# Source page: github.com/replicatedcom/ship@v0.50.0/integration/unfork/istio-k8s/expected/rendered.yaml
# Rendered Kubernetes manifests; judging by the path, the expected output of
# ship's istio-k8s "unfork" integration case.
#
# The documents that follow are Istio CustomResourceDefinitions. Review notes:
# - apiextensions.k8s.io/v1beta1 is no longer served from Kubernetes 1.22 on.
# - No definition here declares a validation schema, so the API server does
#   not check the shape of objects of these kinds by itself.
# - helm.sh/hook: crd-install is a Helm hook annotation.
#   NOTE(review): outside a Helm install it is presumably inert - confirm.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: adapter
  name: adapters.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: adapter
    plural: adapters
    singular: adapter
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: apikey
  name: apikeys.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: apikey
    plural: apikeys
    singular: apikey
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: core
    package: istio.io.mixer
  name: attributemanifests.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: attributemanifest
    plural: attributemanifests
    singular: attributemanifest
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: authorization
  name: authorizations.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: authorization
    plural: authorizations
    singular: authorization
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: bypass
  name: bypasses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: bypass
    plural: bypasses
    singular: bypass
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: checknothing
  name: checknothings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: checknothing
    plural: checknothings
    singular: checknothing
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: circonus
  name: circonuses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: circonus
    plural: circonuses
    singular: circonus
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: cloudwatch
  name: cloudwatches.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: cloudwatch
    plural: cloudwatches
    singular: cloudwatch
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: denier
  name: deniers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: denier
    plural: deniers
    singular: denier
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
  name: destinationrules.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: DestinationRule
    listKind: DestinationRuleList
    plural: destinationrules
    singular: destinationrule
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: dogstatsd
  name: dogstatsds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: dogstatsd
    plural: dogstatsds
    singular: dogstatsd
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: edge
  name: edges.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: edge
    plural: edges
    singular: edge
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
  name: envoyfilters.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: EnvoyFilter
    plural: envoyfilters
    singular: envoyfilter
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: fluentd
  name: fluentds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: fluentd
    plural: fluentds
    singular: fluentd
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
    # Quoted so the weight stays a string; annotation values must be strings.
    helm.sh/hook-weight: "-5"
  labels:
    app: istio-pilot
  name: gateways.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: Gateway
    plural: gateways
    singular: gateway
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-handler
    package: handler
  name: handlers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: handler
    plural: handlers
    singular: handler
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  name: httpapispecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: HTTPAPISpecBinding
    plural: httpapispecbindings
    singular: httpapispecbinding
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  name: httpapispecs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: HTTPAPISpec
    plural: httpapispecs
    singular: httpapispec
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: instance
  name: instances.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: instance
    plural: instances
    singular: instance
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: kubernetesenv
  name: kubernetesenvs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: kubernetesenv
    plural: kubernetesenvs
    singular: kubernetesenv
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: adapter.template.kubernetes
  name: kuberneteses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: kubernetes
    plural: kuberneteses
    singular: kubernetes
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: listchecker
  name: listcheckers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: listchecker
    plural: listcheckers
    singular: listchecker
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: listentry
  name: listentries.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: listentry
    plural: listentries
    singular: listentry
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: logentry
  name: logentries.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: logentry
    plural: logentries
    singular: logentry
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: memquota
  name: memquotas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: memquota
    plural: memquotas
    singular: memquota
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: metric
  name: metrics.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: metric
    plural: metrics
    singular: metric
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: noop
  name: noops.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: noop
    plural: noops
    singular: noop
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: opa
  name: opas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: opa
    plural: opas
    singular: opa
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: prometheus
  name: prometheuses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: prometheus
    plural: prometheuses
    singular: prometheus
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: quota
  name: quotas.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: quota
    plural: quotas
    singular: quota
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  name: quotaspecbindings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpecBinding
    plural: quotaspecbindings
    singular: quotaspecbinding
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  name: quotaspecs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - apim-istio-io
    kind: QuotaSpec
    plural: quotaspecs
    singular: quotaspec
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: rbac
    package: istio.io.mixer
  name: rbacconfigs.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: RbacConfig
    plural: rbacconfigs
    singular: rbacconfig
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: rbac
  name: rbacs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: rbac
    plural: rbacs
    singular: rbac
  scope: Namespaced
  version: v1alpha2
---
# Unlike the other Mixer adapter definitions in this file, this one carries no
# app label and no categories list, so label- or category-based selection
# (for example by app=mixer) will not include it.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    istio: mixer-adapter
    package: redisquota
  name: redisquotas.config.istio.io
spec:
  group: config.istio.io
  names:
    kind: redisquota
    plural: redisquotas
    singular: redisquota
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: reportnothing
  name: reportnothings.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: reportnothing
    plural: reportnothings
    singular: reportnothing
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: core
    package: istio.io.mixer
  name: rules.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: rule
    plural: rules
    singular: rule
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: servicecontrolreport
  name: servicecontrolreports.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: servicecontrolreport
    plural: servicecontrolreports
    singular: servicecontrolreport
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: servicecontrol
  name: servicecontrols.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: servicecontrol
    plural: servicecontrols
    singular: servicecontrol
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
  name: serviceentries.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: ServiceEntry
    listKind: ServiceEntryList
    plural: serviceentries
    singular: serviceentry
  scope: Namespaced
  version: v1alpha3
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: rbac
    package: istio.io.mixer
  name: servicerolebindings.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ServiceRoleBinding
    plural: servicerolebindings
    singular: servicerolebinding
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: rbac
    package: istio.io.mixer
  name: serviceroles.rbac.istio.io
spec:
  group: rbac.istio.io
  names:
    categories:
    - istio-io
    - rbac-istio-io
    kind: ServiceRole
    plural: serviceroles
    singular: servicerole
  scope: Namespaced
  version: v1alpha1
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: signalfx
  name: signalfxs.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: signalfx
    plural: signalfxs
    singular: signalfx
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: solarwinds
  name: solarwindses.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: solarwinds
    plural: solarwindses
    singular: solarwinds
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: stackdriver
  name: stackdrivers.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: stackdriver
    plural: stackdrivers
    singular: stackdriver
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: statsd
  name: statsds.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: statsd
    plural: statsds
    singular: statsd
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-adapter
    package: stdio
  name: stdios.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: stdio
    plural: stdios
    singular: stdio
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-template
    package: template
  name: templates.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: template
    plural: templates
    singular: template
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: mixer
    istio: mixer-instance
    package: tracespan
  name: tracespans.config.istio.io
spec:
  group: config.istio.io
  names:
    categories:
    - istio-io
    - policy-istio-io
    kind: tracespan
    plural: tracespans
    singular: tracespan
  scope: Namespaced
  version: v1alpha2
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    helm.sh/hook: crd-install
  labels:
    app: istio-pilot
  name: virtualservices.networking.istio.io
spec:
  group: networking.istio.io
  names:
    categories:
    - istio-io
    - networking-istio-io
    kind: VirtualService
    listKind: VirtualServiceList
    plural: virtualservices
    singular: virtualservice
  scope: Namespaced
  version: v1alpha3
---
# Sidecar-injection admission webhook: intercepts pod CREATE requests in
# namespaces labelled istio-injection=enabled and sends them to the
# istio-sidecar-injector service at /inject.
# admissionregistration.k8s.io/v1beta1 is no longer served from Kubernetes 1.22.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    app: istio-sidecar-injector
    chart: sidecarInjectorWebhook-1.0.3
    heritage: Tiller
    release: istio
  name: istio-sidecar-injector
  # MutatingWebhookConfiguration is cluster-scoped, so this namespace has no
  # effect on where the webhook applies.
  namespace: default
webhooks:
- clientConfig:
    # Empty in the rendered manifest: the API server has no CA to verify the
    # webhook's serving certificate until this is filled in.
    # NOTE(review): the istio-sidecar-injector-default ClusterRole further down
    # grants patch on mutatingwebhookconfigurations, which suggests the
    # injector writes the bundle at runtime - confirm before relying on it.
    caBundle: ""
    service:
      name: istio-sidecar-injector
      namespace: default
      path: /inject
  # Fail closed: if the webhook cannot be called, matching pod creations are
  # rejected rather than admitted without a sidecar.
  failurePolicy: Fail
  name: sidecar-injector.istio.io
  # Opt-in scope: only namespaces carrying this label are intercepted. Anyone
  # able to label namespaces controls which workloads get mutated.
  namespaceSelector:
    matchLabels:
      istio-injection: enabled
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
---
# Service accounts for the control-plane components. All of them live in the
# default namespace, so any principal allowed to create pods in default can run
# a pod under one of these identities and inherit the ClusterRoles bound to it
# later in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-citadel-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # Helm hook: created only for the post-delete phase and removed once the
    # hook succeeds.
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "1"
  labels:
    app: security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-cleanup-secrets-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: egressgateway
    chart: gateways-1.0.3
    heritage: Tiller
    release: istio
  name: istio-egressgateway-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-galley
    chart: galley-1.0.3
    heritage: Tiller
    release: istio
  name: istio-galley-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: ingressgateway
    chart: gateways-1.0.3
    heritage: Tiller
    release: istio
  name: istio-ingressgateway-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: mixer
    chart: mixer-1.0.3
    heritage: Tiller
    release: istio
  name: istio-mixer-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-pilot
    chart: pilot-1.0.3
    heritage: Tiller
    release: istio
  name: istio-pilot-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-security-post-install-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: istio-sidecar-injector
    chart: sidecarInjectorWebhook-1.0.3
    heritage: Tiller
    release: istio
  name: istio-sidecar-injector-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: default
---
# ClusterRoles. rbac.authorization.k8s.io/v1beta1 is no longer served from
# Kubernetes 1.22. Every role below is a ClusterRole, so wherever it is bound
# with a ClusterRoleBinding the grant covers all namespaces.
#
# Citadel: full read/write/delete on Secrets plus read on service accounts and
# services. With a cluster-wide binding this identity can read every Secret in
# the cluster - treat its service-account token as highly sensitive.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-citadel-default
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - watch
  - list
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - watch
  - list
---
# Post-delete cleanup hook role: may list and delete Secrets. The rule has no
# resourceNames restriction, so it is not limited to Istio-created Secrets.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "1"
  labels:
    app: security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-cleanup-secrets-default
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - list
  - delete
---
# NOTE(review): this rule names the extensions API group, while the
# virtualservices, destinationrules and gateways definitions earlier in this
# file are registered under networking.istio.io. As written the rule appears
# not to cover those resources - verify against what the gateway needs.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: gateways
    chart: gateways-1.0.3
    heritage: Tiller
    release: istio
  name: istio-egressgateway-default
rules:
- apiGroups:
  - extensions
  resources:
  - thirdpartyresources
  - virtualservices
  - destinationrules
  - gateways
  verbs:
  - get
  - watch
  - list
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: istio-galley
    chart: galley-1.0.3
    heritage: Tiller
    release: istio
  name: istio-galley-default
rules:
# All verbs on every ValidatingWebhookConfiguration (no resourceNames), which
# includes creating, changing and deleting admission webhooks cluster-wide.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# The wildcard API group is narrowed by resourceNames: only objects named
