: ["certificates.k8s.io"] 1513 resources: 1514 - "certificatesigningrequests" 1515 - "certificatesigningrequests/approval" 1516 - "certificatesigningrequests/status" 1517 verbs: ["update", "create", "get", "delete"] 1518 --- 1519 # Source: istio/charts/prometheus/templates/clusterrole.yaml 1520 apiVersion: rbac.authorization.k8s.io/v1 1521 kind: ClusterRole 1522 metadata: 1523 name: prometheus-istio-system 1524 labels: 1525 app: prometheus 1526 chart: prometheus 1527 heritage: Helm 1528 release: istio 1529 rules: 1530 - apiGroups: [""] 1531 resources: 1532 - nodes 1533 - services 1534 - endpoints 1535 - pods 1536 - nodes/proxy 1537 verbs: ["get", "list", "watch"] 1538 - apiGroups: [""] 1539 resources: 1540 - configmaps 1541 verbs: ["get"] 1542 - nonResourceURLs: ["/metrics"] 1543 verbs: ["get"] 1544 --- 1545 # Source: 
# istio/charts/security/templates/clusterrole.yaml
# Cluster-scoped permissions for citadel (the mesh CA).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-citadel-istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "update"]
  # NOTE(review): full read/write/delete on Secrets in all namespaces,
  # presumably so the CA can place workload key/cert Secrets everywhere.
  # The same grant lets this account read any unrelated Secret, so treat
  # the citadel service account token as highly sensitive.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts", "services", "namespaces"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
---
# Source: istio/charts/security/templates/create-custom-resources-job.yaml
# Permissions for the security post-install job.
# NOTE(review): the Source path indicates a one-shot job, yet the role grants
# "*" on two Istio API groups and is a standing object; consider removing the
# role and its binding once the job has completed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-security-post-install-istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
rules:
  - apiGroups: ["authentication.istio.io"]  # needed to create default authn policy
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["networking.istio.io"]  # needed to create security destination rules
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Source: istio/templates/clusterrole.yaml
# Read-only view of workload and service objects; no Secrets, no writes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader
rules:
  - apiGroups: [""]
    resources:
      - "nodes"
      - "pods"
      - "services"
      - "endpoints"
      - "replicationcontrollers"
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions", "apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
---
# Source:
# istio/charts/galley/templates/clusterrolebinding.yaml
# Each ClusterRoleBinding below grants its ClusterRole in every namespace to
# one ServiceAccount in istio-system. Any pod that can run under one of these
# accounts inherits the full cluster-wide grant of the referenced role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-galley-admin-role-binding-istio-system
  labels:
    app: galley
    chart: galley
    heritage: Helm
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-galley-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-galley-service-account
    namespace: istio-system
---
# Source: istio/charts/mixer/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-mixer-admin-role-binding-istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-mixer-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-mixer-service-account
    namespace: istio-system
---
# Source: istio/charts/pilot/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-pilot-istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Helm
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-pilot-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-pilot-service-account
    namespace: istio-system
---
# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Helm
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus-istio-system
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: istio-system
---
# Source: istio/charts/security/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-citadel-istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-citadel-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-citadel-service-account
    namespace: istio-system
---
# Source: istio/charts/security/templates/create-custom-resources-job.yaml
# NOTE(review): this binding is a standing object; if the post-install job is
# one-shot (as the Source path suggests), remove the binding afterwards.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-security-post-install-role-binding-istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-security-post-install-istio-system
subjects:
  - kind: ServiceAccount
    name: istio-security-post-install-account
    namespace: istio-system
---
# Source: istio/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-multi
  labels:
    chart: istio-1.4.6
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-reader
subjects:
  - kind: ServiceAccount
    name: istio-multi
    namespace: istio-system
---
# Source: istio/charts/gateways/templates/role.yaml
# Namespaced (istio-system only) read access to Secrets for the ingress
# gateway's SDS use.
# NOTE(review): no resourceNames, so every Secret in istio-system is readable,
# including the istio.* certificate Secrets of the control-plane accounts
# mounted by the Deployments in this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-system
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
---
# Source:
# istio/charts/gateways/templates/rolebindings.yaml
# Binds the namespaced istio-ingressgateway-sds Role to the gateway's
# service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: istio-ingressgateway-sds
  namespace: istio-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: istio-ingressgateway-sds
subjects:
  # NOTE(review): the subject carries no namespace; presumably it resolves to
  # the binding's own namespace (istio-system). Stating it explicitly would
  # match the ClusterRoleBinding subjects elsewhere in this file.
  - kind: ServiceAccount
    name: istio-ingressgateway-service-account
---
# Source: istio/charts/galley/templates/service.yaml
# In-cluster Service for galley: validation webhook, monitoring and MCP.
apiVersion: v1
kind: Service
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Helm
    release: istio
    istio: galley
spec:
  ports:
    - port: 443
      name: https-validation
    - port: 15014
      name: http-monitoring
    - port: 9901
      name: grpc-mcp
  selector:
    istio: galley
---
# Source: istio/charts/gateways/templates/service.yaml
# Externally reachable entry point of the mesh.
# NOTE(review): type LoadBalancer publishes every port listed below, not just
# 80/443: the status port (15020) and the kiali/prometheus/grafana/tracing
# ports (15029-15032) are exposed too. Drop the ports that are not needed or
# restrict callers with spec.loadBalancerSourceRanges.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  # Left empty by the chart; a bare key parses as null.