# istio-galley can be read through the next two rules.
- apiGroups:
  - '*'
  resourceNames:
  - istio-galley
  resources:
  - deployments
  verbs:
  - get
- apiGroups:
  - '*'
  resourceNames:
  - istio-galley
  resources:
  - endpoints
  verbs:
  - get
---
# Same rule set as istio-egressgateway-default; the API-group note there
# applies here too.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: gateways
    chart: gateways-1.0.3
    heritage: Tiller
    release: istio
  name: istio-ingressgateway-default
rules:
- apiGroups:
  - extensions
  resources:
  - thirdpartyresources
  - virtualservices
  - destinationrules
  - gateways
  verbs:
  - get
  - watch
  - list
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: mixer
    chart: mixer-1.0.3
    heritage: Tiller
    release: istio
  name: istio-mixer-default
rules:
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - create
  - get
  - list
  - watch
  - patch
- apiGroups:
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
# Read access to core objects, Secrets included: bound cluster-wide, this lets
# the Mixer identity read Secret contents in every namespace.
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - pods
  - services
  - namespaces
  - secrets
  - replicationcontrollers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: istio-pilot
    chart: pilot-1.0.3
    heritage: Tiller
    release: istio
  name: istio-pilot-default
rules:
- apiGroups:
  - config.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - rbac.istio.io
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - '*'
# All verbs on every CustomResourceDefinition, not only Istio's: this identity
# can create, alter or delete any CRD in the cluster.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - thirdpartyresources
  - thirdpartyresources.extensions
  - ingresses
  - ingresses/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - get
  - list
  - watch
  - update
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  - services
  verbs:
  - get
  - list
  - watch
# Read access to Secrets (and nodes, namespaces) in every namespace once bound
# cluster-wide.
- apiGroups:
  - ""
  resources:
  - namespaces
  - nodes
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: istio-security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-security-post-install-default
rules:
- apiGroups:
  - authentication.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - networking.istio.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
- apiGroups:
  - extensions
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: istio-sidecar-injector
    chart: sidecarInjectorWebhook-1.0.3
    heritage: Tiller
    release: istio
  name: istio-sidecar-injector-default
rules:
- apiGroups:
  - '*'
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
# patch without resourceNames applies to every MutatingWebhookConfiguration in
# the cluster, not just istio-sidecar-injector; changes to these objects are
# worth auditing.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: prometheus-default
rules:
# nodes/proxy lets the holder send requests to each node's kubelet through the
# API server, which is broader than read-only discovery of scrape targets.
# NOTE(review): confirm the scrape configuration actually needs it.
- apiGroups:
  - ""
  resources:
  - nodes
  - services
  - endpoints
  - pods
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
# Binds istio-citadel-default (cluster-wide Secret read/write/delete) with a
# ClusterRoleBinding, so the grant covers every namespace.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-citadel-default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-citadel-default
subjects:
- kind: ServiceAccount 1621 name: istio-citadel-service-account 1622 namespace: default 1623 --- 1624 apiVersion: rbac.authorization.k8s.io/v1beta1 1625 kind: ClusterRoleBinding 1626 metadata: 1627 annotations: 1628 helm.sh/hook: post-delete 1629 helm.sh/hook-delete-policy: hook-succeeded 1630 helm.sh/hook-weight: "2" 1631 labels: 1632 app: security 1633 chart: security-1.0.3 1634 heritage: Tiller 1635 release: istio 1636 name: istio-cleanup-secrets-default 1637 roleRef: 1638 apiGroup: rbac.authorization.k8s.io 1639 kind: ClusterRole 1640 name: istio-cleanup-secrets-default 1641 subjects: 1642 - kind: ServiceAccount 1643 name: istio-cleanup-secrets-service-account 1644 namespace: default 1645 --- 1646 apiVersion: rbac.authorization.k8s.io/v1beta1 1647 kind: ClusterRoleBinding 1648 metadata: 1649 name: istio-egressgateway-default 1650 roleRef: 1651 apiGroup: rbac.authorization.k8s.io 1652 kind: ClusterRole 1653 name: istio-egressgateway-default 1654 subjects: 1655 - kind: ServiceAccount 1656 name: istio-egressgateway-service-account 1657 namespace: default 1658 --- 1659 apiVersion: rbac.authorization.k8s.io/v1beta1 1660 kind: ClusterRoleBinding 1661 metadata: 1662 labels: 1663 app: istio-galley 1664 chart: galley-1.0.3 1665 heritage: Tiller 1666 release: istio 1667 name: istio-galley-admin-role-binding-default 1668 roleRef: 1669 apiGroup: rbac.authorization.k8s.io 1670 kind: ClusterRole 1671 name: istio-galley-default 1672 subjects: 1673 - kind: ServiceAccount 1674 name: istio-galley-service-account 1675 namespace: default 1676 --- 1677 apiVersion: rbac.authorization.k8s.io/v1beta1 1678 kind: ClusterRoleBinding 1679 metadata: 1680 name: istio-ingressgateway-default 1681 roleRef: 1682 apiGroup: rbac.authorization.k8s.io 1683 kind: ClusterRole 1684 name: istio-ingressgateway-default 1685 subjects: 1686 - kind: ServiceAccount 1687 name: istio-ingressgateway-service-account 1688 namespace: default 1689 --- 1690 apiVersion: rbac.authorization.k8s.io/v1beta1 1691 kind: 
ClusterRoleBinding 1692 metadata: 1693 labels: 1694 app: mixer 1695 chart: mixer-1.0.3 1696 heritage: Tiller 1697 release: istio 1698 name: istio-mixer-admin-role-binding-default 1699 roleRef: 1700 apiGroup: rbac.authorization.k8s.io 1701 kind: ClusterRole 1702 name: istio-mixer-default 1703 subjects: 1704 - kind: ServiceAccount 1705 name: istio-mixer-service-account 1706 namespace: default 1707 --- 1708 apiVersion: rbac.authorization.k8s.io/v1beta1 1709 kind: ClusterRoleBinding 1710 metadata: 1711 labels: 1712 app: istio-pilot 1713 chart: pilot-1.0.3 1714 heritage: Tiller 1715 release: istio 1716 name: istio-pilot-default 1717 roleRef: 1718 apiGroup: rbac.authorization.k8s.io 1719 kind: ClusterRole 1720 name: istio-pilot-default 1721 subjects: 1722 - kind: ServiceAccount 1723 name: istio-pilot-service-account 1724 namespace: default 1725 --- 1726 apiVersion: rbac.authorization.k8s.io/v1beta1 1727 kind: ClusterRoleBinding 1728 metadata: 1729 labels: 1730 app: istio-security 1731 chart: security-1.0.3 1732 heritage: Tiller 1733 release: istio 1734 name: istio-security-post-install-role-binding-default 1735 roleRef: 1736 apiGroup: rbac.authorization.k8s.io 1737 kind: ClusterRole 1738 name: istio-security-post-install-default 1739 subjects: 1740 - kind: ServiceAccount 1741 name: istio-security-post-install-account 1742 namespace: default 1743 --- 1744 apiVersion: rbac.authorization.k8s.io/v1beta1 1745 kind: ClusterRoleBinding 1746 metadata: 1747 labels: 1748 app: istio-sidecar-injector 1749 chart: sidecarInjectorWebhook-1.0.3 1750 heritage: Tiller 1751 release: istio 1752 name: istio-sidecar-injector-admin-role-binding-default 1753 roleRef: 1754 apiGroup: rbac.authorization.k8s.io 1755 kind: ClusterRole 1756 name: istio-sidecar-injector-default 1757 subjects: 1758 - kind: ServiceAccount 1759 name: istio-sidecar-injector-service-account 1760 namespace: default 1761 --- 1762 apiVersion: rbac.authorization.k8s.io/v1beta1 1763 kind: ClusterRoleBinding 1764 metadata: 1765 
name: prometheus-default 1766 roleRef: 1767 apiGroup: rbac.authorization.k8s.io 1768 kind: ClusterRole 1769 name: prometheus-default 1770 subjects: 1771 - kind: ServiceAccount 1772 name: prometheus 1773 namespace: default 1774 --- 1775 apiVersion: v1 1776 data: 1777 validatingwebhookconfiguration.yaml: |- 1778 apiVersion: admissionregistration.k8s.io/v1beta1 1779 kind: ValidatingWebhookConfiguration 1780 metadata: 1781 name: istio-galley 1782 namespace: default 1783 labels: 1784 app: istio-galley 1785 chart: galley-1.0.3 1786 release: istio 1787 heritage: Tiller 1788 webhooks: 1789 - name: pilot.validation.istio.io 1790 clientConfig: 1791 service: 1792 name: istio-galley 1793 namespace: default 1794 path: "/admitpilot" 1795 caBundle: "" 1796 rules: 1797 - operations: 1798 - CREATE 1799 - UPDATE 1800 apiGroups: 1801 - config.istio.io 1802 apiVersions: 1803 - v1alpha2 1804 resources: 1805 - httpapispecs 1806 - httpapispecbindings 1807 - quotaspecs 1808 - quotaspecbindings 1809 - operations: 1810 - CREATE 1811 - UPDATE 1812 apiGroups: 1813 - rbac.istio.io 1814 apiVersions: 1815 - "*" 1816 resources: 1817 - "*" 1818 - operations: 1819 - CREATE 1820 - UPDATE 1821 apiGroups: 1822 - authentication.istio.io 1823 apiVersions: 1824 - "*" 1825 resources: 1826 - "*" 1827 - operations: 1828 - CREATE 1829 - UPDATE 1830 apiGroups: 1831 - networking.istio.io 1832 apiVersions: 1833 - "*" 1834 resources: 1835 - destinationrules 1836 - envoyfilters 1837 - gateways 1838 - serviceentries 1839 - virtualservices 1840 failurePolicy: Fail 1841 - name: mixer.validation.istio.io 1842 clientConfig: 1843 service: 1844 name: istio-galley 1845 namespace: default 1846 path: "/admitmixer" 1847 caBundle: "" 1848 rules: 1849 - operations: 1850 - CREATE 1851 - UPDATE 1852 apiGroups: 1853 - config.istio.io 1854 apiVersions: 1855 - v1alpha2 1856 resources: 1857 - rules 1858 - attributemanifests 1859 - circonuses 1860 - deniers 1861 - fluentds 1862 - kubernetesenvs 1863 - listcheckers 1864 - memquotas 
1865 - noops 1866 - opas 1867 - prometheuses 1868 - rbacs 1869 - servicecontrols 1870 - solarwindses 1871 - stackdrivers 1872 - cloudwatches 1873 - dogstatsds 1874 - statsds 1875 - stdios 1876 - apikeys 1877 - authorizations 1878 - checknothings 1879 # - kuberneteses 1880 - listentries 1881 - logentries 1882 - metrics 1883 - quotas 1884 - reportnothings 1885 - servicecontrolreports 1886 - tracespans 1887 failurePolicy: Fail 1888 kind: ConfigMap 1889 metadata: 1890 labels: 1891 app: istio-galley 1892 chart: galley-1.0.3 1893 heritage: Tiller 1894 istio: mixer 1895 release: istio 1896 name: istio-galley-configuration 1897 namespace: default 1898 --- 1899 apiVersion: v1 1900 data: 1901 custom-resources.yaml: |- 1902 # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. 1903 apiVersion: "authentication.istio.io/v1alpha1" 1904 kind: "MeshPolicy" 1905 metadata: 1906 name: "default" 1907 labels: 1908 app: istio-security 1909 chart: security-1.0.3 1910 release: istio 1911 heritage: Tiller 1912 spec: 1913 peers: 1914 - mtls: 1915 mode: PERMISSIVE 1916 run.sh: |- 1917 #!/bin/sh 1918 1919 set -x 1920 1921 if [ "$#" -ne "1" ]; then 1922 echo "first argument should be path to custom resource yaml" 1923 exit 1 1924 fi 1925 1926 pathToResourceYAML=${1} 1927 1928 /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null 1929 if [ "$?" -eq 0 ]; then 1930 echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" 1931 while true; do 1932 /kubectl -n default get deployment istio-galley 2>/dev/null 1933 if [ "$?" -eq 0 ]; then 1934 break 1935 fi 1936 sleep 1 1937 done 1938 /kubectl -n default rollout status deployment istio-galley 1939 if [ "$?" 
-ne 0 ]; then 1940 echo "istio-galley deployment rollout status check failed" 1941 exit 1 1942 fi 1943 echo "istio-galley deployment ready for configuration validation" 1944 fi 1945 sleep 5 1946 /kubectl apply -f ${pathToResourceYAML} 1947 kind: ConfigMap 1948 metadata: 1949 labels: 1950 app: istio-security 1951 chart: security-1.0.3 1952 heritage: Tiller 1953 istio: security 1954 release: istio 1955 name: istio-security-custom-resources 1956 namespace: default 1957 --- 1958 apiVersion: v1 1959 data: 1960 config: "policy: enabled\ntemplate: |-\n initContainers:\n - name: istio-init\n image: \"gcr.io/istio-release/proxy_init:release-1.0-latest-daily\"\n args:\n - \"-p\"\n - [[ .MeshConfig.ProxyListenPort ]]\n - \"-u\"\n - 1337\n - \"-m\"\n - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]\n - \"-i\"\n - \"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` \"*\" ]]\"\n - \"-x\"\n - \"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` \"\" ]]\"\n - \"-b\"\n - \"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"\n - \"-d\"\n - \"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` \"\" ) ]]\"\n imagePullPolicy: IfNotPresent\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n privileged: true\n restartPolicy: Always\n containers:\n - name: istio-proxy\n image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` \"gcr.io/istio-release/proxyv2:release-1.0-latest-daily\" ]]\n\n ports:\n - containerPort: 15090\n protocol: TCP\n name: http-envoy-prom\n\n args:\n - proxy\n - sidecar\n - --configPath\n - [[ .ProxyConfig.ConfigPath ]]\n - --binaryPath\n - [[ .ProxyConfig.BinaryPath ]]\n - --serviceCluster\n [[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]\n - [[ index .ObjectMeta.Labels \"app\" ]]\n [[ 
else -]]\n - \"istio-proxy\"\n [[ end -]]\n - --drainDuration\n - [[ formatDuration .ProxyConfig.DrainDuration ]]\n - --parentShutdownDuration\n - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]]\n - --discoveryAddress\n - [[ .ProxyConfig.DiscoveryAddress ]]\n - --discoveryRefreshDelay\n - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]\n - --zipkinAddress\n - [[ .ProxyConfig.ZipkinAddress ]]\n - --connectTimeout\n - [[ formatDuration .ProxyConfig.ConnectTimeout ]]\n - --proxyAdminPort\n - [[ .ProxyConfig.ProxyAdminPort ]]\n [[ if gt .ProxyConfig.Concurrency 0 -]]\n - --concurrency\n - [[ .ProxyConfig.Concurrency ]]\n [[ end -]]\n - --controlPlaneAuthPolicy\n - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]\n [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) \"0\") ]]\n - --statusPort\n - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ]]\n - --applicationPorts\n - \"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"\n [[- end ]]\n env:\n - name: POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: POD_NAMESPACE\n valueFrom:\n fieldRef:\n fieldPath: metadata.namespace\n - name: INSTANCE_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n - name: ISTIO_META_POD_NAME\n valueFrom:\n fieldRef:\n fieldPath: metadata.name\n - name: ISTIO_META_INTERCEPTION_MODE\n value: [[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]\n [[ if .ObjectMeta.Annotations ]]\n - name: ISTIO_METAJSON_ANNOTATIONS\n value: |\n [[ toJson .ObjectMeta.Annotations ]]\n [[ end ]]\n [[ range $k,$v := .ObjectMeta.Labels ]]\n - name: ISTIO_META_[[ $k ]]\n value: \"[[ $v ]]\"\n [[ end ]]\n imagePullPolicy: IfNotPresent\n [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) \"0\") ]]\n readinessProbe:\n httpGet:\n path: 
/healthz/ready\n port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ]]\n initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]]\n periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]]\n failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]]\n [[ end -]]securityContext:\n \n readOnlyRootFilesystem: true\n [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]\n capabilities:\n add:\n - NET_ADMIN\n runAsGroup: 1337\n [[ else -]]\n runAsUser: 1337\n [[ end -]]\n restartPolicy: Always\n resources:\n [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]\n requests:\n cpu: \"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"\n memory: \"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"\n [[ else -]]\n requests:\n cpu: 10m\n \n [[ end -]]\n volumeMounts:\n - mountPath: /etc/istio/proxy\n name: istio-envoy\n - mountPath: /etc/certs/\n name: istio-certs\n readOnly: true\n volumes:\n - emptyDir:\n medium: Memory\n name: istio-envoy\n - name: istio-certs\n secret:\n optional: true\n [[ if eq .Spec.ServiceAccountName \"\" -]]\n secretName: istio.default\n [[ else -]]\n secretName: [[ printf \"istio.%s\" .Spec.ServiceAccountName ]]\n [[ end -]]" 1961 kind: ConfigMap 1962 metadata: 1963 labels: 1964 app: istio 1965 chart: istio-1.0.3 1966 heritage: Tiller 1967 istio: sidecar-injector 1968 release: istio 1969 name: istio-sidecar-injector 1970 namespace: default 1971 --- 1972 apiVersion: v1 1973 data: 1974 mapping.conf: "" 1975 kind: ConfigMap 1976 metadata: 1977 labels: 1978 app: istio-statsd-prom-bridge 1979 chart: mixer-1.0.3 1980 heritage: Tiller 1981 istio: mixer 1982 release: istio 1983 name: istio-statsd-prom-bridge 1984 namespace: default 1985 --- 1986 apiVersion: v1 1987 data: 1988 mesh: "# Set the following 
variable to true to disable policy checks by the Mixer.\n# Note that metrics will still be reported to the Mixer.\ndisablePolicyChecks: false\n\n# Set enableTracing to false to disable request tracing.\nenableTracing: true\n\n# Set accessLogFile to empty string to disable access log.\naccessLogFile: \"/dev/stdout\"\n#\n# Deprecated: mixer is using EDS\nmixerCheckServer: istio-policy.default.svc.cluster.local:9091\nmixerReportServer: istio-telemetry.default.svc.cluster.local:9091\n\n# policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.\n# Default is false which means the traffic is denied when the client is unable to connect to Mixer.\npolicyCheckFailOpen: false\n\n# Unix Domain Socket through which envoy communicates with NodeAgent SDS to get\n# key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. \nsdsUdsPath: \"\"\n\n# How frequently should Envoy fetch key/cert from NodeAgent.\nsdsRefreshDelay: 15s\n\n#\ndefaultConfig:\n #\n # TCP connection timeout between Envoy & the application, and between Envoys.\n connectTimeout: 10s\n #\n ### ADVANCED SETTINGS #############\n # Where should envoy's configuration be stored in the istio-proxy container\n configPath: \"/etc/istio/proxy\"\n binaryPath: \"/usr/local/bin/envoy\"\n # The pseudo service name used for Envoy.\n serviceCluster: istio-proxy\n # These settings that determine how long an old Envoy\n # process should be kept alive after an occasional reload.\n drainDuration: 45s\n parentShutdownDuration: 1m0s\n #\n # The mode used to redirect inbound connections to Envoy. 
This setting\n # has no effect on outbound traffic: iptables REDIRECT is always used for\n # outbound connections.\n # If \"REDIRECT\", use iptables REDIRECT to NAT and redirect to Envoy.\n # The \"REDIRECT\" mode loses source addresses during redirection.\n # If \"TPROXY\", use iptables TPROXY to redirect to Envoy.\n # The \"TPROXY\" mode preserves both the source and destination IP\n # addresses and ports, so that they can be used for advanced filtering\n # and manipulation.\n # The \"TPROXY\" mode also configures the sidecar to run with the\n # CAP_NET_ADMIN capability, which is required to use TPROXY.\n #interceptionMode: REDIRECT\n #\n # Port where Envoy listens (on local host) for admin commands\n # You can exec into the istio-proxy container in a pod and\n # curl the admin port (curl http://localhost:15000/) to obtain\n # diagnostic information from Envoy. See\n # https://lyft.github.io/envoy/docs/operations/admin.html\n # for more details\n proxyAdminPort: 15000\n #\n # Set concurrency to a specific number to control the number of Proxy worker threads.\n # If set to 0 (default), then start worker thread for each CPU thread/core.\n concurrency: 0\n #\n # Zipkin trace collector\n zipkinAddress: zipkin.default:9411\n #\n # Mutual TLS authentication between sidecars and istio control plane.\n controlPlaneAuthPolicy: NONE\n #\n # Address where istio Pilot service is running\n discoveryAddress: istio-pilot.default:15007" 1989 kind: ConfigMap 1990 metadata: 1991 labels: 1992 app: istio 1993 chart: istio-1.0.3 1994 heritage: Tiller 1995 release: istio 1996 name: istio 1997 namespace: default 1998 --- 1999 apiVersion: v1 2000 data: 2001 prometheus.yml: |- 2002 global: 2003 scrape_interval: 15s 2004 scrape_configs: 2005 2006 - job_name: 'istio-mesh' 2007 # Override the global default and scrape targets from this job every 5 seconds. 
2008 scrape_interval: 5s 2009 2010 kubernetes_sd_configs: 2011 - role: endpoints 2012 namespaces: 2013 names: 2014 - default 2015 2016 relabel_configs: 2017 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2018 action: keep 2019 regex: istio-telemetry;prometheus 2020 2021 2022 # Scrape config for envoy stats 2023 - job_name: 'envoy-stats' 2024 metrics_path: /stats/prometheus 2025 kubernetes_sd_configs: 2026 - role: pod 2027 2028 relabel_configs: 2029 - source_labels: [__meta_kubernetes_pod_container_port_name] 2030 action: keep 2031 regex: '.*-envoy-prom' 2032 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 2033 action: replace 2034 regex: ([^:]+)(?::\d+)?;(\d+) 2035 replacement: $1:15090 2036 target_label: __address__ 2037 - action: labelmap 2038 regex: __meta_kubernetes_pod_label_(.+) 2039 - source_labels: [__meta_kubernetes_namespace] 2040 action: replace 2041 target_label: namespace 2042 - source_labels: [__meta_kubernetes_pod_name] 2043 action: replace 2044 target_label: pod_name 2045 2046 metric_relabel_configs: 2047 # Exclude some of the envoy metrics that have massive cardinality 2048 # This list may need to be pruned further moving forward, as informed 2049 # by performance and scalability testing. 