  annotations:
  labels:
    chart: gateways
    heritage: Helm
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  type: LoadBalancer
  selector:
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      nodePort: 31380
      port: 80
      targetPort: 80
    - name: https
      nodePort: 31390
      port: 443
    - name: tcp
      nodePort: 31400
      port: 31400
    - name: https-kiali
      port: 15029
      targetPort: 15029
    - name: https-prometheus
      port: 15030
      targetPort: 15030
    - name: https-grafana
      port: 15031
      targetPort: 15031
    - name: https-tracing
      port: 15032
      targetPort: 15032
    - name: tls
      port: 15443
      targetPort: 15443
---
# Source:
# istio/charts/mixer/templates/service.yaml
# Mixer policy Service: plain gRPC, mTLS gRPC and monitoring ports.
apiVersion: v1
kind: Service
metadata:
  name: istio-policy
  namespace: istio-system
  annotations:
    networking.istio.io/exportTo: "*"
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
    istio: mixer
spec:
  ports:
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-monitoring
      port: 15014
  selector:
    istio: mixer
    istio-mixer-type: policy
---
# Source: istio/charts/mixer/templates/service.yaml
# Mixer telemetry Service; same ports as policy plus the prometheus port.
apiVersion: v1
kind: Service
metadata:
  name: istio-telemetry
  namespace: istio-system
  annotations:
    networking.istio.io/exportTo: "*"
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
    istio: mixer
spec:
  ports:
    - name: grpc-mixer
      port: 9091
    - name: grpc-mixer-mtls
      port: 15004
    - name: http-monitoring
      port: 15014
    - name: prometheus
      port: 42422
  selector:
    istio: mixer
    istio-mixer-type: telemetry
---
# Source: istio/charts/pilot/templates/service.yaml
# Pilot discovery Service.
# NOTE(review): the ports annotated "direct" (15010, 8080) are not the mTLS
# listener; presumably they serve xDS/discovery without TLS. Limit which
# workloads can reach them (e.g. with a network policy).
apiVersion: v1
kind: Service
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Helm
    release: istio
    istio: pilot
spec:
  ports:
    - port: 15010
      name: grpc-xds  # direct
    - port: 15011
      name: https-xds  # mTLS
    - port: 8080
      name: http-legacy-discovery  # direct
    - port: 15014
      name: http-monitoring
  selector:
    istio: pilot
---
# Source: istio/charts/prometheus/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  namespace: istio-system
  annotations:
    prometheus.io/scrape: 'true'
  labels:
    app: prometheus
    chart: prometheus
    heritage: Helm
    release: istio
spec:
  selector:
    app: prometheus
  ports:
    - name: http-prometheus
      protocol: TCP
      port: 9090
---
# Source: istio/charts/security/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  # we use the normal name here (e.g. 'prometheus')
  # as grafana is configured to use this as a data source
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
    istio: citadel
spec:
  ports:
    - name: grpc-citadel
      port: 8060
      targetPort: 8060
      protocol: TCP
    - name: http-monitoring
      port: 15014
  selector:
    istio: citadel
---
# Source: istio/charts/galley/templates/deployment.yaml
# NOTE(review), applies to every Deployment in this part of the file:
#   * images are referenced by tag with imagePullPolicy IfNotPresent, so the
#     running image is whatever that tag resolved to on the node; pin by
#     digest where reproducibility matters;
#   * no securityContext is declared on any pod or container, so they run
#     with the image and runtime defaults (user, capabilities, writable root).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-galley
  namespace: istio-system
  labels:
    app: galley
    chart: galley
    heritage: Helm
    release: istio
    istio: galley
spec:
  replicas: 1
  selector:
    matchLabels:
      istio: galley
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: galley
        chart: galley
        heritage: Helm
        release: istio
        istio: galley
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-galley-service-account
      containers:
        - name: galley
          image: "docker.io/istio/galley:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 443
            - containerPort: 15014
            - containerPort: 9901
          command:
            - /usr/local/bin/galley
            - server
            - --meshConfigFile=/etc/mesh-config/mesh
            - --livenessProbeInterval=1s
            - --livenessProbePath=/healthliveness
            - --readinessProbePath=/healthready
            - --readinessProbeInterval=1s
            - --deployment-namespace=istio-system
            - --insecure=false
            - --enable-reconcileWebhookConfiguration=true
            - --validation-webhook-config-file
            - /etc/config/validatingwebhookconfiguration.yaml
            - --monitoringPort=15014
            - --log_output_level=default:info
          volumeMounts:
            - name: certs
              mountPath: /etc/certs
              readOnly: true
            - name: config
              mountPath: /etc/config
              readOnly: true
            - name: mesh-config
              mountPath: /etc/mesh-config
              readOnly: true
          livenessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/healthliveness
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          readinessProbe:
            exec:
              command:
                - /usr/local/bin/galley
                - probe
                - --probe-path=/healthready
                - --interval=10s
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            requests:
              cpu: 10m
      volumes:
        # Not marked optional, unlike the istio-certs volumes of the other
        # Deployments here.
        - name: certs
          secret:
            secretName: istio.istio-galley-service-account
        - name: config
          configMap:
            name: istio-galley-configuration
        - name: mesh-config
          configMap:
            name: istio
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64", "ppc64le", "s390x"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["ppc64le"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["s390x"]
---
# Source: istio/charts/gateways/templates/deployment.yaml
# Ingress gateway proxy. This is the workload behind the LoadBalancer
# Service, i.e. the one component here that takes traffic from outside.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    chart: gateways
    heritage: Helm
    istio: ingressgateway
    release: istio
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: istio-ingressgateway
        chart: gateways
        heritage: Helm
        istio: ingressgateway
        release: istio
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-ingressgateway-service-account
      containers:
        - name: istio-proxy
          image: "docker.io/cilium/istio_proxy:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15020
            - containerPort: 80
            - containerPort: 443
            - containerPort: 31400
            - containerPort: 15029
            - containerPort: 15030
            - containerPort: 15031
            - containerPort: 15032
            - containerPort: 15443
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - router
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --log_output_level=default:info
            - --drainDuration
            - '45s'  #drainDuration
            - --parentShutdownDuration
            - '1m0s'  #parentShutdownDuration
            - --connectTimeout
            - '10s'  #connectTimeout
            - --serviceCluster
            - istio-ingressgateway
            - --zipkinAddress
            - zipkin:9411
            # NOTE(review): presumably the Envoy admin port; it is not in the
            # containerPort list above and should stay unexposed.
            - --proxyAdminPort
            - "15000"
            - --statusPort
            - "15020"
            # Control-plane connection uses mutual TLS against pilot's
            # 15011 port.
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --discoveryAddress
            - istio-pilot:15011
          readinessProbe:
            failureThreshold: 30
            httpGet:
              path: /healthz/ready
              port: 15020
              scheme: HTTP
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            - name: ISTIO_META_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: ISTIO_META_CONFIG_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: ISTIO_METAJSON_LABELS
              value: |
                {"app":"istio-ingressgateway","chart":"gateways","heritage":"Helm","istio":"ingressgateway","release":"istio"}
            - name: ISTIO_META_CLUSTER_ID
              value: "Kubernetes"
            - name: SDS_ENABLED
              value: "false"
            - name: ISTIO_META_WORKLOAD_NAME
              value: istio-ingressgateway
            - name: ISTIO_META_OWNER
              value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
            - name: ISTIO_META_ROUTER_MODE
              value: sni-dnat
          # Key material is delivered as file-mounted Secrets (SDS_ENABLED is
          # "false" above); all three mounts are read-only.
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: ingressgateway-certs
              mountPath: "/etc/istio/ingressgateway-certs"
              readOnly: true
            - name: ingressgateway-ca-certs
              mountPath: "/etc/istio/ingressgateway-ca-certs"
              readOnly: true
      volumes:
        # optional: true lets the pod start before the Secret exists.
        - name: istio-certs
          secret:
            secretName: istio.istio-ingressgateway-service-account
            optional: true
        - name: ingressgateway-certs
          secret:
            secretName: "istio-ingressgateway-certs"
            optional: true
        - name: ingressgateway-ca-certs
          secret:
            secretName: "istio-ingressgateway-ca-certs"
            optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64", "ppc64le", "s390x"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["ppc64le"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["s390x"]
---
# Source: istio/charts/mixer/templates/deployment.yaml
# Mixer policy: the mixer container listens on a unix socket shared through
# the uds-socket emptyDir; the istio-proxy container in the same pod holds
# the network-facing ports (9091, 15004).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: istio-mixer
    chart: mixer
    heritage: Helm
    release: istio
    istio: mixer
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: policy
  template:
    metadata:
      labels:
        app: policy
        chart: mixer
        heritage: Helm
        release: istio
        security.istio.io/tlsMode: "istio"
        istio: mixer
        istio-mixer-type: policy
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-mixer-service-account
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-mixer-service-account
            optional: true
        - name: uds-socket
          emptyDir: {}
        - name: policy-adapter-secret
          secret:
            secretName: policy-adapter-secret
            optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64", "ppc64le", "s390x"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["ppc64le"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["s390x"]
      containers:
        - name: mixer
          image: "docker.io/istio/mixer:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15014
            - containerPort: 42422
          args:
            - --monitoringPort=15014
            - --address
            - unix:///sock/mixer.socket
            - --log_output_level=default:info
            - --configStoreURL=mcps://istio-galley.istio-system.svc:9901
            - --configDefaultNamespace=istio-system
            - --useAdapterCRDs=false
            - --useTemplateCRDs=false
            # Trace spans are sent to zipkin over plain http.
            - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GOMAXPROCS
              value: "6"
          # Only a CPU request is set; this container has no limits.
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
        - name: istio-proxy
          image: "docker.io/cilium/istio_proxy:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9091
            - containerPort: 15004
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-policy
            - --templateFile
            - /etc/istio/proxy/envoy_policy.yaml.tmpl
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
            - name: policy-adapter-secret
              mountPath: /var/run/secrets/istio.io/policy/adapter
              readOnly: true
---
# Source: istio/charts/mixer/templates/deployment.yaml
# Mixer telemetry: same two-container layout as istio-policy. Unlike the
# policy mixer, this one passes explicit cert/key/CA file arguments.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: istio-mixer
    chart: mixer
    heritage: Helm
    release: istio
    istio: mixer
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: mixer
      istio-mixer-type: telemetry
  template:
    metadata:
      labels:
        app: telemetry
        chart: mixer
        heritage: Helm
        release: istio
        security.istio.io/tlsMode: "istio"
        istio: mixer
        istio-mixer-type: telemetry
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-mixer-service-account
      volumes:
        - name: istio-certs
          secret:
            secretName: istio.istio-mixer-service-account
            optional: true
        - name: uds-socket
          emptyDir: {}
        - name: telemetry-adapter-secret
          secret:
            secretName: telemetry-adapter-secret
            optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64", "ppc64le", "s390x"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["ppc64le"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["s390x"]
      containers:
        - name: mixer
          image: "docker.io/istio/mixer:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15014
            - containerPort: 42422
          args:
            - --monitoringPort=15014
            - --address
            - unix:///sock/mixer.socket
            - --log_output_level=default:info
            - --configStoreURL=mcps://istio-galley.istio-system.svc:9901
            - --certFile=/etc/certs/cert-chain.pem
            - --keyFile=/etc/certs/key.pem
            - --caCertFile=/etc/certs/root-cert.pem
            - --configDefaultNamespace=istio-system
            - --useAdapterCRDs=false
            # Trace spans are sent to zipkin over plain http.
            - --trace_zipkin_url=http://zipkin.istio-system:9411/api/v1/spans
            - --averageLatencyThreshold
            - 100ms
            - --loadsheddingMode
            - enforce
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GOMAXPROCS
              value: "6"
          resources:
            limits:
              cpu: 4800m
              memory: 4G
            requests:
              cpu: 1000m
              memory: 1G
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: telemetry-adapter-secret
              mountPath: /var/run/secrets/istio.io/telemetry/adapter
              readOnly: true
            - name: uds-socket
              mountPath: /sock
          livenessProbe:
            httpGet:
              path: /version
              port: 15014
            initialDelaySeconds: 5
            periodSeconds: 5
        - name: istio-proxy
          image: "docker.io/cilium/istio_proxy:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9091
            - containerPort: 15004
            - containerPort: 15090
              protocol: TCP
              name: http-envoy-prom
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-telemetry
            - --templateFile
            - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
            - name: uds-socket
              mountPath: /sock
---
# Source: istio/charts/pilot/templates/deployment.yaml
# Pilot: the discovery container (a cilium-built image with the cilium
# plugin enabled) plus an istio-proxy container holding port 15011.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-pilot
  namespace: istio-system
  # TODO: default template doesn't have this, which one is right ?
  labels:
    app: pilot
    chart: pilot
    heritage: Helm
    release: istio
    istio: pilot
spec:
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  selector:
    matchLabels:
      istio: pilot
  template:
    metadata:
      labels:
        app: pilot
        chart: pilot
        heritage: Helm
        release: istio
        istio: pilot
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-pilot-service-account
      containers:
        - name: discovery
          image: "docker.io/cilium/istio_pilot:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            - "discovery"