2050 - source_labels: [ cluster_name ] 2051 regex: '(outbound|inbound|prometheus_stats).*' 2052 action: drop 2053 - source_labels: [ tcp_prefix ] 2054 regex: '(outbound|inbound|prometheus_stats).*' 2055 action: drop 2056 - source_labels: [ listener_address ] 2057 regex: '(.+)' 2058 action: drop 2059 - source_labels: [ http_conn_manager_listener_prefix ] 2060 regex: '(.+)' 2061 action: drop 2062 - source_labels: [ http_conn_manager_prefix ] 2063 regex: '(.+)' 2064 action: drop 2065 - source_labels: [ __name__ ] 2066 regex: 'envoy_tls.*' 2067 action: drop 2068 - source_labels: [ __name__ ] 2069 regex: 'envoy_tcp_downstream.*' 2070 action: drop 2071 - source_labels: [ __name__ ] 2072 regex: 'envoy_http_(stats|admin).*' 2073 action: drop 2074 - source_labels: [ __name__ ] 2075 regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' 2076 action: drop 2077 2078 2079 - job_name: 'istio-policy' 2080 # Override the global default and scrape targets from this job every 5 seconds. 2081 scrape_interval: 5s 2082 # metrics_path defaults to '/metrics' 2083 # scheme defaults to 'http'. 2084 2085 kubernetes_sd_configs: 2086 - role: endpoints 2087 namespaces: 2088 names: 2089 - default 2090 2091 2092 relabel_configs: 2093 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2094 action: keep 2095 regex: istio-policy;http-monitoring 2096 2097 - job_name: 'istio-telemetry' 2098 # Override the global default and scrape targets from this job every 5 seconds. 2099 scrape_interval: 5s 2100 # metrics_path defaults to '/metrics' 2101 # scheme defaults to 'http'. 
2102 2103 kubernetes_sd_configs: 2104 - role: endpoints 2105 namespaces: 2106 names: 2107 - default 2108 2109 relabel_configs: 2110 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2111 action: keep 2112 regex: istio-telemetry;http-monitoring 2113 2114 - job_name: 'pilot' 2115 # Override the global default and scrape targets from this job every 5 seconds. 2116 scrape_interval: 5s 2117 # metrics_path defaults to '/metrics' 2118 # scheme defaults to 'http'. 2119 2120 kubernetes_sd_configs: 2121 - role: endpoints 2122 namespaces: 2123 names: 2124 - default 2125 2126 relabel_configs: 2127 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2128 action: keep 2129 regex: istio-pilot;http-monitoring 2130 2131 - job_name: 'galley' 2132 # Override the global default and scrape targets from this job every 5 seconds. 2133 scrape_interval: 5s 2134 # metrics_path defaults to '/metrics' 2135 # scheme defaults to 'http'. 2136 2137 kubernetes_sd_configs: 2138 - role: endpoints 2139 namespaces: 2140 names: 2141 - default 2142 2143 relabel_configs: 2144 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2145 action: keep 2146 regex: istio-galley;http-monitoring 2147 2148 # scrape config for API servers 2149 - job_name: 'kubernetes-apiservers' 2150 kubernetes_sd_configs: 2151 - role: endpoints 2152 namespaces: 2153 names: 2154 - default 2155 scheme: https 2156 tls_config: 2157 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 2158 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 2159 relabel_configs: 2160 - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] 2161 action: keep 2162 regex: kubernetes;https 2163 2164 # scrape config for nodes (kubelet) 2165 - job_name: 'kubernetes-nodes' 2166 scheme: https 2167 tls_config: 2168 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 2169 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 2170 kubernetes_sd_configs: 2171 - role: node 2172 relabel_configs: 2173 - action: labelmap 2174 regex: __meta_kubernetes_node_label_(.+) 2175 - target_label: __address__ 2176 replacement: kubernetes.default.svc:443 2177 - source_labels: [__meta_kubernetes_node_name] 2178 regex: (.+) 2179 target_label: __metrics_path__ 2180 replacement: /api/v1/nodes/${1}/proxy/metrics 2181 2182 # Scrape config for Kubelet cAdvisor. 2183 # 2184 # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics 2185 # (those whose names begin with 'container_') have been removed from the 2186 # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to 2187 # retrieve those metrics. 2188 # 2189 # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor 2190 # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" 2191 # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with 2192 # the --cadvisor-port=0 Kubelet flag). 2193 # 2194 # This job is not necessary and should be removed in Kubernetes 1.6 and 2195 # earlier versions, or it will cause the metrics to be scraped twice. 2196 - job_name: 'kubernetes-cadvisor' 2197 scheme: https 2198 tls_config: 2199 ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt 2200 bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token 2201 kubernetes_sd_configs: 2202 - role: node 2203 relabel_configs: 2204 - action: labelmap 2205 regex: __meta_kubernetes_node_label_(.+) 2206 - target_label: __address__ 2207 replacement: kubernetes.default.svc:443 2208 - source_labels: [__meta_kubernetes_node_name] 2209 regex: (.+) 2210 target_label: __metrics_path__ 2211 replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor 2212 2213 # scrape config for service endpoints. 
2214 - job_name: 'kubernetes-service-endpoints' 2215 kubernetes_sd_configs: 2216 - role: endpoints 2217 relabel_configs: 2218 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] 2219 action: keep 2220 regex: true 2221 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] 2222 action: replace 2223 target_label: __scheme__ 2224 regex: (https?) 2225 - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] 2226 action: replace 2227 target_label: __metrics_path__ 2228 regex: (.+) 2229 - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] 2230 action: replace 2231 target_label: __address__ 2232 regex: ([^:]+)(?::\d+)?;(\d+) 2233 replacement: $1:$2 2234 - action: labelmap 2235 regex: __meta_kubernetes_service_label_(.+) 2236 - source_labels: [__meta_kubernetes_namespace] 2237 action: replace 2238 target_label: kubernetes_namespace 2239 - source_labels: [__meta_kubernetes_service_name] 2240 action: replace 2241 target_label: kubernetes_name 2242 2243 - job_name: 'kubernetes-pods' 2244 kubernetes_sd_configs: 2245 - role: pod 2246 relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. 
2247 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 2248 action: keep 2249 regex: true 2250 - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] 2251 action: drop 2252 regex: (.+) 2253 - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] 2254 action: drop 2255 regex: (true) 2256 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 2257 action: replace 2258 target_label: __metrics_path__ 2259 regex: (.+) 2260 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 2261 action: replace 2262 regex: ([^:]+)(?::\d+)?;(\d+) 2263 replacement: $1:$2 2264 target_label: __address__ 2265 - action: labelmap 2266 regex: __meta_kubernetes_pod_label_(.+) 2267 - source_labels: [__meta_kubernetes_namespace] 2268 action: replace 2269 target_label: namespace 2270 - source_labels: [__meta_kubernetes_pod_name] 2271 action: replace 2272 target_label: pod_name 2273 2274 - job_name: 'kubernetes-pods-istio-secure' 2275 scheme: https 2276 tls_config: 2277 ca_file: /etc/istio-certs/root-cert.pem 2278 cert_file: /etc/istio-certs/cert-chain.pem 2279 key_file: /etc/istio-certs/key.pem 2280 insecure_skip_verify: true # prometheus does not support secure naming. 2281 kubernetes_sd_configs: 2282 - role: pod 2283 relabel_configs: 2284 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] 2285 action: keep 2286 regex: true 2287 # sidecar status annotation is added by sidecar injector and 2288 # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. 
2289 - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] 2290 action: keep 2291 regex: (([^;]+);([^;]*))|(([^;]*);(true)) 2292 - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] 2293 action: replace 2294 target_label: __metrics_path__ 2295 regex: (.+) 2296 - source_labels: [__address__] # Only keep address that is host:port 2297 action: keep # otherwise an extra target with ':443' is added for https scheme 2298 regex: ([^:]+):(\d+) 2299 - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] 2300 action: replace 2301 regex: ([^:]+)(?::\d+)?;(\d+) 2302 replacement: $1:$2 2303 target_label: __address__ 2304 - action: labelmap 2305 regex: __meta_kubernetes_pod_label_(.+) 2306 - source_labels: [__meta_kubernetes_namespace] 2307 action: replace 2308 target_label: namespace 2309 - source_labels: [__meta_kubernetes_pod_name] 2310 action: replace 2311 target_label: pod_name 2312 kind: ConfigMap 2313 metadata: 2314 labels: 2315 app: prometheus 2316 chart: prometheus-1.0.3 2317 heritage: Tiller 2318 release: istio 2319 name: prometheus 2320 namespace: default 2321 --- 2322 apiVersion: v1 2323 kind: Service 2324 metadata: 2325 labels: 2326 app: istio-citadel 2327 name: istio-citadel 2328 namespace: default 2329 spec: 2330 ports: 2331 - name: grpc-citadel 2332 port: 8060 2333 protocol: TCP 2334 targetPort: 8060 2335 - name: http-monitoring 2336 port: 9093 2337 selector: 2338 istio: citadel 2339 --- 2340 apiVersion: v1 2341 kind: Service 2342 metadata: 2343 annotations: null 2344 labels: 2345 app: istio-egressgateway 2346 chart: gateways-1.0.3 2347 heritage: Tiller 2348 istio: egressgateway 2349 release: istio 2350 name: istio-egressgateway 2351 namespace: default 2352 spec: 2353 ports: 2354 - name: http2 2355 port: 80 2356 - name: https 2357 port: 443 2358 selector: 2359 app: istio-egressgateway 2360 istio: egressgateway 2361 type: ClusterIP 2362 --- 2363 
# Galley service: 443 is the validation webhook endpoint referenced by the
# ValidatingWebhookConfiguration (service istio-galley), 9093 is monitoring.
apiVersion: v1
kind: Service
metadata:
  labels:
    istio: galley
  name: istio-galley
  namespace: default
spec:
  ports:
  - name: https-validation
    port: 443
  - name: http-monitoring
    port: 9093
  selector:
    istio: galley
---
# Ingress gateway service - the mesh's externally facing entry point.
# SECURITY: besides application traffic (80/443/31400) this Service also lists
# ports named for control-plane and observability components (pilot gRPC TLS
# 15011, citadel gRPC TLS 8060, DNS-over-TLS 853, prometheus 15030, grafana
# 15031). Whether they are reachable from outside depends on the Service type
# and on the Gateway resources bound to them; drop the ones not needed.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: istio-ingressgateway
    chart: gateways-1.0.3
    heritage: Tiller
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: default
spec:
  ports:
  # Fixed nodePorts: with a NodePort/LoadBalancer type these open 31380, 31390
  # and 31400 on every node.
  - name: http2
    nodePort: 31380
    port: 80
    targetPort: 80
  - name: https
    nodePort: 31390
    port: 443
  - name: tcp
    nodePort: 31400
    port: 31400
  - name: tcp-pilot-grpc-tls
    port: 15011
    targetPort: 15011
  - name: tcp-citadel-grpc-tls
    port: 8060
    targetPort: 8060
  - name: tcp-dns-tls
    port: 853
    targetPort: 853
  - name: http2-prometheus
    port: 15030
    targetPort: 15030
  - name: http2-grafana
    port: 15031
    targetPort: 15031
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  # FORKED_SERVICE_TYPE is not a Kubernetes Service type (ClusterIP, NodePort,
  # LoadBalancer, ExternalName).
  # NOTE(review): looks like a marker value written by the unfork integration
  # test this expected-output file belongs to - confirm; the API server would
  # reject it as-is.
  type: FORKED_SERVICE_TYPE
---
# Pilot service. 15010 (grpc-xds) and 8080 (http-legacy-discovery) sit next to
# the TLS port 15011 (https-xds).
# NOTE(review): going by the port names, 15010 and 8080 are plaintext
# discovery endpoints - confirm, and restrict with NetworkPolicy if so.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: istio-pilot
    chart: pilot-1.0.3
    heritage: Tiller
    release: istio
  name: istio-pilot
  namespace: default
spec:
  ports:
  - name: grpc-xds
    port: 15010
  - name: https-xds
    port: 15011
  - name: http-legacy-discovery
    port: 8080
  - name: http-monitoring
    port: 9093
  selector:
    istio: pilot
---
# Mixer policy service.
apiVersion: v1
kind: Service
metadata:
  labels:
    chart: mixer-1.0.3
    istio: mixer
    release: istio
  name: istio-policy
  namespace: default
spec:
  ports:
  - name: grpc-mixer
    port: 9091
  - name: grpc-mixer-mtls
    port: 15004
  # FORKED_HTTP_MONITORING is not a port number.
  # NOTE(review): presumably another unfork test marker (the sibling services
  # use 9093 for http-monitoring) - confirm.
  - name: http-monitoring
    port: FORKED_HTTP_MONITORING
  selector:
    istio: mixer
    istio-mixer-type: policy
---
# Sidecar injector webhook endpoint (443).
apiVersion: v1
kind: Service
metadata:
  labels:
    istio: sidecar-injector
  name: istio-sidecar-injector
  namespace: default
spec:
  ports:
  - port: 443
  selector:
    istio: sidecar-injector
---
# Mixer telemetry service; 42422 is the port the istio-mesh scrape job selects
# by its name "prometheus".
apiVersion: v1
kind: Service
metadata:
  labels:
    chart: mixer-1.0.3
    istio: mixer
    release: istio
  name: istio-telemetry
  namespace: default
spec:
  ports:
  - name: grpc-mixer
    port: 9091
  - name: grpc-mixer-mtls
    port: 15004
  - name: http-monitoring
    port: 9093
  - name: prometheus
    port: 42422
  selector:
    istio: mixer
    istio-mixer-type: telemetry
---
# Prometheus UI/API service (9090). No authentication is configured in this
# file; access control has to come from the network layer or a fronting proxy.
apiVersion: v1
kind: Service
metadata:
  annotations:
    prometheus.io/scrape: "true"
  labels:
    name: prometheus
  name: prometheus
  namespace: default
spec:
  ports:
  - name: http-prometheus
    port: 9090
    protocol: TCP
  selector:
    app: prometheus
---
# Citadel (mesh CA) deployment.
# extensions/v1beta1 Deployments are a deprecated API group/version; newer
# clusters serve Deployments from apps/v1 only.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: security
    chart: security-1.0.3
    heritage: Tiller
    istio: citadel
    release: istio
  name: istio-citadel
  namespace: default
spec:
  # Single replica of the component that issues workload certificates.
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        istio: citadel
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      # SECURITY: no securityContext and no resource limits are set on this
      # container in this rendering.
      - args:
        - --append-dns-names=true
        - --grpc-port=8060
        - --grpc-hostname=citadel
        # CA material is stored in the "default" namespace.
        - --citadel-storage-namespace=default
        - --custom-dns-names=istio-pilot-service-account.default:istio-pilot.default,istio-ingressgateway-service-account.default:istio-ingressgateway.default
        # Citadel creates its own self-signed root rather than using an
        # operator-supplied CA.
        # NOTE(review): the root key then lives in-cluster - confirm where it is
        # stored and who can read secrets in that namespace.
        - --self-signed-ca=true
        # Moving tag + IfNotPresent: the build that runs depends on node cache;
        # pin a version or digest for an auditable CA component.
        image: gcr.io/istio-release/citadel:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        name: citadel
        resources:
          requests:
            cpu: 10m
      serviceAccountName: istio-citadel-service-account
---
# Egress gateway deployment (Envoy in "router" mode).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: istio-egressgateway
    chart: gateways-1.0.3
    heritage: Tiller
    istio: egressgateway
    release: istio
  name: istio-egressgateway
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-egressgateway
        istio: egressgateway
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      # SECURITY: no securityContext is set on this container in this rendering
      # (the injected sidecar template, by contrast, sets
      # readOnlyRootFilesystem and runAsUser).
      - args:
        - proxy
        - router
        - -v
        - "2"
        - --discoveryRefreshDelay
        - 1s
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --connectTimeout
        - 10s
        - --serviceCluster
        - istio-egressgateway
        - --zipkinAddress
        - zipkin:9411
        - --proxyAdminPort
        - "15000"
        # SECURITY: control-plane auth is NONE and discovery goes to
        # istio-pilot:8080, the port the istio-pilot Service names
        # http-legacy-discovery; the gateway's configuration channel is therefore
        # not mutually authenticated in this rendering.
        - --controlPlaneAuthPolicy
        - NONE
        - --discoveryAddress
        - istio-pilot:8080
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        # Moving tag + IfNotPresent, as for citadel above in this file's images.
        image: gcr.io/istio-release/proxyv2:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /etc/istio/egressgateway-certs
          name: egressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/egressgateway-ca-certs
          name: egressgateway-ca-certs
          readOnly: true
      serviceAccountName: istio-egressgateway-service-account
      volumes:
      # All three secret volumes are optional: true, so the pod starts even when
      # the certificates are absent; a missing cert is not caught at scheduling.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-egressgateway-service-account
      - name: egressgateway-certs
        secret:
          optional: true
          secretName: istio-egressgateway-certs
      - name: egressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-egressgateway-ca-certs
---
apiVersion: extensions/v1beta1
kind: Deployment
# Galley Deployment (validation webhook server).
metadata:
  labels:
    app: galley
    chart: galley-1.0.3
    heritage: Tiller
    istio: galley
    release: istio
  name: istio-galley
  namespace: default
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        istio: galley
    spec:
      # Scheduling is restricted to amd64, ppc64le or s390x nodes, with an
      # equal-weight preference for each.
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      # No securityContext and no resource limits are set on this container;
      # only a CPU request is given.
      - command:
        - /usr/local/bin/galley
        - validator
        - --deployment-namespace=default
        - --caCertFile=/etc/istio/certs/root-cert.pem
        - --tlsCertFile=/etc/istio/certs/cert-chain.pem
        - --tlsKeyFile=/etc/istio/certs/key.pem
        - --healthCheckInterval=1s
        - --healthCheckFile=/health
        - --webhook-config-file
        - /etc/istio/config/validatingwebhookconfiguration.yaml
        # `release-1.0-latest-daily` is a moving tag. Combined with
        # IfNotPresent, each node keeps whichever build it pulled first, so
        # the running image is neither pinned nor reproducible; pin by digest
        # where image provenance matters. The same tag scheme is used by the
        # other gcr.io/istio-release images below.
        image: gcr.io/istio-release/galley:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - /usr/local/bin/galley
            - probe
            - --probe-path=/health
            - --interval=10s
          initialDelaySeconds: 5
          periodSeconds: 5
        name: validator
        ports:
        - containerPort: 443
        - containerPort: 9093
        readinessProbe:
          exec:
            command:
            - /usr/local/bin/galley
            - probe
            - --probe-path=/health
            - --interval=10s
          # NOTE(review): initialDelaySeconds must be an integer;
          # FORKED_INITIAL_DELAY_SECONDS looks like a fixture marker (the
          # liveness probe above uses 5).
          initialDelaySeconds: FORKED_INITIAL_DELAY_SECONDS
          periodSeconds: 5
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/istio/certs
          name: certs
          readOnly: true
        - mountPath: /etc/istio/config
          name: config
          readOnly: true
      serviceAccountName: istio-galley-service-account
      volumes:
      # Unlike the gateway cert volumes, this secret is not optional: the pod
      # cannot start until the secret exists.
      - name: certs
        secret:
          secretName: istio.istio-galley-service-account
      - configMap:
          name: istio-galley-configuration
        name: config
---
# Ingress gateway Deployment (Envoy proxy in router mode).
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: istio-ingressgateway
    chart: gateways-1.0.3
    heritage: Tiller
    istio: ingressgateway
    release: istio
  name: istio-ingressgateway
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: istio-ingressgateway
        istio: ingressgateway
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - proxy
        - router
        - -v
        - "2"
        - --discoveryRefreshDelay
        - 1s
        - --drainDuration
        - 45s
        - --parentShutdownDuration
        - 1m0s
        - --connectTimeout
        - 10s
        - --serviceCluster
        - istio-ingressgateway
        - --zipkinAddress
        - zipkin:9411
        - --proxyAdminPort
        - "15000"
        # Control-plane authentication is disabled and discovery goes to
        # istio-pilot:8080, so the channel that delivers this edge proxy's
        # configuration is not mutually authenticated in this render.
        - --controlPlaneAuthPolicy
        - NONE
        - --discoveryAddress
        - istio-pilot:8080
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        image: gcr.io/istio-release/proxyv2:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 80
        - containerPort: 443
        - containerPort: 31400
        - containerPort: 15011
        - containerPort: 8060
        - containerPort: 853
        - containerPort: 15030
        - containerPort: 15031
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-certs
          name: ingressgateway-certs
          readOnly: true
        - mountPath: /etc/istio/ingressgateway-ca-certs
          name: ingressgateway-ca-certs
          readOnly: true
      serviceAccountName: istio-ingressgateway-service-account
      volumes:
      # All three secrets are `optional: true`: the gateway starts even when
      # its TLS material is absent, so a missing secret does not fail closed.
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-ingressgateway-service-account
      - name: ingressgateway-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-certs
      - name: ingressgateway-ca-certs
        secret:
          optional: true
          secretName: istio-ingressgateway-ca-certs
---
# Pilot Deployment: a `discovery` container plus an istio-proxy sidecar.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9
  labels:
    app: istio-pilot
    chart: pilot-1.0.3
    heritage: Tiller
    istio: pilot
    release: istio
  name: istio-pilot
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: pilot
        istio: pilot
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - discovery
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: PILOT_CACHE_SQUASH
          value: "5"
        - name: GODEBUG
          value: gctrace=2
        - name: PILOT_PUSH_THROTTLE_COUNT
          value: "100"
        - name: PILOT_TRACE_SAMPLING
          value: "1"
        image: gcr.io/istio-release/pilot:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        name: discovery
        ports:
        - containerPort: 8080
        - containerPort: 15010
        readinessProbe:
          httpGet:
            path: /ready
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 30
          timeoutSeconds: 5
        resources:
          requests:
            cpu: 500m
            memory: 2048Mi
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
      - args:
        - proxy
        - --serviceCluster
        - istio-pilot
        - --templateFile
        - /etc/istio/proxy/envoy_pilot.yaml.tmpl
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: gcr.io/istio-release/proxyv2:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15003
        - containerPort: 15005
        - containerPort: 15007
        - containerPort: 15011
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
      serviceAccountName: istio-pilot-service-account
      volumes:
      - configMap:
          name: istio
        name: config-volume
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-pilot-service-account
---
# Mixer policy Deployment: the mixer container listens on a Unix socket in a
# shared emptyDir, and the istio-proxy sidecar mounts the same volume.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    chart: mixer-1.0.3