            - --plugins=authn,authz,health,mixer,envoyfilter,cilium
            - --monitoringAddr=:15014
            - --log_output_level=default:info
            - --domain
            - cluster.local
            # NOTE(review): an empty --secureGrpcAddr presumably turns off
            # discovery's own TLS listener, leaving the istio-proxy container
            # below to terminate mTLS on 15011. Ports 8080 and 15010 of this
            # container are then served without TLS - confirm, and restrict
            # who can reach them.
            - --secureGrpcAddr
            - ""
            - --keepaliveMaxServerConnectionAge
            - "30m"
          ports:
            - containerPort: 8080
            - containerPort: 15010
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 5
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: PILOT_PUSH_THROTTLE
              value: "100"
            - name: PILOT_TRACE_SAMPLING
              value: "1"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              value: "true"
            - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              value: "false"
          # Requests only; no limits are set for this container.
          resources:
            requests:
              cpu: 500m
              memory: 2048Mi
          volumeMounts:
            - name: config-volume
              mountPath: /etc/istio/config
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
        - name: istio-proxy
          image: "docker.io/cilium/istio_proxy:1.4.6"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 15003
            - containerPort: 15005
            - containerPort: 15007
            - containerPort: 15011
          args:
            - proxy
            - --domain
            - $(POD_NAMESPACE).svc.cluster.local
            - --serviceCluster
            - istio-pilot
            - --templateFile
            - /etc/istio/proxy/envoy_pilot.yaml.tmpl
            - --controlPlaneAuthPolicy
            - MUTUAL_TLS
            - --log_output_level=default:info
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: INSTANCE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: SDS_ENABLED
              value: "false"
          resources:
            limits:
              cpu: 2000m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            - name: istio-certs
              mountPath: /etc/certs
              readOnly: true
      volumes:
        - name: config-volume
          configMap:
            name: istio
        - name: istio-certs
          secret:
            secretName: istio.istio-pilot-service-account
            optional: true
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64", "ppc64le", "s390x"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["ppc64le"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["s390x"]
---
# Source: istio/charts/prometheus/templates/deployment.yaml
# TODO: the original template has service account, roles, etc
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: prometheus
    chart: prometheus
    heritage: Helm
    release: istio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      labels:
        app: prometheus
        chart: prometheus
        heritage: Helm
        release: istio
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: prometheus
      containers:
        - name: prometheus
          image: "docker.io/prom/prometheus:v2.12.0"
          imagePullPolicy: IfNotPresent
          args:
            - '--storage.tsdb.retention=6h'
            - '--config.file=/etc/prometheus/prometheus.yml'
          ports:
            - containerPort: 9090
              name: http
          livenessProbe:
            httpGet:
              path: /-/healthy
              port: 9090
          readinessProbe:
            httpGet:
              path: /-/ready
              port: 9090
          resources:
            requests:
              cpu: 10m
          volumeMounts:
            - name: config-volume
              mountPath: /etc/prometheus
            # NOTE(review): the other Deployments mount their cert Secrets
            # with readOnly: true; this mount omits it.
            - mountPath: /etc/istio-certs
              name: istio-certs
      volumes:
        - name: config-volume
          configMap:
            name: prometheus
        # NOTE(review): this mounts the key/cert Secret named istio.default
        # rather than one named after the pod's own "prometheus" service
        # account. defaultMode 420 is decimal for octal 0644, so the files,
        # private key included, are readable by every user in the container.
        - name: istio-certs
          secret:
            defaultMode: 420
            secretName: istio.default
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64", "ppc64le", "s390x"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["amd64"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["ppc64le"]
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values: ["s390x"]
---
#
# Source: istio/charts/security/templates/deployment.yaml
# istio CA watching all namespaces
#
# Citadel (Istio 1.4.6 certificate authority) Deployment.
# NOTE(review): this container is the mesh trust root. The pod spec below sets
# no securityContext and no resource limits, and the image is referenced by
# tag rather than by digest; tighten all three before reusing this manifest
# outside a test cluster.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-citadel
  namespace: istio-system
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
    istio: citadel
spec:
  # Single replica: a CA outage stops new certificate issuance until the pod
  # is rescheduled.
  replicas: 1
  selector:
    matchLabels:
      istio: citadel
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: security
        chart: security
        heritage: Helm
        release: istio
        istio: citadel
      annotations:
        # The CA pod itself is excluded from sidecar injection.
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-citadel-service-account
      containers:
        - name: citadel
          image: "docker.io/istio/citadel:1.4.6"
          imagePullPolicy: IfNotPresent
          args:
            - --append-dns-names=true
            - --grpc-port=8060
            - --citadel-storage-namespace=istio-system
            - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system
            - --monitoring-port=15014
            # Citadel generates its own root instead of using an operator
            # supplied CA certificate, so the mesh root of trust is whatever
            # key this pod creates. Presumably it is kept in the storage
            # namespace named above; restrict secret access there (verify).
            - --self-signed-ca=true
            # 2160h = 90 days. A workload key that leaks stays usable for up
            # to that long unless it is rotated earlier.
            - --workload-cert-ttl=2160h
          env:
            # Matches the "watching all namespaces" header comment: presumably
            # certificates are issued for every namespace unless one opts out
            # (TODO confirm against the Citadel 1.4 docs).
            - name: CITADEL_ENABLE_NAMESPACES_BY_DEFAULT
              value: "true"
          resources:
            requests:
              cpu: 10m
      affinity:
        nodeAffinity:
          # beta.kubernetes.io/arch is the deprecated spelling of the
          # kubernetes.io/arch node label.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "s390x"
---
# Source: istio/charts/gateways/templates/autoscale.yaml
#
# CPU-based autoscaler for the istio-ingressgateway Deployment (1 to 5 pods).
# autoscaling/v2beta1 is no longer served from Kubernetes v1.25 on; the same
# applies to the other HorizontalPodAutoscalers in this file.
# maxReplicas also bounds how far the gateway can scale out under a traffic
# spike.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    chart: gateways
    heritage: Helm
    release: istio
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-ingressgateway
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percentage of the target pods' CPU request.
        targetAverageUtilization: 80
---
# Source: istio/charts/mixer/templates/autoscale.yaml
#
# CPU-based autoscaler for the istio-policy Deployment (1 to 5 pods).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-policy
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
---
# Source: istio/charts/mixer/templates/autoscale.yaml
#
# CPU-based autoscaler for the istio-telemetry Deployment (1 to 5 pods).
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-telemetry
  metrics:
    - type: Resource
      resource:
        name: cpu
        targetAverageUtilization: 80
---
# Source: istio/charts/pilot/templates/autoscale.yaml
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-pilot
  namespace: istio-system
  labels:
    app: pilot
    chart: pilot
    heritage: Helm
    release: istio
spec:
  # Autoscaler spec for the istio-pilot Deployment: 1 to 5 pods, scaled on CPU.
  maxReplicas: 5
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: istio-pilot
  metrics:
    - type: Resource
      resource:
        name: cpu
        # Percentage of the target pods' CPU request.
        targetAverageUtilization: 80
---
# Source: istio/charts/mixer/templates/config.yaml
# Configuration needed by Mixer.
# Mixer cluster is delivered via CDS
# Specify mixer cluster settings
#
# Traffic policy applied by clients when they connect to the istio-policy
# service.
# NOTE(review): port 9091 is configured with TLS disabled, so any client that
# uses it talks to Mixer in plaintext and without transport-level peer
# authentication. Confirm that only port 15004 is reachable from workloads.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-policy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  host: istio-policy.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004  # grpc-mixer-mtls
        tls:
          mode: ISTIO_MUTUAL
      - port:
          number: 9091  # grpc-mixer
        tls:
          mode: DISABLE
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Same policy for the istio-telemetry service: mutual TLS on 15004, plaintext
# on 9091 (see the review note on the istio-policy rule; it applies here too).
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-telemetry
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  host: istio-telemetry.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 15004  # grpc-mixer-mtls
        tls:
          mode: ISTIO_MUTUAL
      - port:
          number: 9091  # grpc-mixer
        tls:
          mode: DISABLE
    connectionPool:
      http:
        http2MaxRequests: 10000
        maxRequestsPerConnection: 10000
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Declares the attribute names and value types of the "istioproxy" manifest.
# NOTE(review): judging by their names, request.headers, request.query_params,
# request.api_key, request.auth.claims and request.auth.raw_claims can carry
# credentials. Check that no instance copies them into metric labels or logs.
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: istioproxy
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  attributes:
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    request.headers:
      valueType: STRING_MAP
    request.id:
      valueType: STRING
    request.host:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.url_path:
      valueType: STRING
    request.query_params:
      valueType: STRING_MAP
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.total_size:
      valueType: INT64
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.headers:
      valueType: STRING_MAP
    response.total_size:
      valueType: INT64
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.grpc_status:
      valueType: STRING
    response.grpc_message:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user:  # DEPRECATED
      valueType: STRING
    source.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    destination.principal:
      valueType: STRING
    destination.port:
      valueType: INT64
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    connection.duration:
      valueType: DURATION
    connection.mtls:
      valueType: BOOL
    connection.requested_server_name:
      valueType: STRING
    context.protocol:
      valueType: STRING
    context.proxy_error_code:
      valueType: STRING
    context.timestamp:
      valueType: TIMESTAMP
    context.time:
      valueType: TIMESTAMP
    # Deprecated, kept for compatibility
    context.reporter.local:
      valueType: BOOL
    context.reporter.kind:
      valueType: STRING
    context.reporter.uid:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    request.auth.principal:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.presenter:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    request.auth.raw_claims:
      valueType: STRING
    request.api_key:
      valueType: STRING
    rbac.permissive.response_code:
      valueType: STRING
    rbac.permissive.effective_policy_id:
      valueType: STRING
    check.error_code:
      valueType: INT64
    check.error_message:
      valueType: STRING
    check.cache_hit:
      valueType: BOOL
    quota.cache_hit:
      valueType: BOOL
    context.proxy_version:
      valueType: STRING
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Declares the attribute names and value types of the "kubernetes" manifest
# (source.* / destination.* pod, workload and service metadata).
apiVersion: "config.istio.io/v1alpha2"
kind: attributemanifest
metadata:
  name: kubernetes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  attributes:
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.uid:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.owner:
      valueType: STRING
    destination.name:
      valueType: STRING
    destination.container.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Prometheus adapter handler: maps eight metric instances to Prometheus