    istio: mixer
    release: istio
  name: istio-policy
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: policy
        istio: mixer
        istio-mixer-type: policy
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - --address
        - unix:///sock/mixer.socket
        - --configStoreURL=k8s://
        - --configDefaultNamespace=default
        # Trace spans are sent to Zipkin over plain HTTP.
        - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
        env:
        - name: GODEBUG
          value: gctrace=2
        image: gcr.io/istio-release/mixer:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /version
            port: 9093
          initialDelaySeconds: 5
          periodSeconds: 5
        name: mixer
        ports:
        - containerPort: 9093
        - containerPort: 42422
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /sock
          name: uds-socket
      - args:
        - proxy
        - --serviceCluster
        - istio-policy
        - --templateFile
        - /etc/istio/proxy/envoy_policy.yaml.tmpl
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: gcr.io/istio-release/proxyv2:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      serviceAccountName: istio-mixer-service-account
      volumes:
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-mixer-service-account
      - emptyDir: {}
        name: uds-socket
---
# Sidecar injector webhook Deployment. It serves TLS with the certificate
# files mounted from the `certs` secret volume.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: sidecarInjectorWebhook
    chart: sidecarInjectorWebhook-1.0.3
    heritage: Tiller
    istio: sidecar-injector
    release: istio
  name: istio-sidecar-injector
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        istio: sidecar-injector
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - --caCertFile=/etc/istio/certs/root-cert.pem
        - --tlsCertFile=/etc/istio/certs/cert-chain.pem
        - --tlsKeyFile=/etc/istio/certs/key.pem
        - --injectConfig=/etc/istio/inject/config
        - --meshConfig=/etc/istio/config/mesh
        - --healthCheckInterval=2s
        - --healthCheckFile=/health
        image: gcr.io/istio-release/sidecar_injector:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - /usr/local/bin/sidecar-injector
            - probe
            - --probe-path=/health
            - --interval=4s
          initialDelaySeconds: 4
          periodSeconds: 4
        name: sidecar-injector-webhook
        readinessProbe:
          exec:
            command:
            - /usr/local/bin/sidecar-injector
            - probe
            - --probe-path=/health
            - --interval=4s
          initialDelaySeconds: 4
          periodSeconds: 4
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/istio/config
          name: config-volume
          readOnly: true
        - mountPath: /etc/istio/certs
          name: certs
          readOnly: true
        - mountPath: /etc/istio/inject
          name: inject-config
          readOnly: true
      serviceAccountName: istio-sidecar-injector-service-account
      volumes:
      - configMap:
          name: istio
        name: config-volume
      - name: certs
        secret:
          secretName: istio.istio-sidecar-injector-service-account
      # The injection template comes from the `config` key of the
      # istio-sidecar-injector ConfigMap; write access to that ConfigMap
      # therefore decides what the webhook injects (RBAC not visible here).
      - configMap:
          items:
          - key: config
            path: config
          name: istio-sidecar-injector
        name: inject-config
---
# Mixer telemetry Deployment. Unlike the other Deployments in this file, the
# pod spec carries no node affinity block.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    chart: mixer-1.0.3
    istio: mixer
    release: istio
  name: istio-telemetry
  namespace: default
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: telemetry
        istio: mixer
        istio-mixer-type: telemetry
    spec:
      containers:
      - args:
        - --address
        - unix:///sock/mixer.socket
        - --configStoreURL=k8s://
        - --configDefaultNamespace=default
        - --trace_zipkin_url=http://zipkin:9411/api/v1/spans
        env:
        - name: GODEBUG
          value: gctrace=2
        image: gcr.io/istio-release/mixer:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /version
            port: 9093
          initialDelaySeconds: 5
          periodSeconds: 5
        name: mixer
        ports:
        - containerPort: 9093
        - containerPort: 42422
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /sock
          name: uds-socket
      - args:
        - proxy
        - --serviceCluster
        - istio-telemetry
        - --templateFile
        - /etc/istio/proxy/envoy_telemetry.yaml.tmpl
        - --controlPlaneAuthPolicy
        - NONE
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        image: gcr.io/istio-release/proxyv2:release-1.0-latest-daily
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15090
          name: http-envoy-prom
          protocol: TCP
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/certs
          name: istio-certs
          readOnly: true
        - mountPath: /sock
          name: uds-socket
      serviceAccountName: istio-mixer-service-account
      volumes:
      - name: istio-certs
        secret:
          optional: true
          secretName: istio.istio-mixer-service-account
      - emptyDir: {}
        name: uds-socket
---
# Prometheus Deployment; the only Deployment here with an explicit selector.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: prometheus
    chart: prometheus-1.0.3
    heritage: Tiller
    release: istio
  name: prometheus
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus
  template:
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
        sidecar.istio.io/inject: "false"
      labels:
        app: prometheus
    spec:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - ppc64le
            weight: 2
          - preference:
              matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - s390x
            weight: 2
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
                - ppc64le
                - s390x
      containers:
      - args:
        - --storage.tsdb.retention=6h
        - --config.file=/etc/prometheus/prometheus.yml
        image: docker.io/prom/prometheus:v2.3.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /-/healthy
            port: 9090
        name: prometheus
        ports:
        - containerPort: 9090
          name: http
        readinessProbe:
          httpGet:
            path: /-/ready
            port: 9090
        resources:
          requests:
            cpu: 10m
        volumeMounts:
        - mountPath: /etc/prometheus
          name: config-volume
        - mountPath: /etc/istio-certs
          name: istio-certs
      serviceAccountName: prometheus
      volumes:
      - configMap:
          name: prometheus
        name: config-volume
      - name: istio-certs
        secret:
          # 420 is decimal for octal 0644: the mounted secret files, private
          # key included if the secret holds one, are world-readable inside
          # the container. This mount is also not marked readOnly.
          defaultMode: 420
          optional: true
          secretName: istio.default
---
# HorizontalPodAutoscalers: 1 to 5 replicas at 80% average CPU utilization.
# scaleTargetRef addresses each Deployment through apps/v1beta1, while the
# Deployment documents in this file are declared as extensions/v1beta1.
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-egressgateway
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-egressgateway
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-ingressgateway
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-ingressgateway
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-pilot
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-pilot
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-policy
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-policy
---
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
  name: istio-telemetry
  namespace: default
spec:
  maxReplicas: 5
  metrics:
  - resource:
      name: cpu
      targetAverageUtilization: 80
    type: Resource
  minReplicas: 1
  scaleTargetRef:
    apiVersion: apps/v1beta1
    kind: Deployment
    name: istio-telemetry
---
# Helm post-delete hook that removes Istio-issued secrets.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-delete
    helm.sh/hook-delete-policy: hook-succeeded
    helm.sh/hook-weight: "3"
  labels:
    app: security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-cleanup-secrets
  namespace: default
spec:
  template:
    metadata:
      labels:
        app: security
        release: istio
      name: istio-cleanup-secrets
    spec:
      containers:
      # The script lists secrets in every namespace and deletes each row that
      # grep matches. The match is on the whole text row of `kubectl get`
      # output, not on a type field selector, and $entry/$name/$ns are
      # expanded unquoted. The job's service account therefore needs
      # cluster-wide list and delete on secrets (its RBAC is not visible
      # here; confirm it is scoped no wider than that).
      - command:
        - /bin/bash
        - -c
        - |
          kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
            ns=$(echo $entry | awk '{print $1}');
            name=$(echo $entry | awk '{print $2}');
            kubectl delete secret $name -n $ns;
          done
        # Pinned to a Kubernetes 1.7-era hyperkube image.
        image: quay.io/coreos/hyperkube:v1.7.6_coreos.0
        name: hyperkube
      restartPolicy: OnFailure
      serviceAccountName: istio-cleanup-secrets-service-account
---
# Helm post-install hook that runs a script taken from a ConfigMap.
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install
    helm.sh/hook-delete-policy: hook-succeeded
  labels:
    app: istio-security
    chart: security-1.0.3
    heritage: Tiller
    release: istio
  name: istio-security-post-install
  namespace: default
spec:
  template:
    metadata:
      labels:
        app: istio-security
        release: istio
      name: istio-security-post-install
    spec:
      containers:
      # Both run.sh and custom-resources.yaml are read from the mounted
      # ConfigMap, so whoever can edit istio-security-custom-resources
      # controls what this job executes under its service account.
      - command:
        - /bin/bash
        - /tmp/security/run.sh
        - /tmp/security/custom-resources.yaml
        image: quay.io/coreos/hyperkube:v1.7.6_coreos.0
        name: hyperkube
        volumeMounts:
        - mountPath: /tmp/security
          name: tmp-configmap-security
      restartPolicy: OnFailure
      serviceAccountName: istio-security-post-install-account
      volumes:
      - configMap:
          name: istio-security-custom-resources
        name: tmp-configmap-security
---
# Mixer attribute manifest for attributes reported by the proxy. Several
# entries carry credentials or client-controlled data (request.api_key,
# request.auth.raw_claims, request.headers); treat any rule or log template
# that reads them accordingly.
apiVersion: config.istio.io/v1alpha2
kind: attributemanifest
metadata:
  name: istioproxy
  namespace: default
spec:
  attributes:
    api.operation:
      valueType: STRING
    api.protocol:
      valueType: STRING
    api.service:
      valueType: STRING
    api.version:
      valueType: STRING
    connection.duration:
      valueType: DURATION
    connection.event:
      valueType: STRING
    connection.id:
      valueType: STRING
    connection.mtls:
      valueType: BOOL
    connection.received.bytes:
      valueType: INT64
    connection.received.bytes_total:
      valueType: INT64
    connection.requested_server_name:
      valueType: STRING
    connection.sent.bytes:
      valueType: INT64
    connection.sent.bytes_total:
      valueType: INT64
    context.protocol:
      valueType: STRING
    context.reporter.kind:
      valueType: STRING
    context.reporter.local:
      valueType: BOOL
    context.reporter.uid:
      valueType: STRING
    context.time:
      valueType: TIMESTAMP
    context.timestamp:
      valueType: TIMESTAMP
    destination.port:
      valueType: INT64
    destination.principal:
      valueType: STRING
    destination.uid:
      valueType: STRING
    origin.ip:
      valueType: IP_ADDRESS
    origin.uid:
      valueType: STRING
    origin.user:
      valueType: STRING
    request.api_key:
      valueType: STRING
    request.auth.audiences:
      valueType: STRING
    request.auth.claims:
      valueType: STRING_MAP
    request.auth.presenter:
      valueType: STRING
    request.auth.principal:
      valueType: STRING
    request.auth.raw_claims:
      valueType: STRING
    request.headers:
      valueType: STRING_MAP
    request.host:
      valueType: STRING
    request.id:
      valueType: STRING
    request.method:
      valueType: STRING
    request.path:
      valueType: STRING
    request.reason:
      valueType: STRING
    request.referer:
      valueType: STRING
    request.scheme:
      valueType: STRING
    request.size:
      valueType: INT64
    request.time:
      valueType: TIMESTAMP
    request.total_size:
      valueType: INT64
    request.useragent:
      valueType: STRING
    response.code:
      valueType: INT64
    response.duration:
      valueType: DURATION
    response.headers:
      valueType: STRING_MAP
    response.size:
      valueType: INT64
    response.time:
      valueType: TIMESTAMP
    response.total_size:
      valueType: INT64
    source.principal:
      valueType: STRING
    source.uid:
      valueType: STRING
    source.user:
      valueType: STRING
---
# Attribute manifest for the Kubernetes-derived source/destination attributes.
apiVersion: config.istio.io/v1alpha2
kind: attributemanifest
metadata:
  name: kubernetes
  namespace: default
spec:
  attributes:
    destination.container.name:
      valueType: STRING
    destination.ip:
      valueType: IP_ADDRESS
    destination.labels:
      valueType: STRING_MAP
    destination.metadata:
      valueType: STRING_MAP
    destination.name:
      valueType: STRING
    destination.namespace:
      valueType: STRING
    destination.owner:
      valueType: STRING
    destination.service:
      valueType: STRING
    destination.service.host:
      valueType: STRING
    destination.service.name:
      valueType: STRING
    destination.service.namespace:
      valueType: STRING
    destination.service.uid:
      valueType: STRING
    destination.serviceAccount:
      valueType: STRING
    destination.workload.name:
      valueType: STRING
    destination.workload.namespace:
      valueType: STRING
    destination.workload.uid:
      valueType: STRING
    source.ip:
      valueType: IP_ADDRESS
    source.labels:
      valueType: STRING_MAP
    source.metadata:
      valueType: STRING_MAP
    source.name:
      valueType: STRING
    source.namespace:
      valueType: STRING
    source.owner:
      valueType: STRING
    source.service:
      valueType: STRING
    source.serviceAccount:
      valueType: STRING
    source.services:
      valueType: STRING
    source.workload.name:
      valueType: STRING
    source.workload.namespace:
      valueType: STRING
    source.workload.uid:
      valueType: STRING
---
# Instance that maps the adapter's $out.* fields onto mesh attributes. Each
# binding carries a literal fallback ("unknown", "default", 0.0.0.0), so a
# failed lookup yields a placeholder rather than an error; policy written
# against these attributes should not treat the fallback as a real identity.
apiVersion: config.istio.io/v1alpha2
kind: kubernetes
metadata:
  name: attributes
  namespace: default
spec:
  attribute_bindings:
    destination.container.name: $out.destination_container_name | "unknown"
    destination.ip: $out.destination_pod_ip | ip("0.0.0.0")
    destination.labels: $out.destination_labels | emptyStringMap()
    destination.name: $out.destination_pod_name | "unknown"
    destination.namespace: $out.destination_namespace | "default"
    destination.owner: $out.destination_owner | "unknown"
    destination.serviceAccount: $out.destination_service_account_name | "unknown"
    destination.uid: $out.destination_pod_uid | "unknown"
    destination.workload.name: $out.destination_workload_name | "unknown"
    destination.workload.namespace: $out.destination_workload_namespace | "unknown"
    destination.workload.uid: $out.destination_workload_uid | "unknown"
    source.ip: $out.source_pod_ip | ip("0.0.0.0")
    source.labels: $out.source_labels | emptyStringMap()
    source.name: $out.source_pod_name | "unknown"
    source.namespace: $out.source_namespace | "default"
    source.owner: $out.source_owner | "unknown"
    source.serviceAccount: $out.source_service_account_name | "unknown"
    source.uid: $out.source_pod_uid | "unknown"
    source.workload.name: $out.source_workload_name | "unknown"
    source.workload.namespace: $out.source_workload_namespace | "unknown"
    source.workload.uid: $out.source_workload_uid | "unknown"
  destination_port: destination.port | 0
  destination_uid: destination.uid | ""
  source_ip: source.ip | ip("0.0.0.0")
  source_uid: source.uid | ""
---
apiVersion: config.istio.io/v1alpha2
kind: kubernetesenv
metadata:
  name: handler
  namespace: default
spec: null
---
# HTTP access log template.
apiVersion: config.istio.io/v1alpha2
kind: logentry
metadata:
  name: accesslog
  namespace: default
spec:
  monitored_resource_type: '"global"'
  severity: '"Info"'
  timestamp: request.time
  variables:
    # apiClaims and apiKey write the raw auth claims and the API key (or the
    # x-api-key header) into every log entry, so the log sink holds
    # credentials; restrict access to it, or drop or hash these fields.
    apiClaims: request.auth.raw_claims | ""
    apiKey: request.api_key | request.headers["x-api-key"] | ""
    # clientTraceId, requestId, referer, userAgent and xForwardedFor are
    # copied from client-supplied headers: untrusted text for anything that
    # parses or alerts on these logs.
    clientTraceId: request.headers["x-client-trace-id"] | ""
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destinationApp: destination.labels["app"] | ""
    destinationIp: destination.ip | ip("0.0.0.0")
    destinationName: destination.name | ""
    destinationNamespace: destination.namespace | ""
    destinationOwner: destination.owner | ""
    destinationPrincipal: destination.principal | ""
    destinationServiceHost: destination.service.host | ""
    destinationWorkload: destination.workload.name | ""
    httpAuthority: request.headers[":authority"] | request.host | ""
    latency: response.duration | "0ms"
    method: request.method | ""
    protocol: request.scheme | context.protocol | "http"
    receivedBytes: request.total_size | 0
    referer: request.referer | ""
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    requestId: request.headers["x-request-id"] | ""
    requestSize: request.size | 0
    requestedServerName: connection.requested_server_name | ""
    responseCode: response.code | 0
    responseSize: response.size | 0
    responseTimestamp: response.time
    sentBytes: response.total_size | 0
    sourceApp: source.labels["app"] | ""
    sourceIp: source.ip | ip("0.0.0.0")
    sourceName: source.name | ""
    sourceNamespace: source.namespace | ""
    sourceOwner: source.owner | ""
    sourcePrincipal: source.principal | ""
    sourceWorkload: source.workload.name | ""
    url: request.path | ""
    userAgent: request.useragent | ""
    xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0"
---
# TCP access log template. connection_security_policy records whether the
# connection used mutual TLS, which is the field to query when auditing
# plaintext traffic inside the mesh.
apiVersion: config.istio.io/v1alpha2
kind: logentry
metadata:
  name: tcpaccesslog
  namespace: default
spec:
  monitored_resource_type: '"global"'
  severity: '"Info"'
  timestamp: context.time | timestamp("2017-01-01T00:00:00Z")
  variables:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    connectionDuration: connection.duration | "0ms"
    connectionEvent: connection.event | ""
    destinationApp: destination.labels["app"] | ""
    destinationIp: destination.ip | ip("0.0.0.0")
    destinationName: destination.name | ""
    destinationNamespace: destination.namespace | ""
    destinationOwner: destination.owner | ""
    destinationPrincipal: destination.principal | ""
    destinationServiceHost: destination.service.host | ""
    destinationWorkload: destination.workload.name | ""
    protocol: context.protocol | "tcp"
    receivedBytes: connection.received.bytes | 0
    reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination")
    requestedServerName: connection.requested_server_name | ""
    sentBytes: connection.sent.bytes | 0
    sourceApp: source.labels["app"] | ""
    sourceIp: source.ip | ip("0.0.0.0")
    sourceName: source.name | ""
    sourceNamespace: source.namespace | ""
    sourceOwner: source.owner | ""
    sourcePrincipal: source.principal | ""
    sourceWorkload: source.workload.name | ""
    totalReceivedBytes: connection.received.bytes_total | 0
    totalSentBytes: connection.sent.bytes_total | 0
---
apiVersion: config.istio.io/v1alpha2
kind: metric
metadata:
  name: requestcount
  namespace: default
spec:
  dimensions:
    connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none"))
    destination_app: destination.labels["app"] | "unknown"
    destination_principal: destination.principal | "unknown"
    destination_service: destination.service.host | "unknown"
    destination_service_name: destination.service.name | "unknown"
    destination_service_namespace: destination.service.namespace | "unknown"
    destination_version: destination.labels["version"] |
"unknown" 4043 destination_workload: destination.workload.name | "unknown" 4044 destination_workload_namespace: destination.workload.namespace | "unknown" 4045 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 4046 request_protocol: api.protocol | context.protocol | "unknown" 4047 response_code: response.code | 200 4048 source_app: source.labels["app"] | "unknown" 4049 source_principal: source.principal | "unknown" 4050 source_version: source.labels["version"] | "unknown" 4051 source_workload: source.workload.name | "unknown" 4052 source_workload_namespace: source.workload.namespace | "unknown" 4053 monitored_resource_type: '"UNSPECIFIED"' 4054 value: "1" 4055 --- 4056 apiVersion: config.istio.io/v1alpha2 4057 kind: metric 4058 metadata: 4059 name: requestduration 4060 namespace: default 4061 spec: 4062 dimensions: 4063 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 4064 destination_app: destination.labels["app"] | "unknown" 4065 destination_principal: destination.principal | "unknown" 4066 destination_service: destination.service.host | "unknown" 4067 destination_service_name: destination.service.name | "unknown" 4068 destination_service_namespace: destination.service.namespace | "unknown" 4069 destination_version: destination.labels["version"] | "unknown" 4070 destination_workload: destination.workload.name | "unknown" 4071 destination_workload_namespace: destination.workload.namespace | "unknown" 4072 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 4073 request_protocol: api.protocol | context.protocol | "unknown" 4074 response_code: response.code | 200 4075 source_app: source.labels["app"] | "unknown" 4076 source_principal: source.principal | "unknown" 4077 source_version: source.labels["version"] | "unknown" 4078 source_workload: source.workload.name 
| "unknown" 4079 source_workload_namespace: source.workload.namespace | "unknown" 4080 monitored_resource_type: '"UNSPECIFIED"' 4081 value: response.duration | "0ms" 4082 --- 4083 apiVersion: config.istio.io/v1alpha2 4084 kind: metric 4085 metadata: 4086 name: requestsize 4087 namespace: default 4088 spec: 4089 dimensions: 4090 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 4091 destination_app: destination.labels["app"] | "unknown" 4092 destination_principal: destination.principal | "unknown" 4093 destination_service: destination.service.host | "unknown" 4094 destination_service_name: destination.service.name | "unknown" 4095 destination_service_namespace: destination.service.namespace | "unknown" 4096 destination_version: destination.labels["version"] | "unknown" 4097 destination_workload: destination.workload.name | "unknown" 4098 destination_workload_namespace: destination.workload.namespace | "unknown" 4099 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 4100 request_protocol: api.protocol | context.protocol | "unknown" 4101 response_code: response.code | 200 4102 source_app: source.labels["app"] | "unknown" 4103 source_principal: source.principal | "unknown" 4104 source_version: source.labels["version"] | "unknown" 4105 source_workload: source.workload.name | "unknown" 4106 source_workload_namespace: source.workload.namespace | "unknown" 4107 monitored_resource_type: '"UNSPECIFIED"' 4108 value: request.size | 0 4109 --- 4110 apiVersion: config.istio.io/v1alpha2 4111 kind: metric 4112 metadata: 4113 name: responsesize 4114 namespace: default 4115 spec: 4116 dimensions: 4117 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 4118 destination_app: destination.labels["app"] | "unknown" 4119 