# metrics and lists the labels each one exports.
# The source_principal, destination_principal and connection_security_policy
# labels make these metrics usable for spotting traffic that did not use
# mutual TLS.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: prometheus
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledAdapter: prometheus
  params:
    metricsExpirationPolicy:
      metricsExpiryDuration: "10m"
    metrics:
      - name: requests_total
        instance_name: requestcount.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
      - name: request_duration_seconds
        instance_name: requestduration.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          explicit_buckets:
            bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]
      - name: request_bytes
        instance_name: requestsize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      - name: response_bytes
        instance_name: responsesize.instance.istio-system
        kind: DISTRIBUTION
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - request_protocol
          - response_code
          - response_flags
          - permissive_response_code
          - permissive_response_policyid
          - connection_security_policy
        buckets:
          exponentialBuckets:
            numFiniteBuckets: 8
            scale: 1
            growthFactor: 10
      - name: tcp_sent_bytes_total
        instance_name: tcpbytesent.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      - name: tcp_received_bytes_total
        instance_name: tcpbytereceived.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      - name: tcp_connections_opened_total
        instance_name: tcpconnectionsopened.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
      - name: tcp_connections_closed_total
        instance_name: tcpconnectionsclosed.instance.istio-system
        kind: COUNTER
        label_names:
          - reporter
          - source_app
          - source_principal
          - source_workload
          - source_workload_namespace
          - source_version
          - destination_app
          - destination_principal
          - destination_workload
          - destination_workload_namespace
          - destination_version
          - destination_service
          - destination_service_name
          - destination_service_namespace
          - connection_security_policy
          - response_flags
---
# Source: istio/charts/mixer/templates/config.yaml
#
# kubernetesenv adapter handler. params holds only commented-out text, so the
# adapter runs with no explicit parameters; in particular no kubeconfig path
# is set here.
apiVersion: "config.istio.io/v1alpha2"
kind: handler
metadata:
  name: kubernetesenv
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledAdapter: kubernetesenv
  params:
    # when running from mixer root, use the following config after adding a
    # symbolic link to a kubernetes config file via:
    #
    # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig
    #
    # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig"
---
# Source: istio/charts/mixer/templates/config.yaml
---
# Metric instance "requestcount": value "1" per request, with the dimensions
# below as labels.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestcount
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      # Falls back to request.host when the service host is missing but the
      # service name is known. NOTE(review): request.host is presumably taken
      # from the request itself, so watch this label's cardinality.
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      # A missing response code is recorded as 200, i.e. counted as a success.
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      # "unknown" for outbound reporters; for inbound ones "mutual_tls" when
      # connection.mtls is true, otherwise "none". Alerting on "none" surfaces
      # plaintext connections.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    monitored_resource_type: '"UNSPECIFIED"'
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Metric instance "requestduration": value is response.duration, "0ms" when
# absent. The dimensions are the same as for requestcount.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestduration
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: response.duration | "0ms"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    monitored_resource_type: '"UNSPECIFIED"'
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Metric instance "requestsize": value is request.size, 0 when absent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: requestsize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: request.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    monitored_resource_type: '"UNSPECIFIED"'
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Metric instance "responsesize": value is response.size, 0 when absent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: responsesize
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: response.size | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | conditional((destination.service.name | "unknown") == "unknown", "unknown", request.host)
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      request_protocol: api.protocol | context.protocol | "unknown"
      response_code: response.code | 200
      response_flags: context.proxy_error_code | "-"
      permissive_response_code: rbac.permissive.response_code | "none"
      permissive_response_policyid: rbac.permissive.effective_policy_id | "none"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    monitored_resource_type: '"UNSPECIFIED"'
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Metric instance "tcpbytesent": value is connection.sent.bytes, 0 when
# absent. The TCP instances carry no request_protocol, response_code or
# permissive_* dimensions.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytesent
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: connection.sent.bytes | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    monitored_resource_type: '"UNSPECIFIED"'
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Metric instance "tcpbytereceived": value is connection.received.bytes, 0
# when absent.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpbytereceived
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: connection.received.bytes | 0
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    monitored_resource_type: '"UNSPECIFIED"'
---
#
# Source: istio/charts/mixer/templates/config.yaml
#
# Metric instance "tcpconnectionsopened": value "1" per event, with the
# dimensions below as labels.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsopened
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      # "unknown" for outbound reporters; for inbound ones "mutual_tls" when