destination_principal: destination.principal | "unknown" 4120 destination_service: destination.service.host | "unknown" 4121 destination_service_name: destination.service.name | "unknown" 4122 destination_service_namespace: destination.service.namespace | "unknown" 4123 destination_version: destination.labels["version"] | "unknown" 4124 destination_workload: destination.workload.name | "unknown" 4125 destination_workload_namespace: destination.workload.namespace | "unknown" 4126 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 4127 request_protocol: api.protocol | context.protocol | "unknown" 4128 response_code: response.code | 200 4129 source_app: source.labels["app"] | "unknown" 4130 source_principal: source.principal | "unknown" 4131 source_version: source.labels["version"] | "unknown" 4132 source_workload: source.workload.name | "unknown" 4133 source_workload_namespace: source.workload.namespace | "unknown" 4134 monitored_resource_type: '"UNSPECIFIED"' 4135 value: response.size | 0 4136 --- 4137 apiVersion: config.istio.io/v1alpha2 4138 kind: metric 4139 metadata: 4140 name: tcpbytereceived 4141 namespace: default 4142 spec: 4143 dimensions: 4144 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 4145 destination_app: destination.labels["app"] | "unknown" 4146 destination_principal: destination.principal | "unknown" 4147 destination_service: destination.service.name | "unknown" 4148 destination_service_name: destination.service.name | "unknown" 4149 destination_service_namespace: destination.service.namespace | "unknown" 4150 destination_version: destination.labels["version"] | "unknown" 4151 destination_workload: destination.workload.name | "unknown" 4152 destination_workload_namespace: destination.workload.namespace | "unknown" 4153 reporter: conditional((context.reporter.kind | "inbound") == 
"outbound", "source", "destination") 4154 source_app: source.labels["app"] | "unknown" 4155 source_principal: source.principal | "unknown" 4156 source_version: source.labels["version"] | "unknown" 4157 source_workload: source.workload.name | "unknown" 4158 source_workload_namespace: source.workload.namespace | "unknown" 4159 monitored_resource_type: '"UNSPECIFIED"' 4160 value: connection.received.bytes | 0 4161 --- 4162 apiVersion: config.istio.io/v1alpha2 4163 kind: metric 4164 metadata: 4165 name: tcpbytesent 4166 namespace: default 4167 spec: 4168 dimensions: 4169 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) 4170 destination_app: destination.labels["app"] | "unknown" 4171 destination_principal: destination.principal | "unknown" 4172 destination_service: destination.service.name | "unknown" 4173 destination_service_name: destination.service.name | "unknown" 4174 destination_service_namespace: destination.service.namespace | "unknown" 4175 destination_version: destination.labels["version"] | "unknown" 4176 destination_workload: destination.workload.name | "unknown" 4177 destination_workload_namespace: destination.workload.namespace | "unknown" 4178 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") 4179 source_app: source.labels["app"] | "unknown" 4180 source_principal: source.principal | "unknown" 4181 source_version: source.labels["version"] | "unknown" 4182 source_workload: source.workload.name | "unknown" 4183 source_workload_namespace: source.workload.namespace | "unknown" 4184 monitored_resource_type: '"UNSPECIFIED"' 4185 value: connection.sent.bytes | 0 4186 --- 4187 apiVersion: config.istio.io/v1alpha2 4188 kind: prometheus 4189 metadata: 4190 name: handler 4191 namespace: default 4192 spec: 4193 metrics: 4194 - instance_name: requestcount.metric.default 4195 kind: COUNTER 4196 label_names: 4197 
- reporter 4198 - source_app 4199 - source_principal 4200 - source_workload 4201 - source_workload_namespace 4202 - source_version 4203 - destination_app 4204 - destination_principal 4205 - destination_workload 4206 - destination_workload_namespace 4207 - destination_version 4208 - destination_service 4209 - destination_service_name 4210 - destination_service_namespace 4211 - request_protocol 4212 - response_code 4213 - connection_security_policy 4214 name: requests_total 4215 - buckets: 4216 explicit_buckets: 4217 bounds: 4218 - 0.005 4219 - 0.01 4220 - 0.025 4221 - 0.05 4222 - 0.1 4223 - 0.25 4224 - 0.5 4225 - 1 4226 - 2.5 4227 - 5 4228 - 10 4229 instance_name: requestduration.metric.default 4230 kind: DISTRIBUTION 4231 label_names: 4232 - reporter 4233 - source_app 4234 - source_principal 4235 - source_workload 4236 - source_workload_namespace 4237 - source_version 4238 - destination_app 4239 - destination_principal 4240 - destination_workload 4241 - destination_workload_namespace 4242 - destination_version 4243 - destination_service 4244 - destination_service_name 4245 - destination_service_namespace 4246 - request_protocol 4247 - response_code 4248 - connection_security_policy 4249 name: request_duration_seconds 4250 - buckets: 4251 exponentialBuckets: 4252 growthFactor: 10 4253 numFiniteBuckets: 8 4254 scale: 1 4255 instance_name: requestsize.metric.default 4256 kind: DISTRIBUTION 4257 label_names: 4258 - reporter 4259 - source_app 4260 - source_principal 4261 - source_workload 4262 - source_workload_namespace 4263 - source_version 4264 - destination_app 4265 - destination_principal 4266 - destination_workload 4267 - destination_workload_namespace 4268 - destination_version 4269 - destination_service 4270 - destination_service_name 4271 - destination_service_namespace 4272 - request_protocol 4273 - response_code 4274 - connection_security_policy 4275 name: request_bytes 4276 - buckets: 4277 exponentialBuckets: 4278 growthFactor: 10 4279 numFiniteBuckets: 8 
4280 scale: 1 4281 instance_name: responsesize.metric.default 4282 kind: DISTRIBUTION 4283 label_names: 4284 - reporter 4285 - source_app 4286 - source_principal 4287 - source_workload 4288 - source_workload_namespace 4289 - source_version 4290 - destination_app 4291 - destination_principal 4292 - destination_workload 4293 - destination_workload_namespace 4294 - destination_version 4295 - destination_service 4296 - destination_service_name 4297 - destination_service_namespace 4298 - request_protocol 4299 - response_code 4300 - connection_security_policy 4301 name: response_bytes 4302 - instance_name: tcpbytesent.metric.default 4303 kind: COUNTER 4304 label_names: 4305 - reporter 4306 - source_app 4307 - source_principal 4308 - source_workload 4309 - source_workload_namespace 4310 - source_version 4311 - destination_app 4312 - destination_principal 4313 - destination_workload 4314 - destination_workload_namespace 4315 - destination_version 4316 - destination_service 4317 - destination_service_name 4318 - destination_service_namespace 4319 - connection_security_policy 4320 name: tcp_sent_bytes_total 4321 - instance_name: tcpbytereceived.metric.default 4322 kind: COUNTER 4323 label_names: 4324 - reporter 4325 - source_app 4326 - source_principal 4327 - source_workload 4328 - source_workload_namespace 4329 - source_version 4330 - destination_app 4331 - destination_principal 4332 - destination_workload 4333 - destination_workload_namespace 4334 - destination_version 4335 - destination_service 4336 - destination_service_name 4337 - destination_service_namespace 4338 - connection_security_policy 4339 name: tcp_received_bytes_total 4340 --- 4341 apiVersion: config.istio.io/v1alpha2 4342 kind: rule 4343 metadata: 4344 name: kubeattrgenrulerule 4345 namespace: default 4346 spec: 4347 actions: 4348 - handler: handler.kubernetesenv 4349 instances: 4350 - attributes.kubernetes 4351 --- 4352 apiVersion: config.istio.io/v1alpha2 4353 kind: rule 4354 metadata: 4355 name: promhttp 
4356 namespace: default 4357 spec: 4358 actions: 4359 - handler: handler.prometheus 4360 instances: 4361 - requestcount.metric 4362 - requestduration.metric 4363 - requestsize.metric 4364 - responsesize.metric 4365 match: context.protocol == "http" || context.protocol == "grpc" 4366 --- 4367 apiVersion: config.istio.io/v1alpha2 4368 kind: rule 4369 metadata: 4370 name: promtcp 4371 namespace: default 4372 spec: 4373 actions: 4374 - handler: handler.prometheus 4375 instances: 4376 - tcpbytesent.metric 4377 - tcpbytereceived.metric 4378 match: context.protocol == "tcp" 4379 --- 4380 apiVersion: config.istio.io/v1alpha2 4381 kind: rule 4382 metadata: 4383 name: stdiotcp 4384 namespace: default 4385 spec: 4386 actions: 4387 - handler: handler.stdio 4388 instances: 4389 - tcpaccesslog.logentry 4390 match: context.protocol == "tcp" 4391 --- 4392 apiVersion: config.istio.io/v1alpha2 4393 kind: rule 4394 metadata: 4395 name: stdio 4396 namespace: default 4397 spec: 4398 actions: 4399 - handler: handler.stdio 4400 instances: 4401 - accesslog.logentry 4402 match: context.protocol == "http" || context.protocol == "grpc" 4403 --- 4404 apiVersion: config.istio.io/v1alpha2 4405 kind: rule 4406 metadata: 4407 name: tcpkubeattrgenrulerule 4408 namespace: default 4409 spec: 4410 actions: 4411 - handler: handler.kubernetesenv 4412 instances: 4413 - attributes.kubernetes 4414 match: context.protocol == "tcp" 4415 --- 4416 apiVersion: config.istio.io/v1alpha2 4417 kind: stdio 4418 metadata: 4419 name: handler 4420 namespace: default 4421 spec: 4422 outputAsJson: true 4423 --- 4424 apiVersion: networking.istio.io/v1alpha3 4425 kind: DestinationRule 4426 metadata: 4427 name: istio-policy 4428 namespace: default 4429 spec: 4430 host: istio-policy.default.svc.cluster.local 4431 trafficPolicy: 4432 connectionPool: 4433 http: 4434 http2MaxRequests: 10000 4435 maxRequestsPerConnection: 10000 4436 --- 4437 apiVersion: networking.istio.io/v1alpha3 4438 kind: DestinationRule 4439 metadata: 4440 
name: istio-telemetry 4441 namespace: default 4442 spec: 4443 host: istio-telemetry.default.svc.cluster.local 4444 trafficPolicy: 4445 connectionPool: 4446 http: 4447 http2MaxRequests: 10000 4448 maxRequestsPerConnection: 10000 4449 --- 4450 apiVersion: networking.istio.io/v1alpha3 4451 kind: Gateway 4452 metadata: 4453 name: istio-autogenerated-k8s-ingress 4454 namespace: istio-system 4455 spec: 4456 selector: 4457 istio: ingress 4458 servers: 4459 - hosts: 4460 - '*' 4461 port: 4462 name: http 4463 number: 80 4464 protocol: HTTP2