      # connection.mtls is true, otherwise "none". Alerting on "none" surfaces
      # plaintext connections.
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    monitored_resource_type: '"UNSPECIFIED"'
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Metric instance "tcpconnectionsclosed": value "1" per event, same dimensions
# as tcpconnectionsopened.
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: tcpconnectionsclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: metric
  params:
    value: "1"
    dimensions:
      reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
      source_workload: source.workload.name | "unknown"
      source_workload_namespace: source.workload.namespace | "unknown"
      source_principal: source.principal | "unknown"
      source_app: source.labels["app"] | "unknown"
      source_version: source.labels["version"] | "unknown"
      destination_workload: destination.workload.name | "unknown"
      destination_workload_namespace: destination.workload.namespace | "unknown"
      destination_principal: destination.principal | "unknown"
      destination_app: destination.labels["app"] | "unknown"
      destination_version: destination.labels["version"] | "unknown"
      destination_service: destination.service.host | "unknown"
      destination_service_name: destination.service.name | "unknown"
      destination_service_namespace: destination.service.namespace | "unknown"
      connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
      response_flags: context.proxy_error_code | "-"
    monitored_resource_type: '"UNSPECIFIED"'
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Instance of the "kubernetes" template: passes uid/ip/port of both peers in
# params and binds the template's output ($out) back onto source.* and
# destination.* attributes.
# NOTE(review): a missing namespace is filled in as "default", not "unknown",
# so anything keyed on source.namespace or destination.namespace cannot tell
# an unresolved peer from a workload that really runs in "default".
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: attributes
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  compiledTemplate: kubernetes
  params:
    # Pass the required attribute data to the adapter
    source_uid: source.uid | ""
    source_ip: source.ip | ip("0.0.0.0")  # default to unspecified ip addr
    destination_uid: destination.uid | ""
    destination_port: destination.port | 0
  attributeBindings:
    # Fill the new attributes from the adapter produced output.
    # $out refers to an instance of OutputTemplate message
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.uid: $out.source_pod_uid | "unknown"
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.container.name: $out.destination_container_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Sends the four HTTP/gRPC metric instances to the prometheus handler, except
# for requests whose user agent matches "kube-probe*" or "Prometheus*".
# NOTE(review): the exclusion keys on request.useragent, a value the caller
# supplies, so these metrics are not a complete record of HTTP/gRPC traffic.
# Use proxy access logs when full accounting is needed.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promhttp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) && (match((request.useragent | "-"), "Prometheus*") == false)
  actions:
    - handler: prometheus
      instances:
        - requestcount
        - requestduration
        - requestsize
        - responsesize
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Sends the TCP byte counters to the prometheus handler for TCP traffic.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcp
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: prometheus
      instances:
        - tcpbytesent
        - tcpbytereceived
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Counts TCP connection "open" events.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionopen
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "open")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsopened
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Counts TCP connection "close" events.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: promtcpconnectionclosed
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  match: context.protocol == "tcp" && ((connection.event | "na") == "close")
  actions:
    - handler: prometheus
      instances:
        - tcpconnectionsclosed
---
# Source: istio/charts/mixer/templates/config.yaml
#
# No match expression: the "attributes" instance is sent to the kubernetesenv
# handler for every request this rule is evaluated on.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: kubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
---
# Source: istio/charts/mixer/templates/config.yaml
#
# Same action as kubeattrgenrulerule, restricted to TCP traffic.
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: tcpkubeattrgenrulerule
  namespace: istio-system
  labels:
    app: mixer
    chart: mixer
    heritage: Helm
    release: istio
spec:
  match: context.protocol == "tcp"
  actions:
    - handler: kubernetesenv
      instances:
        - attributes
---
# Source: istio/charts/security/templates/create-custom-resources-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: istio-security-post-install-1.4.6
  namespace: istio-system
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded
  labels:
    app: security
    chart: security
    heritage: Helm
    release: istio
spec:
  template:
    metadata:
      name: istio-security-post-install
      labels:
        app: security
        chart: security
        heritage: Helm
        release: istio
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      serviceAccountName: istio-security-post-install-account
      containers:
        - name: kubectl
          image: "docker.io/istio/kubectl:1.4.6"
          imagePullPolicy: IfNotPresent
          command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
          volumeMounts:
            - mountPath: "/tmp/security"
              name: tmp-configmap-security
      volumes:
        - name: tmp-configmap-security
          configMap:
            name: istio-security-custom-resources
      restartPolicy: OnFailure
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
                      - "ppc64le"
                      - "s390x"
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "amd64"
            - weight: 2
              preference:
                matchExpressions:
                  - key: beta.kubernetes.io/arch
                    operator: In
                    values:
                      - "ppc64le"
            - weight: 2
              preference:
matchExpressions: 4123 - key: beta.kubernetes.io/arch 4124 operator: In 4125 values: 4126 - "s390x"